Analyze install executable


Robert Boudrie

Jan 12, 2026, 11:38:26 AM
to innosetup
I have an executable that appears to be prepared as an installer using this program.

Is there a way I can analyze the file to see what it installed? I unintentionally ran it and fear it is scam software, so I would like to determine what files and/or registry settings were added/changed.

I cannot find what I seek in a "strings" of the file, however, that did lead me to believe this was the install package used.

Jernej Simončič

Jan 12, 2026, 1:28:19 PM
to Robert Boudrie on [innosetup]

On Monday, January 12, 2026, 17:24:09, Robert Boudrie wrote:


> Is there a way I can analyze the file to see what it installed? I unintentionally ran it and fear it is scam software, so I would like to determine what files and/or registry settings were added/changed.
>
> I cannot find what I seek in a "strings" of the file, however, that did lead me to believe this was the install package used.

If it's Inno Setup, it'll support the /LOG command-line parameter.

You can also try using InnoUnp to extract files from the setup.

-- 
< Jernej Simončič ><><><><>< https://eternallybored.org/ >


Once the erosion of power begins, it has a momentum all its own.
       -- Law of Political Erosion

Robert Boudrie

Jan 12, 2026, 1:58:58 PM
to innosetup
I installed InnoUnpacker and unfortunately it appears to expect an archive file. The file I need to examine is an install ".exe" file. Looking for a way to analyze the .exe file.

Thanks

Gavin Lambert

Jan 12, 2026, 6:31:38 PM
to innosetup
InnoUnp does work on exe files.  If it doesn't work for your installer, it might not be an Inno one, or InnoUnp might be outdated.  If you run the installer again, right-click the title bar and check for an About menu that should confirm it.

Otherwise, set up a VM, run Process Monitor, and then run the installer.  This will generate way too much logging (even once you filter it down to the right processes) but it should tell you exactly what it does, unless it does different things each time.  Or if it's an Inno installer then you can re-run with /LOG as Jernej suggested.

/LOG and InnoUnp both might omit some things, if the installer was deliberately written to conceal them (which is more likely for malware, but does not in itself prove malware).  Process Monitor will tell all though.
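
An added example, not part of any post in this thread: one way to cut a Process Monitor capture down to what the installer and its child processes actually changed. It assumes a CSV export with Procmon's default columns and that a "Process Create" row's Detail field begins with the child's PID; the sample rows, paths and the function name `installer_changes` are constructed for illustration.

```python
import csv
import io
import re

# Operations that modify state; names as shown in Process Monitor's Operation column.
CHANGE_OPS = {"WriteFile", "SetRenameInformationFile", "SetDispositionInformationFile",
              "RegSetValue", "RegDeleteValue", "RegDeleteKey"}

# Constructed sample in Procmon's default CSV column layout (not real capture data).
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:00:01 PM","setup.exe","4100","WriteFile","C:\Users\u\AppData\Local\Temp\is-EX.tmp\setup.tmp","SUCCESS","Offset: 0"
"1:00:02 PM","setup.exe","4100","Process Create","C:\Users\u\AppData\Local\Temp\is-EX.tmp\setup.tmp","SUCCESS","PID: 4200, Command line: setup.tmp"
"1:00:03 PM","setup.tmp","4200","WriteFile","C:\Program Files\ExampleApp\app.exe","SUCCESS","Offset: 0"
"1:00:03 PM","setup.tmp","4200","WriteFile","C:\Program Files\ExampleApp\app.exe","SUCCESS","Offset: 4096"
"1:00:04 PM","explorer.exe","900","WriteFile","C:\Users\u\unrelated.dat","SUCCESS","Offset: 0"
"1:00:05 PM","setup.tmp","4200","RegSetValue","HKCU\Software\ExampleApp\InstallPath","SUCCESS","Type: REG_SZ"
"1:00:06 PM","setup.tmp","4200","WriteFile","C:\Windows\blocked.dll","ACCESS DENIED",""
"1:00:07 PM","setup.tmp","4200","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 4300, Command line: cmd.exe /c post.cmd"
"1:00:08 PM","cmd.exe","4300","WriteFile","C:\ProgramData\ExampleApp\post.log","SUCCESS","Offset: 0"
'''

def installer_changes(csv_text, installer_name):
    """Return (tracked PIDs, {(operation, path): process names}) for the installer tree."""
    tracked, changes = set(), {}
    # Strip a leading byte-order mark, if the export has one, so the first header matches.
    for row in csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff"))):
        pid = row["PID"]
        if row["Process Name"].lower() == installer_name.lower():
            tracked.add(pid)
        if pid not in tracked or row["Result"] != "SUCCESS":
            continue
        if row["Operation"] == "Process Create":
            # Follow the child PID so helper processes started by the installer are included.
            child = re.match(r"PID: (\d+)", row["Detail"])
            if child:
                tracked.add(child.group(1))
        elif row["Operation"] in CHANGE_OPS:
            changes.setdefault((row["Operation"], row["Path"]), set()).add(row["Process Name"])
    return tracked, changes

if __name__ == "__main__":
    _, found = installer_changes(SAMPLE, "setup.exe")
    for (op, path), procs in sorted(found.items()):
        print(f"{op:<16} {path}  [{', '.join(sorted(procs))}]")
```

Rows are matched in capture order, so a PID that Windows reuses for an unrelated process later in a long capture would also be counted; keeping the capture short avoids that.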