SoftDetective User's Guide

SoftDetective^™ User's Guide

Introduction

SoftDetective Overview

Thank you for choosing SoftDetective!

SoftDetective is a software utility that you can use to monitor activity of other programs and see which files were created or deleted, which registry entries were updated, and so on.

Using SoftDetective, you can specify a program's file to launch (with optional command line parameters). SoftDetective will launch the program for you and keep an eye on the files and registry entries it creates, deletes, or modifies. When you tell SoftDetective to stop the monitoring, it generates a report about the activity it detected, that you can view directly in SoftDetective window.

In addition to launching a program to monitor, you can also use SoftDetective to monitor the uninstall process or attach to the already running program.

After a report has been generated by SoftDetective, you can see it in a tree-like structure that you can navigate to see the details of the events captured. When a program updates a file, SoftDetective displays the changes detected, such as the size of the file, the modification time, the version information, if applicable. For the text files, SoftDetective also reports the change made to the text. Similar information is also reported for the folders and registry keys and values. SoftDetective can also report which file and registry values where created, deleted, renamed, or moved. You can view the reports using SoftDetective, or export them as the text of HTML files, to view with a text processor or a web browser.

Note: While SoftDetective can monitor the activity of the common programs, some situations can be tricky or impossible to monitor. See here for the troubleshooting tips.

What's new in this version of SoftDetective

Version 22.7

Minor changes to make SoftDetective work better with Windows 11.

System requirements for SoftDetective

SoftDetective is designed for Windows 11, 10, 8, 7 and similar versions of Windows. SoftDetective can be used with both 32-bit and x64 editions of Windows: the setup utility automatically installs the 32- or 64-bit executables of SoftDetective, depending on your version of Windows. SoftDetective is NOT compatible with Windows 95, 98, Me, Windows NT 4.0, Windows 2000, or any older version of Windows.

There are no special requirements or recommendations except the obvious one: the better processor and more RAM your computer has, the better SoftDetective will perform.

How to install SoftDetective

Login to Windows as the administrator, or as a power user. If you login as a regular or limited user, you may not be able to install or use this software.

To begin the installation, run the installation file that you have downloaded from the WinAbility.Com web site.

Note that if you have a previous version of this software already installed on your computer, the installation utility may prompt you to restart the computer, in order to be able to replace the files currently in use by Windows.

The installation program will walk you through the process of setting up SoftDetective. You will be prompted to read and accept the End User License Agreement, and to select the installation options such as the folder where to copy the files.

After you press the Finish button, the installation program will copy the files into the specified folder and configure Windows for using SoftDetective. If the installation program detects that your version of Windows is 64-bit, it installs the 64-bit executables. Otherwise, it installs the 32-bit files.

The installation process should take just a few seconds. When it's finished, SoftDetective is ready for use! You can start it by using its shortcut on the Start - Programs menu, or on Desktop (if you've selected such an option during the installation).

How to uninstall SoftDetective

To completely uninstall SoftDetective, it's not enough to simply delete its program files from the installation folder. To completely remove SoftDetective from your computer, follow the instructions below.

IMPORTANT: If your computer is configured for several user accounts, login into the same user account that you were logged in when you installed SoftDetective. If you use Windows Fast User Switching, log off from all other accounts before trying to uninstall SoftDetective.

To uninstall SoftDetective, use Windows Control Panel to open the Programs and Features (or Add/Remove Programs) item and use it to uninstall SoftDetective.

After the uninstall process has finished, you may need to restart the computer to complete the removal of the files that were in use by Windows.

Using SoftDetective

Choosing the program to monitor

To monitor a program's activity, first you need to specify the program you wish to monitor. To do that, run SoftDetective and use the Monitor page:

Enter the path to the program you want to monitor in the first box on this page. You can also click on the [...] button next to the box and choose the Browse for file command from the menu to locate the file.

In addition to the path to the program's file, you can also specify optional command line parameters. The parameters depend on the program you want to monitor. If you don't know which command line parameters to enter, leave the box empty.

SoftDetective keeps track of the programs you were monitoring in the past, and you can select them for repeat monitoring from the drop-down list. Keep in mind, however, that when you choose a program to monitor in this way, only its path information is updated, it does not include the command line parameters that where in effect when the previous monitoring was performed. You may need to adjust the command line parameters accordingly.

In addition to browsing for the program's file, SoftDetective lets you select a program from the Windows Uninstall list. This option is useful when you want to monitor the activity while uninstalling a program. (Use the second command on the menu after clicking on the [...] button and then select the desired program to uninstall from the list displayed.) When you do so, SoftDetective populates the path and the command line parameters for you.

