Find files created or modified by an installer

Jan 05, '10 07:30:00AM

Contributed by: tempel

Do you like to know which files and folders get created or modified when you install a new application? I can suggest two different solutions: Either use a tool to track all file system changes, or use a tool that searches the disk by creation/modification dates.

[robg adds: This hint includes information about using a free program, Find Any File, as one way to track file system changes. The author of this hint (Thomas Tempelmann) is the author of that application. However, because there's good information here in the hint, and because the app itself is free and seems to work well, I felt it was worth sharing. Read on for the discussion...]

Logging tools

First the "pro" method: Use a file system logging tool to trace all file operations during a period of time. The problem with these tools, though, is that you might see much more information than you want. Sorting out what's relevant may need some experience and/or patience.

For Terminal-savvy users, the tools of trade are: fs_usage and fslogger. I'll not go into detail here, as they require some reading, and there are man pages available. There's also fseventer, which provides a graphical user interface to fslogger. However, it doesn't offer convenient filters, so you'll usually get much more information than you seek.

Regardless of the tool used, the workflow is as follows:

  1. Start the logging tool
  2. Install the software
  3. Stop/pause the logging tool and analyze its output.
Searching for modifications afterwards

Another alternative is to use my program, Find Any File (FAF), which allows you to search for recent file and folder changes on your disk. Again, this might show you more items than just those of an install process, but the hierarchical view in FAF's results window should make it easy to see which folders and changes are related to the installation.

The workflow is as follows:
  1. Note the time when you start the application installation.
  2. Once the installation has finished, launch Find Any File, and change its search criteria to something like: Modification Date -- is within the past -- X minutes, replacing the "X" with the amount of time that passed since you started the installation.
  3. Hold down the Option key, which changes the Find button to Find All, then click the Find All button, which will relaunch FAF in root mode (and ask for your admin password) and start searching all areas of your hard drive.
  4. Once you see the results window, switch to the hierarchical view (Command-2) to see which folders have changed items.
  5. Repeat the search process for files with a recent Creation Date
Note: The are many other find tools similar to Find Any File, but FAF has the ability to search in root user mode, making it possible to find even such files that may be protected or hidden to the "normal" user.


None of the above options are perfect. The file system logging technique is safer than using a search tool (which still can be fooled if an installer resets creation dates of files and folders). I sometimes like to know what gets installed in my system, especially if it's an installer that asks me for my admin password. Usually, the "find" technique is sufficient, but if you really need to know every detail, go the logging route.

I think the best way to see which files get modified or installed by an app or its installer is to develop a special application which is based on fslogger or fs_usage, and which pays attention only to modifications invoked by the targeted app or its installer. A unix whiz may even be able to get this working just with fs_usage (it has quite a few helpful filters for this), but I imagine something with an easy-to-use UI. Any takers?

Comments (20)

Mac OS X Hints