Slashdot Mirror


Tracking Changes to a Windows System?

The Watcher asks: "I was at my parents' house over the weekend trying to remove various adware/spyware/annoying software, things like Kazaa, Bonzi Buddy, etc. During this I thought it would be helpful to know things like exactly what files/folders were created/modified and what registry entries were created/modified by an installer program so that I would not have to rely on the supplied uninstaller that only removes a selected subset of what was installed. So what are some preferred utilities out there that work well for this purpose?"


  1. Specific solutions by Rapid Home Offer · · Score: 3, Informative

    For adware/spyware, use Spybot and Ad-Aware for this.

    For the average program, Windows XP comes with a very nice utility that allows you to restore your setup to a previous day. I've found it to be very useful. Don't know about more generic utilities for older Microsoft OSes.

  2. installwatch pro by beernutz · · Score: 5, Informative

    Free software, and does a nice job.

    installwatch pro

    It will even make an install program for you with the changes!

    --
    (stolen from DaBum) I am dyslexia of borg - your ass will be laminated.
    1. Re:installwatch pro by zero_offset · · Score: 2, Insightful

      If I understand it correctly, this is intended to be run manually before an intentional installation. It doesn't appear to just run in the background and log activity, as the article requests. (I didn't install it, so I might be wrong -- am I?)

      --

      Slashdot quality declines as the number of hot grits posts decreases. - Provolt's Law, Apr-09-2005

  3. Sysinternals' RegMon and FileMon by Tech Observer · · Score: 5, Informative

    Both these utilities from SysInternals allow you to log realtime entries to a file. Turn them on when you install something and you have a log of everything the installation program touched.

    RegMon:
    This monitoring tool lets you see all Registry activity in real-time. It works on all versions of WinNT/2K, Windows 9x/Me and Windows 64-bit.

    FileMon:
    This monitoring tool lets you see all file system activity in real-time. It works on all versions of WinNT/2K/XP, Windows 9x/Me, Windows XP 64-bit Edition, and Linux.

  4. Clarification of parent by beernutz · · Score: 4, Informative

    I hate to reply to myself, but I felt I should clarify my previous post. (WHEN will slashdot allow you to edit your own posts? PLEASE?)

    What you do is this:

    1) get the computer in the state you want it, then put InstallRite (not install watch) on the box, and tell InstallRite to take a snapshot.

    2) configure InstallRite to start with windows so it will intercept all setup programs, and take before and after snapshots automatically.

    3) leave the system knowing that you will have a good idea later of what has been installed since your last visit, and how to fix problems these installs may have made.

    --
    (stolen from DaBum) I am dyslexia of borg - your ass will be laminated.
    1. Re:Clarification of parent by Anonymous Coward · · Score: 2, Informative

      WHEN will slashdot allow you to edit your own posts? PLEASE?

      Hopefully never. There's too much room for abuse. Somebody could post something insightful, get modded up and change it to "BSD is dead" or an ASCII goatse thing, etc. etc.

      It could also be used in reverse. Someone could get modded down, change their post so they get modded back up, and then revert it.

  5. Install is only part of the problem by GoRK · · Score: 3, Insightful

    Some of these programs create certain files and registry keys when they are installed; but many applications create MORE files and registry keys when they are first run or possibly even each time they are started... This is particularly true of spyware-containing applications that check to make sure the spyware is there and active each time they start up. Monitoring the installer is only half the battle.

  6. HiJack This! by PhyrePhox · · Score: 2, Informative

    http://www.spywareinfo.com/~merijn/index.html

  7. No admin! by Mr. Darl McBride · · Score: 3, Insightful
    Mom and dad should not have administrator accounts. Get them running 2000 or XP and lock stuff down so they can't add all that crapware.

    Give them an account named "install" that has admin, and explain that it's very dangerous to use that for anything but installing store-bought CD software.

    1. Re:No admin! by obeythefist · · Score: 2, Informative

      Would you give them a Linux box and give them root access on it by default? No? Whyever not? ;)

      Same goes for windows. Why is it that you say it's sad that it's necessary to make sure that Windows users aren't admins? Is it sad that it's best practice for Linux users to not be admins?

      Seriously though. End users shouldn't be administrators, and that's something we all agree on.

      --
      I am government man, come from the government. The government has sent me. -- G.I.R.
    2. Re:No admin! by Kevster · · Score: 2, Insightful
      You obviously haven't had to administer Windows XP Home for Dad. My Dad downloads and installs software on his own all the time, and while that leads to disaster sometimes (Hotbar), it also means I don't have to run over there every time he needs a system change. He recently bought a 120 GB drive to upgrade his half-full 20 GB drive (his neighbours got a 80 GB drive and I guess he couldn't bear them having a larger hard drive than him), and asked me to install it for him, not realizing that it meant re-installing all of his software. This meant painstakingly locating all the software he downloaded to who-knows-where, and in some instances re-downloading it from a link in an ancient e-mail. I'm still not done after several visits.

      That's not all. Did you know that there are only two types of users in XP Home - computer administrators and users? And you can't create new groups with the built-in utilities, since Microsoft felt that no home user would need more than those two classes of users? And you can't disable accounts, only create and delete them? And you can't even grant Users read/write access to the necessary files and folders (for badly written programs that expect to be able to write to C:\Program Files\... as a regular user) because the right-click context menu for Security doesn't exist?

      Just try installing a random dozen off-the-shelf programs as Administrator and see how many work at all as a user. People here complain all the time how much better Windows is than Linux for home users, but they assume Win98 (with no real security) or WinXP used as administrator all the time.

      It's sad, really, since it's far from rocket science to write programs that only need My Documents and HKCU write access to run properly. This harkens back to another current topic about whether making Linux easier to use will make it more susceptible to viruses and the like. The answer is no, so long as those who write the programs and create the distributions have the self-discipline to stick to the correct user/root separation that has always been the hallmark of Unix programming.

      --
      I always equivocate. Well, almost always.
    3. Re:No admin! by ameoba · · Score: 2, Interesting

      The problem is that even locked down but still usable accounts can still install things through IE. Users that can't install or uninstall software normally get privileges elevated while in IE.

      Try it.

      --
      my sig's at the bottom of the page.
  8. Use some security by Uteck · · Score: 2, Interesting

    I doubt that your parents were using Kazaa, so that means that someone installed it. Set them up with a separate user account that can not install that crap. If they only use a web browser, then get a different OS.
    I don't want to talk my dad through this stuff, so I told him to buy a Mac. User friendly and virus proof so far. It's all he needs for web browsing and reading e-mail.
    Winblows should not be used by 'average' users, it is too hard to maintain and too insecure.

    Seriously, you need to determine if they NEED winblows.

    --
    no .sig found Please restart your browser.
    1. Re:Use some security by Gsus411 · · Score: 2, Insightful

      One, the operating system is Mac OS X, not "OS/X."

      Two, what are you talking about with x86 emulation? Sure, you can already get spyware running on a Mac by running Windows in VirtualPC. I somehow doubt, however, that Apple is building something like Wine into the OS and coupling it with x86 emulation. Even so, it would be like installing Windows spyware on a Linux box under Wine. Some simply won't work because they do tweaky stuff to the system at a low level. Others might be made to work through heavy tweaking. It wouldn't be something that users just blindly install without knowing what they are doing. If any Mac spyware is to be made, it's gonna have to be native to the OS. Windows and Mac OS X are far too different architecturally to do what you claim will happen.

      Three, not all Mac users have lots of money. I myself am a high school student who works part time after school. My Mac is a 500 MHz iBook I bought used for $600 after working for a summer. I bought it simply because I adore Mac OS X and prefer it to any other OS. I didn't buy the iBook because it's pretty. Besides, your choice of color thing doesn't apply. This thing only came in white. The only thing Apple sells today with multiple colors are those new iPod minis.

      You seem to think performance is all that matters for some reason. If I wanted performance, I'd be trying to get big iron from Cray, NEC, SGI, IBM, or Sun. Maybe even huge linux based clusters. Why don't I have these kinds of things? One, I don't have the money. Two, I don't have a need for that kind of performance. This little iBook here meets my needs perfectly. It is small enough for me to carry around to all my classes, powerful enough to do the admin work I do after school, and it's a *nix environment where I can play around. It's a godsend in my Cisco cert classes. Not to mention how nifty Cocoa is....

  9. WinInstall LE by sybarite · · Score: 4, Informative

    I use WinInstall LE for this purpose. It is included on the Windows 2000 Server CD and can also be downloaded from here... It is used primarily to repackage an application install as a MSI file, but it produces a text file that shows all file system and registry changes between the before and after snapshots.

  10. dangers by x0n · · Score: 3, Informative

    Looking out for new/modified files isn't always going to help you unfortunately. Badly written application installers will stomp on common DLLs, overwriting them with their own particular version. Sometimes they'll just upgrade the common DLL with a later -- and mostly compatible -- version. If you go just looking to remove the files that have been "touched" after the install, you run the risk of removing a DLL that was previously in use by other applications. Welcome to what is affectionately known as "DLL Hell".

    The real culprits here are the crappy installers. The sooner all Windows apps are installed using MSI (microsoft installer) services, the easier it will be to audit and rollback, and monitor what is going on. MSI's scope is enormous: it is fully transactional; it audits/logs everything, and it supports every option you could wish for. However, because of this, it is inherently complex and not everyone is using the API: it's gone through 3 versions already.

    Once Windows is built entirely on a JIT'ed .NET subsystem (hand me my shotgun Jeeves: there's another flock of pigs overhead), all DLLs will be able to sit in side-by-side mode whereby multiple versions can exist; however, this is a long way away.

    - Oisin

    --

    PGP KeyId: 0x08D63965
  11. Cheapo method by Jahf · · Score: 3, Informative

    Set up a daily scheduled event (yes, Windows can do that) that runs a batch file that:

    dir /s :

    for each drive and then export a copy of the registry (I believe the Windows registry tools will export from a command-line, if not Perl could do so easily).

    Keep 2 days of files, the current day and the previous day. At the end of the batch run a diff (I think DOS had a diff utility under a different name, if not get one of the ported versions of the real diff) and just store the diffs of the 2 days long term.

    Perhaps once per month keep 1 full copy of the dir and registry results, cleaning them up on a yearly basis perhaps, just as a reference in case you need to shuffle through the diff'ed results.

    --
    It is more productive to voice thoughtful opinions (reply) than to judge (moderate) others.
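    A batch file that carries out the daily snapshot-and-diff routine described in this comment, written here as an added example and not taken from the original post; the C:\snapshots directory and the drive list are assumptions:

```batch
@echo off
rem Added example, not from the original post: daily snapshot of every file path and of
rem the SOFTWARE hives, diffed against the previous run. Schedule it once a day with
rem Scheduled Tasks. SNAPDIR and the DRIVES list are assumptions; adjust them.
setlocal
set "SNAPDIR=C:\snapshots"
set "DRIVES=C D"
if not exist "%SNAPDIR%" mkdir "%SNAPDIR%"

rem Rotate: what was "today" on the last run becomes "yesterday" on this one.
for %%N in (files.txt hklm.reg hkcu.reg) do (
  if exist "%SNAPDIR%\today.%%N" move /y "%SNAPDIR%\today.%%N" "%SNAPDIR%\yesterday.%%N" >nul
)

rem File snapshot: /b bare paths, /s recurse, /a include hidden and system files, for
rem each drive that exists. Sorted so listings of an unchanged tree compare line by line.
if exist "%SNAPDIR%\unsorted.txt" del "%SNAPDIR%\unsorted.txt"
for %%D in (%DRIVES%) do (
  if exist %%D:\ dir /s /b /a %%D:\ >> "%SNAPDIR%\unsorted.txt" 2>nul
)
sort < "%SNAPDIR%\unsorted.txt" > "%SNAPDIR%\today.files.txt"
del "%SNAPDIR%\unsorted.txt"

rem Registry snapshot with reg.exe (ships with Windows 2000/XP). HKLM\SOFTWARE and
rem HKCU\SOFTWARE hold the Uninstall entries, install paths and Run keys installers touch.
reg export HKLM\SOFTWARE "%SNAPDIR%\today.hklm.reg" >nul
reg export HKCU\SOFTWARE "%SNAPDIR%\today.hkcu.reg" >nul

rem Diff against yesterday and keep only the diffs long term. fc /l is a plain text
rem compare; /u is needed for the .reg files because reg export writes them as Unicode.
rem fc prints "Resynch failed" when files differ too much, which after a large install
rem is itself a signal. %DATE% is locale dependent; the substitutions strip / and spaces.
set "STAMP=%DATE:/=-%"
set "STAMP=%STAMP: =_%"
if exist "%SNAPDIR%\yesterday.files.txt" (
  fc /l "%SNAPDIR%\yesterday.files.txt" "%SNAPDIR%\today.files.txt" > "%SNAPDIR%\diff-%STAMP%-files.txt"
)
for %%H in (hklm hkcu) do (
  if exist "%SNAPDIR%\yesterday.%%H.reg" (
    fc /u "%SNAPDIR%\yesterday.%%H.reg" "%SNAPDIR%\today.%%H.reg" > "%SNAPDIR%\diff-%STAMP%-%%H.txt"
  )
)
endlocal
```

    Because the snapshot directory itself sits on C:, its rotating files appear in every file diff; keep it on a drive outside DRIVES or filter those lines out with findstr /v when reading the results.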
  12. Windows System Restore by flabbergast · · Score: 2, Informative

    This is dependent on what your folks are running, but if you're concerned about removing what they've installed (purposefully or inadvertently) you may want to reinstall Windows, get everything setup properly and then run System Restore to save the system state at that moment. This way, when they call you telling you "XYZ is happening! Gator has taken over everything!" you can run system restore and roll back to where you were before, and scold your parents that if they install more crap, they'll get more of the same. I realize this might seem overkill, but it does get to the root of the problem rather quickly (having to get rid of all the crap inexperienced users installed).

  13. Deep Freeze by sparkie · · Score: 4, Informative

    Doesn't 'track' anything per se, however, on each reboot, the machine goes back to the state it was in beforehand.

    I use it at work, and give the employees limited access to specific folders, and have trained them to save their files in those few spots.

    This way, only when they have approached me, and requested a particular application, i.e. winamp, excel, word, what have you they can have it installed and leave it permanently.

    It's cut the spyware / adware / whatever to near zero. Webshots being the largest of the problem.

    Anyways you can check out deep freeze at http://www.deepfreezeusa.com/index.htm

  14. Right answer, wrong question. by b00m3rang · · Score: 2, Informative

    The question was what software can be used to track filesystem and registry changes, not what tools will remove the spyware.

  15. In Control 5, from PC Magazine by bluephone · · Score: 4, Informative

    While PCMag has made their old utilities available by online subscription only, there are a few folks on the net who have copies up of some of them. One utility that's FANTASTIC for tracking file/registry/ini-file changes/creations/removals is called In Control 5, or InCtrl5. Super simple to use, with multiple report formats (TXT, HTML, CSV, etc.) and I love it. Works on all Windows versions because it's totally non-invasive. If you can't find it, email me and I'll make a copy available. They're all free, and were freely available, they just restrict the downloads now to squeeze more money from the now discontinued Utility section (one of the last really useful parts of the magazine).

    --
    jX [ Make everything as simple as possible, but no simpler. - Einstein ]
  16. Total uninstall by mst76 · · Score: 2, Informative

    I believe Total Uninstall does exactly what you want. A warning though, for most programs, you do not really want to monitor all changes manually, that's just a lot of work. And that's why there are such things as installers in the first place.

  17. GFI by SuiteSisterMary · · Score: 2, Interesting

    You can get a sort of 'tripwire for Windows,' as well as other security tools, from www.gfi.com.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  18. Re:Tactical Nuke - Auditing... by obeythefist · · Score: 2, Informative

    Couldn't think of anything else?

    There are many, many tools that can be used to manage a single workstation.

    The easiest way is to build the system then take an image. You could use System Restore points (free with Windows), or you could use Ghost or other utilities. Then simply rebuild the o/s from the image (less than an hour with decent hardware) every time you visit.

    If they need to install or use different software than that of course will need to be managed, and new images/system restore points will need to be added, but this is a small price to pay compared to trying to manage a messed up system, due to the complexity that Windows carries with it.

    Likewise it's very easy to prevent users from running MSIE, and provide safer browsers like Opera or Mozilla. Also you can provide a safer email client like Pegasus or similar that won't automatically run viruses when they arrive. You can use a firewall and free A/V software like AVG to prevent new viruses. Spyware blocking tools can also be used to prevent malware from being installed.

    All of this stuff can be done without pain.

    --
    I am government man, come from the government. The government has sent me. -- G.I.R.
  19. Host based IDS by cocowalla · · Score: 2, Informative

    Why not use a host-based intrusion detection system? They track changes made to the filesystem/registry.

    Ionx's Data Sentinel (http://www.ionx.co.uk) is a great one for Windows. I use it at work, and it's the dogs'. Very simple to setup and use, if you can spare the 199.99, I highly recommend it.

    There's probably some free (but more basic) ones out there too.