Tracking Changes to a Windows System?
The Watcher asks: "I was at my parents' house over the weekend trying to remove various adware/spyware/annoying software, things like Kazaa, Bonzi Buddy, etc. During this I thought it would be helpful to know things like exactly what files/folders were created/modified and what registry entries were created/modified by an installer program, so that I would not have to rely on the supplied uninstaller that only removes a selected subset of what was installed. So what are some preferred utilities out there that work well for this purpose?"
Specific solutions (Score:3, Informative)
For the average program, Windows XP comes with a very nice utility that allows you to restore your setup to a previous day. I've found it to be very useful. Don't know about more generic utilities for older Microsoft OSes.
Re:Specific solutions (Score:2, Informative)
Re:Specific solutions (Score:2)
Should have made that more clear the first time, sorry 'bout that.
Right answer, wrong question. (Score:2, Informative)
Re:Right answer, wrong question. (Score:2)
Faronics Deep Freeze is the way to go. BTW, how do you disable it? My college is running it, and they run their boxes at 800x600 with the XP theme, and Opera gets wiped every time...
Re:Right answer, wrong question. (Score:2)
Re:Specific solutions - try RegShot! (Score:1)
It's free (as in beer).
You can make snapshots of certain points in time, and compare shots for differences. Unfortunately, the snapshots themselves are garbled (iow it's not standard
I use this (and RegTick) to manage and lock down a bunch of computers at a youth center, and it's working quite nicely.
installwatch pro (Score:5, Informative)
installwatch pro [epsilonsquared.com]
It will even make an install program for you with the changes!
Clarification of parent (Score:4, Informative)
What you do is this:
1) get the computer in the state you want it, then put InstallRite (not install watch) on the box, and tell InstallRite to take a snapshot.
2) configure InstallRite to start with Windows so it will intercept all setup programs, and take before and after snapshots automatically.
3) leave the system knowing that you will have a good idea later of what has been installed since your last visit, and how to fix problems these installs may have made.
Re:Clarification of parent (Score:2, Informative)
Hopefully never. There's too much room for abuse. Somebody could post something insightful, get modded up and change it to "BSD is dead" or an ASCII goatse thing, etc. etc.
It could also be used in reverse. Someone could get modded down, change their post so they get modded back up, and then revert it.
Suggested solution (Score:2)
a) They were not moderated, and
b) They were not replied to.
Re:Suggested solution (Score:2)
plus showing that they were changed, maybe providing a link to the older ver.
Re:Suggested solution (Score:1)
DDL
Re:Suggested solution (Score:2)
If your correction is many replies down, you now get people replying to the original who haven't seen the correction yet, causing more noise and confusion.
Re:Clarification of parent (Score:2)
Configsafe (Score:2)
Re:installwatch pro (Score:3, Insightful)
Re:installwatch pro (Score:2)
Sysinternals' RegMon and FileMon (Score:5, Informative)
RegMon [sysinternals.com]
This monitoring tool lets you see all Registry activity in real-time. It works on all versions of WinNT/2K, Windows 9x/Me and Windows 64-bit.
FileMon [sysinternals.com]:
This monitoring tool lets you see all file system activity in real-time. It works on all versions of WinNT/2K/XP, Windows 9x/Me, Windows XP 64-bit Edition, and Linux.
Re:Sysinternals' RegMon and FileMon (Score:1)
Re:Sysinternals' RegMon and FileMon (Score:2)
I think the system restore points/install monitoring tools would be the way to go.
Re:Sysinternals' RegMon and FileMon (Score:2)
SpyBot and Adaware do this for you: (Score:1, Insightful)
Adaware - http://www.lavasoftusa.com/software/adaware/ [lavasoftusa.com]
Both are freeware.
Install is only part of the problem (Score:4, Insightful)
HiJack This! (Score:2, Informative)
Tactical Nuke - Auditing... (Score:2)
Slightly more realistically, there are a few tripwire derivatives that may be of some use to you - though these often require a fair bit of administrative overhead, so probably are not appropriate for a parental PC.
But perhaps the easiest way is to use the windows 'search' utili
Re:Tactical Nuke - Auditing... (Score:2)
You are right, but the only sane way to do this is if you are managing many similar systems that can be audited -- or you just want to be sure and don't mind how much time is involved in doing the audit.
The only methods are to stop using Windows (seriously) or do a wipe out and reinstall of registry settings and system + program directories on a regular basis. Just nuke everything that isn't in a small set of protected data. Setting up drive D: to handle all data and nuking
Re:Tactical Nuke - Auditing... (Score:3, Informative)
There are many, many tools that can be used to manage a single workstation.
The easiest way is to build the system then take an image. You could use System Restore points (free with Windows), or you could use Ghost or other utilities. Then simply rebuild the o/s from the image (less than an hour with decent hardware) every time you visit.
If they need to install or use different software then that of course will need to be managed, and new images/system restore points will
Re:Tactical Nuke - Auditing... (Score:2)
I'm stunned when they listen at all.
Re:Tactical Nuke - Auditing... (Score:2)
In the long run, we can see MS is moving towards a secure and patched by default model. For instance, when you set up Windows XP, it has the option to connect to MS and download patches for things like Blaster before the system is even fully running.
In service pack 2 for XP, the firewall is enabled by default. Outlook is blocking m
No admin! (Score:4, Insightful)
Give them an account named "install" that has admin, and explain that it's very dangerous to use that for anything but installing store-bought CD software.
Re:No admin! (Score:2)
While I agree that's a smart tactic for Windows users out of necessity, it's sad that it is necessary.
Re:No admin! (Score:3, Informative)
Same goes for windows. Why is it that you say it's sad that it's necessary to make sure that Windows users aren't admins? Is it sad that it's best practice for Linux users to not be admins?
Seriously though. End users shouldn't be administrators, and that's something we all agree on.
Re:No admin! (Score:1)
Seriously though. End users shouldn't be administrators, and that's something we all agree on.
What about the owner of a machine used in a home environment? Do you use "end users" to refer to the actual people or to their accounts?
Re:No admin! (Score:2)
Obviously "end users" refers to accounts, because people aren't like Neo in the matrix. They need computers to access resources on networks.
Should the owner have an admin account? (Score:1)
Obviously "end users" refers to accounts
I made a mistake in getting my point across. I asked because it could be taken either way: either end users should use separate accounts for daily use of the computer and for administration (which I called the "accounts" way), or end users should not have access to accounts with admin-group privileges at all and must hire a professional to admin the computer (which I called the "people" way). I have read reports of Microsoft eventually shooting for the latter to i
Re:No admin! (Score:1)
Re:No admin! (Score:2)
Gator is installing it into an area that you haven't locked down.
I suggest you use AD policy to restrict users from executing files that relate to spyware, and that you use a CACLS script or similar in your SOE build that locks down the areas that Gator is writing itself to.
So fix it, dear henry, dear henry, dear henry...
Re:No admin! (Score:2, Insightful)
Re:No admin! (Score:1)
Re:No admin! (Score:1)
Took me forever to find it a few weeks ago; but you need to turn off "Use Simple File Sharing" in...um...well,
Re:No admin! (Score:1)
Re:No admin! (Score:1)
A very useful user management command. Add
C:\WINDOWS>cacls
Change Access Control Lists. I think you can use it like chmod, play around with it to find out. Should be useful for your Program Files example
Re:No admin! (Score:3, Interesting)
Try it.
Re:No admin! (Score:1)
But what if they pick up an AOL cd at the store?
Use some security (Score:2, Interesting)
I don't want to talk my dad through this stuff, so I told him to buy a Mac. User friendly and virus proof so far. It's all he needs for web browser and reading e-mail.
Winblows should not be used by 'average' users, it is too hard to maintain and too insecure.
Seriously, you need to determine it th
Re:Use some security (Score:2, Insightful)
See, eventually Mac emulation of x86 will become so good that spyware will install just as readily on the mac.
Or, alternatively, the marketing guys will realise that Mac users are great for spamming/spying on because we already know a couple of things about them that makes them great targets!
For starters, we know they have lots of money because they bought a mac.
Secondly, we know they would rather pay lots of money fo
Re:Use some security (Score:2, Insightful)
Two, what are you talking about with x86 emulation? Sure, you can already get spyware running on a Mac by running Windows in VirtualPC. I somehow doubt, however, that Apple is building something like Wine into the OS and coupling it with x86 emulation. Even so, it would be like installing Windows spyware on a Linux box under Wine. Some simply won't work because they do tweaky stuff to the system at a low level. Others might be made to work through heavy twe
WinInstall LE (Score:4, Informative)
dangers (Score:4, Informative)
The real culprits here are the crappy installers. The sooner all Windows apps are installed using MSI (microsoft installer) services, the easier it will be to audit and rollback, and monitor what is going on. MSI's scope is enormous: it is fully transactional; it audits/logs everything, and it supports every option you could wish for. However, because of this, it is inherently complex and not everyone is using the API: it's gone through 3 versions already.
Once Windows is built entirely on a JIT'ed
- Oisin
MSI for free software? (Score:1)
MSI's scope is enormous: it is fully transactional; it audits/logs everything, and it supports every option you could wish for. However, because of this, it is inherently complex and not everyone is using the API: it's gone through 3 versions already.
Can the Microsoft Installer packager work on systems whose only native compiler is MinGW [mingw.org], or does it require a Microsoft Visual Studio license? If the latter, watch free software for Windows (such as GIMP, Gaim, Foobar2000, and the like) stick to Nullsoft's [sourceforge.net]
Re:MSI for free software? (Score:2)
- Oisin
Re:MSI for free software? (Score:2)
InstallShield & Wise are the two main commercial packages -- I've used both, and prefer Wise. Either is going to set you back about $1K, so they're not terribly practical for the individual developer. VS.Net, as the grandparent points out, provides very limited MSI authoring capabilities.
Re:dangers (Score:2)
I have to disagree with you. Having "every" app use MSI might help cleanup of reasonably legit software like Kazaa, but the GAIN/Gators of the world aren't going to make it t
In the old days... (Score:2)
Then when you wanted to dump the program you use it to eradicate everything in the diff file.
IIRC, it was a Symantec product, but you know it's pushing 1
Re:In the old days... (Score:1)
Cheapo method (Score:3, Informative)
dir
for each drive and then export a copy of the registry (I believe the Windows registry tools will export from a command-line, if not Perl could do so easily).
Keep 2 days of files, the current day and the previous day. At the end of the batch run a diff (I think DOS had a diff utility under a different name, if not get one of the ported versions of the real diff) and just store the diffs of the 2 days long term.
Perhaps once per month keep 1 full copy of the dir and registry results, cleaning them up on a yearly basis perhaps, just as a reference in case you need to shuffle through the diff'ed results.
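The snapshot-and-diff routine the post above describes, as an added example that is not part of the original thread: it records a tree's files by size and hash, parses a .reg export into keys, and reports what an installer created, deleted or modified. The directory tree, the "installer" activity and the registry export text are constructed here; FakeAdware is a placeholder name.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Record every file under root as relative path -> (size, sha256 of contents)."""
    state = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            data = path.read_bytes()
            rel = path.relative_to(root).as_posix()
            state[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return state

def diff_snapshots(before, after):
    """Classify entries as created, deleted or modified between two snapshots."""
    return {
        "created": sorted(k for k in after if k not in before),
        "deleted": sorted(k for k in before if k not in after),
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
    }

def parse_reg_export(text):
    """Turn a .reg export into {key: set of value lines}; the file header is skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], set())
        elif current is not None and line:
            current.add(line)
    return keys

# Constructed sample exports (not real registry dumps): the "after" one adds a Run entry and a new key.
REG_BEFORE = '[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n"ctfmon"="ctfmon.exe"\n'
REG_AFTER = REG_BEFORE + '"FakeAdware"="C:\\\\Program Files\\\\FakeAdware\\\\agent.exe"\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\FakeAdware]\n"Installed"=dword:00000001\n'

def demo():
    """Constructed run: snapshot a temp tree, mimic an installer, then diff files and registry."""
    with tempfile.TemporaryDirectory() as root:
        ini = Path(root, "Windows", "win.ini")
        ini.parent.mkdir()
        ini.write_text("[fonts]\n")
        before = snapshot(root)
        agent = Path(root, "Program Files", "FakeAdware", "agent.exe")  # installer drops a file
        agent.parent.mkdir(parents=True)
        agent.write_bytes(b"MZ")
        ini.write_text(ini.read_text() + "run=agent.exe\n")  # and edits a system file
        files = diff_snapshots(before, snapshot(root))
    regs = diff_snapshots(parse_reg_export(REG_BEFORE), parse_reg_export(REG_AFTER))
    return files, regs
```

The same diff_snapshots works for both because a registry key's value set, like a file's (size, hash) pair, compares unequal as soon as anything under it changes.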
I think it was the old dos fc (file compare) tool (Score:1)
Windows System Restore (Score:2, Informative)
I'm a Big Fan Of GoBack (Score:2)
Re:I'm a Big Fan Of GoBack (Score:2, Insightful)
Deep Freeze (Score:4, Informative)
I use it at work, and give the employees limited access to specific folders, and have trained them to save their files in those few spots.
This way, only when they have approached me and requested a particular application, i.e. Winamp, Excel, Word, what have you, can they have it installed and leave it permanently.
It's cut the spyware / adware / whatever to near zero. Webshots being the largest of the problem.
Anyways you can check out deep freeze at http://www.deepfreezeusa.com/index.htm
In Control 5, from PC Magazine (Score:4, Informative)
Total uninstall (Score:3, Informative)
Auditing (Score:2)
Windows Restore (Score:2)
If you break something (as I have been known to do from time to time), you can "roll back" to a previous snapshot. In my experience, this works pretty well for solving certain problems.
I'm not sure if it tracks installed
Cygwin (Score:2)
GFI (Score:3, Interesting)
You can get a sort of 'tripwire for Windows,' as well as other security tools, from www.gfi.com.
Re:GFI (Score:1, Informative)
Try Ashampoo Uninstaller Suite (Score:1, Informative)
It does the job of creating snapshots of the file-system & registry before & after installing a program, then uses these to create a log file that can be used to roll back the changes. Many options, quite flexible. It has saved my sanity many times.
ConfigSafe (Score:2)
I haven't used it in a couple years though so I can't say how well it works with Windows XP. I found that the newer Windows OS and apps were too complex to easily decipher the results.
Host based IDS (Score:2, Informative)
Why not use a host-based intrusion detection system? They track changes made to the filesystem/registry.
Ionx's Data Sentinel (http://www.ionx.co.uk [ionx.co.uk]) is a great one for Windows. I use it at work, and it's the dogs'. Very simple to setup and use, if you can spare the 199.99, I highly recommend it.
There's probably some free (but more basic) ones out there too.
Old School (Score:1)
Betas, but working... (Score:2)
Similar - but different reason (Score:2)
With that being done, I would then like to compile all the changes into an archive/script which would allow me to duplicate them on a separate machine. It would be really nice for network-based installs so that when I'm doing 30+ machines I don't have
Fix Microsoft's file system! (Score:1)