Tracking Changes to a Windows System?

The Watcher asks: "I was at my parents' house over the weekend trying to remove various adware/spyware/annoying software, things like Kazaa, Bonzi Buddy, etc. During this I thought it would be helpful to know things like exactly what files/folders were created/modified and what registry entries were created/modified by an installer program so that I would not have to rely on the supplied uninstaller that only removes a selected subset of what was installed. So what are some preferred utilities out there that work well for this purpose?"
  • Specific solutions (Score:3, Informative)

    by Rapid Home Offer ( 770408 ) * on Monday April 12, 2004 @05:31PM (#8841695) Homepage Journal
    For adware/spyware, use Spybot [kolla.de] and Ad-Aware [lavasoftusa.com] for this.

    For the average program, Windows XP comes with a very nice utility that allows you to restore your setup to a previous day. I've found it to be very useful. Don't know about more generic utilities for older Microsoft OSes.
    • by DRue ( 152413 )
      I have gotten very good at cleaning adware off of computers, because it's so common (even though I don't have a Windows computer myself.. grr..) I actually carry a CD with both Spybot and Ad-Aware with me in my car, with the latest definition files for each. When I get to an infected PC, I go straight away into safe mode, run both utilities, reboot, and have them both run on reboot (before anything else loads). This seems to do a pretty good job of cleaning it up.
    • The question was what software can be used to track filesystem and registry changes, not what tools will remove the spyware.
      • Why compare filesystem and registry changes when you can just automatically fix them?

        Faronics Deep Freeze is the way to go. BTW, how do you disable it? My college is running it, and they run their boxes at 800x600 with the XP theme, and Opera gets wiped every time...
        • Because not everything gets automatically detected and/or fixed. Some stuff still needs to be done by hand. Also there are changes that may get made that are not spyware related, such as the user deleting icons.
    • I think I have just the thing for comparing old/new registry snapshots -- RegShot [webattack.com].
      It's free (as in beer).
      You can make snapshots of certain points in time, and compare shots for differences. Unfortunately, the snapshots themselves are garbled (in other words, they're not standard .reg files), but otherwise it's a neat, simple, effective program.

      I use this (and RegTick) to manage and lock down a bunch of computers at a youth center, and it's working quite nicely.
  • installwatch pro (Score:5, Informative)

    by beernutz ( 16190 ) * on Monday April 12, 2004 @05:32PM (#8841699) Homepage Journal
    Free software, and it does a nice job.

    installwatch pro [epsilonsquared.com]

    It will even make an install program for you with the changes!
    • by beernutz ( 16190 ) * on Monday April 12, 2004 @05:43PM (#8841801) Homepage Journal
      I hate to reply to myself, but I felt I should clarify my previous post. (WHEN will Slashdot allow you to edit your own posts? PLEASE?)

      What you do is this:

      1) get the computer in the state you want it, then put InstallRite (not install watch) on the box, and tell InstallRite to take a snapshot.

      2) configure InstallRite to start with windows so it will intercept all setup programs, and take before and after snapshots automatically.

      3) leave the system knowing that you will have a good idea later of what has been installed since your last visit, and how to fix problems these installs may have made.
      • by Anonymous Coward
        WHEN will Slashdot allow you to edit your own posts? PLEASE?

        Hopefully never. There's too much room for abuse. Somebody could post something insightful, get modded up and change it to "BSD is dead" or an ASCII goatse thing, etc. etc.

        It could also be used in reverse. Someone could get modded down, change their post so they get modded back up, and then revert it.
        • Allow editing of posts as long as
          a) They were not moderated, and
          b) They were not replied to.
          • or have them lose their moderation upon change.
            plus showing that they were changed, maybe providing a link to the older ver.
            • Slashdot already has this feature. You simply post your changes in a reply to your original post, as is clearly demonstrated in this thread. Moderation from the original post is not applied to the reply; replies to the original post are not listed as replies to the changed post, and the changed post has a link to the original posting labeled "parent".

              DDL
              • Yes, but the original doesn't indicate in any way that it has been modified (I guess changing your .sig to point to it is a partial solution; putting the correction itself in your .sig is another, if it will fit).

                If your correction is many replies down, you now get people replying to the original who haven't seen the correction yet, causing more noise and confusion.
      • As long as it's in an eBay style (On X Date/Time, the user added this =), I'd get behind this idea! It'd sure help me change cheep -> cheap, et'la...
      • IBM included this with my Thinkpad. Does what you describe, and prompts you to take a snapshot when something's about to change.
    • If I understand it correctly, this is intended to be run manually before an intentional installation. It doesn't appear to just run in the background and log activity, as the article requests. (I didn't install it, so I might be wrong -- am I?)
      • It actually DOES run in the background. It pops up on its own after detecting a setup program starting, and takes a quick snapshot. It then waits for the install to complete, and asks you to press a button to allow it to finish.
  • by Tech Observer ( 699347 ) on Monday April 12, 2004 @05:36PM (#8841738) Homepage
    Both these utilities from SysInternals [sysinternals.com] allow you to log realtime entries to a file. Turn them on when you install something and you have a log of everything the installation program touched.
    RegMon [sysinternals.com]
    This monitoring tool lets you see all Registry activity in real-time. It works on all versions of WinNT/2K, Windows 9x/Me and Windows 64-bit.
    FileMon [sysinternals.com]:
    This monitoring tool lets you see all file system activity in real-time. It works on all versions of WinNT/2K/XP, Windows 9x/Me, Windows XP 64-bit Edition, and Linux.
    • I would definitely agree with this. SysInternals has some of the best freeware and commercial apps out there for monitoring your system. Often helps when seeing what installers/uninstallers are doing, looking for odd behavior from, say, trojans, and checking to see what applications may be accessing files, regkeys, ports, etc. Just remember to apply a filter though or you will probably be flooded with information :) It is easy to just add a filter for the executable files that you want to monitor.
      • It's a great utility but it doesn't fit the topic. Reg/filemon spam like crazy if you actually watch how busy Windows gets when it's doing things. The log files would fill up like crazy even with decent filters applied. Not suitable for long periods of time.

        I think the system restore points/install monitoring tools would be the way to go.
    • Yes, I was going to suggest those SysInternals tools too. They are very useful, but the problem is that one has no idea of the staggering amount of file/registry modifications that go on while in normal operating mode, much less when installing a new app. Even with the provided filters and grep it's hard to track down what you are looking for.
  • SpyBot - http://www.safer-networking.org/ [safer-networking.org]

    Adaware - http://www.lavasoftusa.com/software/adaware/ [lavasoftusa.com]

    Both are freeware.

  • by GoRK ( 10018 ) on Monday April 12, 2004 @05:47PM (#8841845) Homepage Journal
    Some of these programs create certain files and registry keys when they are installed; but many applications create MORE files and registry keys when they are first run or possibly even each time they are started... This is particularly true of spyware-containing applications that check to make sure the spyware is there and active each time they start up. Monitoring the installer is only half the battle.
  • HiJack This! (Score:2, Informative)

    by PhyrePhox ( 218873 )
    http://www.spywareinfo.com/~merijn/index.html
  • It's a little like using a tactical nuke to take out a mosquito, but turning on Windows auditing, and using something like 'Snare for Windows' to set file auditing, would probably accomplish the task. (Disclaimer: Snare developer).

    Slightly more realistically, there are a few tripwire derivatives that may be of some use to you - though these often require a fair bit of administrative overhead, so probably are not appropriate for a parental PC.

    But perhaps the easiest way is to use the windows 'search' utili
    • Here's my take on auditing. [slashdot.org]

      You are right, but the only sane way to do this is if you are managing many similar systems that can be audited -- or you just want to be sure and don't mind how much time is involved in doing the audit.

      The only methods are to stop using Windows (seriously) or do a wipe out and reinstall of registry settings and system + program directories on a regular basis. Just nuke everything that isn't in a small set of protected data. Setting up drive D: to handle all data and nuking

      • Couldn't think of anything else?

        There are many, many tools that can be used to manage a single workstation.

        The easiest way is to build the system then take an image. You could use System Restore points (free with Windows), or you could use Ghost or other utilities. Then simply rebuild the o/s from the image (less than an hour with decent hardware) every time you visit.

        If they need to install or use different software then that of course will need to be managed, and new images/system restore points will
        • Good ideas. Now get people to accept them and change the existing habits they have.

          I'm stunned when they listen at all.

          • Well the topical poster wanted to know how he could set up a computer for his relatives to make it easier for him to manage and prevent them from picking up spyware and virii.

            In the long run, we can see MS is moving towards a secure and patched by default model. For instance, when you set up Windows XP, it has the option to connect to MS and download patches for things like Blaster before the system is even fully running.

            In service pack 2 for XP, the firewall is enabled by default. Outlook is blocking m
  • No admin! (Score:4, Insightful)

    by Mr. Darl McBride ( 704524 ) on Monday April 12, 2004 @06:10PM (#8842044)
    Mom and dad should not have administrator accounts. Get them running 2000 or XP and lock stuff down so they can't add all that crapware.

    Give them an account named "install" that has admin, and explain that it's very dangerous to use that for anything but installing store-bought CD software.

      Give them an account named "install" that has admin, and explain that it's very dangerous to use that for anything but installing store-bought CD software.

      While I agree that's a smart tactic for Windows users out of necessity, it's sad that it is necessary.

      • Re:No admin! (Score:3, Informative)

        by obeythefist ( 719316 )
        Would you give them a Linux box and give them root access on it by default? No? Whyever not? ;)

        Same goes for windows. Why is it that you say it's sad that it's necessary to make sure that Windows users aren't admins? Is it sad that it's best practice for Linux users to not be admins?

        Seriously though. End users shouldn't be administrators, and that's something we all agree on.
        • Seriously though. End users shouldn't be administrators, and that's something we all agree on.

          What about the owner of a machine used in a home environment? Do you use "end users" to refer to the actual people or to their accounts?

          • Yep, I revoked admin access to my wife and the guys when they visit for LAN gaming. They all run with reduced privilege, because they simply don't need it for day-to-day activities.

            Obviously "end users" refers to accounts, because people aren't like Neo in the matrix. They need computers to access resources on networks.
            • Obviously "end users" refers to accounts

              I made a mistake in getting my point across. I asked because it could be taken either way: either end users should use separate accounts for daily use of the computer and for administration (which I called the "accounts" way), or end users should not have access to accounts with admin-group privileges at all and must hire a professional to admin the computer (which I called the "people" way). I have read reports of Microsoft eventually shooting for the latter to i

    • That won't do the trick; I do tech support at a company where the vast majority of users aren't granted admin rights on their NT/2k pc's by default, but I still have to scrape crap like Gator out of machines there all the time. I can't say I have a deep enough knowledge of the NT security model to know how this is possible, but obviously a lot of these programs don't need an admin logged in to install themselves.
      • It's pretty straightforward, there's a hole in your SOE, dear 'liza, dear 'liza.

        Gator is installing it into an area that you haven't locked down.

        I suggest you use AD policy to restrict users from executing files that relate to spyware, and that you use a CACLS script or similar in your SOE build that locks down the areas that Gator is writing itself to.

        So fix it, dear henry, dear henry, dear henry...
    • Re:No admin! (Score:2, Insightful)

      by Kevster ( 102318 )
      You obviously haven't had to administer Windows XP Home for Dad. My Dad downloads and installs software on his own all the time, and while that leads to disaster sometimes (Hotbar), it also means I don't have to run over there every time he needs a system change. He recently bought a 120 GB drive to upgrade his half-full 20 GB drive (his neighbours got a 80 GB drive and I guess he couldn't bear them having a larger hard drive than him), and asked me to install it for him, not realizing that it meant re-inst
      • You made things far harder than they really are for yourself when you put in the new hard drive. You could have used a cloning program like Ghost. You would simply plug in the new HD to the secondary IDE channel and clone from primary to secondary. Boom, all your data on a new drive and no reinstallation of anything is necessary.
      • And you can't even grant Users read/write access to the necessary files and folders (for badly written programs that expect to be able to write to C:\Program Files\... as a regular user) because the right-click context menu for Security doesn't exist?

        Took me forever to find it a few weeks ago; but you need to turn off "Use Simple File Sharing" in...um...well,

        • open an explorer window (My Computer will do fine)
        • go to the tools menu
        • select "Folder Options"
        • click over to the "View" tab
        • scroll down
        • un-check "
        • That "Use Simple File Sharing" Option is only available in XP Pro - not Home. It's certainly not visible here at any rate.
      • C:\WINDOWS>net user

        A very useful user management command. Add /? to the end to get a --help like summary. You can disable accounts with it

        C:\WINDOWS>cacls

        Change Access Control Lists. I think you can use it like chmod, play around with it to find out. Should be useful for your Program Files example
    • Re:No admin! (Score:3, Interesting)

      by ameoba ( 173803 )
      The problem is that even locked down but still usable accounts can still install things through IE. Users that can't install or uninstall software normally get privileges elevated while in IE.

      Try it.
    • "Give them an account named "install" that has admin, and explain that it's very dangerous to use that for anything but installing store-bought CD software."

      But what if they pick up an AOL cd at the store?
  • Use some security (Score:2, Interesting)

    by Uteck ( 127534 )
    I doubt that your parents were using Kazaa, so that means that someone installed it. Set them up with a separate user account that cannot install that crap. If they only use a web browser, then get a different OS.
    I don't want to talk my dad through this stuff, so I told him to buy a Mac. User friendly and virus proof so far. It's all he needs for web browsing and reading e-mail.
    Winblows should not be used by 'average' users, it is too hard to maintain and too insecure.

    Seriously, you need to determine it th
    • Don't rely on the security through obscurity that OS/X and *nix are enjoying right now.

      See, eventually Mac emulation of x86 will become so good that spyware will install just as readily on the mac.

      Or, alternatively, the marketing guys will realise that Mac users are great for spamming/spying on because we already know a couple of things about them that makes them great targets!

      For starters, we know they have lots of money because they bought a mac.

      Secondly, we know they would rather pay lots of money fo
      • by Gsus411 ( 544087 )
        One, the operating system is Mac OS X, not "OS/X."

        Two, what are you talking about with x86 emulation? Sure, you can already get spyware running on a Mac by running Windows in VirtualPC. I somehow doubt, however, that Apple is building something like Wine into the OS and coupling it with x86 emulation. Even so, it would be like installing Windows spyware on a Linux box under Wine. Some simply won't work because they do tweaky stuff to the system at a low level. Others might be made to work through heavy twe
  • WinInstall LE (Score:4, Informative)

    by sybarite ( 566454 ) on Monday April 12, 2004 @06:17PM (#8842115) Homepage
    I use WinInstall LE for this purpose. It is included on the Windows 2000 Server CD and can also be downloaded from here... [veritas.com] It is used primarily to repackage an application install as a MSI file, but it produces a text file that shows all file system and registry changes between the before and after snapshots.
  • dangers (Score:4, Informative)

    by x0n ( 120596 ) on Monday April 12, 2004 @06:21PM (#8842154) Homepage Journal
    Looking out for new/modified files isn't always going to help you unfortunately. Badly written application installers will stomp on common DLLs, overwriting them with their own particular version. Sometimes they'll just upgrade the common DLL with a later -- and mostly compatible -- version. If you go just looking to remove the files that have been "touched" after the install, you run the risk of removing a DLL that was previously in use by other applications. Welcome to what is affectionately known as "DLL Hell".

    The real culprits here are the crappy installers. The sooner all Windows apps are installed using MSI (microsoft installer) services, the easier it will be to audit and rollback, and monitor what is going on. MSI's scope is enormous: it is fully transactional; it audits/logs everything, and it supports every option you could wish for. However, because of this, it is inherently complex and not everyone is using the API: it's gone through 3 versions already.

    Once Windows is built entirely on a JIT'ed .NET subsystem (hand me my shotgun Jeeves: there's another flock of pigs overhead), all DLLs will be able to sit in side-by-side mode whereby multiple versions can exist; however, this is a long ways away.

    - Oisin
    • MSI's scope is enormous: it is fully transactional; it audits/logs everything, and it supports every option you could wish for. However, because of this, it is inherently complex and not everyone is using the API: it's gone through 3 versions already.

      Can the Microsoft Installer packager work on systems whose only native compiler is MinGW [mingw.org], or does it require a Microsoft Visual Studio license? If the latter, watch free software for Windows (such as GIMP, Gaim, Foobar2000, and the like) stick to Nullsoft's [sourceforge.net]

      • MSI is a set of APIs exposed by a Windows Service; it is not actually a package per-se. These APIs are published, and public, so any third party install-packager software can generate MSI files; InstallShield & Wise to name two.

        - Oisin

        • Also the Windows Installer XML toolset [sourceforge.net], which MS posted to SourceForge last week.

          InstallShield & Wise are the two main commercial packages -- I've used both, and prefer Wise. Either is going to set you back about $1K, so they're not terribly practical for the individual developer. VS.Net, as the grandparent points out, provides very limited MSI authoring capabilities.

    • The real culprits here are the crappy installers. The sooner all Windows apps are installed using MSI (microsoft installer) services, the easier it will be to audit and rollback, and monitor what is going on. MSI's scope is enormous: it is fully transactional; it audits/logs everything, and it supports every option you could wish for.

      I have to disagree with you. Having "every" app use MSI might help cleanup of reasonably legit software like Kaaza, but the GAIN/Gators of the world aren't going to make it t
  • Many years ago when Win95 first came out I bought a program called "Uninstaller Pro" or something like that. Basically, it inventoried every file on the system, and copied the registry before every program installation. Then after the install it would take another file/registry inventory and diff the results. Anything changed is what the installer did.

    Then when you wanted to dump the program you use it to eradicate everything in the diff file.

    IIRC, it was a Symantec product, but you know it's pushing 1
  • Cheapo method (Score:3, Informative)

    by Jahf ( 21968 ) on Monday April 12, 2004 @06:33PM (#8842246) Journal
    Set up a daily scheduled event (yes, Windows can do that) that runs a batch file that:

    dir /s :

    for each drive and then export a copy of the registry (I believe the Windows registry tools will export from a command-line, if not Perl could do so easily).

    Keep 2 days of files, the current day and the previous day. At the end of the batch run a diff (I think DOS had a diff utility under a different name, if not get one of the ported versions of the real diff) and just store the diffs of the 2 days long term.

    Perhaps once per month keep 1 full copy of the dir and registry results, cleaning them up on a yearly basis perhaps, just as a reference in case you need to shuffle through the diff'ed results.
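The daily snapshot-and-diff routine this post describes (and the checksum comparison suggested further down the thread), as an added Python example that is not code from the thread: it inventories a directory tree with SHA-1 hashes, flattens two exported .reg files, and reports what was added, removed or modified between the two snapshots. The .reg text and the temporary directory tree are constructed sample data, and names such as ExampleAdware are placeholders.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Constructed sample .reg exports (not from the thread): the "after" copy gains a
# Run-key autostart value, changes one value and adds an empty key.
REG_BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\ExampleApp]
"Version"="1.0"
"Blob"=hex:00,01,02,\
  03,04
'''

REG_AFTER = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ExampleAdware"="C:\\Program Files\\ExampleAdware\\ea.exe"

[HKEY_CURRENT_USER\Software\ExampleApp]
"Version"="1.1"
"Blob"=hex:00,01,02,\
  03,04

[HKEY_CURRENT_USER\Software\ExampleAdware]
'''


def snapshot_tree(root):
    """Return {relative/path: (size, sha1)} for every regular file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            h = hashlib.sha1()
            with open(p, 'rb') as f:          # hash in chunks, files may be large
                for chunk in iter(lambda: f.read(65536), b''):
                    h.update(chunk)
            snap[p.relative_to(root).as_posix()] = (p.stat().st_size, h.hexdigest())
    return snap


def parse_reg_export(text):
    """Flatten regedit/`reg export` text into {key or key\\name: data}; a bare
    key maps to '<key>' so an empty new key still shows up as added."""
    text = re.sub(r'\\\n\s*', '', text)     # join wrapped REG_BINARY lines
    flat, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('Windows Registry Editor', 'REGEDIT4', ';')):
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            flat[key] = '<key>'
        elif key is not None and '=' in line:       # first '=' splits name/data
            name, _, data = line.partition('=')
            name = '(Default)' if name == '@' else name.strip('"')
            flat[key + '\\' + name] = data.strip()
    return flat


def diff_snapshots(before, after):
    """Works for both file-tree and registry snapshots."""
    common = set(before) & set(after)
    return {
        'added': sorted(set(after) - set(before)),
        'removed': sorted(set(before) - set(after)),
        'modified': sorted(k for k in common if before[k] != after[k]),
    }


def demo_filesystem():
    """Build a throwaway tree, run a simulated installer on it, return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / 'WINDOWS' / 'system32').mkdir(parents=True)
        (root / 'WINDOWS' / 'system32' / 'common.dll').write_bytes(b'dll v1')
        before = snapshot_tree(root)
        # Simulated installer: drops its own files and overwrites a shared DLL
        # (the "DLL Hell" case raised later in the thread).
        (root / 'Program Files' / 'ExampleAdware').mkdir(parents=True)
        (root / 'Program Files' / 'ExampleAdware' / 'ea.exe').write_bytes(b'adware')
        (root / 'WINDOWS' / 'system32' / 'common.dll').write_bytes(b'dll v2')
        after = snapshot_tree(root)
    return diff_snapshots(before, after)
```

On a real machine, pointing snapshot_tree at each drive root and parse_reg_export at the output of `reg export` gives the day-to-day before/after files the post describes; the diff is what to inspect, not a list of files to delete blindly.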

  • This is dependent on what your folks are running, but you if you're concerned about removing what they've installed (purposefully or inadvertently) you may want to reinstall Windows, get everything setup properly and then run System Restore to save the system state at that moment. This way, when they call you telling you "XYZ is happening! Gator has taken over everything!" you can run system restore and roll back to where you were before, and scold your parents that if they install more crap, they'll get
  • Used to be from Roxio, but Symantec bought it. It's like a logging filesystem that lets you revert data to a point in the past. Maybe not ideal for this situation because it only stores the last 10% or so of disk activity; older events get forgotten, so depending on system activity this could be anything from days to months of history.
  • Deep Freeze (Score:4, Informative)

    by sparkie ( 60749 ) on Monday April 12, 2004 @06:45PM (#8842355) Homepage
    Doesn't 'track' anything per se, however, on each reboot, the machine goes back to the state it was in beforehand.

    I use it at work, and give the employees limited access to specific folders, and have trained them to save their files in those few spots.

    This way, only when they have approached me, and requested a particular application, i.e. winamp, excel, word, what have you they can have it installed and leave it permanently.

    It's cut the spyware / adware / whatever to near zero. Webshots being the largest of the problem.

    Anyways you can check out deep freeze at http://www.deepfreezeusa.com/index.htm
  • by bluephone ( 200451 ) <greyNO@SPAMburntelectrons.org> on Monday April 12, 2004 @07:05PM (#8842551) Homepage Journal
    While PCMag has made their old utilities available by online subscription only, there are a few folks on the net who have copies up of some of them. One utility that's FANTASTIC for tracking file/registry/ini-file changes/creations/removals is called In Control 5, or InCtrl5. Super simple to use, with multiple report formats (TXT, HTML, CSV, etc.) and I love it. Works on all Windows versions because it's totally non-invasive. If you can't find it, email me and I'll make a copy available. They're all free, and were freely available, they just restrict the downloads now to squeeze more money from the now discontinued Utility section (one of the last really useful parts of the magazine).
  • Total uninstall (Score:3, Informative)

    by mst76 ( 629405 ) on Monday April 12, 2004 @07:07PM (#8842563)
    I believe Total Uninstall [geocities.com] does exactly what you want. A warning though, for most programs, you do not really want to monitor all changes manually, that's just a lot of work. And that's why there are such things as installers in the first place.
  • If you have XP pro (don't know about home) you can turn on auditing. This will track every file written/read/modified/moved/deleted/created as well as failed attempts to do so.
  • Windows XP (and ME, I think) has a feature called "System Restore". Basically, what it does is track changes to the registry, driver database, and other parts of the system. It takes snapshots of the system periodically and sometimes during the installation of hardware or certain drivers.

    If you break something (as I have been known to do from time to time), you can "roll back" to a previous snapshot. In my experience, this works pretty well for solving certain problems.

    I'm not sure if it tracks installed
  • Install cygwin and generate sha1sums of all files. Compare old sums to new sums later. Doesn't help with the registry though.
  • GFI (Score:3, Interesting)

    by SuiteSisterMary ( 123932 ) <slebrunNO@SPAMgmail.com> on Monday April 12, 2004 @09:30PM (#8843573) Journal

    You can get a sort of 'tripwire for Windows,' as well as other security tools, from www.gfi.com.

  • by Anonymous Coward
    http://www.ashampoo.com/frontend/products/php/product.php?idstring=0103&session_langid=2

    It does the job of creating snapshots of the file-system & registry before & after installing a program, then uses these to create a log file that can be used to roll back the changes. Many options, quite flexible. It has saved my sanity many times.
  • I used to use a tool called ConfigSafe. It did a pretty decent job of showing what changed relative to a snapshot run from the tool.

    I haven't used it in a couple years though so I can't say how well it works with Windows XP. I found that the newer Windows OS and apps were too complex to easily decipher the results.
  • Host based IDS (Score:2, Informative)

    by cocowalla ( 766652 )

    Why not use a host-based intrusion detection system? They track changes made to the filesystem/registry.

    Ionx's Data Sentinel (http://www.ionx.co.uk [ionx.co.uk]) is a great one for Windows. I use it at work, and it's the dogs'. Very simple to set up and use, if you can spare the 199.99, I highly recommend it.

    There's probably some free (but more basic) ones out there too.

  • I still prefer filemon and regmon.
  • I've written some utilities to do just what you want.
    • filestat.exe - prints out the file dates and checksum - very handy if you suspect virus infection.
    • profile.exe (not the Windows XP command!) - This prints a recursive list of the files in a directory with checksums. It also counts the number of directories and files, so you can see what has changed at a glance.
    • changectl.exe - can compare large text files
    • incback - an incremental backup utility which can be used to selectively copy files. You can use
  • I've been looking for something similar, though for different reasons. Basically I want to audit a computer's drive contents+registry before installing a program, then after, and track the changes (registry changes, files added, files removed, files changed).

    With that being done, I would then like to compile all the changes into an archive/script which would allow me to duplicate them on a separate machine. It would be really nice for network-based installs so that when I'm doing 30+ machines I don't have
  • Not one to normally throw nuclear rocks at something, but I think the only real solution to this is to mount pressure against Microsoft to fundamentally redesign their operating system's file handling subsystem. This usage of wide open file directory structure which gives easy access to any file or directory by any installer is based on some very old file system models dating back to pre DOS days and is way overdue for an upgrade. Taking snapshots of the system and doing rollbacks is a hack at best and very
