19

Many times, online installers download files in order to run. I need to back them up. Is there any tool or something to find out where the files are saved to?

Example:

example

user219095
  • 65,551
Armaan
  • 309
  • 2
  • 11

1 Answers1

22

Sysinternals Process Monitor (ProcMon)

ProcMon from Sysinternals is the best tool for such tasks as it provides many rich features to capture/track what processes are/were doing on disks, network and registry.
https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

Let it run for some seconds while downloading, then stop the capture, filter on the main and child processes of the program and on operations CreateFile and WriteFile.
The child processes may not be relevant if the download is done by the main process itself, but that depends on how the program was designed.

The easiest way to include the main and all of its child processes at once is by using the Process Tree (keyboard shortcut: CTRL + T) in the menu Tools. Just find the main process and right-click to add process and children to include filter. Unfortunately the Process Tree doesn't have a search function.

Examples

Steam Game Update

Note: Even if it's not an online installer, it's a similar approach. ProcMon capture of Steam

Adobe Acrobat Reader Online Installer

ProcMon capture of Adobe Reader

Windows Resource Monitor

Another option is the built-in Resource Monitor of Windows to see the current write operations on your disks, but without features to analyze it extensively.

Just search for Resource Monitor or resmon to open it and switch to tab Disk. In the second view Disk Activity you can sort the column Write (B/sec) descending to see the most write demanding processes and the affected files.

Important note

The process named in the column Image may not be the one you're looking for. It could also be System or svchost.

Example - Steam Game Update

Resmon live view of Steam

General

Keep the following in mind:

  • Those paths are often only partial temp files and may get combined into one or more "usable" files (like executables, assets, etc) somewhere else.
  • The files are often compressed with a special method.
  • Can get deleted immediately after they got applied (while the installer/updater is still in progress).
    If they get deleted, you would also need a filesystem watcher which backs them all up in real time.
swbbl
  • 741