If you use Windows 7 or Vista, you can also use the Run as Administrator option, to control how you want to program to be launched. Most programs to be installed or uninstalled require to be launched with the Run as Administrator option checked. However, some programs may require this option to be cleared. If the monitoring does not work as expected or the program refuses to run, try changing the Run as Administrator option, and that may solve such a problem.

Yet another monitoring option offered by SoftDetective is the ability to monitor a program that has already started. This is achieved by the third command on the menu shown on the image above. If you choose the Select a running task command from the menu, the list of the currently running programs will be displayed, for you to choose the one you want to monitor. If you use this option, then the command line parameters and Run as Administrator options will NOT be used.

Finally, you can optionally specify the name for the activity report to generate. If you leave the name empty, then the file name of the program (or the name of the task) will be used as the report name. SoftDetective will also automatically append the current date and time to the name of the report, to help you distinguish between different reports for the same program.

Instead of starting a new report, you can also choose to continue one of the previously generated reports. This is useful, for example, if you want to see the results of installing and then uninstalling a program in one single report.

To begin the monitoring, press the Start button. SoftDetective will launch the program you have selected (or begin monitoring the already running task). While monitoring is in progress, SoftDetective hides its window from the screen, and instead shows an icon in the taskbar notification area, next to the system clock, to provide a visual indicator that the monitoring is in progress:

During the monitoring, proceed with the program being monitored as usual: if it prompts you to enter the additional information, do so; if it needs you to press a button to proceed, press the button, and so on. While you work with the program, SoftDetective will keep working in the background, taking notes about the program's actions, the registry changes it makes, the files and folders that it creates, and so on.

To stop the monitoring (for example, when the program being monitored has ended), double-click the notification icon of SoftDetective, or right-click it and choose the Stop monitoring command from the menu.

After the monitoring is stopped, SoftDetective may take a few seconds to finalize the report. Finally, you can review the monitoring results on the Reports page of the SoftDetective window.

Analyzing the reports

You can use the Reports page of SoftDetective to see the results of the monitoring sessions:

To see a report, select it in the drop-down list. The content of the selected report is displayed below the list, in a tree-like structure. You can expand and collapse the branches of the tree, as usual, to see the events that belong to the given category. The events are displayed using the bold typeface; when you select an event in the tree, the details about the selected event are displayed below the tree.

The events of different categories may have different details. Most events include the name of the object that was subject of the event (such as the name of a file or a registry key), the name of the task that produced that event. The events related to Windows Registry include the registry keys and related information. The events related to files and folders include their full paths, as well as the version and file time information, if appropriate. For the event describing the updates to the files or registry values, the details include the information about the changes.

Some types of events offer more information via their right-click menus. For example, if a file has been deleted, you can right-click on its name in the report and navigate to the copy of the original file that SoftDetective saved in a temporary folder. Or, if a text file was modified, you can use the right-click menu to navigate to both the updated file and the original copy. You can also open both such files using the external diff viewer, to examine the differences in detail.

You can control the way the report is displayed by pressing the View button and using the commands from the menu:

Show full path in tree - When this option is selected, a complete file path (or registry key) information is used when grouping the events in the tree branches. To navigate such a tree faster, you can right-click on the expandable items and use the Expand All and Collapse All commands as necessary. If this option is not selected, then all events that belong to the same category are grouped together under a single branch. Even if you choose this option, you can still see the complete path information in the details section when you select an event.

Hide empty branches - Select this option if you don't want to display the empty branches of the report tree.

Re-order branches - Select this option to change the order of the branches. Note that the Information branch is always displayed first; its position cannot be changed.

Include temporary events - When analyzing the program activity, SoftDetective attempts to recognize the temporary events, such as a file being created and then deleted during the same session, or a temporary file being created under one name and then renamed or moved to a more permanent location. Keep in mind, however, that it's not always possible to recognize such events correctly, especially when monitoring complex installations involving the MSI files or multiple related processes.

Expand All/Collapse All - Use these commands to quickly expand or collapse all branches of the event tree at the same time. You can also expand or collapse individual branches, by right-clicking on them and selecting the commands from the shortcut menu.

Since large reports may contain hundreds or even thousands of events, it may be difficult to locate the particular items in the reports. If you know the name or the value of a particular item you are looking for, you can use the Search button to search for the text in the report.

In addition to viewing the reports as described above, you can also export them into separate files. SoftDetective supports exporting in two formats: as a text file or in the HTML format. To do that, press the Tools button and choose one of the Export command from the menu:

After exporting the report into a file, you can view the file as usual: the text file can be opened with any text editor (such as Notepad), and the HTML files can be viewed with any web browser.

