17

Many times, online installers download files in order to run. I need to back them up. Is there any tool or something to find out where the files are saved to?

Example:

example

Daniel B
  • 60,360
  • 9
  • 122
  • 163
Armaan
  • 169
  • 9
  • 1
    Wireshark can analyze incoming and outgoing packets and give a destination IP/URL if packets are being captured and inspected as the downloader is running. – Narzard Aug 28 '22 at 06:44
  • No, I don't need the file's URL, I am asking to figure out the path in the Windows "C" drive mainly. – Armaan Aug 28 '22 at 06:59
  • 2
    Process Hacker, a task manager replacement, has a "Disk" tab that shows which processes are doing IO on which files. – Hypershadsy Aug 28 '22 at 22:13
  • Usually you'll find the files if you search a bit in the Program Files and %appdata% folders. – Pierre Cathé Aug 29 '22 at 12:19
  • @PierreCathé Yes many times in its installation directory or in AppData\Roaming – Armaan Aug 29 '22 at 13:06
  • 2
    I'm curious why you'd want to back up downloaded files from "online installers" in general. I'm not sure this is going to be of any use to you, because you're unlikely to be able to restore such a backup in any meaningful way that future executions of the installer would make use of. This may be a case of seeking the wrong solution for an unstated problem. – Corrodias Aug 29 '22 at 16:18
  • 1
    @Corrodias It's a software, "Gigapixel AI", which downloads model files to run; they are over 3 GB. In this case they were stored in C:\Program Data. I have their backup now and it's working. – Armaan Aug 30 '22 at 01:19
  • The best way to have a working backup of this installer would probably be to make a new installer by repackaging it. For that to work, you will need a virtual machine and a software that can take snapshots of it and convert the difference into an installer. If you want, I can tell you some more about it, but there already is a high ranked answer that you said is working. – DarkDiamond Sep 07 '22 at 07:26
  • @DarkDiamond Thanks, but I don't have a problem with multiple files. – Armaan Sep 07 '22 at 14:22
  • @DarkDiamond OK, so unpackaging can extract files to different locations by itself too? Like in this case, in order to make it run, I have to copy some of its files to C:\Program Data\ – Armaan Sep 07 '22 at 14:23
  • @Armaan I didn’t mean extracting the installer but **repackaging** as in creating your own installer. This way, the new, self made installer will also contain the stuff the online-installer downloads during the installation. – DarkDiamond Sep 07 '22 at 19:25

1 Answer

20

Sysinternals Process Monitor (ProcMon)

ProcMon from Sysinternals is the best tool for such tasks as it provides many rich features to capture/track what processes are/were doing on disks, network and registry.
https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

Let it run for some seconds while downloading, then stop the capture, filter on the main and child processes of the program and on operations CreateFile and WriteFile.
The child processes may not be relevant if the download is done by the main process itself, but that depends on how the program was designed.

The easiest way to include the main and all of its child processes at once is by using the Process Tree (keyboard shortcut: CTRL + T) in the menu Tools. Just find the main process and right-click to add process and children to include filter. Unfortunately the Process Tree doesn't have a search function.

Examples

Steam Game Update

Note: Even if it's not an online installer, it's a similar approach.

ProcMon capture of Steam

Adobe Acrobat Reader Online Installer

ProcMon capture of Adobe Reader

Windows Resource Monitor

Another option is the built-in Resource Monitor of Windows to see the current write operations on your disks, but without features to analyze it extensively.

Just search for Resource Monitor or resmon to open it and switch to tab Disk. In the second view Disk Activity you can sort the column Write (B/sec) descending to see the most write demanding processes and the affected files.

Important note

The process named in the column Image may not be the one you're looking for. It could also be System or svchost.

Example - Steam Game Update

Resmon live view of Steam

General

Keep the following in mind:

  • Those paths are often only partial temp files and may get combined into one or more "usable" files (like executables, assets, etc.) somewhere else.
  • The files are often compressed with a special method.
  • They can get deleted immediately after they have been applied (while the installer/updater is still in progress).
    If they get deleted, you would also need a filesystem watcher which backs them all up in real time.
swbbl
  • 721
  • 3
  • 8
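
An added example (not part of the answer above, and not Sysinternals code): once the ProcMon capture is saved as CSV, a short Python script can total the WriteFile bytes per directory for the installer's PIDs (read from the Process Tree) and flag written files that were later deleted. It assumes the default export columns; the sample rows, process names, PIDs and paths are constructed, and the delete-detection strings are an assumption about how the export renders those events.

```python
import csv
import io
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample shaped like a ProcMon CSV export with the default columns.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.1","setup.exe","4242","CreateFile","C:\Temp\dl\part1.tmp","SUCCESS","Desired Access: Generic Write"
"10:00:01.2","setup.exe","4242","WriteFile","C:\Temp\dl\part1.tmp","SUCCESS","Offset: 0, Length: 65,536, Priority: Normal"
"10:00:01.3","setup.exe","4242","WriteFile","C:\Temp\dl\part1.tmp","SUCCESS","Offset: 65,536, Length: 4,096"
"10:00:02.0","helper.exe","5150","WriteFile","C:\ProgramData\App\models\m1.bin","SUCCESS","Offset: 0, Length: 1,048,576"
"10:00:02.5","explorer.exe","900","WriteFile","C:\Users\me\ntuser.dat.LOG1","SUCCESS","Offset: 0, Length: 512"
"10:00:03.0","setup.exe","4242","SetDispositionInformationFile","C:\Temp\dl\part1.tmp","SUCCESS","Delete: True"
'''

LENGTH = re.compile(r"Length: ([\d,.]+)")

def summarize(csv_text, pids):
    """Return (bytes written per path, set of written paths later deleted)."""
    written, deleted = defaultdict(int), set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if int(row["PID"]) not in pids or row["Result"] != "SUCCESS":
            continue
        op, detail = row["Operation"], row["Detail"]
        if op == "WriteFile":
            m = LENGTH.search(detail)
            # Length uses locale thousands separators, so keep digits only.
            written[row["Path"]] += int(re.sub(r"\D", "", m.group(1))) if m else 0
        elif op.startswith("SetDispositionInformation") and (
                "Delete: True" in detail or "FILE_DISPOSITION_DELETE" in detail):
            deleted.add(row["Path"])  # assumed rendering of a delete request
    return dict(written), deleted & set(written)

def by_directory(written):
    """Total bytes per parent directory, largest first."""
    totals = defaultdict(int)
    for path, size in written.items():
        totals[str(PureWindowsPath(path).parent)] += size
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    # For a real export: open(path, encoding="utf-8-sig", newline="").read()
    written, deleted = summarize(SAMPLE_CSV, pids={4242, 5150})
    for directory, size in by_directory(written):
        print(f"{size:>12,} bytes  {directory}")
    for path in sorted(deleted):
        print("deleted after write, copy it while the installer runs:", path)
```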