Guide / Main UI

Main UI reference

The main interface is shown after the wizard's Start or Skip. The status label at the top reflects current view mode (e.g. Showing snapshot diff, Displaying Base Snapshot, or a countdown). Below that is the tab strip with all snapshot categories.

Tabs

Every tab has a list view of the data for the current view mode. Right-click most tabs for a context menu specific to that data type. Tabs not mentioned in the wizard's options (API Log, Directory Watch) are hidden when the corresponding feature is off.

Tab	Content
Running Processes	PID, parent PID, user, path, owning service. Right-click to act on the selected process (see Process menu).
Open Ports	Port, PID, type (TCP/UDP), path, owning service. Click an entry to load the corresponding process into the right-click menu.
Process Dlls	Two list views side by side. Left: per-monitored-process row (PID, dll count, name). Right: DLL list for the selected process row.
Loaded Drivers	Driver file, company name, description.
Reg Monitor	Path, value. The path column shows full registry path; the value column shows the data or sub-key name. See monitored keys.
Api Log	Real-time API call log from `api_log.dll`. Visible only if API logging was enabled. Some on-the-fly de-duplication is applied so identical entries do not flood the list.
Directory Watch Data	Action (created/modified/deleted), size in hex (with `+` if file was auto-saved), full path. Visible only if directory watching is on.
Mutexes	PID, mutex name. New mutexes after Snapshot 2 are flagged.
Tasks	Name, executable, full task path. Multi-select; double-click to dump full task XML.
Pipes	Named-pipe names.
Services	PID, service name, display name, path, description.
WMI	WMI event subscriptions: name, size, prop count, prop size, data preview. Double-click an entry to view all properties — useful for catching WMI persistence.

Color coding (when Known File DB is loaded): Files known to the DB show in green/blue. Known files whose hash has changed show in red/orange. Files matching the user's hide-known toggle disappear from the list.

Snapshot menu

Item	Action
Show Snapshot 1	Display Snapshot 1 (pre-launch state) across all tabs.
Show Snapshot 2	Display Snapshot 2 (post-launch state) across all tabs.
Show Diff report	Display the diff (default after the countdown ends).
Take Snapshot 1	Take a fresh base snapshot now. Replaces existing Snapshot 1 data.
Take Snapshot 2	Take a second snapshot now. Useful when the wizard's countdown was skipped or when a malware operates on an irregular schedule.
Start Over	Relaunch SysAnalyzer cleanly, preserving the original sample path on the command line.

Data menu

Item	Action
Search All Tabs	Prompt for a substring; case-insensitive search across every tab. Matches are selected on each tab and consolidated into a results report.
Copy All Tabs Data	Copy a flat dump of every tab to the clipboard.
Copy All Selected Entries	Copy only the rows currently selected, across all tabs.
Basic Text Report	Generate the consolidated text report and show it in a viewer.
Report Viewer	Open the analysis folder in the Report Viewer.

Tools menu

Item	Action
Scan Procs for Unknown Dlls	Identical to wizard equivalent. Disabled if Known DB is empty.
Scan Processes For Dll	Prompt for a DLL name; report all processes that have it loaded.
RWE Memory Scan All	Scan every running process for RWE memory regions; open the injection scan viewer.
String Memory Scan All	Open the deep memory scanner across all processes.
Start/Stop Filesystem Monitor	Toggle directory watching at runtime. The Directory Watch Data tab appears or disappears accordingly.
No Sleep	Toggle: prevents Windows from sleeping during long analyses.
Services.msc	Launch the Services console.
Command Prompt	Launch `cmd.exe` elevated.
RunAs Trusted Installer	Spawn a shell with TrustedInstaller privileges.

KnownDB menu

Item	Action
Disable	Toggle: ignore the Known File DB even if loaded. Useful for sanity checks and false-positive hunts.
Build Known File DB	Open the file scanner to populate the DB. Run only on a known-clean system.
Hide Known Files	Toggle: hide DB-known files from all list views.
Update Known Db	Show all currently-displayed unknown files in a marker form so trusted files can be promoted into the DB.

Right-click: Processes

Available on the Running Processes, Open Ports, and Process DLLs tabs. Items dependent on the process being alive are disabled when the PID has exited.

Main UI with the process right-click menu and Tools menu both open — Main UI with the process right-click menu (top) and the Tools menu cascaded (bottom). Older shot — current builds also expose Pipes, Services, and WMI tabs.

Item	Action
Analyze	Run full per-process analysis (memory dump, dll dumping, strings, RWE scan). See Process analysis.
ShowDlls	Open a window listing every module loaded into the process with company name and description.
Memory Map	Open the memory-map viewer for the PID. Shows every allocation with base, size, protection, and type.
Memory Search	Open the deep memory scanner pre-filtered to this PID. Supports ASCII, Unicode, and `\xNN` byte sequences.
RWE Mem Scan	Scan only this process for RWE-marked allocations.
Dump	Memory-dump the main module to disk and apply a quick PE alignment fix.
Kill	Terminate the process.
Kill All	Terminate every process matching the current list filter (only enabled when a filter is active).
Debug	Attach the system's registered JIT debugger (`HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug`). Errors out if no JIT is registered.
Strings	Run strings on the process executable.
Command Line	Show the command line used to launch the process.
Copy File Path	Copy the executable path to clipboard.
File Properties	Show full file properties: hashes, version info, sections.
Save to Analysis Folder	Copy the executable into the analysis folder.

Right-click: Process DLLs

Item	Action
Add Selected To Known DB	Promote selected DLLs into the Known File DB.
View All Properties	Show full file properties for the selected DLL.
Dump Module	Memory-dump the loaded module.
Copy To	Copy the on-disk file to a chosen path.

Right-click: Drivers

Item	Action
Save File	Copy the driver file to the analysis folder on the desktop.
Copy Path	Copy the driver path to clipboard.
Add Selected To Known DB	Promote selected drivers into the Known File DB.

Right-click: Reg Monitor

Item	Action
Copy Selected Line	Copy the path and value of the selected entry.
Copy Entire Table	Copy the full Reg Monitor view.
Open In Regedit	RegJump — opens regedit at the selected key.

Right-click: Tasks

Item	Action
Copy Delete Commands	Build `schtasks /delete /tn "..." /f` commands for every selected task and copy them to the clipboard. Lets you review before deleting.
Delete Selected Tasks	Run the delete commands directly. A summary report is shown after.

Right-click: Directory Watch

Item	Action
Copy Path	Copy the path of the selected file event.
Open Directory	Open the parent folder in Explorer.
Clear	Wipe the Directory Watch list.

Right-click: Api Log

Item	Action
Turn off Api Logging	Toggle: stop processing inbound API messages while the hook DLL keeps running. Use this when an API call is so noisy it floods the list.
Save Api Log	Save the current log to `api.log` in the analysis folder.

Auto-saved artefacts

Without any user action, SysAnalyzer drops the following into the desktop analysis folder during a normal run:

sample_[binary]_ — copy of the original sample.
capture[_N].log — PCAP from windump if Full Packet Capture was enabled.
api.log — API log if API logging was enabled.
dirWatch.log — directory-watch events if any were captured.
ProcWatch.log — process-creation log from proc_watch.exe.
DirWatch\ — auto-saved copies of every modified file the directory watcher caught.
[procname]\ per new process — sample copy, memory dump, dump-fix output, strings.
RWE_Memory\ — RWE region dumps if any were found.
Report_[time].log — consolidated text report.
debug.log — SysAnalyzer's own runtime trace.

Form behavior

The main form remembers size and position between runs. The active list view auto-resizes its last column to fit. List filters are sticky per tab.