An Introduction to the Windows System State Analyzer

An Introduction to the Windows System State Analyzer

  • Comments 23
  • Likes

There often arises a need to figure out what may have changed on a system, either due to a specific issue or even to compare the difference between two systems. Today I would like to introduce you to the Windows System State Analyzer utility. Unless you are a developer or tester, you probably have never heard of this tool, as it is part of the Windows 2008 R2 Logo Software Certification and Windows 2008 R2 Logo Program Software Certification toolkits.

The basic functionality of the System State Analyzer tool is to allow you to compare two snapshots taken at different points in time. This allows you to compare the state of a machine both before and after an application install for instance. Today I will give you a run-through of what the tool looks like while doing a compare of a system both before and after installing a software package, in this case Virtual PC 2007. The initial UI will look something like this:

image

As you can see, the interface is divided into two panes, each of which is for a separate snapshot that you wish to compare. You start by naming the first snapshot. By default, you are given several default name instances such as Post Install, Pre Configuration or Custom.

The Tools – Options menu is where you can choose what you wish to include in the snapshot for comparison. You can compare drives, registry keys, services or drivers.

image

Once you click OK and come back to the main window, you are all set to begin the first baseline snapshot. This snapshot may take some time to complete depending on which options you have chosen and the amount of data on the drives. By default, it creates a snapshot as a .BIN file under C:\Users\Public\Documents.

Once the first snapshot was done, I installed Virtual PC 2007 and let it complete. This time, I choose the section on the right side, named it Post Install and took the second snapshot. Once this is done, I clicked Compare and the comparison was done. It gave me the option to view the Detailed Report, which is saved as an .HTML file. For now, let’s take a look at the Quick Comparison tab:

image

Looking at the Services section, we can see service state changes as well as any new services that might have been added during the installation. The drivers section looks like this:

image

As you can see, two new drivers were added to the system as part of the Virtual PC 2007 install. Likewise, the Registry section shows any registry changes made between the snapshots:

image

And the Files section also:

image

Below is a quick peek at the Detailed Report; you can see the change summary and details filtered based on file extension and various other file properties:

image

I am sure you can imagine scenarios in which this tool may come in handy. If anything undesirable happens after any system state change, you now have the ability to see what may be related to your issue. You can download the tool at the following locations:

· Server Logo Program Software Certification Tool x86: http://go.microsoft.com/fwlink/?LinkID=140110

· Server Logo Program Software Certification Tool x64: http://go.microsoft.com/fwlink/?LinkID=140109

Note: You must have the .NET Framework 2.0 installed for Windows System State Analyzer to work correctly.

I hope this information comes in handy, and thank you for your time.

Sumesh P.

Share this post :


Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • This is like a wish come true. Will be testing it out shortly. Thanks!

  • Can this be run against a server, remotely? Or is there a single .exe that can be copied onto the server and run (instead of installing the entire package (without Certification & Works with Tools))?

  • Yes, you can copy the program directory and run it on another box

    No, you cant run it remotely

  • 'Had several problems installing and using on Windows 2003 server, very clean image.

    1. First time the install failed (took defaults) and it rolled back, complaining about "Error 1001.InstallUtilLib.dll: Unknown error."

     So I right clicked on the install file (Software_Certification_Toolkit_x86.msi) and did Properties Security and clicked Unblock.

    Installed again, only chose the system state analyzer option, and install completed (I think this is the sequence, 'recalling all from memory)

    2. Then I ran into a .Net problem saying I must install .Net v2.0.50727.  I downloaded .Net 2.0 and installed.

    3. At this point, I'm able to run the tool, and compare states.  However, when I create a detailed report, I get

    "error in generating report"

    which is a very vague messge.

    On a hunch, I guess that in generating the report, you are calling into .Net framework to do something, and I probably need a newer version (even though I'm supposedly ok wi v2.0.50727).

    So I download .Net2.0SP2 and install that.  I'm now able to run the compare and produce a detailed report.

    So... I'm sharing this so others may benefit.  Tool looks very useful, could use a couple bug fixes as per my above problems.  But, nonetheless, very grateful to have a tool like this.  Enhancement may be to format the "state" snapshot in a format I can analyze in MS Excel.

  • Can it run in a command line or silently?

  • I get the "error in generating report" also, but the reports appear to be generated just fine

    Very useful tool (thanks for the heads up!)

    I am looking forward to putting it into action after a complicated install/updated/bork etc

  • Another engineer and myself have found that System State Analyzer frequently hands when attempting to do a compare using the windows GUI in Vista.  I’d like to see if I experience the same problem with compare running via the command line but so far have been unable to find a list of instructions for System State Analyzer command line switches.  Do you know where I can find a list for certain?

  • I found that after installing this that my WinXP workstation would BSOD after opening process monitor. After a quick crash analysis I found that systrace.sys was the culprit. This file is installed as "Microsof MSN Flight Data Recorder Trace Driver" (the typo in microsof was intentional, the file description in the installer has a typo). After uninstalling, I still needed to go into c:\windows\system32 and delete the file to stop it from crashing the system when Process Monitor was opened. Further details here: forum.sysinternals.com/bsod-after-opening-process-monitor_topic23795.html

  • Process Monitor started crashing my system after installiing Windows System State Analyzer. This would happen right after opening (or several seconds after opening) process monitor. The dmp file shows systrace.sys being called before procmon20.dll is called, followed by the bugcheck. Systrace.sys is installed by one of components of this app, the MSN Flight Data Recorder trace Driver. Uninstalling did not resolve since the file remains behind. I had to manually delete the systrace. sys to clear up the BSOD. I added a post to the sysinternals blog with some screenshots: forum.sysinternals.com/bsod-after-opening-process-monitor_topic23795.html

  • Unfortunately the tool crashes (IndexOutOfRangeException) whenever a modified directory is being analyzed during the snapshot comparison.

    Using Reflector I found the code that is responsible for the crash (see below).

    private void CountDirectoryModified()

    {

         ...

         for (int j = this.directoryDifference[i].Modified.Count - 1; j >= 0; j++)

         {

            if ((this.directoryDifference[i].Modified[j].Key.IndexOf(@"\.") == -1) ...)

            {

            }

         }

    }

    The fact that this problem is in v3.0.0.0 I'm wondering why nobody else encountered this problem. Should I be using another version?

  • Is the tool Windows 7 x64 Sp1 compatible? It hangs for me at creating snapshot... Progress 10%

  • Hi Andre,

     I don't think this tool has been tested to work on Windows 7. I don't know of a reason why it should not work, but on my Windows 7 64-bit machine, the tool crashes on launch and won't even get to the point of letting me try to create a snapshot.

  • I also had crashes (InvalidOperation) in a Vista VM. But on my Windows 7 nothing works. I can only see that the paged pool is getting higher (over 1GB) and I have disk IO.

    The idea of the tool is great. Will it be ever updated (to .net 4.0 and to work with Win 7)?

  • This tool looks great, but no support for Win7?

  • Here's the link for the Windows 7 toolkit:

    www.microsoft.com/.../details.aspx

    Looks like an excellent tool to automate the detection of malware. I often wonder why the security experts at Microsoft never built an inline commercial malware analysis platform. I suppose their not interested in such wild ideas like making money.