The following is provided from Microsoft Security and Compliance blogs at TechCommunity:



Attack Surface Analyzer has been a valuable asset to software developers and IT security personnel for years in helping detect key system changes that may occur from software installations.  We’re pleased to announce the release of Attack Surface Analyzer 2.0 earlier this month, which is a complete rewrite of the classic 2012 version of the tool, and remains one of several tools recommended from Microsoft SDL Practices which can help improve customer trust in software.


Attack Surface Analyzer 2.0 helps identify potential security risks introduced by new or untrusted software by detecting changes to key areas of the system security configuration including: 

  • File System
  • User Accounts
  • System Services
  • Network Ports (listeners)
  • System Certificate Store
  • Windows Registry

It includes both static change detection of these key areas and real time file change monitoring as well as an export feature for snapshot data which is stored in a local SQLite database file.   Additional collection types and improvements are planned to be released later this year. 


Attack Surface Analyzer 2.0 comes with both a scriptable command line interface (CLI) and an Electron based option which can optionally be replaced with your own custom front end to call the underlying core components programmatically for a different or white label client experience.  The entire codebase has been released as an Open Source project on GitHub allowing developers to further extend the tool features themselves or contribute for the community.  The application now comes with cross-platform support for Windows, Linux and macOS.




Attack Surface Analyzer allows you to create “snapshotsâ€� before and after you install the target software under consideration.  A clean initial system with minimal additional software is ideal, but not required though it does require administrator user privileges to use fully .


Let’s say you want to detect system changes made from the installation of a software application e.g. Firefox. After downloading Attack Surface Analyzer, you can use the Electron GUI option and select Start or Scan to create a baseline initial snapshot labeling it e.g. “Before Installâ€� or “Clean Systemâ€� and allow the scan to complete.


Scan1.pngScan system

Next, install your software and run a new scan labeling it “After Install� for example and selecting the same collector types used in the initial scan.


Note: you can also run additional scans to capture changes made while using the software beyond just the installation.


Use the Analyze Results feature selecting both the initial and post install scans that were previously saved to analyze for changes or selecting any two scans for comparison.  Finally, choose a desired filter to view any unexpected and potentially security impactful changes that were made.


Results.pngAnalyze results







Alternatively, use the CLI interface which comes with command line help and the same level of functionality or greater in some cases, and which can be scripted into your build or other processes.

CLIsn1.pngCommand line option


Software Development Lifecycle Value


Attack Surface Analyzer contributes as an important software development best practice helping ensure the use of least privilege in your own software products for minimizing unwanted attack surface changes to your customers systems.  The output options provide evidence for release management and security auditors that your code does only what it claims. 


As maintaining customer trust is key, it is just one more reason why it is recommended from the Microsoft SDL Practices.  Future releases of the tool will include additional security guidance help on identified changes that may warrant additional scrutiny.

Getting Started


To get started, visit the project site on Github at and download the latest release.  We value your feedback, bug reports, and ideas and are excited by the release of this valuable tool for contributing to security compliance needs.


The above was provided from Microsoft Security and Compliance blogs at TechCommunity