Tracking Changes to a Windows System?
The Watcher asks: "I was at my parents house over the weekend trying to remove various adware/spyware/annoying software, things like Kazaa, Bonzi Buddy, etc.. During this I thought it would be helpful to know things like exactly what files/folders were created/modified and what registry entries were created/modified by an installer program so that I would not have to rely on the supplied uninstaller that only removes a selected subset of what was installed. So what are some preferred utilities out there that work well for this purpose?"
For adware/spyware, use Spybot and Ad-Aware for this.
For the average program, Windows XP comes with a very nice utility that allows you to restore your setup to a previous day. I've found it to be very useful. Don't know about more generic utilities for older Microsoft OSes.
Free software, and does a nice job.
installwatch pro
It will even make an install program for you with the changes!
(stolen from DaBum) I am dyslexia of borg - your ass will be laminated.
Both these utilities from SysInternals allow you to log realtime entries to a file. turn them on when you install something and you have a log of everything the installation program touched.
RegMon
This monitoring tool lets you see all Registry activity in real-time. It works on all versions of WinNT/2K, Windows 9x/Me and Windows 64-bit.
FileMon:
This monitoring tool lets you see all file system activity in real-time. It works on all versions of WinNT/2K/XP, Windows 9x/Me, Windows XP 64-bit Edition, and Linux.
I hate to reply to myself, but I felt I should clarify my previous post. (WHEN will slashdot allow you to edit your own posts? PLEASE?)
What you do is this:
1) get the computer in the state you want it, then put InstallRite (not install watch) on the box, and tell InstallRite to take a snapshot.
2) configure InstallRite to start with Windows so it will intercept all setup programs, and take before and after snapshots automatically.
3) leave the system knowing that you will have a good idea later of what has been installed since your last visit, and how to fix problems these installs may have made.
http://www.spywareinfo.com/~merijn/index.html
I use WinInstall LE for this purpose. It is included on the Windows 2000 Server CD and can also be downloaded from here... It is used primarily to repackage an application install as a MSI file, but it produces a text file that shows all file system and registry changes between the before and after snapshots.
Looking out for new/modified files isn't always going to help you unfortunately. Badly written application installers will stomp on common DLLs, overwriting them with their own particular version. Sometimes they'll just upgrade the common DLL with a later -- and mostly compatible -- version. If you go just looking to remove the files that have been "touched" after the install, you run the risk of removing a DLL that was previously in use by other applications. Welcome to what is affectionately known as "DLL Hell".
Once Windows is built entirely on a JIT'ed .NET subsystem (hand me my shotgun Jeeves: there's another flock of pigs overhead), all DLLs will be able to sit in side-by-side mode whereby multiple versions can exist; however, this is a long ways away.
The real culprits here are the crappy installers. The sooner all Windows apps are installed using MSI (microsoft installer) services, the easier it will be to audit and rollback, and monitor what is going on. MSI's scope is enormous: it is fully transactional; it audits/logs everything, and it supports every option you could wish for. However, because of this, it is inherently complex and not everyone is using the API: it's gone through 3 versions already.
- Oisin
PGP KeyId: 0x08D63965
Set up a daily scheduled event (yes, Windows can do that) that runs a batch file that runs "dir /s" for each drive and then exports a copy of the registry (I believe the Windows registry tools will export from a command-line; if not, Perl could do so easily).
Keep 2 days of files, the current day and the previous day. At the end of the batch run a diff (I think DOS had a diff utility under a different name, if not get one of the ported versions of the real diff) and just store the diffs of the 2 days long term.
Perhaps once per month keep 1 full copy of the dir and registry results, cleaning them up on a yearly basis perhaps, just as a reference in case you need to shuffle through the diff'ed results.
It is more productive to voice thoughtful opinions (reply) than to judge (moderate) others.
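The before/after snapshot idea behind InstallRite and the daily "dir /s" plus diff batch job above, as an added example that is not from any poster or tool on this page: it records every file's size, mtime and SHA-256, then reports what an install created, deleted or modified by content hash, so a shared DLL that was merely re-touched is not flagged. The demo builds a constructed temporary tree (file names like bonzi.exe are made up) and simulates a badly behaved installer; the registry half of the job is not covered.

```python
"""Before/after filesystem snapshot and diff (added example, not InstallRite's code)."""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Walk `root` and record each file as relative path -> (size, mtime, sha256)."""
    root = Path(root)
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.stat()
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            snap[p.relative_to(root).as_posix()] = (st.st_size, int(st.st_mtime), digest)
    return snap


def diff_snapshots(before, after):
    """Classify paths as created, deleted or modified (sorted lists).

    A file is 'modified' only when its content hash differs, so an installer that
    re-touches a common DLL without changing it does not show up. Entries in
    'modified' are the DLL Hell cases: don't delete them blindly, restore the
    previous version instead.
    """
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    common = set(before) & set(after)
    modified = sorted(p for p in common if before[p][2] != after[p][2])
    return {"created": created, "deleted": deleted, "modified": modified}


def demo():
    """Constructed sample: snapshot, run a fake adware installer, snapshot again, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "system32" / "common.dll").write_bytes(b"v1.0 shared library")
        (root / "system32" / "untouched.dll").write_bytes(b"stable")
        (root / "readme.txt").write_text("hello")
        before = snapshot(root)
        # Simulated badly behaved installer (constructed, not a real program):
        (root / "adware").mkdir()
        (root / "adware" / "bonzi.exe").write_bytes(b"MZ fake payload")      # new file
        (root / "system32" / "common.dll").write_bytes(b"v2.0 vendor build")  # stomps shared DLL
        os.utime(root / "system32" / "untouched.dll")                          # re-touched only
        (root / "readme.txt").unlink()                                         # removed
        return diff_snapshots(before, snapshot(root))
```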
This is dependent on what your folks are running, but if you're concerned about removing what they've installed (purposefully or inadvertently) you may want to reinstall Windows, get everything set up properly and then run System Restore to save the system state at that moment. This way, when they call you telling you "XYZ is happening! Gator has taken over everything!" you can run System Restore and roll back to where you were before, and scold your parents that if they install more crap, they'll get more of the same. I realize this might seem overkill, but it does get to the root of the problem rather quickly (having to get rid of all the crap inexperienced users installed).
Doesn't 'track' anything per se, however, on each reboot, the machine goes back to the state it was in beforehand.
I use it at work, and give the employees limited access to specific folders, and have trained them to save their files in those few spots.
This way, only when they have approached me, and requested a particular application, i.e. winamp, excel, word, what have you they can have it installed and leave it permanently.
It's cut the spyware / adware / whatever to near zero. Webshots being the largest of the problem.
Anyways you can check out deep freeze at http://www.deepfreezeusa.com/index.htm
The question was what software can be used to track filesystem and registry changes, not what tools will remove the spyware.
While PCMag has made their old utilities available by online subscription only, there are a few folks on the net who have copies up of some of them. One utility that's FANTASTIC for tracking file/registry/ini-file changes/creations/removals is called In Control 5, or InCtrl5. Super simple to use, with multiple report formats (TXT, HTML, CSV, etc.) and I love it. Works on all Windows versions because it's totally non-invasive. If you can't find it, email me and I'll make a copy available. They're all free, and were freely available, they just restrict the downloads now to squeeze more money from the now discontinued Utility section (one of the last really useful parts of the magazine).
jX [ Make everything as simple as possible, but no simpler. - Einstein ]
I believe Total Uninstall does exactly what you want. A warning though, for most programs, you do not really want to monitor all changes manually, that's just a lot of work. And that's why there are such things as installers in the first place.
Couldn't think of anything else?
There are many, many tools that can be used to manage a single workstation.
The easiest way is to build the system then take an image. You could use System Restore points (free with Windows), or you could use Ghost or other utilities. Then simply rebuild the o/s from the image (less than an hour with decent hardware) every time you visit.
If they need to install or use different software then that of course will need to be managed, and new images/system restore points will need to be added, but this is a small price to pay compared to trying to manage a messed up system, due to the complexity that Windows carries with it.
Likewise it's very easy to prevent users from running MSIE, and provide safer browsers like Opera or Mozilla. Also you can provide a safer email client like Pegasus or similar that won't automatically run viruses when they arrive. You can use a firewall and free A/V software like AVG to prevent new viruses. Spyware blocking tools can also be used to prevent malware from being installed.
All of this stuff can be done without pain.
I am government man, come from the government. The government has sent me. -- G.I.R.
Would you give them a Linux box and give them root access on it by default? No? Whyever not? ;)
Same goes for windows. Why is it that you say it's sad that it's necessary to make sure that Windows users aren't admins? Is it sad that it's best practice for Linux users to not be admins?
Seriously though. End users shouldn't be administrators, and that's something we all agree on.
http://www.ashampoo.com/frontend/products/php/product.php?idstring=0103&session_langid=2
It does the job of creating snapshots of the file-system & registry before & after installing a program, then uses these to create a log file that can be used to roll back the changes. Many options, quite flexible. It has saved my sanity many times.
Tripwire for cygwin is here: http://www.frenchfries.net/paul/tripwire/
Why not use a host-based intrusion detection system? They track changes made to the filesystem/registry.
Ionx's Data Sentinel (http://www.ionx.co.uk) is a great one for Windows. I use it at work, and it's the dogs'. Very simple to setup and use, if you can spare the 199.99, I highly recommend it.
There's probably some free (but more basic) ones out there too.