Configuration

To change the settings for InstallSpy, select the Settings menu item from the Settings menu on the main screen. The settings screen will appear:

There are four main types of changes that InstallSpy can record:

  1. Shell Events: These are events sent to the shell (Explorer in Windows) to tell it when to update the desktop (which is also Explorer) or any open Explorer windows. For example, if the Recycle Bin icon needs to be changed because it has just been emptied, then a System image changed event is recorded.
  2. Registry changes: Many programs in Windows, including Windows itself, store their settings in the registry. The registry is split into several sections, e.g. settings that apply to all users, settings for the computer itself, etc.
  3. File system changes: InstallSpy can watch for changes to files or directories, for an entire drive or just within certain directories. By default, all hard drives (and partitions) are watched. File watching is only supported on Windows 2003, XP, 2000, and NT4. File scanning is supported on all versions of Windows. InstallSpy can also report on how much disk space was lost (or gained) on all hard drives.
  4. Processes: A snapshot is taken of what processes are running before and after. This includes information on each process, such as its priority and number of threads.

You can also access the filtering settings by clicking the Filter button. See the Filter section for more information on filtering, as that is not covered here.

Note that you can use a pop-up menu (right-click anywhere on the window) to clear or set all of the check-boxes and also revert to the default settings:

Shell Event Notifications

Note that these events are only recorded when they affect a file or directory that is open in Explorer, e.g. the desktop, a file saved on the desktop, a folder open in an Explorer window, etc.

| Event | Description |
| --- | --- |
| File type association change | The default program used to open files of a certain type, e.g. Microsoft Word documents, has been changed. |
| File or folder attributes changed | Note that it appears that this event is never sent by Windows. |
| Non-folder (e.g. file) created | A file has been created in a folder open in an Explorer window. |
| Non-folder (e.g. file) deleted | A file has been deleted in a folder open in an Explorer window. |
| Drive added | For example, a new network drive has been mapped. |
| Drive added, shell needs to create new window | For example, a new network drive has been mapped. Note there is no point recording this event. |
| Drive removed | For example, a network drive has been disconnected. |
| Media inserted, e.g. CD | For example, a new CD or DVD has been put into the CD/DVD drive. |
| Media removed | For example, the CD or DVD has been taken out of the CD/DVD drive. |
| Disconnected from a server | Recorded when you have completely disconnected from a Windows server. Note the author has been unable to reproduce this event. |
| Folder being shared | A folder has been shared on the network. |
| Folder stopped being shared | A folder has stopped being shared. |
| Folder renamed | A folder has been renamed. |
| Non-folder (e.g. file) renamed | A file has been renamed. |
| Folder deleted | A folder has been deleted. |
| Folder created | A new folder has been created. |
| Folder contents changed | The contents of a folder have been changed, for example, a file in a folder being shown in an Explorer window has been changed. |
| System image changed | A system image has changed, e.g. the Recycle Bin has been emptied. |
| Non-folder (e.g. file) changed | A file has been changed. |

It is recommended that the default settings are used.

Registry Changes

The registry stores settings for many of the programs installed in Windows, including settings for Windows itself, specific users, all users, etc. For more information on what these root keys are used for, see this Microsoft web page.

| Root Key | Description |
| --- | --- |
| HKEY_LOCAL_MACHINE | This root key stores all the settings that apply to the computer. Note that only an Administrator can change these settings. |
| HKEY_USERS | This root key stores all the settings that apply to all the users of the computer. |
| HKEY_CURRENT_USER | This root key stores all the settings that apply to the current user only. It is a sub-key of HKEY_USERS. |
| HKEY_CURRENT_CONFIG | Contains information about the hardware profile used by the local computer at system startup. It is a sub-key of HKEY_LOCAL_MACHINE. |
| HKEY_CLASSES_ROOT | The information stored here ensures that the correct program opens when you open a file by using Windows Explorer. It is a sub-key of HKEY_LOCAL_MACHINE. |

As you can see, some of the keys are actually sub-keys of other keys. So, if you select HKEY_LOCAL_MACHINE then you will also be monitoring HKEY_CURRENT_CONFIG and HKEY_CLASSES_ROOT. If you select HKEY_USERS you will also be monitoring HKEY_CURRENT_USER. Therefore, selecting both HKEY_LOCAL_MACHINE and HKEY_USERS will record all changes made to the registry.

It is recommended that the default settings are used, i.e. select just HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER.

Note that InstallSpy can be configured to automatically alert you when certain registry keys or values are changed. For example, some adware programs may change your Internet Explorer home page without your consent. See the Registry Warnings section for more information.

File Watch

File watching is only supported on Windows 2003, XP, 2000, and NT 4.

InstallSpy can watch for any type of change made to any file or directory. It can watch entire drives or just certain directories.

| File Setting | Description |
| --- | --- |
| Files created, deleted, or renamed | A file has been created, deleted, or renamed. |
| Directories created, deleted, or renamed | A directory has been created, deleted, or renamed. |
| File or directory attributes changed | A file's or directory's attributes have been changed, e.g. directory hidden. |
| File size changed | A file's size has been changed. |
| File or directory creation date changed | A file's or directory's creation date has been changed. |
| File or directory last write date changed | A file's or directory's last modification date has been changed. |
| File or directory security attributes changed | A file's or directory's security attributes have been changed, e.g. the owner has changed. |
| File or directory last access date changed | A file's or directory's last access date has been changed. This is only valid on NTFS formatted drives. |

It is highly recommended that the default settings are used, otherwise duplicate information may be recorded. For example, if a file is modified then three events could be recorded (file size changed, file last write date changed, file last access date changed).

Enabling File or directory last access date changed may result in a large report. If you want to see what files a program is reading, then it may be better to enable just this setting.

Because of a limitation in Windows, InstallSpy cannot record the exact event that occurred. The table below shows what these settings are actually recorded as in the report:

| File Setting | Recorded In Report As |
| --- | --- |
| Files created, deleted, or renamed | Created, Deleted, or Renamed (depending on action) |
| Directories created, deleted, or renamed | Created, Deleted, or Renamed (depending on action) |
| File or directory attributes changed | Modified |
| File size changed | Modified |
| File or directory creation date changed | Modified |
| File or directory last write date changed | Modified |
| File or directory security attributes changed | Modified |
| File or directory last access date changed | Modified |

So from the report it would not be possible to distinguish between a file size change and a file attributes change, for example. To know exactly which setting changed you would need to select just that setting. Future versions of InstallSpy may be able to bypass this limitation.

By default, InstallSpy will record file system changes made to any directory or file on any hard drive in the computer. This can be changed by clicking the Paths to watch/scan button:

You can add directories by clicking the Add Directory button, and delete directories from the list by clicking the Delete Directory button. Note that sub-directories and their contents will also be scanned, so for example, if you add the directory C:\WINDOWS then all the files and sub-directories (and their files and sub-directories etc.) will be scanned for changes.

As an alternative to File Watching, you can use File Scanning (you can also use both at the same time).

File Scanning

Unlike File Watching, File Scanning can be used on all versions of Windows. It can be used with File Watching, or as an alternative.

File Scanning works by taking a snapshot of selected files and directories before and after, then comparing the lists to find the differences. It works the same way as detecting registry changes. Hashing can be used to guarantee detection of file changes. It computes a unique hash value based on the contents of a file - there is a choice of MD5 or SHA-1 hashing. Note that hashing is extremely slow and should only be used when the number of files being scanned is small. Also, hash values cannot be computed for open files.

The directories to be scanned can be changed by clicking on the Paths to watch/scan button. The same paths are used for file watching and scanning.
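
The before-and-after comparison described above, as an added Python example (not InstallSpy's code; the function names and sample files are constructed for illustration). It shows the case hashing is there for: an edit that keeps the file size and timestamps is invisible to a size-and-date comparison but is reported once a digest is recorded.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def snapshot(root, algorithm=None):
    """Map each file's relative path to (size, mtime_ns, digest or None)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            digest = None
            if algorithm:  # "md5" or "sha1", the two choices the page lists
                h = hashlib.new(algorithm)
                with open(path, "rb") as fh:
                    for chunk in iter(lambda: fh.read(65536), b""):
                        h.update(chunk)
                digest = h.hexdigest()
            state[os.path.relpath(path, root)] = (st.st_size, st.st_mtime_ns, digest)
    return state

def diff(before, after):
    """Compare two snapshots and classify every path that differs."""
    common = before.keys() & after.keys()
    return {
        "created": sorted(after.keys() - before.keys()),
        "deleted": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }

def demo(algorithm=None):
    """Constructed scenario: one file added, one removed, one edited in place."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "app.ini").write_bytes(b"mode=safe")
        Path(root, "old.dll").write_bytes(b"v1")
        before = snapshot(root, algorithm)
        ini = Path(root, "app.ini")
        st = ini.stat()
        ini.write_bytes(b"mode=fast")  # same length as the original content
        os.utime(ini, ns=(st.st_atime_ns, st.st_mtime_ns))  # timestamps unchanged
        Path(root, "old.dll").unlink()
        Path(root, "new.exe").write_bytes(b"MZ")
        return diff(before, snapshot(root, algorithm))

if __name__ == "__main__":
    for algo in (None, "sha1"):
        print(algo or "metadata only", demo(algo))
```
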

What are the main differences between file watching and file scanning?

Process Watch

InstallSpy can keep track of what processes are running and start automatically when certain programs are run.

If Run InstallSpy on Windows startup is checked then InstallSpy will start when Windows is started. It will start minimized (to the tray area next to the clock). Starting InstallSpy with Windows is useful for when you want InstallSpy to run automatically whenever certain programs are run.

If you want InstallSpy to start automatically when a program is run, you must enable Prompt me to record changes when these programs are run and add the names of the programs. For example:

So if a program named either install.exe or setup.exe is run, InstallSpy will prompt you automatically:

As soon as the program exits, InstallSpy will stop recording the changes and display the report.

Report

By default, reports are called InstallSpy.html and saved in the same directory as the InstallSpy executable. This can be changed:

You can also prefix the filename with the date & time the report was produced.

Misc.

You can skip some of the steps and also remove the disk usage from the report.