Finally, if you don't want to keep a specific report, you can delete it by selecting it in the reports list and pressing the Delete button. (You will be prompted to confirm that you want to delete the report before it will actually be deleted.) If you want to delete all reports that you've generated so far, you can use the Delete All command on the Tools menu. Keep in mind that there is no undelete command: if you've deleted a report, it is not possible to restore it back after that.

Changing the options

You can use the Options page of SoftDetective to change its options:

Folder to store reports - Specify where you want SoftDetective to store the report files it generates while monitoring programs. Note that if you change this folder, then only the reports located in the new folder will be visible in SoftDetective. If you want the previously generated reports visible as well, move them from the old folder to the new one using Windows Explorer or another file management application, such as AB Commander

Treat the following file extensions as the text files - Specify the list of the file name extensions (separated with commas) that you want to be treated as the text files. If during the monitoring a text file is modified, SoftDetective will attempt to detect the changes to the text inside of such a file. For other (non-text) files, SoftDetective only keeps track of the changes to the file time, size, and version information.

Text viewer - Specify the path to the application that you want to be used by SoftDetective when you choose a command to view a text file. (You can choose such a command by right-clicking on a text file in the report and choosing the View command from the shortcut menu.) If this box is empty, then Windows Notepad is used as the text viewer.

Diff viewer - Specify the path to the application that you want to be used by SoftDetective when you choose a command to view the text differences between the updated and original text files. (You can choose such a command by right-clicking on an updated text file in the report and choosing the Diff command from the shortcut menu.) If this box is empty, then an error is displayed when you attempt to use the Diff viewer.

Flash the notification icon while monitoring - While a monitoring session is in progress, SoftDetective displays a notification icon in the Windows notification area (next to the system clock). You can use this option to control the flashing of the icon: if you find the default flashing behavior too distracting, clear this option to display a static icon instead.

Check for software updates automatically - Select this option if you want SoftDetective to check for updates periodically without asking you every time. The updates are never downloaded or installed automatically, you will be always asked to confirm whether you want to download and install them.

Restore factory defaults - Press this button to discard any changes you've made to the options on this page and restore them the way they were originally, when you first installed SoftDetective.

Troubleshooting tips

While SoftDetective can monitor the activity of the common programs, some situations can be tricky:

Some programs are designed to run at specific elevation levels ("as administrator" or "as a standard user"). If you receive an error that the program you've specified has failed to start, try changing the Run as Administrator option on the Monitor page and try again.
Some programs run several modules, each performing only a part of the task. For example, one module may be responsible for displaying the user interface and collecting the user's input. This module may then pass the collected information on to another module that would actually perform the task. And yet another module could collect the results of the task and display it to the user. If you choose to monitor the activity produced by the first module, it may miss the activity produced by the second and the third ones. Detecting which module is responsible for which task is a non-trivial problem that's beyond the scope of SoftDetective.
Some installation programs come packaged as the compressed files (such as the Zip files). If you specify such a file to monitor, you may only receive a report of activity related to decompressing the file, rather than to the actual program within the Zip file. To be able to monitor the program itself, you may need to decompress the Zip file manually first, and then specify the decompressed program, as the file to monitor.
Some installation programs use non-standard packaging for their components: they could extract other files out of themselves and launch the secondary processes to perform parts of the installation. Depending on the exact methods used by such programs, the activity produced by the secondary processes may or may not be captured by SoftDetective. Unfortunately, there is little we can do to address such a problem if it occurs.
Some complex software packages contain installations of Windows services, device drivers, ActiveX controls, .NET components, and so on. If such components produce their own activity during the installation, it may not be captured by SoftDetective. Again, there is no practical solution to such a problem, short of trying to monitor all system activity happening during the installation (using a tool such as Process Monitor) and then trying to analyze the results manually.
Some programs use the so called client-server technique to perform their job: for example, the client part of the program may be responsible for collecting the user input and passing it on to the server component that would perform the actual work requested by the user. In such situations SoftDetective may be able to only monitor the activity of one component but not the other.
Some poorly designed programs may produce a lot of activity that can make it difficult or even impossible to analyze with SoftDetective. For example, some system cleaners request the write access to a large number of files while they scan the registry entries. This results in a large number of files copied by SoftDetective into its temporary folder, which may take several gigabytes of disk space and then a very long time to analyze. Unfortunately, there is no way to solve such a problem short of rewriting the system cleaner program so that it would not unnecessarily require the write access to the files.
The separation between the temporary and non-temporary events on the Reports page should be considered only as a suggestion at best. In some cases (especially when monitoring the installations of the MSI files), a large number of temporary files may be created, that later may be renamed or moved to the permanent locations and the temporary file names used again to create other temporary files, and so on. SoftDetective will try to make its best guess at the result, but it can go only so far trying to do so.