Trust No Program
Buster


Joined: 06 Aug 2007
Posts: 2184
That may be the reason. I will do some research when I have time.

kxsq
Guest
sanddiff1.04 sounds good
thank u
wraithdu


Joined: 29 Jun 2007
Posts: 1410
I took a look through Everything's forums and found the reason NETSTAT.EXE is not found in system32. It is because netstat (and many other system32 files) are actually hardlinks. You can google the term. I don't know how this affects opening or running an app via ShellExecute().

Brummelchen


Joined: 13 Oct 2008
Posts: 274
Why is netstat necessary for this program? Explain!

wraithdu


Joined: 29 Jun 2007
Posts: 1410
Part of the program can monitor ports that an application has open/listening.

Brummelchen


Joined: 13 Oct 2008
Posts: 274
And what is the relationship to the reghive and files in sandbox?

Is SandDiff working when the box is active or not active?

It's a bit like watching an electron (Heisenberg): you cannot determine position and impulse at the same time Wink

Buster


Joined: 06 Aug 2007
Posts: 2184
Brummelchen wrote:
And what is the relationship to the reghive and files in sandbox?

Is SandDiff working when the box is active or not active?

It's a bit like watching an electron (Heisenberg): you cannot determine position and impulse at the same time Wink


Sanddiff works when Sandboxie is not active.

SandDiff compares 2 moments of a given sandbox. Let's call them "before" and "after".

In the "before" moment the sandbox folder can be empty or contain information.

In the "after" moment the sandbox folder must contain information; if not, it's pointless.

Between the "before" and the "after" you must run sandboxed whatever you want.

When you are done, you terminate all processes and you are ready for comparison.

Sanddiff compares the file, registry and port differences between the "before" and the "after" states of the sandbox.

Relationship to the reghive and files in sandbox? None. It's just another source of information to compare.

I think it's pretty simple to understand. Let me know if something is not clear.

The next version of SandDiff will contain a new feature. It will check for malware activity and present results to the user based on the differences.

Brummelchen


Joined: 13 Oct 2008
Posts: 274
I understand your explanation - I can reproduce both ways.
What I do NOT understand is the use of netstat in that combination.
If there is nothing active, what is there to determine?
(Except looking into the registry, I don't know a way to determine if
a sandbox is still active; never thought about it till now.)

Buster


Joined: 06 Aug 2007
Posts: 2184
Brummelchen wrote:
I understand your explanation - I can reproduce both ways.
What I do NOT understand is the use of netstat in that combination.
If there is nothing active, what is there to determine?
(Except looking into the registry, I don't know a way to determine if
a sandbox is still active; never thought about it till now.)


Netstat is used to obtain the state of the ports.

Netstat automatically retrieves port information when you press "before".

Optionally you can press the "Meanwhile" button and obtain port information before you press "after".

You decide when you press "Meanwhile" or even if you want to press it.

The user must press "after" when he has finished sandboxed processes. SandDiff doesn't determine if a sandbox is still active.
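
A sketch of the "before" / "Meanwhile" / "after" port comparison described in the post above, added here as an illustration; it is not SandDiff's code and not part of any post. It assumes the snapshots are `netstat -ano` text; the sample snapshots are constructed, and PID 4242 and all function names are hypothetical.

```python
import re

# One `netstat -ano` row: TCP rows carry a state column, UDP rows do not.
ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z][A-Z_0-9]*)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Return a set of (proto, local, remote, state, pid) tuples."""
    rows = set()
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and blank lines do not match and are skipped
            proto, local, remote, state, pid = m.groups()
            rows.add((proto, local, remote, state or "", int(pid)))
    return rows

def diff_ports(earlier, later):
    """Rows that appeared or disappeared between two snapshots."""
    a, b = parse_netstat(earlier), parse_netstat(later)
    return {"opened": sorted(b - a), "closed": sorted(a - b)}

def new_listeners(earlier, later):
    """New local endpoints accepting traffic: TCP LISTENING or any UDP bind."""
    return [(proto, local, pid)
            for proto, local, _, state, pid in diff_ports(earlier, later)["opened"]
            if state == "LISTENING" or proto == "UDP"]

# Constructed snapshots (not real captures); PID 4242 is a made-up sandboxed process.
BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:500            *:*                                    672
"""
MEANWHILE = BEFORE + """\
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       4242
  TCP    192.168.1.10:49213     203.0.113.7:80         ESTABLISHED     4242
  UDP    0.0.0.0:1900           *:*                                    4242
"""
AFTER = BEFORE + """\
  TCP    192.168.1.10:49213     203.0.113.7:80         TIME_WAIT       0
"""

if __name__ == "__main__":
    print("meanwhile:", new_listeners(BEFORE, MEANWHILE))
    print("after:    ", diff_ports(BEFORE, AFTER)["opened"])
```

In the constructed data the listener on port 8080 appears only in the "Meanwhile" diff; by the "after" snapshot the process has exited and only a TIME_WAIT row remains.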
Brummelchen


Joined: 13 Oct 2008
Posts: 274
Quote:
Netstat automatically retrieves port information

And that is the point I don't understand.
If SandDiff does not care about activity, what is there to determine from open ports and listening apps?

#hmm - just started SandDiff 1.04 - netstat is needed for the "meanwhile" option and open apps?

Buster


Joined: 06 Aug 2007
Posts: 2184
Brummelchen wrote:
And that is the point I don't understand.
If SandDiff does not care about activity, what is there to determine from open ports and listening apps?

#hmm - just started SandDiff 1.04 - netstat is needed for the "meanwhile" option and open apps?


Who said SandDiff doesn't care about port activity?

Yes, netstat is needed for the "meanwhile".

Buster


Joined: 06 Aug 2007
Posts: 2184
I have fixed the problem with deleted keys/values.

As soon as tzuk adds the feature I requested I will release a new version.

Buster


Joined: 06 Aug 2007
Posts: 2184
wraithdu wrote:
I took a look through Everything's forums and found the reason NETSTAT.EXE is not found in system32. It is because netstat (and many other system32 files) are actually hardlinks. You can google the term. I don't know how this affects opening or running an app via ShellExecute().


I have a computer with Windows XP and Windows 7 installed, and when I'm running Windows XP I can see NETSTAT.EXE in \Windows\System32 and it does not look like a hard link. The file is 32kb long. Confused

wraithdu


Joined: 29 Jun 2007
Posts: 1410
The hardlink is only in Win7. Maybe Vista, but I don't have it to test anymore. And the hardlink will seem exactly the same as the real file - properties, size, appearance, etc. - except the Compatibility settings will be greyed out.

Feature Request: Save Differences in Reg Format
brahman


Joined: 29 Oct 2009
Posts: 1
Hi,

thanks for this great app.

It would be very nice if it could save registry differences automatically in Windows Registry Editor Version 5 format.

Thanks.

B.