Slashdot Mirror


Tracking Changes to a Windows System?

The Watcher asks: "I was at my parents' house over the weekend trying to remove various adware/spyware/annoying software, things like Kazaa, Bonzi Buddy, etc. During this I thought it would be helpful to know things like exactly what files/folders were created/modified and what registry entries were created/modified by an installer program so that I would not have to rely on the supplied uninstaller that only removes a selected subset of what was installed. So what are some preferred utilities out there that work well for this purpose?"

86 comments

  1. Specific solutions by Rapid+Home+Offer · · Score: 3, Informative

    For adware/spyware, use Spybot and Ad-Aware for this.

    For the average program, Windows XP comes with a very nice utility that allows you to restore your setup to a previous day. I've found it to be very useful. Don't know about more generic utilities for older Microsoft OSes.

    1. Re:Specific solutions by DRue · · Score: 1, Informative

      I have gotten very good at cleaning ad ware off of computers, because it's so common (even though I don't have a windows computer myself.. grr..) I actually carry a cd with both spybot and ad-aware with me in my car, with the latest definition files for each. When I get to an infected PC, I go straight away into safe mode. Run both utilities, reboot, and have them both run on reboot (before anything else loads). This seems to do a pretty good job of cleaning it up.

    2. Re:Specific solutions by Anonymous Coward · · Score: 0

      Please forgive my Windows ignorance. I followed you up to booting into Safe Mode and running the utilities, but what do you have to do to get the utilities to run at reboot before anything else loads?

    3. Re:Specific solutions by DRue · · Score: 1

      The utilities will ask you after you scan and clean if you want them to run on the next reboot. Just say yes to each one. They'll both run again on the next reboot before anything else loads..

      Should have made that more clear the first time, sorry bout that :)

  2. installwatch pro by beernutz · · Score: 5, Informative

    Free software, and does a nice job.

    installwatch pro

    It will even make an install program for you with the changes!

    --
    (stolen from DaBum) I am dyslexia of borg - your ass will be laminated.
    1. Re:installwatch pro by zero_offset · · Score: 2, Insightful

      If I understand it correctly, this is intended to be run manually before an intentional installation. It doesn't appear to just run in the background and log activity, as the article requests. (I didn't install it, so I might be wrong -- am I?)

      --

      Slashdot quality declines as the number of hot grits posts decreases. - Provolt's Law, Apr-09-2005

    2. Re:installwatch pro by beernutz · · Score: 1

      It actually DOES run in the background. It pops up on its own after detecting a setup program starting, and takes a quick snapshot. It then waits for the install to complete, and asks you to press a button to allow it to finish.

      --
      (stolen from DaBum) I am dyslexia of borg - your ass will be laminated.
  3. Sysinternals' RegMon and FileMon by Tech+Observer · · Score: 5, Informative

    Both these utilities from SysInternals allow you to log realtime entries to a file. Turn them on when you install something and you have a log of everything the installation program touched.

    RegMon:
    This monitoring tool lets you see all Registry activity in real-time. It works on all versions of WinNT/2K, Windows 9x/Me and Windows 64-bit.

    FileMon:
    This monitoring tool lets you see all file system activity in real-time. It works on all versions of WinNT/2K/XP, Windows 9x/Me, Windows XP 64-bit Edition, and Linux.

    1. Re:Sysinternals' RegMon and FileMon by jonconley · · Score: 1

      I would definitely agree with this. SysInternals has some of the best freeware and commercial apps out there for monitoring your system. Often helps when seeing what installers/uninstallers are doing, looking for odd behavior from say trojans, and checking to see what applications may be accessing files, regkeys, ports, etc. Just remember to apply a filter though or you will probably be flooded with information :) It is easy to just add a filter for the executable files that you want to monitor.

      --
      www.TechiePlus.net "...we make IT easy" (serving Sioux City, Iowa area) Offering PC support, custom PCs, and web design
    2. Re:Sysinternals' RegMon and FileMon by obeythefist · · Score: 1

      It's a great utility but it doesn't fit the topic. Reg/filemon spam like crazy if you actually watch how busy Windows gets when it's doing things. The log files would fill up like crazy even with decent filters applied. Not suitable for long periods of time.

      I think the system restore points/install monitoring tools would be the way to go.

      --
      I am government man, come from the government. The government has sent me. -- G.I.R.
    3. Re:Sysinternals' RegMon and FileMon by dargaud · · Score: 1

      Yes, I was going to suggest those SysInternals tools too. They are very useful, but the problem is that one has no idea of the staggering amount of file/registry modifications that go on while in normal operating mode, much less when installing a new app. Even with the provided filters and grep it's hard to track down what you are looking for.

      --
      Non-Linux Penguins ?
  4. SpyBot and Adaware do this for you: by peen · · Score: 1, Insightful
  5. Clarification of parent by beernutz · · Score: 4, Informative

    I hate to reply to myself, but i felt i should clarify my previous post. (WHEN will slashdot allow you to edit your own posts? PLEASE?)

    What you do is this:

    1) get the computer in the state you want it, then put InstallRite (not install watch) on the box, and tell InstallRite to take a snapshot.

    2) configure InstallRite to start with windows so it will intercept all setup programs, and take before and after snapshots automatically.

    3) leave the system knowing that you will have a good idea later of what has been installed since your last visit, and how to fix problems these installs may have made.

    --
    (stolen from DaBum) I am dyslexia of borg - your ass will be laminated.
    1. Re:Clarification of parent by Anonymous Coward · · Score: 2, Informative

      WHEN will slashdot allow you to edit your own posts? PLEASE?

      Hopefully never. There's too much room for abuse. Somebody could post something insightful, get modded up and change it to "BSD is dead" or an ASCII goatse thing, etc. etc.

      It could also be used in reverse. Someone could get modded down, change their post so they get modded back up, and then revert it.

    2. Re:Clarification of parent by thecampbeln · · Score: 1

      As long as it's in an eBay style (On X Date/Time, the user added this =), I'd get behind this idea! It'd sure help me change cheep -> cheap, et'la...

      --
      "1984" was meant to be a warning, not a guidebook. You hear that Kim Jong-il!? BushCo?!
  6. Install is only part of the problem by GoRK · · Score: 3, Insightful

    Some of these programs create certain files and registry keys when they are installed; but many applications create MORE files and registry keys when they are first run or possibly even each time they are started... This is particularly true of spyware-containing applications that check to make sure the spyware is there and active each time they start up. Monitoring the installer is only half the battle.

  7. HiJack This! by PhyrePhox · · Score: 2, Informative

    http://www.spywareinfo.com/~merijn/index.html

  8. Tactical Nuke - Auditing... by RedPhoenix · · Score: 1

    It's a little like using a tactical nuke to take out a mosquito, but turning on Windows auditing, and using something like 'Snare for Windows' to set file auditing, would probably accomplish the task. (Disclaimer: Snare developer).

    Slightly more realistically, there are a few tripwire derivatives that may be of some use to you - though these often require a fair bit of administrative overhead, so probably are not appropriate for a parental PC.

    But perhaps the easiest way is to use the Windows 'search' utility - it will tell you which files have been modified in the last (x) days. Alternatively, there's a port of the unix 'find' command available (both under cygwin, and native). Note though that if the trojan/virus modifies the mtime back to original state, these approaches are not too useful.

    Red.

    1. Re:Tactical Nuke - Auditing... by Spoing · · Score: 1

      Here's my take on auditing.

      You are right, but the only sane way to do this is if you are managing many similar systems that can be audited -- or you just want to be sure and don't mind how much time is involved in doing the audit.

      The only methods are to stop using Windows (seriously) or do a wipe out and reinstall of registry settings and system + program directories on a regular basis. Just nuke everything that isn't in a small set of protected data. Setting up drive D: to handle all data and nuking C:\ might be the way to go without a full audit.

      None of this is without pain, though if you want certainty and don't want to spend all your time on uncertain tools like spyware trackers, this is the only way I can think of doing it.

      Note to everyone else: Blocking next to everything at the router/firewall or using tools to find known-bad software only shifts the problem temporarily. Eventually, the bad guys will just work around your temporary methods...and you'll be back at either tweaking your router and/or updating software. When you do, it will be too late; the bad guys will have already had a chance to get a foothold.

      The only other general tactic that should work is limiting the ability to install new software and working from a known-OK white list. Easier to do under *nix, harder to get away with under Windows (though not impossible).

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    2. Re:Tactical Nuke - Auditing... by obeythefist · · Score: 2, Informative

      Couldn't think of anything else?

      There are many, many tools that can be used to manage a single workstation.

      The easiest way is to build the system then take an image. You could use System Restore points (free with Windows), or you could use Ghost or other utilities. Then simply rebuild the o/s from the image (less than an hour with decent hardware) every time you visit.

      If they need to install or use different software then that of course will need to be managed, and new images/system restore points will need to be added, but this is a small price to pay compared to trying to manage a messed up system, due to the complexity that Windows carries with it.

      Likewise it's very easy to prevent users from running MSIE, and provide safer browsers like Opera or Mozilla. Also you can provide a safer email client like Pegasus or similar that won't automatically run viruses when they arrive. You can use a firewall and free A/V software like AVG to prevent new viruses. Spyware blocking tools can also be used to prevent malware from being installed.

      All of this stuff can be done without pain.

      --
      I am government man, come from the government. The government has sent me. -- G.I.R.
    3. Re:Tactical Nuke - Auditing... by Spoing · · Score: 1

      Good ideas. Now get people to accept them and change the existing habits they have.

      I'm stunned when they listen at all.

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    4. Re:Tactical Nuke - Auditing... by obeythefist · · Score: 1

      Well the topical poster wanted to know how he could set up a computer for his relatives to make it easier for him to manage and prevent them from picking up spyware and virii.

      In the long run, we can see MS is moving towards a secure and patched by default model. For instance, when you set up Windows XP, it has the option to connect to MS and download patches for things like Blaster before the system is even fully running.

      In service pack 2 for XP, the firewall is enabled by default. Outlook is blocking most virus style attachments. Just about every inch of the software is buffer checked. MSIE will have popup blocking. Spyware install requests will blink in a tray instead of popping up a window, so users will have to go out of their way to get Gator instead of just clicking through on a popup. Windows update will run and install patches by default, so unless people opt to make their systems *less* secure, the world is going to become a better place.

      You're right, people won't listen. Thankfully MS finally seems to be, so it won't matter in a year or so.

      --
      I am government man, come from the government. The government has sent me. -- G.I.R.
  9. No admin! by Mr.+Darl+McBride · · Score: 3, Insightful

    Mom and dad should not have administrator accounts. Get them running 2000 or XP and lock stuff down so they can't add all that crapware.

    Give them an account named "install" that has admin, and explain that it's very dangerous to use that for anything but installing store-bought CD software.

    1. Re:No admin! by Spoing · · Score: 1

      Give them an account named "install" that has admin, and explain that it's very dangerous to use that for anything but installing store-bought CD software.

      While I agree that's a smart tactic for Windows users out of necessity, it's sad that it is necessary.

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    2. Re:No admin! by Anonymous Coward · · Score: 0

      Screw that. Just accept that the computer breaks sometimes and needs being reinstalled. The reason everyone other than Slashdotters inevitably get stuck with heaps of crap on their machines is that they actually *enjoy* downloading and installing it. This is everyone's mom's favorite activity. Just accept it and let them have fun.

    3. Re:No admin! by lortho · · Score: 1

      That won't do the trick; I do tech support at a company where the vast majority of users aren't granted admin rights on their NT/2k pc's by default, but I still have to scrape crap like Gator out of machines there all the time. I can't say I have a deep enough knowledge of the NT security model to know how this is possible, but obviously a lot of these programs don't need an admin logged in to install themselves.

    4. Re:No admin! by obeythefist · · Score: 2, Informative

      Would you give them a Linux box and give them root access on it by default? No? Whyever not? ;)

      Same goes for windows. Why is it that you say it's sad that it's necessary to make sure that Windows users aren't admins? Is it sad that it's best practice for Linux users to not be admins?

      Seriously though. End users shouldn't be administrators, and that's something we all agree on.

      --
      I am government man, come from the government. The government has sent me. -- G.I.R.
    5. Re:No admin! by obeythefist · · Score: 1

      It's pretty straightforward, there's a hole in your SOE, dear 'liza, dear 'liza.

      Gator is installing it into an area that you haven't locked down.

      I suggest you use AD policy to restrict users from executing files that relate to spyware, and that you use a CACLS script or similar in your SOE build that locks down the areas that Gator is writing itself to.

      So fix it, dear henry, dear henry, dear henry...

      --
      I am government man, come from the government. The government has sent me. -- G.I.R.
    6. Re:No admin! by tepples · · Score: 1

      Seriously though. End users shouldn't be administrators, and that's something we all agree on.

      What about the owner of a machine used in a home environment? Do you use "end users" to refer to the actual people or to their accounts?

    7. Re:No admin! by obeythefist · · Score: 1

      Yep, I revoked admin access to my wife and the guys when they visit for LAN gaming. They all run with reduced privilege, because they simply don't need it for day-to-day activities.

      Obviously "end users" refers to accounts, because people aren't like Neo in the matrix. They need computers to access resources on networks.

      --
      I am government man, come from the government. The government has sent me. -- G.I.R.
    8. Re:No admin! by Kevster · · Score: 2, Insightful
      You obviously haven't had to administer Windows XP Home for Dad. My Dad downloads and installs software on his own all the time, and while that leads to disaster sometimes (Hotbar), it also means I don't have to run over there every time he needs a system change. He recently bought a 120 GB drive to upgrade his half-full 20 GB drive (his neighbours got an 80 GB drive and I guess he couldn't bear them having a larger hard drive than him), and asked me to install it for him, not realizing that it meant re-installing all of his software. This meant painstakingly locating all the software he downloaded to who-knows-where, and in some instances re-downloading it from a link in an ancient e-mail. I'm still not done after several visits.

      That's not all. Did you know that there are only two types of users in XP Home - computer administrators and users? And you can't create new groups with the built-in utilities, since Microsoft felt that no home user would need more than those two classes of users? And you can't disable accounts, only create and delete them? And you can't even grant Users read/write access to the necessary files and folders (for badly written programs that expect to be able to write to C:\Program Files\... as a regular user) because the right-click context menu for Security doesn't exist?

      Just try installing a random dozen off-the-shelf programs as Administrator and see how many work at all as a user. People here complain all the time how much better Windows is than Linux for home users, but they assume Win98 (with no real security) or WinXP used as administrator all the time.

      It's sad, really, since it's far from rocket science to write programs that only need My Documents and HKCU write access to run properly. This harkens back to another current topic about whether making Linux easier to use will make it more susceptible to viruses and the like. The answer is no, so long as those who write the programs and create the distributions have the self-discipline to stick to the correct user/root separation that has always been the hallmark of Unix programming.

      --
      I always equivocate. Well, almost always.
    9. Re:No admin! by ameoba · · Score: 2, Interesting

      The problem is that even locked down but still usable accounts can still install things through IE. Users that can't install or uninstall software normally get privileges elevated while in IE.

      Try it.

      --
      my sig's at the bottom of the page.
    10. Re:No admin! by Gsus411 · · Score: 1

      You made things far harder than they really are for yourself when you put in the new hard drive. You could have used a cloning program like Ghost. You would simply plug in the new HD to the secondary IDE channel and clone from primary to secondary. Boom, all your data on a new drive and no reinstallation of anything is necessary.

    11. Re:No admin! by ForestGrump · · Score: 1

      "Give them an account named "install" that has admin, and explain that it's very dangerous to use that for anything but installing store-bought CD software."

      But what if they pick up an AOL cd at the store?

      --
      Is it true that more people vote for the winner of American Idol, than vote for the president? -Ali G.
    12. Re:No admin! by ibennetch · · Score: 1

      And you can't even grant Users read/write access to the necessary files and folders (for badly written programs that expect to be able to write to C:\Program Files\... as a regular user) because the right-click context menu for Security doesn't exist?

      Took me forever to find it a few weeks ago; but you need to turn off "Use Simple File Sharing" in...um...well,
      • open an explorer window (My Computer will do fine)
      • go to the tools menu
      • select "Folder Options"
      • click over to the "View" tab
      • scroll down
      • un-check "Use Simple File Sharing" to get access to all the permission goodies.
      That _should_ clear up your problems relating to not being able to secure folders. I think...
    13. Re:No admin! by Pantheraleo2k3 · · Score: 1

      C:\WINDOWS>net user

      A very useful user management command. Add /? to the end to get a --help like summary. You can disable accounts with it

      C:\WINDOWS>cacls

      Change Access Control Lists. I think you can use it like chmod, play around with it to find out. Should be useful for your Program Files example

    14. Re:No admin! by GodEater · · Score: 1

      That "Use Simple File Sharing" Option is only available in XP Pro - not Home. It's certainly not visible here at any rate.

      --

      Gentlemen, start your penguins

  10. Use some security by Uteck · · Score: 2, Interesting

    I doubt that your parents were using Kazaa, so that means that someone installed it. Set them up with a separate user account that can not install that crap. If they only use a web browser, then get a different OS.
    I don't want to talk my dad through this stuff, so I told him to buy a Mac. User friendly and virus proof so far. It's all he needs for web browsing and reading e-mail.
    Winblows should not be used by 'average' users, it is too hard to maintain and too insecure.

    Seriously, you need to determine if they NEED winblows.

    --
    no .sig found Please restart your browser.
    1. Re:Use some security by obeythefist · · Score: 1, Insightful

      Don't rely on the security through obscurity that OS/X and *nix are enjoying right now.

      See, eventually Mac emulation of x86 will become so good that spyware will install just as readily on the mac.

      Or, alternatively, the marketing guys will realise that Mac users are great for spamming/spying on because we already know a couple of things about them that makes them great targets!

      For starters, we know they have lots of money because they bought a mac.

      Secondly, we know they would rather pay lots of money for a computer because it's "grape" or "blueberry", irrespective of actual real-world performance. These mac users are people who you can sell anything to if your marketing is right!

      Conversely, Linux users will be spared because we all know they're too cheap to *pay* for an O/S.

      Flame away!

      --
      I am government man, come from the government. The government has sent me. -- G.I.R.
    2. Re:Use some security by Gsus411 · · Score: 2, Insightful

      One, the operating system is Mac OS X, not "OS/X."

      Two, what are you talking about with x86 emulation? Sure, you can already get spyware running on a Mac by running Windows in VirtualPC. I somehow doubt, however, that Apple is building something like Wine into the OS and coupling it with x86 emulation. Even so, it would be like installing Windows spyware on a Linux box under Wine. Some simply won't work because they do tweaky stuff to the system at a low level. Others might be made to work through heavy tweaking. It wouldn't be something that users just blindly install without knowing what they are doing. If any Mac spyware is to be made, it's gonna have to be native to the OS. Windows and Mac OS X are far too different architecturally to do what you claim will happen.

      Three, not all Mac users have lots of money. I myself am a high school student who works part time after school. My Mac is a 500 MHz iBook I bought used for $600 after working for a summer. I bought it simply because I adore Mac OS X and prefer it to any other OS. I didn't buy the iBook because it's pretty. Besides, your choice of color thing doesn't apply. This thing only came in white. The only thing Apple sells today with multiple colors are those new iPod minis.

      You seem to think performance is all that matters for some reason. If I wanted performance, I'd be trying to get big iron from Cray, NEC, SGI, IBM, or Sun. Maybe even huge linux based clusters. Why don't I have these kinds of things? One, I don't have the money. Two, I don't have a need for that kind of performance. This little iBook here meets my needs perfectly. It is small enough for me to carry around to all my classes, powerful enough to do the admin work I do after school, and it's a *nix environment where I can play around. It's a godsend in my Cisco cert classes. Not to mention how nifty Cocoa is....

    3. Re:Use some security by Anonymous Coward · · Score: 0

      One, the operating system is Mac OS X, not "OS/X."

      Yeah, and it's "Windows" not "Windoze", and "UNIX", not "Eunichs". Yawn.

    4. Re:Use some security by Anonymous Coward · · Score: 0

      A mac is an awfully expensive tool for reading e-mail and browsing a few web pages. If I told my father to plop down $2K+ for one, rather than a $500 Dell machine, just so he didn't have to use Windows, he'd probably kick my ass.

  11. WinInstall LE by sybarite · · Score: 4, Informative

    I use WinInstall LE for this purpose. It is included on the Windows 2000 Server CD and can also be downloaded from here... It is used primarily to repackage an application install as a MSI file, but it produces a text file that shows all file system and registry changes between the before and after snapshots.

  12. dangers by x0n · · Score: 3, Informative

    Looking out for new/modified files isn't always going to help you unfortunately. Badly written application installers will stomp on common DLLs, overwriting them with their own particular version. Sometimes they'll just upgrade the common DLL with a later -- and mostly compatible -- version. If you go just looking to remove the files that have been "touched" after the install, you run the risk of removing a DLL that was previously in use by other applications. Welcome to what is affectionately known as "DLL Hell".

    The real culprits here are the crappy installers. The sooner all Windows apps are installed using MSI (microsoft installer) services, the easier it will be to audit and rollback, and monitor what is going on. MSI's scope is enormous: it is fully transactional; it audits/logs everything, and it supports every option you could wish for. However, because of this, it is inherently complex and not everyone is using the API: it's gone through 3 versions already.

    Once Windows is built entirely on a JIT'ed .NET subsystem (hand me my shotgun Jeeves: there's another flock of pigs overhead), all DLLs will be able to sit in side-by-side mode whereby multiple versions can exist; however, this is a long ways away.

    - Oisin

    --

    PGP KeyId: 0x08D63965
    1. Re:dangers by zero_offset · · Score: 1

      The real culprits here are the crappy installers. The sooner all Windows apps are installed using MSI (microsoft installer) services, the easier it will be to audit and rollback, and monitor what is going on. MSI's scope is enormous: it is fully transactional; it audits/logs everything, and it supports every option you could wish for.

      I have to disagree with you. Having "every" app use MSI might help cleanup of reasonably legit software like Kazaa, but the GAIN/Gators of the world aren't going to make it that easy for you. And if they decide using MSI makes it easier on THEM, those features you mention are easy enough to disable through that same API. The API is intended for use by legitimate software, which is not the problem being discussed.

      I do agree that if Windows eventually reaches full-on .NET under the hood, the Windows-using world will potentially become quite a bit less spyware-friendly, particularly if future versions of Windows take certain obvious measures to automatically further restrict installed software, but no technical measure will "fix" the problem of the clueless intentionally installing CometCursor and BonziBuddy.

      --

      Slashdot quality declines as the number of hot grits posts decreases. - Provolt's Law, Apr-09-2005

  13. In the old days... by bahamat · · Score: 1

    Many years ago when Win95 first came out I bought a program called "Uninstaller Pro" or something like that. Basically, it inventoried every file on the system, and copied the registry before every program installation. Then after the install it would take another file/registry inventory and diff the results. Anything changed is what the installer did.

    Then when you wanted to dump the program you use it to eradicate everything in the diff file.

    IIRC, it was a Symantec product, but you know it's pushing 10 years here, and I honestly can't remember. Maybe you can look for something that works similar.
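The snapshot-and-diff routine that InstallRite (comment 5), the Uninstaller Pro described here and similar tools perform, written out as an added Python example; it is not from the thread or from any of those products. It inventories a directory tree before and after an install, compares by content hash rather than timestamp (so a program that resets a file's mtime, the problem raised under "Tactical Nuke", still shows up as modified), and keeps x0n's "DLL Hell" warning in mind by never listing a pre-existing, overwritten file as safe to delete. The tree, the file names and the fake installer are all constructed for the demonstration.

```python
"""Before/after inventory of a directory tree, diffed by content hash.

Added example (not from the Slashdot thread or any tool named in it).
Inventory a tree, let an "installer" run, inventory again, and classify
every path as created, modified or deleted. Hashing content instead of
trusting mtime means a program that resets a file's timestamp after
touching it is still reported.
"""
import hashlib
import os
import tempfile
from pathlib import Path

BUF = 1 << 16


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while True:
            chunk = f.read(BUF)
            if not chunk:
                break
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> sha256 for every regular file under root."""
    root = Path(root)
    inv = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            inv[p.relative_to(root).as_posix()] = sha256_of(p)
    return inv


def diff_snapshots(before, after):
    """Classify paths. 'modified' files existed before the install: they may
    be shared DLLs the installer overwrote, so they are candidates for
    restoring from a backup, never for blind deletion."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"created": created, "modified": modified, "deleted": deleted}


def removal_plan(delta):
    """What a hand-made uninstaller may safely delete: only files that did not
    exist before. Modified and deleted paths are reported for manual review."""
    return {
        "delete": list(delta["created"]),
        "review": list(delta["modified"]) + list(delta["deleted"]),
    }


def demo():
    """Constructed scenario: a fake system tree, then a fake installer that
    drops a new file, overwrites a shared DLL (and resets its mtime to hide
    the change) and removes a stale file."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "system32").mkdir()
        dll = r / "system32" / "shared.dll"
        dll.write_bytes(b"v1")
        (r / "old.ini").write_text("keep=1")
        before = snapshot(root)

        # Fake installer. Putting the old mtime back does not hide the change.
        st = dll.stat()
        dll.write_bytes(b"v2")
        os.utime(dll, (st.st_atime, st.st_mtime))
        (r / "Program Files").mkdir()
        (r / "Program Files" / "newapp.exe").write_bytes(b"MZ")
        (r / "old.ini").unlink()

        after = snapshot(root)
        delta = diff_snapshots(before, after)
        return delta, removal_plan(delta)


if __name__ == "__main__":
    d, plan = demo()
    for kind, paths in d.items():
        print(f"{kind}: {paths}")
    print("safe to delete:", plan["delete"])
    print("review by hand:", plan["review"])
```

Run it on a real system by calling `snapshot()` on the drive root before and after the install and saving both dictionaries; the review list is the part the supplied uninstaller usually gets wrong.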

    1. Re:In the old days... by tehcyder · · Score: 1
      On Windows 95 I used to use "Cleansweep" which was bought by Symantec.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
  14. Cheapo method by Jahf · · Score: 3, Informative

    Set up a daily scheduled event (yes, Windows can do that) that runs a batch file that:

    dir /s :

    for each drive and then export a copy of the registry (I believe the Windows registry tools will export from a command-line, if not Perl could do so easily).

    Keep 2 days of files, the current day and the previous day. At the end of the batch run a diff (I think DOS had a diff utility under a different name, if not get one of the ported versions of the real diff) and just store the diffs of the 2 days long term.

    Perhaps once per month keep 1 full copy of the dir and registry results, cleaning them up on a yearly basis perhaps, just as a reference in case you need to shuffle through the diff'ed results.

    --
    It is more productive to voice thoughtful opinions (reply) than to judge (moderate) others.
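The registry half of the routine above (export before, export after, diff the two), as an added Python example that is not from the thread. It parses two regedit-format exports into key/value maps and reports new or removed keys and changed values, with a separate list for anything under the per-user Run key, since values there execute at the next logon. Both exports are constructed; the ExampleApp, ExampleSync and Bundled names and paths are invented.

```python
"""Parse two regedit exports and report what changed between them.

Added example, not from the thread or any tool it names. Registry half of
a daily snapshot-and-diff routine: export before and after, parse both,
list added/removed keys and added/removed/changed values. The two exports
below are constructed; the Run key is a real per-user autostart location,
the value names and paths under it are made up.
"""
import re

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")                 # [HKEY...\Key]  ([-HKEY...] = deletion)
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # "Name"=data  or  @=data
AUTOSTART_SUFFIXES = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")


def parse_reg(text):
    """Return {key: {value_name: raw_data}}. '@' is the key's default value.
    Data is kept as the raw text after '=' (a quoted string, dword:..., hex
    bytes with continuation lines joined), which is all a diff needs."""
    tree, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:                     # continuation line of a hex value
            tree[current][pending] += line.rstrip("\\")
            if not line.endswith("\\"):
                pending = None
            continue
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(2)
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if data.endswith("\\"):
                data, pending = data[:-1], name
            tree[current][name] = data
    return tree


def diff_reg(before, after):
    """Whole-key additions/removals plus per-value changes in shared keys.
    Each change is (key, value_name, old_data, new_data); None marks absent."""
    changes = []
    for key in sorted(set(before) & set(after)):
        b, a = before[key], after[key]
        for name in sorted(set(b) | set(a)):
            if b.get(name) != a.get(name):
                changes.append((key, name, b.get(name), a.get(name)))
    return {
        "added_keys": sorted(set(after) - set(before)),
        "removed_keys": sorted(set(before) - set(after)),
        "changed_values": changes,
    }


def autostart_changes(delta):
    """Value changes under the Run/RunOnce keys: anything new here runs at
    the next logon, so review it first."""
    return [c for c in delta["changed_values"] if c[0].endswith(AUTOSTART_SUFFIXES)]


# Constructed "before" and "after" exports (raw strings, so the backslashes
# and escaped quotes are exactly what regedit writes).
BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleApp]
@="ExampleApp"
"Version"="1.0"
"Blob"=hex:00,01,\
  02,03

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleSync"="\"C:\\Program Files\\ExampleSync\\sync.exe\" /background"
"""

AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleApp]
@="ExampleApp"
"Version"="1.1"
"Blob"=hex:00,01,\
  02,03

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleSync"="\"C:\\Program Files\\ExampleSync\\sync.exe\" /background"
"BundledToolbar"="C:\\Program Files\\Bundled\\toolbar.exe"

[HKEY_CURRENT_USER\Software\Bundled]
"InstallDate"="20040312"
"""

if __name__ == "__main__":
    delta = diff_reg(parse_reg(BEFORE), parse_reg(AFTER))
    for key in delta["added_keys"]:
        print("new key:", key)
    for key, name, old, new in delta["changed_values"]:
        print(f"{key} :: {name}: {old!r} -> {new!r}")
    for key, name, _old, new in autostart_changes(delta):
        print("AUTOSTART:", key, name, new)
```

Feed it the two files produced by `regedit /e` on consecutive days and keep only the printed diff, which is the long-term record the comment above suggests storing.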
  15. Windows System Restore by flabbergast · · Score: 2, Informative

    This is dependent on what your folks are running, but you if you're concerned about removing what they've installed (purposefully or inadvertently) you may want to reinstall Windows, get everything setup properly and then run System Restore to save the system state at that moment. This way, when they call you telling you "XYZ is happening! Gator has taken over everything!" you can run system restore and roll back to where you were before, and scold your parents that if they install more crap, they'll get more of the same. I realize this might seem overkill, but it does get to the root of the problem rather quickly (having to get rid of all the crap inexperienced users installed)

  16. I'm a Big Fan Of GoBack by szyzyg · · Score: 1

    Used to be from Roxio, but symantec bought it. It's like a logging filesystem that lets you revert data to a point in the past. Maybe not ideal for this situation because it only stores the last 10% or so of disk activity, older events get forgotten, so depending on system activity this could be anything from days to months of history.

    1. Re:I'm a Big Fan Of GoBack by Chess_the_cat · · Score: 1, Insightful

      Windows XP ships with System Restore built right in. Same thing.

      --
      Support the First Amendment. Read at -1
  17. Deep Freeze by sparkie · · Score: 4, Informative

    Doesn't 'track' anything per se, however, on each reboot, the machine goes back to the state it was in beforehand.

    I use it at work, and give the employees limited access to specific folders, and have trained them to save their files in those few spots.

    This way, only when they have approached me and requested a particular application (i.e. Winamp, Excel, Word, what have you) can they have it installed and left permanently.

    It's cut the spyware / adware / whatever to near zero, Webshots being the largest part of the problem.

    Anyways you can check out deep freeze at http://www.deepfreezeusa.com/index.htm

  18. Right answer, wrong question. by b00m3rang · · Score: 2, Informative

    The question was what software can be used to track filesystem and registry changes, not what tools will remove the spyware.

    1. Re:Right answer, wrong question. by bhtooefr · · Score: 1

      Why compare filesystem and registry changes when you can just automatically fix them?

      Faronics Deep Freeze is the way to go. BTW, how do you disable it? My college is running it, and they run their boxes at 800x600 with the XP theme, and Opera gets wiped every time...

    2. Re:Right answer, wrong question. by jsfetzik · · Score: 1

      Because not everything gets automatically detected and/or fixed. Some stuff still needs to be done by hand. Also there are changes that may get made that are not spyware related, such as the user deleting icons.

  19. In Control 5, from PC Magazine by bluephone · · Score: 4, Informative

    While PCMag has made their old utilities available by online subscription only, there are a few folks on the net who have copies up of some of them. One utility that's FANTASTIC for tracking file/registry/ini-file changes/creations/removals is called In Control 5, or InCtrl5. Super simple to use, with multiple report formats (TXT, HTML, CSV, etc.) and I love it. Works on all Windows versions because it's totally non-invasive. If you can't find it, email me and I'll make a copy available. They're all free, and were freely available; they just restrict the downloads now to squeeze more money from the now discontinued Utility section (one of the last really useful parts of the magazine).

    --
    jX [ Make everything as simple as possible, but no simpler. - Einstein ]
  20. Total uninstall by mst76 · · Score: 2, Informative

    I believe Total Uninstall does exactly what you want. A warning though: for most programs, you do not really want to monitor all changes manually; that's just a lot of work. And that's why there are such things as installers in the first place.

  21. Auditing by RzUpAnmsCwrds · · Score: 1

    If you have XP pro (don't know about home) you can turn on auditing. This will track every file written/read/modified/moved/deleted/created as well as failed attempts to do so.

  22. Windows Restore by blate · · Score: 1

    Windows XP (and ME, I think) has a feature called "System Restore". Basically, what it does is track changes to the registry, driver database, and other parts of the system. It takes snapshots of the system periodically and sometimes during the installation of hardware or certain drivers.

    If you break something (as I have been known to do from time to time), you can "roll back" to a previous snapshot. In my experience, this works pretty well for solving certain problems.

    I'm not sure if it tracks installed software or whether such software would automagically be removed by rolling back. But the snapshots must have some such information in them, if only we could extract it... :)

  23. Cygwin by n1ywb · · Score: 1

    Install cygwin and generate sha1sums of all files. Compare old sums to new sums later. Doesn't help with the registry though.

    --
    -73, de n1ywb
    www.n1ywb.com
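The sha1sum-and-compare approach in the comment above (and the daily dir-listing diff kept long term, further up) as an added example, not code from any of the posters: a Python script that records a path-to-SHA-1 snapshot of a tree, saves it as JSON, and reports which files were added, removed or modified between two snapshots. The directory layout and the "installer" changes in `demo()` are constructed for the example; point `snapshot()` at a real drive root to use it for real.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Walk `root` and return {relative_posix_path: sha1_hex} for every regular file."""
    root = Path(root)
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue  # only hash regular files; a link's target may lie outside the tree
            digest = hashlib.sha1()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            result[full.relative_to(root).as_posix()] = digest.hexdigest()
    return result


def diff_snapshots(before, after):
    """Return the paths added, removed and modified between two snapshot dicts."""
    old, new = set(before), set(after)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if before[p] != after[p]),
    }


def save_snapshot(snap, path):
    """Persist a snapshot as sorted JSON so it can be compared days later."""
    with open(path, "w") as fh:
        json.dump(snap, fh, indent=1, sort_keys=True)


def load_snapshot(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Constructed scenario: a pretend installer changes a temporary tree between two snapshots."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp) / "C"  # the tree being watched; snapshots are stored outside it
        (tree / "Program Files" / "OldApp").mkdir(parents=True)
        (tree / "Program Files" / "OldApp" / "app.exe").write_bytes(b"old app")
        (tree / "Windows" / "System32").mkdir(parents=True)
        (tree / "Windows" / "System32" / "shared.dll").write_bytes(b"v1")
        save_snapshot(snapshot(tree), Path(tmp) / "before.json")
        # The pretend installer: drops its own files, overwrites a shared DLL, deletes a file.
        (tree / "Program Files" / "NewApp").mkdir()
        (tree / "Program Files" / "NewApp" / "newapp.exe").write_bytes(b"new app")
        (tree / "Windows" / "System32" / "shared.dll").write_bytes(b"v2")
        (tree / "Program Files" / "OldApp" / "app.exe").unlink()
        return diff_snapshots(load_snapshot(Path(tmp) / "before.json"), snapshot(tree))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Hashing content rather than comparing timestamps is what makes this useful against software that back-dates the files it drops: a changed hash is reported no matter what the file's mtime says. It still does not see the registry, as the comment notes.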
  24. GFI by SuiteSisterMary · · Score: 2, Interesting

    You can get a sort of 'tripwire for Windows,' as well as other security tools, from www.gfi.com.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
    1. Re:GFI by Anonymous Coward · · Score: 1, Informative

      Tripwire for cygwin is here: http://www.frenchfries.net/paul/tripwire/

  25. Suggested solution by alexo · · Score: 1

    Allow editing of posts as long as
    a) They were not moderated, and
    b) They were not replied to.

    1. Re:Suggested solution by sigxcpu · · Score: 1

      Or have them lose their moderation upon change,
      plus show that they were changed, maybe providing a link to the older ver.

      --
      As of Postgres v6.2, time travel is no longer supported.
    2. Re:Suggested solution by dannannan · · Score: 1

      Slashdot already has this feature. You simply post your changes in a reply to your original post, as is clearly demonstrated in this thread. Moderation from the original post is not applied to the reply; replies to the original post are not listed as replies to the changed post, and the changed post has a link to the original posting labeled "parent".

      DDL

    3. Re:Suggested solution by Frizzle+Fry · · Score: 1

      Yes, but the original doesn't indicate in any way that it has been modified (I guess changing your .sig to point to it is a partial solution; putting the correction itself in your .sig is another, if it will fit).

      If your correction is many replies down, you now get people replying to the original who haven't seen the correction yet, causing more noise and confusion.

      --
      I'd rather be lucky than good.
  26. Try Ashampoo Uninstaller Suite by Anonymous Coward · · Score: 1, Informative

    http://www.ashampoo.com/frontend/products/php/product.php?idstring=0103&session_langid=2

    It does the job of creating snapshots of the file-system & registry before & after installing a program, then uses these to create a log file that can be used to roll back the changes. Many options, quite flexible. It has saved my sanity many times.

  27. MSI for free software? by tepples · · Score: 1

    MSI's scope is enormous: it is fully transactional; it audits/logs everything, and it supports every option you could wish for. However, because of this, it is inherently complex and not everyone is using the API: it's gone through 3 versions already.

    Can the Microsoft Installer packager work on systems whose only native compiler is MinGW, or does it require a Microsoft Visual Studio license? If the latter, watch free software for Windows (such as GIMP, Gaim, Foobar2000, and the like) stick to Nullsoft's free packager.

    1. Re:MSI for free software? by x0n · · Score: 1

      MSI is a set of APIs exposed by a Windows Service; it is not actually a package per se. These APIs are published, and public, so any third party install-packager software can generate MSI files; InstallShield & Wise to name two.

      - Oisin

      --

      PGP KeyId: 0x08D63965
    2. Re:MSI for free software? by 3waygeek · · Score: 1

      Also the Windows Installer XML toolset, which MS posted to SourceForge last week.

      InstallShield & Wise are the two main commercial packages -- I've used both, and prefer Wise. Either is going to set you back about $1K, so they're not terribly practical for the individual developer. VS.Net, as the grandparent points out, provides very limited MSI authoring capabilities.

  28. Re:Specific solutions - try RegShot! by KlaymenDK · · Score: 1

    I think I have just the thing for comparing old/new registry snapshots -- RegShot.
    It's free (as in beer).
    You can make snapshots of certain points in time, and compare shots for differences. Unfortunately, the snapshots themselves are garbled (iow it's not standard .reg files), but otherwise it's a neat, simple, effective program.

    I use this (and RegTick) to manage and lock down a bunch of computers at a youth center, and it's working quite nicely.
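RegShot's snapshot-and-compare idea as an added example, not RegShot's code: since `reg export` writes plain-text .reg files, two exports taken before and after an install can be parsed and diffed directly, which also sidesteps the garbled-snapshot complaint above. The keys and values in `BEFORE_REG` and `AFTER_REG` are constructed for the example.

```python
def _split_value(line):
    """Split '"name"=data' (or '@=data' for a key's default value) into (name, data)."""
    if line.startswith("@="):
        return "@", line[2:]
    if not line.startswith('"'):
        raise ValueError("malformed value line: %r" % line)
    i = 1
    while i < len(line) and line[i] != '"':
        i += 2 if line[i] == "\\" else 1  # step over escaped characters inside the name
    if i >= len(line) or not line.startswith("=", i + 1):
        raise ValueError("malformed value line: %r" % line)
    name = line[1:i].replace('\\"', '"').replace("\\\\", "\\")
    return name, line[i + 2:]


def parse_reg(text):
    """Parse `reg export` text into {key: {value_name: data}}; data stays in .reg form."""
    result, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):  # hex data wrapped onto the next line
            pending = line[:-1]
            continue
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = result.setdefault(line[1:-1], {})
            continue
        if current is None:
            raise ValueError("value line outside any key: %r" % line)
        name, data = _split_value(line)
        current[name] = data
    return result


def diff_registry(before, after):
    """Keys added/removed, plus values added/removed/changed inside keys present in both."""
    report = {"keys_added": [], "keys_removed": [], "values_added": [],
              "values_removed": [], "values_changed": []}
    for key in sorted(set(before) | set(after)):
        if key not in before:
            report["keys_added"].append(key)
        elif key not in after:
            report["keys_removed"].append(key)
        else:
            b, a = before[key], after[key]
            for name in sorted(set(b) | set(a)):
                if name not in b:
                    report["values_added"].append((key, name, a[name]))
                elif name not in a:
                    report["values_removed"].append((key, name, b[name]))
                elif a[name] != b[name]:
                    report["values_changed"].append((key, name, b[name], a[name]))
    return report


# Constructed sample exports: "NewApp" adds a Run entry, its own key, and bumps OldApp's version.
BEFORE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Antivirus"="\"C:\\Program Files\\AV\\av.exe\" /tray"

[HKEY_CURRENT_USER\Software\OldApp]
"Version"="1.0"
'''

AFTER_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Antivirus"="\"C:\\Program Files\\AV\\av.exe\" /tray"
"Helper"="C:\\Program Files\\NewApp\\helper.exe"

[HKEY_CURRENT_USER\Software\OldApp]
"Version"="1.1"

[HKEY_CURRENT_USER\Software\NewApp]
"InstallDir"="C:\\Program Files\\NewApp"
"Enabled"=dword:00000001
"Blob"=hex:01,02,03,04,\
  05,06
'''


def demo():
    return diff_registry(parse_reg(BEFORE_REG), parse_reg(AFTER_REG))


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)
```

On a real machine `reg export HKLM before.reg` writes UTF-16LE with a byte-order mark, so read it with `open(path, encoding="utf-16")` before handing the text to `parse_reg()`. The report's most useful rows for the original question are the ones under autorun keys such as `...\CurrentVersion\Run`: those are exactly the entries an installer's own uninstaller tends to leave behind.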

  29. ConfigSafe by tedgyz · · Score: 1

    I used to use a tool called ConfigSafe. It did a pretty decent job of showing what changed relative to a snapshot run from the tool.

    I haven't used it in a couple years though so I can't say how well it works with Windows XP. I found that the newer Windows OS and apps were too complex to easily decipher the results.

    --
    "No matter where you go, there you are." -- Buckaroo Banzai
  30. Host based IDS by cocowalla · · Score: 2, Informative

    Why not use a host-based intrusion detection system? They track changes made to the filesystem/registry.

    Ionx's Data Sentinel (http://www.ionx.co.uk) is a great one for Windows. I use it at work, and it's the dogs'. Very simple to setup and use, if you can spare the 199.99, I highly recommend it.

    There's probably some free (but more basic) ones out there too.

  31. I think it was the old dos fc (file compare) tool by TheScienceKid · · Score: 1

    Take a butchers hook (look) at http://www.computerhope.com/fchlp.htm ... contains switch info etcetera

  32. Should the owner have an admin account? by tepples · · Score: 1

    Obviously "end users" refers to accounts

    I made a mistake in getting my point across. I asked because it could be taken either way: either end users should use separate accounts for daily use of the computer and for administration (which I called the "accounts" way), or end users should not have access to accounts with admin-group privileges at all and must hire a professional to admin the computer (which I called the "people" way). I have read reports of Microsoft eventually shooting for the latter to increase the strength of the digital restrictions management and user lock-in aspects of its operating system.

  33. Old School by g0bshiTe · · Score: 1

    I still prefer filemon and regmon.

    --
    I am Bennett Haselton! I am Bennett Haselton!
  34. Betas, but working... by gillbates · · Score: 1

    I've written some utilities to do just what you want.

    • filestat.exe - prints out the file dates and checksum - very handy if you suspect virus infection.
    • profile.exe (not the Windows XP command!) - This prints a recursive list of the files in a directory with checksums. It also counts the number of directories and files, so you can see what has changed at a glance.
    • changectl.exe - can compare large text files
    • incback - an incremental backup utility which can be used to selectively copy files. You can use this to filter out which files have changed most recently.

    Granted, they're still in beta form, but if you're interested, reply and I'll send you the source. I'm also working on a system installer...

    --
    The society for a thought-free internet welcomes you.
  35. Similar - but different reason by phorm · · Score: 1

    I've been looking for something similar, though for different reasons. Basically I want to audit a computer's drive contents+registry before installing a program, then after, and track the changes (registry changes, files added, files removed, files changed).

    With that being done, I would then like to compile all the changes into an archive/script which would allow me to duplicate them on a separate machine. It would be really nice for network-based installs so that when I'm doing 30+ machines I don't have to insert/remove a CD a bazillion times just to upgrade Office or whatever.

  36. Configsafe by Beryllium+Sphere(tm) · · Score: 1

    IBM included this with my Thinkpad. Does what you describe, and prompts you to take a snapshot when something's about to change.

  37. Don't Use Ad-aware by Anonymous Coward · · Score: 0

    Ad-Aware is "questionable". I have had friends who use it and are still complaining about spyware; I come over, remove it, install Spybot and clean the system, and I never hear another complaint. Spybot is the shiznit. I have also read many discussions on whether or not Ad-Aware in itself is spyware; do a Google search and you'll find some interesting points. Also, I read a mention of using Windows System Restore, which is built into ME + XP. Don't do it; this feature should be turned off as it's a complete resource hog and only works half the time at best. If you like the sound of it, buy GoBack from Roxio. It works like a charm.

  38. Fix Microsoft's file system! by eveningdarkstar · · Score: 1

    Not one to normally throw nuclear rocks at something, but I think the only real solution to this is to mount pressure against Microsoft to fundamentally redesign their operating system's file handling subsystem. This usage of a wide open file directory structure which gives easy access to any file or directory by any installer is based on some very old file system models dating back to pre-DOS days and is way overdue for an upgrade. Taking snapshots of the system and doing rollbacks is a hack at best and very likely inadequate, as that procedure may also remove applications and settings that were installed subsequently to the installation of the app which is misbehaving. And as is often mentioned, apps may install .dlls or other system files, override registry settings, etc. which may have widespread effects and further damage a system when removed.

    I feel the basic file system model needs to be redesigned so that applications are installed in their own "sandboxes"/space, period. No application should ever be implicitly given permission to modify other system/app files, no "common" registry entries can be tampered with, NO changing/adding/deletion of any Windows or Windows/System files etc. should ever be implicitly allowed. There are lots of ways to implement such a file system so that this basic sandbox paradigm can be upheld, but fundamentally the COMPLETE removal of an application should be as simple as just deleting the directory/sandbox in which it resides.

    Any application which tries to modify another application's "sandbox" of files, registry settings, data etc. needs to be given VERY explicit permission, from the user, to do so, i.e. file permissions controlling access should not be strictly limited to just human users, but to applications as well. Solving problems such as overriding or redirecting behaviours provided by default system files should be handled by having the OS provide adequate interfaces and dynamic registration procedures, so that they can request, and be granted permission to override some default system behaviour.

    I understand that such a radical redesign has a lot of issues/details that need to be worked out, but until Microjunk fixes their file system model, so that applications can be safely installed and COMPLETELY removed via a simple premise, and guarantee that applications cannot interfere with each other without permissions, then this mess is going to continue forever. This IS one of the primary responsibilities of an operating system and one that the Microsoft engineers have badly overlooked!

    (PS. I get very annoyed by web based interfaces such as this which do not provide spell and grammar check options. Sorry for any misspellings, I am not good at it.)

    1. Re:Fix Microsoft's file system! by Anonymous Coward · · Score: 0

      Dear Christ, you do talk some pish...