Trace an application from startup


Introduction

SpyStudio lets you trace almost any process you want at almost any moment of its execution, but sometimes you need to monitor its behavior from its very creation. In this tutorial you will learn how to hook a process without losing track of any of its function calls.

Tracing a process from startup step by step

Selecting function groups

The first step is to select the function groups to trace. This is done by checking and unchecking items in the menu bar, under the "Monitor" drop-down menu.
See SpyStudio Group Selection for details on function groups.

Select a program to trace

In the upper-left corner of the SpyStudio window you will find two text boxes. The first one is labeled "Execute and Hook". Type the full path of the executable file you want to trace (extension included), or browse for it using the "..." button right next to the text box.
You can also pass parameters to the executable. Simply type them in the "Parameters" text box exactly as you would on the command line; they are appended after the path of the file.

Start tracing!

Once you have specified the executable file and its parameters, click the "Execute and Hook" button (the one with the "play" symbol on it) or press the F5 shortcut. The process is launched and hooked before it makes any function calls.
Now you are tracing the process from its very startup!

Tracing

SpyStudio intercepts and logs every call to the functions in the selected function groups. This information is shown in near-raw form in the "Trace" tab and in fully interpreted form in the other tabs ("Registry", "Files", "Windows", etc.).
See SpyStudio Interpreting Tracing Output for more information on how to read SpyStudio logs.

Unhooking

To stop tracing a process you can:
  • Right-click on the process in the "Running processes" pane and then select "Unhook".
  • Terminate the process normally. This will automatically unhook the process before it exits.
  • Select "Analysis" in the menu bar and then "Stop All" (Shift + F5).