If you wanted to determine/quantify the impact installing/desintalling a software has a on a system using images of a system before installing said software, and after, what are good things to look at/consider besides registry changes?
Â
Â
Can create a "signature" of all files changed between the two images. Including the registry files.
https://www.osforensics.com/faqs-and-tutorials/how-to-create-a-hashset.html#method3
Start by deciding what type of impact you are interested in. 'Good things' is not well defined term: you have to make your mind up. You mention registry changes. There's also filesystem changes (files created, deleted, modified, ...etc), system configuration changes (other software installed, uninstalled, updated, reconfigured, ...) including possible user changes. And there's always file access in general, and network activity. And perhaps also file hashes of installed files
Once you know what you want, it's easier. Only platform changes, then network activity may be uninteresting, for example.
In general, malware analyzers do most of this for installation, although they may be less useful for deinstallation. They tend to be rather costly, though. SysInternals Process Explorer allows you to collect almost everything, but you must be prepared to spend quite some time getting familiar with its capabilities
Â
For a relatively easy free option, take a look at SandboxIE. (Warning: It seems to have changed since I last checked it, when Sophos developed it -- but that seems to be on Github still.) It's easy to run a particular program (install.exe) in a sandbox, and as a result you get a directory tree where all modified (or even accessed?) files are collected, and, if I recall, also a file with registry changes. (There used to be a utility to print out changes as a report, but it is ages since I tried it -- check the product support forum for that.)
Same thing for uninstall.Â
There are several other possibilities, such as Cuckoo Sandbox, with different capabilities. Look around.
Â