Tracking Changes to a Windows System?
The Watcher asks: "I was at my parents' house over the weekend trying to remove various adware/spyware/annoying software, things like Kazaa, Bonzi Buddy, etc. During this I thought it would be helpful to know things like exactly what files/folders were created/modified and what registry entries were created/modified by an installer program so that I would not have to rely on the supplied uninstaller that only removes a selected subset of what was installed. So what are some preferred utilities out there that work well for this purpose?"
For adware/spyware, use Spybot and Ad-Aware for this.
For the average program, Windows XP comes with a very nice utility that allows you to restore your setup to a previous day. I've found it to be very useful. Don't know about more generic utilities for older Microsoft OSes.
Free software, and does a nice job.
installwatch pro
It will even make an install program for you with the changes!
(stolen from DaBum) I am dyslexia of borg - your ass will be laminated.
Both these utilities from SysInternals allow you to log realtime entries to a file. Turn them on when you install something and you have a log of everything the installation program touched.
RegMon
This monitoring tool lets you see all Registry activity in real-time. It works on all versions of WinNT/2K, Windows 9x/Me and Windows 64-bit.
FileMon:
This monitoring tool lets you see all file system activity in real-time. It works on all versions of WinNT/2K/XP, Windows 9x/Me, Windows XP 64-bit Edition, and Linux.
I hate to reply to myself, but I felt I should clarify my previous post. (WHEN will Slashdot allow you to edit your own posts? PLEASE?)
What you do is this:
1) get the computer in the state you want it, then put InstallRite (not install watch) on the box, and tell InstallRite to take a snapshot.
2) configure InstallRite to start with Windows so it will intercept all setup programs, and take before and after snapshots automatically.
3) leave the system knowing that you will have a good idea later of what has been installed since your last visit, and how to fix problems these installs may have made.
(stolen from DaBum) I am dyslexia of borg - your ass will be laminated.
I use WinInstall LE for this purpose. It is included on the Windows 2000 Server CD and can also be downloaded from here... It is used primarily to repackage an application install as a MSI file, but it produces a text file that shows all file system and registry changes between the before and after snapshots.
Looking out for new/modified files isn't always going to help you unfortunately. Badly written application installers will stomp on common DLLs, overwriting them with their own particular version. Sometimes they'll just upgrade the common DLL with a later -- and mostly compatible -- version. If you go just looking to remove the files that have been "touched" after the install, you run the risk of removing a DLL that was previously in use by other applications. Welcome to what is affectionately known as "DLL Hell".
Once Windows is built entirely on a JIT'ed .NET subsystem (hand me my shotgun Jeeves: there's another flock of pigs overhead), all DLLs will be able to sit in side-by-side mode whereby multiple versions can exist; however, this is a long ways away.
The real culprits here are the crappy installers. The sooner all Windows apps are installed using MSI (Microsoft Installer) services, the easier it will be to audit and rollback, and monitor what is going on. MSI's scope is enormous: it is fully transactional; it audits/logs everything, and it supports every option you could wish for. However, because of this, it is inherently complex and not everyone is using the API: it's gone through 3 versions already.
- Oisin
PGP KeyId: 0x08D63965
Set up a daily scheduled event (yes, Windows can do that) that runs a batch file that runs dir /s for each drive and then exports a copy of the registry (I believe the Windows registry tools will export from a command-line, if not Perl could do so easily).
Keep 2 days of files, the current day and the previous day. At the end of the batch run a diff (I think DOS had a diff utility under a different name, if not get one of the ported versions of the real diff) and just store the diffs of the 2 days long term.
Perhaps once per month keep 1 full copy of the dir and registry results, cleaning them up on a yearly basis perhaps, just as a reference in case you need to shuffle through the diff'ed results.
It is more productive to voice thoughtful opinions (reply) than to judge (moderate) others.
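The before/after snapshot approach described in the InstallRite post above and in this batch-file-plus-diff post is the same technique, and the shared-DLL caveat raised elsewhere in the thread is exactly what the "modified" column of such a diff surfaces. The following is an added example, not code from the original thread or from any of the tools named in it: it takes a file-tree snapshot (path, size, SHA-256), parses the text of a .reg export into keys and values, and diffs the before and after states. The directory layout, the two .reg exports and the "installer" behaviour are all constructed for the demo.

```python
import hashlib
import os
import tempfile


def snapshot_tree(root):
    """Walk root and record {relative_path: (size, sha256)} for every file.
    Paths are normalised to forward slashes so diffs compare cleanly."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            snap[rel] = (os.path.getsize(full), digest.hexdigest())
    return snap


def parse_reg_export(text):
    """Parse the text of a .reg export into {key: {value_name: data}}.
    Only single-line values are handled; hex continuation lines are skipped."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif "=" in line and current is not None:
            name, data = line.split("=", 1)
            keys[current][name.strip('"')] = data
    return keys


def flatten_reg(keys):
    """Flatten the parsed registry into {path: data}, keeping an entry for each
    key itself so that newly created (even empty) keys show up as added."""
    flat = {}
    for key, values in keys.items():
        flat[key] = "<key>"
        for name, data in values.items():
            flat[key + "\\" + name] = data
    return flat


def diff_snapshots(before, after):
    """Return (added, removed, modified) entries between two snapshot dicts."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(k for k in set(before) & set(after) if before[k] != after[k])
    return added, removed, modified


# Constructed .reg exports standing in for "regedit /e" output before and after.
REG_BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

REG_AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BonziBuddy"="C:\\Program Files\\Adware\\bonzi.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Bonzi]
"InstallDir"="C:\\Program Files\\Adware"
"""


def demo_install_diff():
    """Constructed scenario: snapshot, run a simulated installer, snapshot, diff.
    Returns ((files_added, files_removed, files_modified),
             (reg_added, reg_removed, reg_modified))."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Windows", "System32"))
        shared_dll = os.path.join(root, "Windows", "System32", "common.dll")
        with open(shared_dll, "wb") as fh:
            fh.write(b"common dll v1")
        with open(os.path.join(root, "readme.txt"), "w") as fh:
            fh.write("untouched file")
        before = snapshot_tree(root)

        # Simulated badly written installer: drops its own files and stomps on
        # the shared DLL with an older copy (the "DLL Hell" case from the thread).
        os.makedirs(os.path.join(root, "Program Files", "Adware"))
        with open(os.path.join(root, "Program Files", "Adware", "bonzi.exe"), "wb") as fh:
            fh.write(b"MZ constructed stub")
        with open(shared_dll, "wb") as fh:
            fh.write(b"common dll v0.9 (older, overwritten)")
        after = snapshot_tree(root)

    files = diff_snapshots(before, after)
    reg = diff_snapshots(flatten_reg(parse_reg_export(REG_BEFORE)),
                         flatten_reg(parse_reg_export(REG_AFTER)))
    return files, reg


if __name__ == "__main__":
    (f_add, f_rem, f_mod), (r_add, r_rem, r_mod) = demo_install_diff()
    print("files added:", f_add, "removed:", f_rem, "modified:", f_mod)
    print("registry added:", r_add, "removed:", r_rem, "modified:", r_mod)
```

The "modified" list is the one to read carefully before cleaning up: an entry under Program Files that was added can be removed with the rest of the install, but a system DLL that merely changed hash needs to be restored from a known-good copy rather than deleted, since other applications may already depend on it.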
Doesn't 'track' anything per se; however, on each reboot, the machine goes back to the state it was in beforehand.
I use it at work, and give the employees limited access to specific folders, and have trained them to save their files in those few spots.
This way, only when they have approached me and requested a particular application (i.e. Winamp, Excel, Word, what have you) can they have it installed and leave it permanently.
It's cut the spyware / adware / whatever to near zero. Webshots being the largest of the problem.
Anyways you can check out deep freeze at http://www.deepfreezeusa.com/index.htm
While PCMag has made their old utilities available by online subscription only, there are a few folks on the net who have copies up of some of them. One utility that's FANTASTIC for tracking file/registry/ini-file changes/creations/removals is called In Control 5, or InCtrl5. Super simple to use, with multiple report formats (TXT, HTML, CSV, etc.) and I love it. Works on all Windows versions because it's totally non-invasive. If you can't find it, email me and I'll make a copy available. They're all free, and were freely available, they just restrict the downloads now to squeeze more money from the now discontinued Utility section (one of the last really useful parts of the magazine).
jX [ Make everything as simple as possible, but no simpler. - Einstein ]