NoVirusThanks PE Capture Portable

NoVirusThanks PE Capture Portable — Fast PE Extraction & Metadata Viewer

NoVirusThanks PE Capture Portable is a lightweight Windows utility that captures Portable Executable (PE) images (EXE, DLL, SYS) as they are loaded in the system, saving copies and logging execution events for offline analysis.

Key features

  • Capture: Automatically saves loaded PE files into an “Intercepted” folder (files renamed by hash).
  • Logging: Records execution events with timestamp, file path, MD5 hash, file size, publisher/company and signer; can export logs to file or the Windows Event Viewer.
  • Exclusions: Manage files/folders to skip (supports wildcards).
  • Filters: Options to skip large files (e.g., >50 MB) and ignore Microsoft- or vendor-signed files.
  • Configurator GUI: Simple settings UI for directories, logging, and exclusions.
  • Lightweight: Low CPU/memory impact; useful in malware analysis and incident response.
  • Trial / Licensing: Typically distributed as shareware with a 30-day trial; personal/business licenses available.

Use cases

  • Malware analysis and sandboxing — capture in-memory or just-before-execution PE samples.
  • Incident response — build a timeline of loaded executables and DLLs on an infected host.
  • Forensic collection — grab copies of drivers and DLLs that may have been moved or remapped.

Limitations & notes

  • Captured files are renamed to their hashes, which may require additional mapping to original names.
  • No comprehensive local help included; some UI elements (like exclusion entry) may require manual paths.
  • Verify compatibility with your Windows version (supports Windows 7 SP1 through Windows 11, per vendor).
  • Always run in a controlled/test environment when analyzing untrusted binaries.
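
The hash-to-name mapping mentioned in the first limitation can be rebuilt from the execution log. The following is an added example, not code from the vendor or the tool: it hashes each captured file and looks the MD5 up in the log. The three-column CSV layout, the function names and the sample files are assumptions constructed for the demonstration; adapt the parser to the log export you actually have.

```python
import csv
import hashlib
import io
import tempfile
from pathlib import Path

def md5_of(path):
    # MD5 is used only because it is the hash the log records.
    h = hashlib.md5(usedforsecurity=False)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def map_captures(intercepted_dir, log_text):
    """Map each captured file to its MD5 and the original paths the log saw it under."""
    seen = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        seen.setdefault(row["md5"].lower(), []).append((row["timestamp"], row["path"]))
    report = {}
    for f in sorted(Path(intercepted_dir).iterdir()):
        if f.is_file():
            digest = md5_of(f)  # hash the content, do not trust the file name
            report[f.name] = {
                "md5": digest,
                "name_matches_hash": f.stem.lower() == digest,
                "seen_as": seen.get(digest, []),  # empty list: no log entry
            }
    return report

def demo():
    # Constructed sample data: three fake captures and a log in an
    # assumed CSV layout (timestamp, path, md5).
    a, b, c = b"MZ constructed A", b"MZ constructed B", b"MZ constructed C"
    ha = hashlib.md5(a, usedforsecurity=False).hexdigest()
    hb = hashlib.md5(b, usedforsecurity=False).hexdigest()
    log = (
        "timestamp,path,md5\n"
        f"2024-01-01T10:00:00,C:\\Users\\lab\\Temp\\setup.exe,{ha}\n"
        f"2024-01-01T10:00:02,C:\\Users\\lab\\helper.dll,{hb.upper()}\n"
        f"2024-01-01T10:05:00,C:\\ProgramData\\copy.exe,{ha}\n"
    )
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / f"{ha}.exe").write_bytes(a)
        (Path(d) / "renamed_by_hand.dll").write_bytes(b)
        (Path(d) / "unlogged.sys").write_bytes(c)
        return ha, hb, map_captures(d, log)
```

A file whose name does not match its content hash, or that has no log entry, is worth a second look before it goes into a case timeline.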

Where to get it

Available from NoVirusThanks’ website and reputable download sites (product pages and reviews list version 1.5+ with changelogs). Check the vendor site for the latest version, licensing, and documentation.
