SpyStudio v2.0 Overview
SpyStudio is the best product to trace user-mode API calls on Windows. SpyStudio is an Application tracer which shows and interprets calls, displaying the results in a structured way which is easy for any IT professional to understand. SpyStudio can understand the resources that an application uses, track down errors, detect malware and create application layers for virtualization.
SpyStudio has a trace comparison tool which is useful for identifying problems in virtualized environments. You can obtain two samples: the native version of the application and the virtual version which has the problems. Using the 'Compare traces' feature, you can see what is missing in the virtual environment. SpyStudio is the user-mode SysInternals Process Monitor's (aka Procmon) complement. Looking for application errors with kernel-mode traces is tedious, and it is very difficult to see the final outcome of a user-mode call. With kernel-mode tools, you get a lot of noise that the application does not see, since a single user-mode call generates lots of kernel-mode events that are not important from the application's perspective. Most application errors are generated by failed user-mode calls which expect a different state of some resources: registry keys and values, files, pipes, services and printers.
SpyStudio can also be used for Dynamic Program Analysis because it allows to trace a large number of functions which provide more than enough data to understand the application flow, runtime dependencies and resources used.
SpyStudio is very useful to test filter driver's performance. It can show time differences when the application executes user mode APIs. Unlike the rest of the products, it shows exactly the time that kernel mode takes to answer a system call. If a system call generates several kernel level calls, Process Monitor or any other kernel tool will show several calls that are not relevant to the application performance.
SpyStudio is able to read Process Monitor logs and show them in a user friendly interface. It shows registry operations like the Regedit and errors with a different color, and file operations like an Explorer (see Load ProcMon log).