My favorite tools for Windows are the ones that let you not only look under the hood (so to speak), but inside the engine itself. Process Explorer for instance, has long been the reigning king of such apps. As time has gone on, however, I've found a slew of other programs to complement Process Explorer's functionality. The newest candidate is called API Monitor from Rohitab Batra.
It's not hard to guess what API Monitor does considering its name. It tracks application program interface (API) calls made by programs and lets you analyze the results in a variety of ways. It's not for novices though, as it requires some understanding of Windows APIs -- otherwise the results it returns won't be of much use to you.
API Monitor works by running side-by-side with the programs you want to monitor. When you launch the program, you'll see a tree view of API lists in the upper left window from which you can select APIs to monitor. The window in the bottom left contains a list of processes that are currently running. Right-click on one, select Hook and API Monitor will begin dumping a list of all the previously selected APIs used by that program.
Each hooked process appears as a subentry in the Hooked Process window. Expand the program entry and you'll see a list of threads tracked from that process. Note that terminated threads are grayed out. Select a thread and you'll see a list of the API calls made from that thread. Click on a call to see its parameters exposed in another sub-window.
API Monitor isn't just limited to dumping native Windows APIs, however. It comes pre-loaded with API definitions from a number of third parties such as Mozilla. If you want to add a definition for a dynamic link library (DLL) on your own, you can manually create the definition as a simple XML-format file and add it to the program's API dictionary. The dictionaries let you register web links for APIs, which allow you to click on the name of an API and see a description for it in a browser window (from MSDN, for instance).
There are also a slew of tutorials available to walk you through some common API Monitor tasks, such as sniffing SSL-encrypted traffic from Internet Explorer. Before you panic, however, remember that this is only sniffing traffic on the local computer and that if someone has console access to your machine, it's game over for security no matter what.
API Monitor comes in two editions -- one for monitoring 32-bit applications and another for 64-bit apps. Unlike Process Explorer, where the 64-bit version could analyze 32-bit processes, you can only use the 64-bit version of API Monitor to analyze 64-bit programs and vice versa. Also, note that some programs may crash when hooked or unhooked, so don't hook into a program that's currently working with data you don't have backed up somewhere.
An older version of the program, API v1.5 (32-bit only) is also available, but the author encourages using the newer version, both for its expanded feature set and to help uncover bugs.
ABOUT THE AUTHOR
Serdar Yegulalp has been writing about computers and information technology for more than 15 years for a variety of publications, including InformationWeek and Windows Magazine.