Using Process Monitor from SysInternals

Sometimes you need to figure out what an application is doing: where it's retrieving information from or saving data to.

In my scenario, I was trying to figure out where a game was saving its high scores and configuration. I found a location in my AppData folder, but deleting it would not wipe it from the game. I considered the Registry as well, with no luck.

I decided on using Process Monitor from Microsoft SysInternals for the job.

First, I tried filtering to only include the .exe as the process name and ran the program. This yielded several thousand results, which was too much. I then tried using .swf in the path, since this game was built on Adobe AIR, which only yielded the content in the path I already knew about. Finally, I tried using the Steam ID number contained in the path, which led me to the secret folder in the AppData directory and a secret file formatted in JSON, with all the high scores, configuration, and even the ability to unlock certain parts of the game. Deleting this file properly wiped the game of the data.
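The same narrowing (process name first, then a substring of the path, then only the operations that actually write) can be replayed offline on a Process Monitor CSV export (File > Save..., CSV format). This is an added example, not code from the original post; the CSV rows, the process name game.exe and the Steam ID 123456 are constructed placeholders.

```python
import csv
import io

# Constructed sample of a Process Monitor CSV export. The column names are
# procmon's default CSV header; every row below is made up for this example.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.100","game.exe","4120","CreateFile","C:\\Game\\assets\\main.swf","SUCCESS","Desired Access: Generic Read"
"10:01:02.200","game.exe","4120","ReadFile","C:\\Game\\assets\\main.swf","SUCCESS","Offset: 0, Length: 4,096"
"10:01:03.000","game.exe","4120","RegQueryValue","HKCU\\Software\\Example\\Game","NAME NOT FOUND","Length: 144"
"10:01:04.000","game.exe","4120","CreateFile","C:\\Users\\u\\AppData\\Roaming\\GameName\\cache.dat","SUCCESS","Desired Access: Generic Read"
"10:01:05.000","game.exe","4120","CreateFile","C:\\Users\\u\\AppData\\Local\\STEAMNAME\\123456\\save.json","SUCCESS","Desired Access: Generic Write"
"10:01:05.100","game.exe","4120","WriteFile","C:\\Users\\u\\AppData\\Local\\STEAMNAME\\123456\\save.json","SUCCESS","Offset: 0, Length: 812"
"10:01:06.000","explorer.exe","1204","CreateFile","C:\\Users\\u\\AppData\\Local\\STEAMNAME\\123456\\save.json","SUCCESS","Desired Access: Generic Read"
"""


def load_events(text):
    """Parse a procmon CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def narrow(events, process_name=None, path_contains=None, operations=None):
    """Apply include filters cumulatively, like stacking rules in procmon's filter dialog.

    Each argument that is given must match; None means 'do not filter on this column'.
    Matching is case-insensitive because Windows paths and process names are.
    """
    kept = []
    for e in events:
        if process_name and e["Process Name"].lower() != process_name.lower():
            continue
        if path_contains and path_contains.lower() not in e["Path"].lower():
            continue
        if operations and e["Operation"] not in operations:
            continue
        kept.append(e)
    return kept


def written_paths(events):
    """Distinct paths the process successfully wrote to: the real candidates for a save file."""
    return sorted({e["Path"] for e in events
                   if e["Operation"] == "WriteFile" and e["Result"] == "SUCCESS"})
```

Filtering on the process name alone keeps every event the game generated; adding the Steam ID substring and then keeping only successful WriteFile operations leaves just the file that holds the saved state.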

Personal note for reference: the game involved was The Jackbox Party Game Pack, and the secret directory was %LOCALAPPDATA%\STEAMNAME, while the other leftover directory, which didn't affect the game when deleted, was at %APPDATA%\TheJackboxPartyPack.
