What to look for in Process Monitor to see if an apps is sending data to another location

We are starting to use Process Monitor to monitor apps being installed.  There is a lot of data.  We look for "http:" for remote web location, but we also know that it can use IPs or anything else we as regular users may not know.  What should we look for to know if an apps is sending to other locations, websites, IPs or drive locations.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Not sure process monitor is suitable for that. I think it lets you see what local resources are used and where. They are.
Wireshark or ms network monitor is the tool to capture packets .
Ashok DewanFreelancerCommented:
here are some tools you can use.
1) Process monitor:- In this you can see established connections through TCP network button and send/receive packets.
2) Cports:-  It will also show you connections made by applications.
3) Free Comodo firewall have best tool to see which app is going outside. It shows live activity. I never found individual tool like that. Active view tab in this firewall show you live activity.
4) you can also use wireshark. But it will not show you application name if you found traffic going outside. You have to analyze on the basis of protocols and port number.
JohnBusiness Consultant (Owner)Commented:
For reviewing internet traffic from one location to another, I use Comm View. This is an excellent packet sniffer but not free. Tamosoft.net.

Wire Shark is another packet sniffer. It is free, but not as flexible as Comm View.
10 Tips to Protect Your Business from Ransomware

Did you know that ransomware is the most widespread, destructive malware in the world today? It accounts for 39% of all security breaches, with ransomware gangsters projected to make $11.5B in profits from online extortion by 2019.

rayluvsAuthor Commented:
So Process Monitor will not monitor an installation apps if its sending data to another location?

If PM cannot do this, then how can we setup Wire Shark to check out an installation apps ift sending data to the internet.
JohnBusiness Consultant (Owner)Commented:
Process Monitor is for monitoring internal computer activity. Comm View is for monitoring internet activity.
Each tool covers what it covers, what you are looking at is using multiple tools to capture the data each can capture .
What is it you are looking to learn?
rayluvsAuthor Commented:
We want to monitor installation process of programs to see if they send data outside the PC and what do they access within the PC.
JohnBusiness Consultant (Owner)Commented:
You need a packet sniffer to see what happens once installed. That is how I do it.
rayluvsAuthor Commented:
We during the process of installation.
JohnBusiness Consultant (Owner)Commented:
You can have a packet sniffer running while installing and you can get your answers.

I have hundreds of applications on my computer. None of them are particularly interesting to watch install. The vast majority of them run home to mom looking for updates. They do not do anything nefarious.

What are you looking for?
rayluvsAuthor Commented:
Just got a call from one of the techs; said that Fiddler does this task, monitor an installation can capture if they are sending data outside the PC.  By any chance you guys know anything anything Fiddler? (don't want to install an apps an have my PC messed up)
rayluvsAuthor Commented:
What we are looking for is if an installation is sending data outside the PC or accessing any sensitive area of the PC.  We have to install a series of apps for other types of testing and wanted to know what they actually do.
JohnBusiness Consultant (Owner)Commented:
Fiddler is a web debugging program.


It is probably more interesting to see what it does AFTER it is installed.
JohnBusiness Consultant (Owner)Commented:
What we are looking for is if an installation is sending data outside the PC or accessing any sensitive area of the PC  <-- This will happen AFTER installation, not during.
Often, install offline will not impair the install proving that network access is not essential.  Running the program offline will let you know whether it needs to be activated and if so how (I.e. Entering an activation code) as John pointed out. When starting the program for the first time it wants to activate and one option it is using is through Internet access back home ......
rayluvsAuthor Commented:
understands on both entries, but if we need to monitor an installation process, what the apps is accessing/sending, what app(s) or steps do you guys recommend?
JohnBusiness Consultant (Owner)Commented:
I see no need to monitor an installation process. Nothing interesting there. What you need AFTER installation is a packet sniffer for what you want.
rayluvsAuthor Commented:
I'm with on this but our assign task is to check what the apps is doing during the installation.
JohnBusiness Consultant (Owner)Commented:
Some installations are done in 15 seconds or 30 seconds. What are you looking for. An install puts files into Program Files, entries into the registry, and maybe calls home to mother. A running packet sniffer will pick up the latter with no trouble.

Why do you need to know what is written to the registry? Process Monitor is the tool for this, but you could go blind and nuts trying to figure it all out.

Beyond packet sniffing (use a packet sniffer) what are you looking for?
As John pointed out, only applications that require internet/external connection to install would fall into the category that it will be useful to monitor with whom they communicate at the time. Often the install has an option to auto active at the conclusion of the install.

In regards to your question process monitor is the tool to use to determine what file system objects it is accessing and which registry settings it is accessing.
You would use a sniffer (MS network monitor tool or wireshark) to capture network traffic.
In wireshark, to minimize the amount of data, you would need to make sure to limit as much as possible your network application (mapped shared drives, iscsi resources unless you can limit the interface if iscsi has its own dedicated network, etc.)
Why not eliminate one that is easily handled, install while offline. no matter if it would send something, it will not be able to and procman might reflect the "attempt access to a network resource"
Ashok DewanFreelancerCommented:
In your case what I always do, I configure firewall such as Comodo, zone alarm pro. Then I make one rule on firewall that is Block all traffic and log it. If any application tries to go outside then it shows in logs where it was trying to go. That is easy to know.

Do the following :-
1) Close all unnecessary services and application first
2) then install comodo firewall which is free. This is Second best application firewall after ZoneAlarm for home users.
3) Remove all pre-configured rules then make one rule for All applications and exe files. That is Block all traffic for any IP protocol, TCP and UDP with log enabled. Now, Firewall will stop every traffic and will show in the logs.
Other thing is If you want to trace all changes during any software installation then you can use following tools.
1) process monitor
2) Microsoft attack surface analyzer(Required Dotnet 4.5)
3) InCtrl5

Fiddler and Burp tool both are dedicated to monitor only web traffic and These are best tools till now for web traffic troubleshooting, monitoring, testing and analysis.
rayluvsAuthor Commented:
Ashok Dewan, that is what we want, exactly what you say "...want to trace all changes during any software installation ...".  You include as #1, Process Monitor.  Which brings me back to our original question "What to look for in Process Monitor to see if an apps is sending data to another location".  In other words, beside "http:" or "www" or "\\", what else can tell us that the apps is accessing outside the PC installed?
Ashok DewanFreelancerCommented:
Check images attached by me
My steam.exe going outside
My PC ip address is    ---going outside---> at port no. 27019
27019 is game server port number for csgo game

below is the tutorial of process monitor if you need

Whenever you install any software then during installation following things happen :-
1) registry changes, queries, new key creations, deletions,
2) File and folder creations, file changes, DLL files creations,injections, queries  and etc...
During this process if your suspect software tries to go outside then firewall will block it and log it for you to watch it and also you can see logs in process monitor.
By this way you would determine the behavior of any software.
And you can also kept using above tools in background if you want such as wireshark, MS network monitor.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
rayluvsAuthor Commented:
Hey Thanx!  Worked!  When exporting the entire file we saw IPs by looking for UDP Receive/Send.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Network Security

From novice to tech pro — start learning today.