Slashdot Mirror


Good Freeware System Snapshot Tool For Windows?

Khyber writes "I'm doing a little personal research into a project that tracks what changes get made to your system every time you install a program. I know there are ways of checking through Windows Restore Points, but that's not what I'm trying to do. Instead, I'm going to start with an absolutely fresh Windows XP install, take a full snapshot of the entire installation on the hard drive, and burn that to a DVD (somewhat like a backup disc with an entire snapshot of my hard drive's current contents.) With every program I install, I'm going to take another snapshot, burn to DVD, and repeat the process until I have recreated every step taken to get to my current system state (all programs installed on a separate hard drive, all registry entries etc on the OS drive, with only snapshots of the OS drive being recorded.) The purpose for all of this I'm not legally allowed to talk about, due to confidentiality requirements. Does anybody know of such a program, preferably freeware, that will accomplish my objective, and are there tools that can be used to compare the difference in drive images?"

219 comments

  1. FOG might do it. by millia · · Score: 4, Informative

    Wow, quiet in here.

    FOG, aka Free Open Ghosting, at www.fogproject.org, will certainly take images of your hard drives; that's not a problem.
    And, I haven't played with it, but it has the capability to do install packages, so that meets the bit-by-bit portion of things.

    Like most open-source packages, FOG improves constantly, and recently, it's getting better by leaps and bounds.

    --
    stored on computers from birth to the grave
    1. Re:FOG might do it. by n1ckml007 · · Score: 3, Funny

      Windows key + E, then Alt+PrintScrn, then Ctrl-V to paste into MSPaint. There's your snapshot.

    2. Re:FOG might do it. by Moryath · · Score: 1

      Norton Ghost is fairly cheap and Ghost Explorer will allow you to "browse" the images. I'm not entirely sure on the comparisons angle.

      Trying to make an "alternative system rollback/savestate" program are we?

    3. Re:FOG might do it. by MrNaz · · Score: 2, Informative

      The best snapshotting tool I have found (I'm not entirely sure if this is what you are after, as the summary is not clear) is BartPE with the DriveImageXML plugin. It's free and legal, although you need a Windows XP disc to build the tool (no really, it's free and legal).

      I use it to install Windows fresh, add my apps, and then take a snapshot. If there is a virus attack or the install is otherwise dirtied, I can restore to a clean Windows install in around 10 minutes as opposed to the 2 or 3 hours it takes to get a bare metal box up and running with Windows plus all your apps.

      --
      I hate printers.
    4. Re:FOG might do it. by Gazzonyx · · Score: 2, Informative

      I've used FOG before, a few months ago, in fact. It just isn't production ready yet. IIRC, you had to install a service on the windows box, etc. The web interface was somewhat counterintuitive and left a bit to be desired. It also had a few rather annoying bugs. This may have changed since the last time I used it. I'd say that as it was a few months ago, you'll be pulling your hair out since it works just enough to let you see what it's capable of, and then falls through on delivery of said capability. Give it another few months if it isn't there yet, it will be great once it gets to RC maturity.

      I always fall back to using the PartImage live CD, or a live CD that uses partimage, and then booting a VM with the parted daemon to accept the incoming system image. It will GZip the image on the fly, then you can just split(1) and burn to DVD (dual layer burners are cheap now, but use archival grade media or DVD-RAM for long term storage... you'll thank yourself for spending the few extra bucks/pounds down the road.).

      Many live CDs have PartImage now, Trinity Rescue Kit, Ghost 4 Linux, Knoppix, System RescueCD (just had another release lately), and the rest of the usual suspects, as well as many forensics live CDs.

      FWIW, I have used partimage to mirror a Windows install on to another drive, and then back to the original again, and since you get a gzipped img file, you can use it with KVM, Xen, VMware (after conversion to vmdk or ovf). Check out Convirt for provisioning systems from a gzipped img file. It's also not production ready, but very cool nonetheless.

      --

      If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.

    5. Re:FOG might do it. by Anonymous Coward · · Score: 4, Interesting

      Norton Ghost is fairly cheap and Ghost Explorer will allow you to "browse" the images. I'm not entirely sure on the comparisons angle.

      Trying to make an "alternative system rollback/savestate" program are we?

      First, Ghost sucks. Not version 8, which was awesome, but the recent versions, which won't let you run ghost off the damn CD you paid for. No, you have to find an old copy and put that on a USB or other HD to run it from. B-tards.

      This guy isn't trying to make his own ghost, he's trying to clone registry keys and serial numbers so he can push a software install. So he's trying to clone Installshield, but in a way that magically provides great MSI compatibility to installers that don't already have MSI functionality.

      AKA the windows tech pipe dream. And I say this after my last post was called an anti-apple troll because I suggested a $299 emachine laptop was "good enough" for most people vs a $1500 macbook :p

      Oh and thanks to OP for the FOG link. Hadn't heard of it.

      Captcha: atheism - the practice of not believing Steve jobs is God

      Take that mods :)

    6. Re:FOG might do it. by kv9 · · Score: 1

      I use G4U. it can snapshot your system on a remote server and do all kinds of neat tricks.

    7. Re:FOG might do it. by BollocksToThis · · Score: 1

      And I say this after my last post was called an anti-apple troll because...

      To be fair, you do write a lot of crazy shit. I mean, what is up with all the gay/excrement stories?

      --
      This sig is part of your complete breakfast.
    8. Re:FOG might do it. by Anonymous Coward · · Score: 0

      Sounds as though all the person needs is regedit to dump the MSWinRegistry to a text file.

    9. Re:FOG might do it. by theantipode · · Score: 0

      I'm going to second FOG. We use it here at a small business (about 270 employees) for setting up new hires' machines. Build up an install image, sysprep, and upload it to the FOG server. We just boot new machines up with PXE, answer a few basic questions (mainly which image to use, and what the image's OS is) and it takes care of the rest.

      --
      When I am king, you will be first against the wall
      With your opinion which is of no consequence at all
    10. Re:FOG might do it. by Architect_sasyr · · Score: 1

      It is unfortunate that acronis don't offer a free solution, but (despite this fact) I'm still going to recommend them heartily for being solid and damned good. Judging by the fact that your work is "classified" I'm guessing they could afford to shell out a few bucks for the home edition. I've also seen hack jobs put together out of FreeDOS boot disks and file transfers.

      --
      Me failed English...
      FreeBSD over Linux. If my comments seem odd, this may explain...
    11. Re:FOG might do it. by jp10558 · · Score: 1

      If he actually wants to snapshot installers, then he could try Total Uninstall? Or he could try Emco.is and their RDK which has worked decently for me.

      If he actually just wants to snapshot a drive, then there's Seagate's tool that's a stripped down Acronis (free with a Seagate drive hooked up), or the full Acronis True Image (not free though)...

      --
      Opera, Proxomitron-Grypen,GPG 0x0A1C6EE3
    12. Re:FOG might do it. by xseedit · · Score: 1

      Clonezilla (www.clonezilla.org) is an Open Source cloning system with unicasting and multicasting. It's based on DRBL, Partition Image, ntfsclone, partclone, and udpcast, allows you to do bare metal backup and recovery. I like the fact that it can save images to just about anywhere (local, NFS, SMB, SSH) and that it supports any filesystem, even yet unsupported ones.

  2. Acronis by winterphoenix · · Score: 1

    Depending on how long you need to keep the backup, Acronis makes some great imaging utilities with free trials

    --
    I have the heart of a child. I keep it in a jar
    1. Re:Acronis by Anonymous Coward · · Score: 1, Interesting

      Be careful - Acronis restore doesn't work properly with many USB 2.0 external drives.

      It defaults to USB 1.1 speed.

      Consequently, restores from a USB drive can take literally several days.

      Check the Acronis True Image forums for many tales of woe about this.

      The answer seems to be to build a BartPE disc with an Acronis plugin, but the exact process is shrouded in mystery and uncertainty.

    2. Re:Acronis by Anonymous Coward · · Score: 1, Informative

      The newer versions of Acronis do in fact use BartPE/WinPE for building the bootable media, so this might no longer be an issue.

    3. Re:Acronis by schwinn8 · · Score: 1

      I agree - I have had no end of issues with Norton Ghost starting with version 9, but Acronis (though not free) has been utterly simple to use and totally worth it.

  3. I could tell you... by MikeV · · Score: 5, Funny

    ...but then I'd have to kill you. You know, confidentiality agreements and whatnot...

    1. Re:I could tell you... by Anonymous Coward · · Score: 0

      You're confusing Windows with Apple...

    2. Re:I could tell you... by NeverVotedBush · · Score: 1

      Ok, then MikeV would have to throw a chair at the OP.

      All better now... ;-)

  4. I know of a free trial... by Daryen · · Score: 3, Interesting

    The best tool I have ever used is Prism Deploy.

    It isn't free, but they do have a free trial. I've tried a number of programs to package executable programs and manage Windows images, but nothing has come close.

    I'm really interested to see if there are any freeware programs that come close.

    1. Re:I know of a free trial... by L4t3r4lu5 · · Score: 1

      We use Prism App Manager where I work to perform remote installations, and it's appalling.

      Prism is based upon taking a baseline image and checking for changes after an installation, which in itself is fine. You will get an identical installation of every package each time.

      The issue arises when you use an old package on a newly patched machine, and it overwrites a patched file with an older, unpatched version. This can happen when installing Office 2007 on a machine, then running an Office 2000 package, and is a real ballache when you've just ghosted a machine. (We have to use both side-by-side for continuity in coursework packages; A poorly thought out purchasing decision by the PHB gave us all the hard work. We should have just said "We're not installing it." and taken the flak, but hey... You live and learn...)

      Anyway, this is offtopic; The guy wants disk imaging, not distributed app management.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    2. Re:I know of a free trial... by Daryen · · Score: 3, Informative

      I agree, this is a poor choice if your only goal is a typical black box Windows image. However, listen to what the author was trying to do:

      I'm doing a little personal research into a project that tracks what changes get made to your system every time you install a program.

      As you know from using it, Prism Deploy allows you to see every single file change, registry change, file deletion, and file modification that has been made since the last snapshot. Sure, you could put all of that into an executable if you want and distribute that, but you could also save it as a prism image, and use that information to create your own package, or in the author's case, whatever undisclosed nefarious purpose he has in mind.

      I'm going to start with an absolutely fresh Windows XP install, take a full snapshot of the entire installation on the hard drive, and burn that to a DVD... With every program I install, I'm going to take another snapshot... all programs installed on a separate hard drive, all registry entries etc on the OS drive. [emphasis mine]

      I think that prism deploy (or a similar tool) would allow him to do this with minimal work.

    3. Re:I know of a free trial... by L4t3r4lu5 · · Score: 1

      Upon further investigation (R'ingTFA), I see you also wish for image comparisons.

      Prism certainly doesn't include this function.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    4. Re:I know of a free trial... by Anonymous Coward · · Score: 0

      I agree. I've been using Prism Deploy for almost two years now. It is excellent for taking a baseline snapshot installing a program or making other changes, and creating a package itemizing the differences afterwards.

      Pricing could be the killer, though; their target market is companies wanting to manage 100 devices or more. You will probably not get them to provide you with a one machine license. If, however, you are willing to buy licensing for that many computers, you will not be disappointed by this product.

      Don't bother buying the Prism Suite, though, as the patch management software is several steps down from Microsoft's free WSUS software, and has not had a major update in the two years I've used the suite.

    5. Re:I know of a free trial... by jp10558 · · Score: 1

      You could try the Emco.is Remote Deployment Kit - they license down to 50 PCs, and at $145 for the full Enterprise edition for those 50PCs, it's pretty cheap really.

      --
      Opera, Proxomitron-Grypen,GPG 0x0A1C6EE3
    6. Re:I know of a free trial... by Anonymous Coward · · Score: 0

      Unfortunately, I don't get a choice. The IT Manager uses what the supplier suggests, and they bundle Prism with their Admin Kit. We just get to suck it and see.

  5. Rsync is your friend by frith01 · · Score: 2, Informative

    If all you need is an indication of what files have changed, then just use rsync --only-write-batch=FILE

    http://samba.anu.edu.au/ftp/rsync/rsync.html

    If you need more detailed descriptions (especially for registry changes) you may want to export the registry files in a pre-script, then diff the registry entries.

  6. DIY by Anonymous Coward · · Score: 0

    The hard drive snapshot/comparison is easy enough with any number of *nix tools. The most straightforward would be cp and diff. In short: have a clean copy with an export of the registry (IMPORTANT!) in a fixed location. Make your changes, re-dump the registry. Reboot to Linux, copy everything, then create a diff with the original clean copy. As far as I know, that would be sufficient.

    1. Re:DIY by tomhudson · · Score: 4, Insightful

      Instead of just making a copy after each install, make your copy after you install a program, then copy the original "clean" image back to the drive. Otherwise, you'll never know if a second program would have installed some files that the first program already installed.

    2. Re:DIY by blincoln · · Score: 1

      While that is a better approach, I would argue that the entire concept of using a diff to try to determine what an installer is doing is usually a bad idea.

      It can be useful for troubleshooting, but most people (and software vendors) try this kind of thing to build "repackaging" installer-builders. It's a terrible idea.

      An installer may do completely different things depending on the system configuration. There is the factor you mention about existing file versions. If the user chooses a different install path/install options, has different OS components or software, etc. etc. that can potentially change things like registry keys or even the data inside binary files.

      Unless you're building for an environment that is 100% standardized on a particular model of device, with a consistent OS version/patch level, there's just no point. Use the vendor's own MSI's or other installers in silent mode - that's what they're there for!

      Using this type of approach for a pseudo-uninstall is equally dangerous, for similar reasons. Because Windows is such a hack-job for backwards compatibility purposes (which I think is the only option MS has, due to the public's perception that issues with backwards compatibility are their fault rather than the fault of terrible software developers), the only safe way to do this kind of thing that I can think of is what Vista does with its Windows-on-Windows (ew!) file and registry virtualization. It's a huge space hog, it's a waste of RAM (IMO), but it works.

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
    3. Re:DIY by tomhudson · · Score: 1

      I think we can agree that the registry is 100% Microsoft's fault :-)

      It was one of those design decisions that "sort of" seemed to make sense (if you were drunk enough), but that in retrospect was just plain wrong.

      That said, a diff of the entire filesystem between a virgin install and any particular program could be useful, especially when tracking down files modified by spyware or malware installs.

  7. Do it from your Linux partition by Anonymous Coward · · Score: 1, Interesting

    The easiest way is to run dual boot Fedora/XP. It will take you all of a couple of hours to install Fedora/Ubuntu/Whatever from a Live CD, partitioning the drive as required during the install. You can then backup the whole Win partition without Windows locking any files and what-not. Another approach is to add in another disk for that purpose, maybe a USB thumbdrive if your OS can boot from it.
    The other approach is to use a VM machine. There are some cut-down versions of XP designed to work well in them.

    1. Re:Do it from your Linux partition by Anonymous Coward · · Score: 0

      Every default installation of any Linux system should contain dd to backup a partition, a diff tool to find out the differences, and a patch tool to patch a system from one state to another.

  8. WinINSTALL? by dsginter · · Score: 3, Informative
  9. easy: by pinky99 · · Score: 1

    knoppix + dd

    1. Re:easy: by TheLink · · Score: 1

      I used to use knoppix + dd + lzop

      e.g.
      time dd if=/dev/sda bs=131072 conv=noerror | lzop -c > /mnt/backupdrive/20081111-machine1-sda.img.lzo

      (WARNING!!! Achtung!!! Do NOT typo the if=/dev/sda and make it of=/dev/sda there is a very big difference ;) )

      gzip might be fast enough on modern CPUs to give near max disk speeds.
      But I still only get about 33-35MB/sec with gzip on my core 2 duo for the first 1000 blocks of my drive (even cached!). lzop is much faster.

      The conv=noerror is to tell dd to ignore read errors. If you are getting read errors, that's the time when you probably want to try to get as much data from the drive before it stops working, rather than try again from scratch and add the conv=noerror flag ;).

      bs=131072 gives me OK enough speeds. Figure out what works best for your system - may be different for RAID etc.

      time is to help you figure out if something fishy happened - e.g. it finished a bit too quickly ;).

      --
    2. Re:easy: by Fweeky · · Score: 1

      dd_rescue > conv=noerror. It'll read in big blocks and when one fails, it'll drop the block size and retry, so you don't lose a 128k chunk when there's only one unreadable 512 byte sector.

    3. Re:easy: by TheLink · · Score: 1

      Sorry!

      Should be conv=noerror,sync

      --
  10. Xen? by SanLouBlues · · Score: 4, Interesting

    Sounds like a virtual environment is exactly what you need.

    1. Re:Xen? by Anonymous Coward · · Score: 0

      You could use vmware converter to turn your physical machine into a virtual machine then continue to make your changes to the virtual machine only and use the features of the vm-host (vmware/virtual box/virtualPC/etc..) to track the changes.

      I have a vague recollection that it's possible to track changes with the vm-host but I guess it all falls down if not. Do any vm hosts offer this?

    2. Re:Xen? by Khyber · · Score: 2, Informative

      No, I do not need a virtual environment.

      I want to do this on a level THE REGULAR COMPUTER USER CAN ACHIEVE. This needs to be easily and SIMPLY explained and proven in a court of law. As the machine I will be doing this test on will be the same machine admitted as evidence, it will be much simpler to have it all contained within a pure windows environment.

      ANYTHING requiring Linux or Unix will not be that simple, period, as this only involves the Windows OS and the BEST evidence is a direct comparison through the Windows OS itself (i.e. what Windows reports as having changed)

      I've almost gotten what I need from a built-in windows tool - the ol' DIR command. DIR /b /s /A:AHRS > File.txt but I need a comparison tool that will show me the differences (like a grep for windows) so I can track what got changed, how it was changed, and WHY.

      Registry comparison tools would be helpful as well.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    3. Re:Xen? by jp10558 · · Score: 1

      I think Total Uninstall will track all changes and show them, including registry changes between two scans it does. So you'd do a scan, do an install, scan again save that. Rinse and repeat... Not free, but $35 or so is cheap, and totally windows, though you do need to first install Total Uninstall...

      --
      Opera, Proxomitron-Grypen,GPG 0x0A1C6EE3
    4. Re:Xen? by Khyber · · Score: 1

      That would be nice except I wish to have *ONLY* the original OS install, and the programs which I will be installing, nothing more.

      Got anything that would work on a USB stick so the OS install isn't touched besides from what I plan on installing on it for the demonstration? Preferably freeware and will work in Windows itself (the comparison tool, whether it be for drive images or just filechange logs) so the average juror can understand it easier?

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    5. Re:Xen? by Anonymous Coward · · Score: 0

      I hope you're not running that off the host's OS, that's going to screw up a bunch of dates, and (with the state of modern spyware) can alter the contents of the system on every boot anyway.

      Honestly, anything involving Linux *can* be simple, period. Mount the filesystem read-only and nothing can be written to the disk being forensicized.

      Use a LiveCD.
      Mount your filesystem, READ ONLY, in /foo.
      cd /foo
      ls -alR > /tmp/filelist
      find /foo -type f -exec md5sum {} \; > /tmp/md5list

      To know what has changed: diff -C4 /tmp/older-md5list /tmp/md5list

      Back up these files at your leisure. These are the only files that have changed. DVD burning under Linux is not a big deal anymore in case you think it is.

      To find out *exactly* what changed, you're going to have to look at the files. To find out *why* you'll have to restore to the previous point, run your next step under a debugger, or wine. That's a whole 'nother can of worms.

      I haven't looked into them, but there's forensic Linux distros I've heard about, you pop in a CD and do your thing. If you're doing this for legal purposes, I'd advise you to familiarize yourself with this, and see if it fits your needs. You can treat it as a black box, get 'er done, and show the results under windows if you want.

    6. Re:Xen? by Anonymous Coward · · Score: 0

      There is a grep for windows; the entire GNU toolchain is available for windows.

    7. Re:Xen? by Anonymous Coward · · Score: 0

      Have you looked at sandboxie? http://www.sandboxie.com/

      You install apps in their own sandbox, and they are able to transparantly interact with normal system files. The trick is that changes are confined to the sandbox.

      It's also free, if I rememe

    8. Re:Xen? by jp10558 · · Score: 1

      Not that I know of... Perhaps Filemon/Regmon from sysinternals? But not nearly as easy to understand as Total Uninstall is. . .

      --
      Opera, Proxomitron-Grypen,GPG 0x0A1C6EE3
  11. Why? by ledow · · Score: 4, Interesting

    Personally, I use Ghost for imaging and if I want to find out what a program is doing, I run sysinternals File Monitor and Registry Monitor. They're real-time and don't record in a nice format but nothing really beats them on Windows. They've helped me diagnose hundreds of horrible modern and ancient installation programs used in an educational environment to allow network installation (why, exactly, do you need write access to C:\WINDOWS to run a Shockwave-based game for toddlers, etc.?).

    Linux/Unix has this much easier because it allows you to monitor EVERYTHING without massive binary blobs having settings stored in them, having settings locked to particular machines, etc. or things generally getting in your way. Windows, it's a pain in the proverbial.

    Even a lot of the professional MSI-Builders with their "discovery" modes are absolutely useless at working out what was actually a vital change and what was just the installer playing about, or the user changing their screensaver / explorer view preferences while they installed etc. I spend half my life cleaning MSI's of unnecessary cruft and inserting the entries that they miss. About 50% of automated install captures like this are useless for deployment to a different machine.

    Basically, despite the "secrecy" around your particular purpose (why did you have to mention that at all... it makes no difference to what you want and adds nothing to our knowledge), it's probably not worth the hassle. Before and after snapshots, or package the programs and MSI's and you'll find out everything you need along the way, with an actual, practical result at the end. Trying to diff a filesystem/registry image in any way is madness and is only useful if you can get a *perfectly* clean machine, a VERY good automated program to do it brilliantly, where you'll end up with a lot of cruft that isn't related to the program installation at all (e.g. event log entries, temporary files, taskbar icons saving their settings etc.).

  12. Virtualization by pipatron · · Score: 3, Insightful

    Do the install in a virtual machine like VirtualBox or similar. Then you can do as many snapshots you like directly.

    --
    c++; /* this makes c bigger but returns the old value */
    1. Re:Virtualization by Anonymous Coward · · Score: 0

      VirtualBox has very poor snapshot capability compared to VMware.

  13. Duh! by Anonymous Coward · · Score: 0

    Live Linux CD + dd + sdiff

    How tough was that?

    1. Re:Duh! by L4t3r4lu5 · · Score: 4, Insightful

      1. Download Linux Live CD (700mb).
      2. Boot to Linux Live CD. Find out your hardware isn't supported as MoBo is new.
      3. Download different Live CD.
      4. Repeat 2 and 3.
      5. Find Live CD which allows you to boot X. You're not a console monkey, so you need a GUI.
      6a. Wireless network doesn't work "out of the box." Find / make 30m patch lead to go from back of PC downstairs to your router. Download NDISWrapper and firmware. Configure wireless networking. Alternatively;
      6b. Look online for help using dd and sdiff, as you've never, ever heard of these applications.
      7. Read three different forums full of "OMG go bk 2 winbl0wz, n00b!11" posts regarding the same issue until you find one person who has managed to pry the information you need out of somebody with a small sense of community.
      8. Take image of Windows partition. Make coffee while you wait.

      Total time to complete, with downloading images: 9 hours 40 minutes.

      Total time to reinstall Windows XP, patch, and install games: 5 hours.

      THAT'S how tough it is. We're not all Linux users.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    2. Re:Duh! by Curmudgeonlyoldbloke · · Score: 2, Informative

      Live Linux CD + dd + sdiff

      How tough was that?

      The question is "Livecd + dd + sdiff what?"

      It's easy to get a dd image of a running machine this way (and just as easy to do it using virtualisation-solution-of-your-choice, as everyone who isn't saying "just use dd" is saying).

      It's slightly less easy to work out which files have been added, which modified, and which deleted, since you last did it. You'll also need to work out which were changes due to the new software that you installed, and which due to stuff that happens anyway. Changes to text files you may be able to work out what they're for by looking at them, but changes to binary files you can't.

      You also need to treat the Windows registry as one or more "files", which you can read with dd, but if you want to get any sense out of it you're going to need to dump it to text first and compare those.

      The really difficult bit is going through the sheer volume of data that you'll create doing this. How do you know that application a requires component c but didn't install it according to your diff because application b had already installed it?

      As part of my job I'll occasionally need to test the effect of a bit of new software in slightly different configurations and then retest it in the same configurations to make sure that it still does what it's supposed to do. Something like VMware is great for this (quicker than dd, because you're not booting off a CD every time you want to make a copy). Neither will help you analyze what's changed between image a and image b though.
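The read-only-mount, hash-every-file, diff-the-lists procedure given a few comments up, plus the added/modified/deleted classification this comment says is the hard part, as an added example that is not code from any poster in this thread. It assumes a POSIX shell with GNU coreutils (find, md5sum, sort, comm, tr) and awk; the function and sample-file names are my own, and compare_listings also covers the two plain DIR /b /s captures Khyber described, reporting only added and removed paths since a bare listing carries no hash.

```shell
#!/bin/sh
# Added example (not from any poster on this thread). Snapshot a mounted
# read-only filesystem as "md5  path" lines, then classify what changed
# between two snapshots as ADDED / REMOVED / MODIFIED.
# Assumes POSIX sh plus GNU coreutils (find, md5sum, sort, comm, tr) and awk.

# snapshot_tree ROOT OUTFILE
#   One "hash  ./relative/path" line per regular file under ROOT.
#   Point ROOT at the read-only mount of the disk under examination.
snapshot_tree() {
    ( cd "$1" && find . -type f -exec md5sum {} + ) | sort > "$2"
}

# compare_snapshots OLD NEW
#   Prints one line per difference. The path is taken from column 35 onward
#   (32 hex digits + two separator chars), so paths containing spaces such as
#   "./Program Files/App/x.ini" survive intact.
compare_snapshots() {
    awk '
        { hash = $1; path = substr($0, 35) }
        FILENAME == ARGV[1] { old[path] = hash; next }   # first file: baseline
        {
            seen[path] = 1
            if (!(path in old))          print "ADDED    " path
            else if (old[path] != hash)  print "MODIFIED " path
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED  " p }
    ' "$1" "$2" | sort
}

# compare_listings OLD NEW
#   Same idea for plain path listings with no hash, e.g. two "DIR /b /s"
#   captures copied off a Windows box: only ADDED/REMOVED can be reported,
#   and CRLF line endings are stripped so Windows-generated files compare cleanly.
compare_listings() {
    o=$(mktemp) && n=$(mktemp) || return 1
    tr -d '\r' < "$1" | sort > "$o"
    tr -d '\r' < "$2" | sort > "$n"
    comm -13 "$o" "$n" | sed 's/^/ADDED    /'
    comm -23 "$o" "$n" | sed 's/^/REMOVED  /'
    rm -f "$o" "$n"
}

# build_constructed_tree DIR  -- a tiny constructed "clean install" (sample data)
build_constructed_tree() {
    mkdir -p "$1/Program Files/App"
    printf 'kernel\n'    > "$1/ntoskrnl.exe"
    printf 'setting=1\n' > "$1/Program Files/App/config.ini"
    printf 'old lib\n'   > "$1/obsolete.dll"
}

# mutate_constructed_tree DIR  -- what a constructed "installer" did to it
mutate_constructed_tree() {
    printf 'setting=2\n' > "$1/Program Files/App/config.ini"   # modified
    rm -f "$1/obsolete.dll"                                     # removed
    printf 'new app\n'   > "$1/Program Files/App/app.exe"       # added
}

# demo: the before / install / after cycle on the constructed tree
demo() {
    work=$(mktemp -d)
    build_constructed_tree "$work/disk"
    snapshot_tree "$work/disk" "$work/before.md5"
    mutate_constructed_tree "$work/disk"
    snapshot_tree "$work/disk" "$work/after.md5"
    compare_snapshots "$work/before.md5" "$work/after.md5"
    rm -rf "$work"
}

if [ "${1-}" = demo ]; then demo; fi
```

Run it as `sh snapshot.sh demo` to see the three classified differences; against a real disk, call snapshot_tree on the read-only mount before and after each install and keep every .md5 file alongside the image you burn.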

    3. Re:Duh! by mrfriendly · · Score: 2, Funny

      I'm going for +5 Informative: http://en.wikipedia.org/wiki/Diff http://en.wikipedia.org/wiki/Dd_(Unix) At least by doing this you will educate yourself along the way. If you are opposed to self-education, here is another wikipedia entry for you: http://en.wikipedia.org/wiki/Ignorance

    4. Re:Duh! by couchslug · · Score: 1

      "THAT'S how tough it is. We're not all Linux users."

      I'll buy the live CD distro churning (BTDT), but among the reasons I enjoy Linux is that there are plenty of helpful folks who DIDN'T give me the "GTFO newfag" treatment.

      It's easy to find newbie forums and lurk before posting, and it was easy back in 1999 when I didn't know shit about computers let alone Linux.

      "Total time to complete, with downloading images: 9 hours 40 minutes."

      Seems reasonable, since learning new stuff is involved. Once ya are edumacated you have many more options at your disposal.

      "Total time to reinstall Windows XP, patch, and install games: 5 hours."

      No empowerment or tools for future use that way...

      If you prefer Win-centric solutions it's worth spending the time to learn Ghost via the Radified tutorial, how to build and use a live WinPE/BartPE CD to rescue your stuff prior to a nuke-and-pave, how to slipstream your XP install disk, how to have your updates handy on DVD by using the offline update tool, etc, etc. That takes longer than 5 hours too. :)

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    5. Re:Duh! by Anonymous Coward · · Score: 0

      You could've even used this cool new whizbang "WWW" dothingy people are calling Google:
          howto dd backup image

      All sarcasm aside, I've found articles and wikis the best first stop for general knowledge (which dd definitely is), and forums for digging into quirks of the situation.

      If you leave this with nothing else, here's a dd tip:

        1. Open man page ("man dd" command)
        2. Find out how and use a multi-MB buffer for input & output (ibs/obs).

  14. A good one pre-installed with windows... by Auroch · · Score: 3, Funny

    Well, I haven't read the article, but just hit prt-scr! Although, some computers require you to hit function+prt scr. Of course, linux and OSX have better screen shot tools built in. Linux also has GIMP, which does shots! Yup, clearly the answer is 'switch to linux'!

    Seriously, do we even need an article on this?

    ... I wonder how important the article is after all, but I'm too lazy to read it ... *sigh*

    --
    Quartz Extreme and Core Image. Are there any other real reasons to spend all that money on generic hardware?
    1. Re:A good one pre-installed with windows... by cosmocain · · Score: 1

      you know, there's just one word to describe that answer:

      ERM?!

    2. Re:A good one pre-installed with windows... by Anonymous Coward · · Score: 0

      try reading the summary at least ;)

    3. Re:A good one pre-installed with windows... by cosmocain · · Score: 1

      okay, it might be "DUH!" as well...

      i knew i would end up talking to myself - but i didn't see it coming that fast.

    4. Re:A good one pre-installed with windows... by Anonymous Coward · · Score: 0

      if you're kidding, this is funny. if you're not, well, you're funny.

    5. Re:A good one pre-installed with windows... by Anonymous Coward · · Score: 0

      The ratio of exclamation marks to text is high enough to say that yes, they're kidding (and in this case succeeding in being funny, although that doesn't always follow).

  15. Regshot at sourceforge by metaphorplay · · Score: 3, Interesting

    I would recommend regshot at sourceforge. GPL'd.

  16. Linux live cd by Judinous · · Score: 2, Funny

    1. Install program on Windows
    2. Boot to linux live cd of your choice
    3. cat inputdevice > outputdevice
    4. Repeat steps 1-3 as needed
    5. diff
    6. ?????
    7. NDA'd

  17. NTBackup by Anonymous Coward · · Score: 0

    NTBackup

    1. Re:NTBackup by L4t3r4lu5 · · Score: 3, Funny

      Mod parent -1 Sadist.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
  18. I'd use xVM by florin · · Score: 3, Insightful

    You might of course just use any hard drive imaging tool, but this is rather slow and clumsy, and it will use a lot of disk space (which isn't necessarily a problem if you really wanna burn a DVD every time). It might be easier and quicker to use one that supports incremental backups. I like Acronis True Image a lot but it is not free.

    If you mainly want to document changes done to a running system over time, virtualisation products might fit your purposes well. Most of them have some sort of ability to make snapshots. The popular free VMware Server only allows a single snapshot, but Sun's xVM is every bit as good and does multiple snapshots easily.

    1. Re:I'd use xVM by Anonymous Coward · · Score: 1, Informative

      Ditto. In my opinion, your methodology is insane and unlikely to produce anything of value -- Windows really is huge, and much of the data you're interested in is locked away past the filesystem level of abstraction -- but doing it with a VM makes a lot more sense than doing it on actual hardware. You can switch between states easily. You can retain easily-bootable, read-only copies of previous states (say, if you want to dump the registry). In any event, you don't tie up an entire computer for this project, and you don't rely on booting the target computer to fish information out of it.

      Seriously, virtualize.

    2. Re:I'd use xVM by Khyber · · Score: 2, Interesting

      virtualization takes TOO LONG.

      I'm going to be demoing this LIVE in court. That's NOT FEASIBLE AT ALL.

      I've got most of what I need - I just need a GREP tool for windows. DIR /b /s /a:AHRS > file.txt is fine for almost everything. I need a comparison tool.

      Does the command I listed above happen to record filesizes as well? The faster and quicker I can make this happen in court, the better off EVERYONE will be. It's gotta be simple enough for a JURY OF MINDLESS IDIOTS TO UNDERSTAND.

      In other words - LINUX, UNIX, etc IS FUCKING USELESS FOR MY REQUIRED TASK.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    3. Re:I'd use xVM by jp10558 · · Score: 1

      If you don't like my previous suggestion, you might try Cygwin? Then you do have grep...

      --
      Opera, Proxomitron-Grypen,GPG 0x0A1C6EE3
    4. Re:I'd use xVM by GNU(slash)Nickname · · Score: 1

      Whoa, dude. Switch to decaf.

      If all you wanted was grep for Windows, why didn't you just say so? 3 seconds in Google gets you about 6 different ones to try.

      Then again, if you are trying to compare two filelists, diffutils might be a better fit.

      I prefer the gnuwin32 variants myself.

    5. Re:I'd use xVM by Khyber · · Score: 1

      cygwin might work.

      So many suggestions, I'm having problems deciding which would be better:

      my original suggestion - the DIR command with all the extended parameters outputting to a text file - can be used to demonstrate changes made to the system and be used for demos

      Anon-inspired idea: Dual boot XP on separate hard drives within the same system, C as base comparison control, D with the software causing the problem - easier hardware forensics analysis and comparison

      Majorly recommended but not feasible for the average person/juror/tech-incompetent judge - Virtualization.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    6. Re:I'd use xVM by kitgerrits · · Score: 1

      ehm do you mean the 'fc' (File Compare) command that comes with windows, by any chance?

      If you need more, you might want to download a Windows version of 'diff', the standard UN*X tool for this sort of thing.
      It's available at:
      http://unxutils.sourceforge.net/

      Just copy diff.exe from the zipfile to c:\windows and you're set to go.

      Example: diff c:\oldregistry.reg c:\newregistry.reg

      Once you've enjoyed 'diff', you might want to look into 'find' in the same Zipfile.
      Example: find c:\ -ctime -2
      This will report all files that have been created within the last 2 days

      Enjoy!

      --
      "I was in love with a beautiful blonde once, dear. She drove me to drink. It's the one thing I am indebted to her for."
    7. Re:I'd use xVM by karnal · · Score: 1

      Why not two identical systems? I have a feeling even "dual booting" may not prove your point since the average person probably doesn't know what that even means.

      --
      Karnal
    8. Re:I'd use xVM by Anonymous Coward · · Score: 0

      With all of your anger and impatience, have you realized just how long ANY clean machine setup will take, especially stopping to take snapshots along the way? There is no way in hell you're going to get a jury to pay attention to the process of installing Windows, taking a snapshot, installing a program, taking a snapshot, and then diff'ing the two.
      Your best bet may actually BE virtualization - where you can start up a virtual clean machine that's been created previously - perhaps one that's just a minute away from finishing its Windows installation (I assume you need to demonstrate that you're installing Windows), install your program and do your differentiation.
      Or perhaps a tool that will in real-time tell you exactly what changes are being made to the computer - perhaps along the lines of a constantly-running antivirus or something similar - I know there are GPL tools like that available somewhere. The results from those are surprisingly easy to comprehend, and that would be very fast for your purposes, no snapshots required.
      Also, grep is not a comparison tool - it is a search tool. diff is the program you're trying to condescendingly tell people to find for you.

    9. Re:I'd use xVM by Anonymous Coward · · Score: 0

      Well fuck you then. Good luck in court *rolls eyes*.
      Your getting pissy is not going to make someone "make DIR fast". It's not. And "grep for Windows?" Give me a break. Find it yourself if you're going to blow your top.

    10. Re:I'd use xVM by Anonymous Coward · · Score: 0

      umm ? use cygwin grep for windows.

    11. Re:I'd use xVM by Khyber · · Score: 1

      going deeper than that, actually.

      The system, without too much detail revealed.

      1. Install fresh copy of XP on a full-formatted hard drive.
      2. figure out a reliable way to either DIR /B /S /A:ASRH > file.txt from a USB stick or make a RELIABLE image of the drive (at that stage, about 2 GB in size) with EVERYTHING, hidden, system, etc folders and files accounted for, all without needing to install another program directly to the drive I'm trying to image.
      3. Install the program that I believe causes the conflict.
      4. Repeat step 2 for the now-changed contents of the drive.
      5. Rinse, lather, repeat until I get past my burning capability (thankfully I install very little on my machine since I only do music, internet, and minor gaming, mainly emulation of consoles.)
      6. Use some program to compare the differences in results to point out where the problem in theory lies, then demonstrate that the problem itself lies within this program using that gathered data.

      The problem is I need this to be easy enough that an average mindless computer user can do it themselves and discover what's going on. That's the hardest part of all.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    12. Re:I'd use xVM by Khyber · · Score: 1

      Great suggestion - however I need this to be easy for the average clueless American computer user to be able to do and come to the same conclusion. I've outlined the details in a few of my responses to this thread, the most recent and updated idea/system in mind is in response to GNU above.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    13. Re:I'd use xVM by Khyber · · Score: 1

      Previous creation = possibility of tampering of evidence. No thanks. Something cleaner and faster, as I'm going to have to demonstrate this step by step. The jury can listen to other arguments while the install happens right there in the courtroom in front of them. The transcriptionist can easily re-read the record of events without any issues.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    14. Re:I'd use xVM by acheron12 · · Score: 1
      --
      there is no god but truth, and reality is its prophet
    15. Re:I'd use xVM by Stray7Xi · · Score: 1

      I think the way you asked your question led to confusion, since it appears you don't care about file contents.

      If all you want is diff, install diff, don't install cygwin if you're only going to use a couple tools. Most GNU tools have a windows build. http://gnuwin32.sourceforge.net/packages/diffutils.htm

      Some antivirus will hook write events (I know Avast can for example, I'm assuming Kaspersky can too), they do this to ask permission (allow? deny?), however if you set up the logging right, you could get a list of every file modified without it showing a dialog. However if you're working against a rootkit, it may do a hook itself and skip the antivirus altogether. However Kaspersky is pretty robust, so it could probably flag other suspicious events, which could be nice if you're trying to emphasize the software as malware. Most of Kaspersky's behavior settings are off by default.

      If you want hashes of files, you could try a forensics tool like encase. But it will examine even unallocated parts of hard drive (so use a small HDD).

  19. Partimage by horatio · · Score: 2, Informative

    I was looking into taking a snapshot of a fresh+patched windows install because I was tired of reformatting and then spending hours reinstalling+patching.

    I checked out http://www.partimage.org/ which seems to be the tool targeting what you're trying to do.

    For me, it didn't work out because the only apparent way to burn an image to disc is to have DVD+RW media and I didn't have the patience to wait until I could get to the store to buy the rewritables.

    --
    There is very little future in being right when your boss is wrong.
    1. Re:Partimage by dfdashh · · Score: 1

      While partimage is excellent software for cloning/backing up partitions at a high level, it does have its drawbacks. Specifically, it can't restore to a larger partition directly - you'd first have to restore to the same size partition and resize it (while not a big problem, it is still a hindrance for me at least). This makes it a little tricky for when your old disk fails and you want to upgrade capacity when you restore.

      Take a look at DAR for your purposes.

      --
      df -h /my/head
    2. Re:Partimage by ternarybit · · Score: 2, Informative

      Try PING (PartImage is Not Ghost) -- ping.windowsdream.com

      Very flexible, lots of driver support, backup from/to CD, HDD, USB drive, FTP or network share, and GPL'ed. Active forum, too.

  20. DD by jgtg32a · · Score: 1

    Just use DD it's easy

    http://www.ss64.com/bash/dd.html

    1. Re:DD by ratboy666 · · Score: 1

      Sure, I'll "second" that.

      Make sure the disk is zeroed prior to installing anything (dd if=/dev/zero of=/dev/sdb -- replacing sdb with whatever the drive actually is).

      Then partition the drive and install your software.

      To capture -- dd if=/dev/sdb | bzip2 >image.bz2

      I would use bzip2 instead of gzip for the slightly better compression. It would be possible to "delta" two images, but you didn't ask about it.

      This presumes unix (linux), possibly as a "live cd"; it may be workable with "cygwin".

      It is ALSO possible to capture just a single partition. Indeed, I would recommend this approach. Assuming you are using the first partition, partition the drive first. dd if=/dev/zero of=/dev/sdb1 to zero the drive. Install into that partition, and then dd if=/dev/sdb1 | bzip2 >image.bz2 to capture.

      MAKE SURE THE RECEIVING FILE SYSTEM IS NOT FAT32! You need something that will allow large files. ntfs or ext2/3 or something like that will work.

      The image.bz2 file can be decompressed and used with (say) VMware directly, or it can be mounted (mount -t ntfs -o loop image /mnt would work under linux).

      --
      Just another "Cubible(sic) Joe" 2 17 3061
    2. Re:DD by L4t3r4lu5 · · Score: 1

      Yeah, just like GP said... Easy!

      http://www.linux4dummies.com/WTFisSDBandhowdoIfindoutwhatmydriveactuallyis?

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    3. Re:DD by ratboy666 · · Score: 1

      Easy... is relative. Let's try to remove Unix (Linux) from the equation:

      There is a weird convention used with Windows for direct drive access:

      http://support.microsoft.com/kb/100027

      \\.\PhysicalDriveN for physical drives (0, 1, 2...), or \\.\X: for logical drives (C, D, E...). Of course, the mapping between physical and logical isn't particularly clear, given the partition tables on the physical devices.

      Under Unix (linux, here) /dev/sdx is physical drive x (a b c...), /dev/sdxn (1 2 3...) is a partition. It's indeed a bit easier (insertion of an "earlier" physical drive doesn't change the designations of other drives).

      But, even so, as "Administrator" on Windows, if you know the physical or logical drive, you can use the "COPY" command to duplicate the drive (I think -- never dared).

      COPY \\.\E: C:\IMAGE
      REM THERE IS NO STANDARD COMPRESSOR UNDER WINDOWS, USE ZIP

      "TYPE" may work to stream the data, oh, and you still have to replace \\.\E: with the designator for the partition (whatever it is).

      Does this help?

      --
      Just another "Cubible(sic) Joe" 2 17 3061
  21. Linux LiveCD by Lord+Byron+II · · Score: 1

    Get a Linux live CD and an external USB drive. Use rsync on the virgin installation and then you can use rsync to only archive the changes from that point on. If you are really stuck on having DVDs at the end of this, you can then merge the two rsyncs (the original with the changes) and burn that to disk.

  22. Horribly Inefficient by Ralish · · Score: 5, Informative

    What you're aiming to do is perfectly valid but the method you describe in order to achieve your goal is horribly inefficient; I'd be hard pushed to think of a more time-consuming and difficult way to achieve your goal. My tip:

    This sounds like an absolutely ideal scenario where you could benefit from virtualisation technology. Install the system you wish to "monitor" in a virtual machine. I come from the VMware world, and I can say that the snapshots feature of VMware Workstation would do exactly what it sounds like you want. Whenever you wish to capture an image of the present state of the machine, take a snapshot. Further, you can take as many snapshots as you please, these snapshots can be built on previous snapshots, and you can even have branching snapshots. Icing on the cake: only the differences since the last snapshot will be saved, so you'll save a huge amount of data versus burning complete snapshots to DVD.

    What next? Simple, mount the snapshots as a drive on the host machine and diff them using the tool of your choice. I use WinDiff for basic directory/file comparison, but there's a multitude of options out there. The only problem I can imagine would be you probably can't mount multiple snapshots simultaneously from the same virtual disk, but you could get around this by just making a copy of the VHD on your HD and mounting the second snapshot off that.

    By the way, there's likely other virtualisation products out there (e.g. VirtualBox) that can achieve what I described above, I'm purely using VMware Workstation as an example as it's my virtualiser of choice. Further, VMware Workstation is not free, VBox is.

    1. Re:Horribly Inefficient by orabidoo · · Score: 1

      confirmed. VirtualBox does a great job and is freeware (there's even a GPL version).

      even better, run VirtualBox on linux and create windows instances, then you have the best of both worlds: linux stability and security, and access to windows applications.

    2. Re:Horribly Inefficient by hAckz0r · · Score: 1

      I have to agree about the VirtualBox as a solution. If he makes a snapshot and restarts from that snapshot each time he could save a lot of time, and a separate snapshot OS/image could even be used for actually performing the delta imaging and comparison. The WinDiff on the other hand may be under powered depending on his actual purpose. If he is examining malware code he will need some more powerful tools to see what was actually changed, such as hidden NTFS data streams, raw disk sectors, etc. In that case some forensic tools might be a better bet in looking for that hidden information.

      Forensic Toolkit could help there

      http://www.foundstone.com/us/resources/proddesc/forensictoolkit.htm
      http://www.foundstone.com/us/resources-free-tools.asp

      There are lots of other Open Source forensic tools as well but this may get them started.

    3. Re:Horribly Inefficient by HTH+NE1 · · Score: 1

      Also, unless you're only ever installing on the system and no one ever actually uses it, you'll probably want to take snapshots immediately before installation as well as immediately after. Things change just from day-to-day use. You wouldn't want a restore after a bad install to lose all your work since the previous install.

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    4. Re:Horribly Inefficient by Anonymous Coward · · Score: 0

      Another option, given sufficient storage, would be to make copies of a baseline VM image. Make your changes on different copies and then mount as need to make comparisons.

    5. Re:Horribly Inefficient by Reziac · · Score: 1

      Tell me if I'm making shit up, but wouldn't it be possible to do it like this?

      Run two VMs.
      Install your setup in both.
      Add apps to the 2nd VM.
      Do a DIFF of the two running VMs.

      Dupe the 2nd VM to a 3rd VM, rinse and repeat the further steps.

      And so on, saving the DIFF info between generations of VMs.

      And only save DVD snapshots of each VM for "in case the process dies before I'm done, so I don't have to start over" and for archival documentation, but don't waste time DIFFing DVDs (which has gotta be WAY slower than DIFFing active VMs).

       

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    6. Re:Horribly Inefficient by Khyber · · Score: 1

      Virtualization is useless in a live demo in front of a jury that has NO CLUE what virtualization/Linux/Unix is.

      I must keep this simple and to the level the regular juror will understand.

      The full process goes like this.

      1: Install Windows on a freshly full-formatted HD.
      2: DIR /b /s /A:ASRH > file.txt to get a listing of every file present, hidden, system, read-only, etc.
      3: Install a program with a DRM feature
      4: Repeat step 2, then check with some form of GREP for windows or something to compare the two written output files.
      5. Demonstrate the damages caused by said DRM after installation to a jury.

      All this virtualization crap will take TOO FUCKING LONG. As of this point, all I need is a windows tool to compare the two output files, go to those files mentioned in the comparison, and demonstrate the point trying to be made in court.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    7. Re:Horribly Inefficient by Anonymous Coward · · Score: 1, Insightful

      You really come off as an ungrateful whiner with your all caps and swearing. Considering you're asking a lot of people for free advice on something, maybe you could act with a bit more respect and some manners.

    8. Re:Horribly Inefficient by Anonymous Coward · · Score: 0

      Well, the cash outlay for a copy of Trueimage (about $50 US for the home version which is all you'll need so long as you stick to basic NTFS partitions) isn't that bad.

      Make a base build, image it, etc.

      For real-time comparison of the two output files, I'd use Beyond Compare, which would also permit you to compare two drives' file systems directly as well (either chained together, or 2 identical computers, one with a before, and one with an after, image).

      HTH. HAND.

    9. Re:Horribly Inefficient by Anonymous Coward · · Score: 0

      Install cygwin as part of your system install, then do
          $ cd /cygdrive/c
          $ find . -type f -exec ls -al {} \; >~/before.txt
      Then install your DRM, run the find again, piping it to ~/after.txt. ls -al gives you date and size so any diff of the text files will show you the differences immediately.
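
      The before/after listing and comparison that Khyber's steps above and this find/ls suggestion both describe, as one added example in Python (not code from any poster on this thread): it records size, mtime and a SHA-256 per file, so a file rewritten in place with the same size still shows up, which a bare DIR listing would miss; saves the listing as text; and reports added, removed and modified files. The directory layout and file names in demo() are constructed for the example.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Entry:
    """Per-file record: size, modification time and content hash."""
    size: int
    mtime_ns: int
    sha256: str


def hash_file(path: str) -> str:
    """SHA-256 of a file's content, read in 1 MiB chunks; a symlink hashes its target string."""
    if os.path.islink(path):
        return hashlib.sha256(os.readlink(path).encode("utf-8", "surrogateescape")).hexdigest()
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, Entry]:
    """Walk root and record every file, hidden and system files included; keys are paths
    relative to root with '/' separators so C:\\ and a clone mounted as D:\\ compare cleanly."""
    snap: Dict[str, Entry] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order; os.walk does not follow directory symlinks
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.lstat(full)
            try:
                digest = hash_file(full)
            except OSError:
                # locked or unreadable (common for system files on a live Windows volume):
                # keep the metadata and mark the content as unread rather than abort
                digest = "unreadable"
            snap[rel] = Entry(st.st_size, st.st_mtime_ns, digest)
    return snap


def diff_snapshots(before: Dict[str, Entry], after: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Added, removed and modified paths; modified means size, mtime or hash differs."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def write_listing(snap: Dict[str, Entry], path: str) -> None:
    """Save a snapshot as a tab-separated text listing, one file per line."""
    with open(path, "w", encoding="utf-8") as f:
        for rel in sorted(snap):
            e = snap[rel]
            f.write(f"{e.sha256}\t{e.size}\t{e.mtime_ns}\t{rel}\n")


def read_listing(path: str) -> Dict[str, Entry]:
    """Inverse of write_listing, so listings saved at different times can be compared."""
    snap: Dict[str, Entry] = {}
    with open(path, encoding="utf-8") as f:
        for line in f:
            sha, size, mtime, rel = line.rstrip("\n").split("\t", 3)
            snap[rel] = Entry(int(size), int(mtime), sha)
    return snap


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a tiny 'clean install', then an 'install' that adds, rewrites
    (same size) and deletes a file. Listings go to a second temp dir so they are not scanned."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as out:
        def put(rel: str, data: bytes) -> None:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        put("WINDOWS/system32/drivers/etc/hosts", b"127.0.0.1 localhost\n")
        put("WINDOWS/system32/config.ini", b"mode=1\n")
        put("WINDOWS/Temp/setup.log", b"old\n")
        write_listing(snapshot(root), os.path.join(out, "before.txt"))

        put("Program Files/drm/driver.sys", b"\x00" * 16)        # added by the install
        put("WINDOWS/system32/config.ini", b"mode=2\n")          # same size, new content
        os.remove(os.path.join(root, "WINDOWS/Temp/setup.log"))  # removed by the install
        write_listing(snapshot(root), os.path.join(out, "after.txt"))

        return diff_snapshots(read_listing(os.path.join(out, "before.txt")),
                              read_listing(os.path.join(out, "after.txt")))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, *paths)
```

      Pointing snapshot() at a real volume root works the same way; run it from a boot medium other than the drive being listed if the listing itself must not touch that drive.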

    10. Re:Horribly Inefficient by Khyber · · Score: 1

      Now *THAT* might be an idea!

      Dual-boot environment - Two copies of Windows XP on separate hard drives would be almost perfect for hardware forensics analysis. I'm mainly dealing with software issues, but the issue I am addressing in court has been known to cause hardware problems as well. This might be a more useful approach.

      Thanks for the brilliant idea!

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    11. Re:Horribly Inefficient by Anonymous Coward · · Score: 0

      Thanks for the brilliant idea!

      Original AC here (Honest! *grin*) - Gosh, thanks :)

      A few other things I forgot to put in my original post: Beyond Compare v3 has a portable install - you'll probably want to use that in conjunction with Bart's PE (either on CDs or bootable USB memory sticks): That way you can boot from something other than the hard drives in question, and also avoid any issues that might result from so doing.

      If you're going to do it in real-time in a courtroom I'd suggest cheap laptops instead of PCs, easier to transport, no need for external monitors, etc. - just make sure that they are the same model. A USB 2.0 hard drive is also a good idea - image the first laptop to it as a file, then restore that to the other, etc. It also gives you a place to store multiple iterations of the image if necessary. I'd make backup images of both laptops once I had them the way I wanted them, just in case. In addition, with this setup, you could do it in front of a judge/jury in under half an hour, if you had to.

      You'll need an Ethernet crossover cable, too, to connect the computers together to create a 2-node network if you want to show the two drives side-by-side on one screen. And a way for the jury to be able to see all of this... VGA projector? SVHS output to a television/monitor? The latter would permit the demonstration to be recorded to videotape...

      Well, that's all the advice I have - good luck!

    12. Re:Horribly Inefficient by Khyber · · Score: 1

      Great input, I wish I could mod you up for this (possible slashdot feature in the future, creators of ask slashdot stories mod up the information they found helpful and useful alongside the other moderators?)

      I think while laptops would be easier all the way, they are pricey and we need to demonstrate on a machine well-capable of handling the system requirements for the software we're testing. That does get kind of expensive given the game requirements. (If you thought it was SPORE, sorry, not the problem in question, not nearly intensive enough.)

      You brought about another thought but after careful consideration I believe it's not feasible. However, you do bring to light another idea after consideration of the system I thought of and rejected.

      Can the MBR be modified to allow a multiple-install of the same image across multiple drives? I am not that technical, so that absolutely falls into the range of non-applicable for regular computer users. However, with the proper technical assistant to help me translate from geek to layman, we might be able to show that "Here are the differences, here are the tested functions in a clean environment, and here are the same functions in the infected environment."

      If I could modify an MBR quickly enough to just point it to another bootable partition on another physical drive, that'd be AWESOME. It'd save me on the two identical computer idea.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    13. Re:Horribly Inefficient by Anonymous Coward · · Score: 0

      try WinGrep? Google says you can find it here http://www.wingrep.com/download.htm or gpl'd grep for windows http://gnuwin32.sourceforge.net/packages/grep.htm

    14. Re:Horribly Inefficient by SouLShadow · · Score: 1

      ok, short answer: 1 computer, 2 identical, new hard drives, 1 windows installation to first drive and 1 disk image (of first drive) copied to second drive. use bios options to select boot drive.

      i'm no windows guru, but I've been following all your posts and i think this might be your best bet. not only can you boot and run either instance, but you can access the other hard drive from within windows to perform file comparisons.
      sure, it's slightly more complicated than i make it seem and your goals may require some additional work, but it's probably the simplest solution to the problem you've expressed.
      hope this helps.

    15. Re:Horribly Inefficient by neonfrog · · Score: 1

      A good generic file comparison tool I've used is Beyond Compare:

      http://www.scootersoftware.com/

      Has a 30-day trial and a reasonable cost.

      Why I'm replying to your ungrateful and horrible impoliteness is beyond me, though. I really like how you didn't say that virtualization wouldn't work in your original question, nor did you mention the scenario/target audience, yet you are insulting those who couldn't read your mind. Well done!

      --

      I'm thinking about it, therefore I might be.

    16. Re:Horribly Inefficient by Alsee · · Score: 1

      I think you may run into problems if you try running off an image on a different drive/partition. Windows generally looks at what drive letter it is on. If you have the base install on the C drive and boot an image on the D drive all of the registry entries and other stuff are still going to point to the C drive. Trouble.

      I think what you need is two identical drives, and then physically swap the connectors so that the C drive becomes D and D becomes C. Then you can still work with a single PC.

      You might want to arrange something special maybe mounting the drives on a piece of wood outside of the case or something for easy access, with longer drive cables. Swapping the connections to the two drives isn't very hard. There should be a couple of people on a jury with the minimal skills to pull and insert drive cables.

      It also shouldn't be too hard for most people to follow what is happening, just be sure to put clear labels on the cables and the drives. Label one cable as the C active operating system cable and the other as the D with some term indicating it is the second inactive drive, and clearly label the two drives appropriately.

      I'm not sure if you always want two drives attached and to work by swapping the cables, or maybe only attach one at a time during the demos and DRM installation, and then to boot with both attached for the comparison step. It's tough to say which is conceptually simpler for the jury. What is going on in the first two steps is simpler and clearer if you only attach one drive at a time, however then they have to follow the idea of attaching both and how that works. It might be simpler to always connect both and to swap - then there's only two hardware configurations to follow (C:clean D:DRM and C:DRM D:clean, rather than three C:clean, C:DRM, plus C: D: dualdrive).

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    17. Re:Horribly Inefficient by Khyber · · Score: 1

      I've dropped the idea of using an image. I think it'd be simpler to just Install Windows on both hard drives individually so there's a record in the MBR of an install on C and an install on D. Then infect the D drive with DRM. From there it should be easy enough to use some USB or CD-bootable tool to compare what got changed between the two drives.

      Still thinking about the old DIR /B /S /A:ASRH > File.txt, but need more time to figure out how to implement it, if I should at all. I could run it from the clean Windows install and check on the infected install.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  23. That's a lot of work just to keep windows working. by Anonymous Coward · · Score: 0

    Consider that when you think about the additional cost of a MAC or the learning curve of Linux....

  24. liveCD by Fëanáro · · Score: 1

    Just boot from a liveCD, then clone the drive?

    That would make sure that your clone is consistent, and since you cannot continue working with the pc while the cloning is in progress (that would certainly make it inconsistent), there is not much disadvantage in rebooting.

    If you want to get fancy, install a second OS, and make a script that upon booting that OS automatically clones the first OS and then reboots. Any linux can do this easily.

    Since you also have a second drive, the burning to dvd can happen later.

  25. Already free and included in Vista by Anonymous Coward · · Score: 1, Informative

    It is called the Shadow Copy. It will give you snapshots of the drive state periodically and all the changes (this is not Restore Points). More info can be found here...

    http://sansforensics.wordpress.com/2008/10/10/shadow-forensics/

    1. Re:Already free and included in Vista by fiordhraoi · · Score: 1

      It is called the Shadow Copy. It will give you snapshots of the drive state periodically and all the changes (this is not Restore Points). More info can be found here...

      http://sansforensics.wordpress.com/2008/10/10/shadow-forensics/

      Shadow copies do NOT track system changes. They track file changes only. Also, they would be unreliable for this sort of thing as the length of file retention is inherently unstable - the oldest shadow files are constantly being overwritten with the newest.

  26. mtree by Anonymous Coward · · Score: 0

    http://blogs.techrepublic.com.com/security/?p=283

  27. Clonezilla by Anonymous Coward · · Score: 0

    Clonezilla works well to take snapshots. http://www.clonezilla.org It's written around ntfsclone.

    If you are just doing one machine, the Live CD works fairly well. Otherwise, FOG is a prettier server environment.

  28. Installrite by Anonymous Coward · · Score: 0

    http://www.epsilonsquared.com/

    It will log and report all changes installs make.

  29. I use because of family (children f* everything up) by Hugorm · · Score: 2, Informative

    I use http://www.clonezilla.org/ to back up the HD. Normally I only back up the partition the system is on; on a 100GB HD I take 20 GB for the backup. Then it doesn't take me 3-10h to install Windows + programs + setup, it only takes 10 mins to get back on and the children can play again. First time I said to my border nothing can go wrong, it took him 10 mins to fuck Windows up :) he was 6 at that time

  30. Shockwave installs system files for it to run by Joe+The+Dragon · · Score: 1

    Shockwave installs system files for it to run

    C:\WINDOWS\system32\Adobe\Shockwave 11

    the game may have needed to install an Xtra for Shockwave

    C:\WINDOWS\system32\Adobe\Shockwave 11\Xtras

  31. So sorry, by Anonymous Coward · · Score: 0

    I've already patented that.

    Love,

    Bill G.

  32. Novell Zenworks for Desktops Snapshot Utility by Anonymous Coward · · Score: 0

    www.novell.com

    1. Re:Novell Zenworks for Desktops Snapshot Utility by DaPh00z · · Score: 1

      While this is not free as requested by the original askslashdot poster, I would also mention SnAppshot from Novell. It sounds like it will be exactly what he/she is looking for. I've used it in the past to snap an OS, install software or reconfigure something, and then snap again to list all of the registry and file changes. It worked really well and made it possible to script some automation into our task of configuring a large number of workstations.

  33. Wise Package Studio by Anonymous Coward · · Score: 0

    Wise Package Studio will let you install apps watching exactly what changes are made to the system - also, you can repackage the app installer pretty much automagically to then remove exactly what was installed - effectively rolling the system back to its pre-app-install state. Comes w/ a 30 day free trial and there's plenty of documentation/guides/tutorials if you look.

  34. dd + cygwin by pak9rabid · · Score: 1

    Try cygwin + dd.

  35. Macrium Reflect by Darksun · · Score: 1, Informative

    Is free for personal use, makes images, creates a boot CD for recovery. Very slick program.

    --
    *tap tap tap* this thing on?
  36. Personal Research + Confidentiality Req. = ?!?! by Anonymous Coward · · Score: 0

    What did you do? Sign an NDA with yourself?

  37. Microsoft BDD by Taywen · · Score: 1

    Check out the Microsoft Business Desktop Deployment software. Free and pretty easy to set up and use.

  38. sysprep by Junta · · Score: 1

    Is there a reason why sysprep wouldn't work? It's already on your system I would wager.

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:sysprep by orclevegam · · Score: 1

      For those of us that spend a little less time in the Windows world, care to enlighten us on what sysprep is? I'm familiar with a few of the less used Windows applications, but I've never heard of sysprep before.

      --
      Curiosity was framed, Ignorance killed the cat.
    2. Re:sysprep by Junta · · Score: 1

      c:\windows\system32\sysprep.exe

      It basically prepares a system for image capture. I suppose that was incomplete.

      imagex is what I meant. It's the MS tool to archive up a system and apply it, doing whatever magic Microsoft blesses for imaging a system. It's akin to cpio, except it has an XML index to multiple images (which can have inter-image references).

      --
      XML is like violence. If it doesn't solve the problem, use more.
    3. Re:sysprep by Anonymous Coward · · Score: 0

      For those of us that spend a little less time in the Windows world, care to enlighten us on what sysprep is?

      Sysprep is the Windows System Preparation tool, and one of the things that it can do is remove the SIDs (Security Identifiers) from the Windows Registry - when you next boot, a new, unique, SID is generated for the computer, if the option to do so was selected (and usually you want to).

      Generally, you make an image of the hard drive after Sysprep shuts the computer down, and then deploy that image onto new computers.

      How to Use Sysprep: An Introduction is a pretty good place to read up on it.

  39. PING (Partimage is not Ghost) by Anonymous Coward · · Score: 0

    http://ping.windowsdream.com/
    Can backup/restore partitions over a network or to a CD/DVD, maybe it's what you need.

  40. Full Drive Image by Anonymous Coward · · Score: 1, Informative

    Try http://www.feyrer.de/g4u/ It does full drive imaging at block level, and is free. It gzips the image, but you can unzip them and do a binary compare against them. Though storing complete drive images like this is going to be awfully painful, especially if you plan to burn them off to DVD.. As for the compare, there are a few free tools around there.

  41. g4l by digitalhermit · · Score: 2, Informative

    There's a tool called Ghost 4 Linux that might do what you need. You boot with the g4l disk on your backup target. You can then specify a remote server or a local storage device to create the image backup. It doesn't matter what OS is being stored as it's a physical image.

    Files can be very large because it copies sectors, not files, so even deleted files can take space. To minimize this there are some disk zero utilities that will zero out the unused space on your drive.

    I use it often for backing up my Windows laptops.

  42. Sounds like you need a packaging solution? by miffo.swe · · Score: 1

    From what I can understand, what you really want to do is compare the differences between the installations of different apps? If that's the case any old MSI packaging solution will do the trick much better and with much greater detail. They almost all have a very handy function for tracking every single thing an application does on your computer. Some, like Emco's, are very easy to use and have a very clear and consistent interface for displaying the changes made. I assume you're not after what Windows XP does but rather what installations do.

    For example, buy Emco Package Manager, install it on your pristine XP install. Start Emco and put it in recording mode. Do an installation / alteration / run your evil application of choice and stop the recording. Then you have all the alterations on screen easily readable.

    --
    HTTP/1.1 400
  43. Acronis TrueImage by jrronimo · · Score: 1

    My weapon of choice is Acronis TrueImage. Allows for complete drive imaging over a network, etc. They offer BartPE files so you can make a boot disc, though.

    I use the boot CD all the time for rescue and recovery.

    1. Re:Acronis TrueImage by maxume · · Score: 1

      My retail box came with a boot CD.

      I'm supposed to download the update and make my own though (but I haven't had any problems, so I haven't done it).

      --
      Nerd rage is the funniest rage.
  44. Freeware by SteveHencye · · Score: 1

    I would try something on download.com or just try a good google search. Seems like an interesting project. Good luck. -Steve

    --
    -Steve "The Geek" Hencye
  45. Two suggestions by bhoar · · Score: 1

    I don't have any free tools to recommend. With that in mind...

    1. Many of VMWare's commercial tools have built in capabilities for storing multiple revisions of a computer configuration in as little space as possible - each different install can be a change set keyed off a previous install. Of course, you have to stick to virtual machines for this to work.

    2. For my day to day personal Windows hardware I use DriveSnapshot ( http://www.drivesnapshot.de/en/home.htm ). It can perform image backups of the running system (even the boot disk). In addition, it gives you the ability to perform Differential backups which store only the changes from the root backup. It also is able to reduce IO on the differential backup by a) only reading allocated space on the source drive and b) storing a hash file for each root backup so that you don't need to perform as much IO on the backup target volume.

    You can download a 30-day-ish trial for free. After 30 days, you can still restore from those backups, but if you want to continue to back up, you need to buy it.

    It has some super sneaky hackerish administrator-friendly capabilities. e.g. the same executable runs in both windows as a GUI and DOS (even a DOS floppy) as a command line, you can create network boot disks for network restores from a samba share, etc.

    And lastly, the author (Tom) is good at responding to email.

    -brendan

  46. some sticky points by BillAtHRST · · Score: 1
    While there are a number of ways to capture and diff information (VMs probably being the best), the diffs may be a bit hard to interpret, depending on what you're trying to identify -- otherwise diffs will just show you that two files have different bit patterns, but what do those bits mean?
    Two areas immediately spring to mind:

    - the registry is probably the most important object you want to monitor, so you'll need to somehow export the registry into a diff-able format.

    - windows also uses "structured storage" (basically a filesystem in a file) for a lot of things -- you'll also need to be able to export those somehow?

  47. Easier approach? by Anonymous Coward · · Score: 0

    Get Process Monitor from Microsoft; it monitors files, registry and process/thread activity (the last of these not so interesting to you for this). There are filters you can apply so you don't have to see all the failed attempts to read registry keys.

    It won't help you if your program does stuff at shutdown/startup though.

    1. Re:Easier approach? by Khyber · · Score: 1

      Process Monitor is blocked by the issue I'm encountering.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  48. Several Options by Anonymous Coward · · Score: 0

    * DriveImage XML is free for personal use

    * Acronis True Image is not free ($50) but does support incremental image backups (which would be very useful for your needs.)

    * If you have a Seagate Drive, you can use DiskWizard from Seagate (which is a version of Acronis True Image.)

  49. Process Monitor by alancronin · · Score: 1

    Either use VMWare or a tool called Process Explorer / Process Monitor. These will do what you need.

  50. ZFS by DiSKiLLeR · · Score: 1

    If only Windows ran on ZFS :(

    Us Solaris peeps do *exactly* this. Take a snapshot immediately after install, take another snapshot after configuring the system, take any additional snapshots later...

    I would post an output from zfs list showing all the snapshots taken on the root filesystem, but unfortunately slashdot's lameness filter REFUSES to cooperate telling me to use fewer junk characters :(

    FreeBSD http://wiki.freebsd.org/ZFS and MacOSX http://www.apple.com/macosx/snowleopard/ will soon have proper ZFS with boot support.... and Linux's ZFS-Fuse Implementation is great. Hell, it won't be long before Windows will be the only (worthwhile) OS that will be without ZFS soon.... maybe Microsoft should abandon WinFS (oh yeah, they did) and just port ZFS over.

    --
    You can tell how powerful someone is by the magnitude of the crime they can commit and be able to get away with.
    1. Re:ZFS by Fweeky · · Score: 1

      FreeBSD's UFS2 supports snapshots too, though they're not as efficient as you might like.

      I'm pretty sure NTFS supports snapshots in the form of the volume shadow copy service, but they're not as clearly exposed to the user.

  51. This isn't exactly free... by Anonymous Coward · · Score: 0

    ...but it seems like everyone else is out of ideas.

    www.martau.com - Total Uninstall

    There's a free trial, though. It lets you launch an installer inside of itself and records every registry, file, etc that is changed, added or removed by the installer (can have other uses besides installers of course).

  52. Confidentiality agreement for personal project? by Anonymous Coward · · Score: 0

    You know that the American legal system has gotten out of hand when one has to worry about breaching a confidentiality agreement for personal research.

  53. WDS - ImageX - Mount WIMs and compare files by Marble68 · · Score: 1

    Have you tried the free partition imaging tool from Microsoft, WDS? Build a server with DHCP, install WDS and configure PXE boot. Then, after each step, you can boot off the network and create a WIM file. The nice thing is you can mount the WIM files on "mount points" which appear as folders. This is very handy as you can then do deep analysis of the files at a bit level. You could literally compare two folders and all contents and tag only the files that have changed. Of note: WDS and ImageX only capture the files. If you are doing rootkit or virus research, some of these may do some funky stuff with the file system which may not be picked up by ImageX. But otherwise, this is a free solution with the added benefit of using the same tool (imagex) to allow you to "mount" a WIM file for analysis. HTH! Marble68

    --
    /me sips his coffee and ponders a new sig...
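
The "list every file, then compare the lists" approach several posters describe (Khyber's DIR /B /S listing, the mounted-WIM folder comparison above), as an added example that is not code from any poster: a Python snapshot/diff over two directory trees keyed on relative path with size and SHA-256, so modified files are reported alongside added and removed ones. The sample trees are constructed inline; on real drives you would point snapshot() at the mounted clean and altered trees, and as BillAtHRST notes this covers files only, not the registry.

```python
"""Snapshot two directory trees and report what changed between them (added example)."""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FileRecord:
    size: int       # -1 when the file could not be read
    sha256: str     # hex digest, or "unreadable"


def _digest(path: str, chunk: int = 1 << 20) -> str:
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, FileRecord]:
    """Walk root and record every regular file, keyed by its path relative to root.

    Hashing every file on a full drive is slow; it is the price for catching
    in-place modifications that a bare directory listing would miss.
    """
    records: Dict[str, FileRecord] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlinks / reparse points: do not follow out of the tree
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                records[rel] = FileRecord(os.stat(full).st_size, _digest(full))
            except OSError:
                # locked or unreadable (pagefile, hiberfil): record it, do not abort
                records[rel] = FileRecord(-1, "unreadable")
    return records


def save_snapshot(records: Dict[str, FileRecord], path: str) -> None:
    """Persist a snapshot as tab-separated text so it can be compared later."""
    with open(path, "w", encoding="utf-8") as fh:
        for rel in sorted(records):
            r = records[rel]
            fh.write(f"{r.sha256}\t{r.size}\t{rel}\n")


def load_snapshot(path: str) -> Dict[str, FileRecord]:
    records: Dict[str, FileRecord] = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            sha, size, rel = line.rstrip("\n").split("\t", 2)
            records[rel] = FileRecord(int(size), sha)
    return records


def diff(before: Dict[str, FileRecord],
         after: Dict[str, FileRecord]) -> Tuple[List[str], List[str], List[str]]:
    """Return (added, removed, modified) relative paths between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return added, removed, modified


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo() -> Tuple[List[str], List[str], List[str], bool]:
    """Constructed sample: a tiny 'clean' tree and the same tree after a pretend install."""
    base = tempfile.mkdtemp(prefix="snapdiff_")
    try:
        clean, after = os.path.join(base, "clean"), os.path.join(base, "after")
        sample = {
            "Windows/system32/kernel32.dll": b"K" * 4096,
            "Windows/win.ini": b"[fonts]\r\n",
            "Documents/old.txt": b"old",
        }
        for root in (clean, after):
            for rel, data in sample.items():
                _write(root, rel, data)
        # the pretend install edits win.ini, drops a DLL into system32, deletes old.txt
        _write(after, "Windows/win.ini", b"[fonts]\r\n[extensions]\r\n")
        _write(after, "Windows/system32/Adobe/Shockwave 11/sw.dll", b"MZ" + b"\0" * 64)
        os.remove(os.path.join(after, "Documents", "old.txt"))
        before_snap, after_snap = snapshot(clean), snapshot(after)
        snap_file = os.path.join(base, "clean.tsv")
        save_snapshot(before_snap, snap_file)
        roundtrip_ok = load_snapshot(snap_file) == before_snap
        added, removed, modified = diff(before_snap, after_snap)
        return added, removed, modified, roundtrip_ok
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for label, paths in zip(("added", "removed", "modified"), demo()[:3]):
        print(label, paths)
```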
  54. Anonymous Coward by Anonymous Coward · · Score: 0

    SpyMe tools: http://www.lcibrossolutions.com/spyme_tools.htm

  55. rdiff-backup by Anonymous Coward · · Score: 0

    use rdiff-backup for windows

    only stores the diffs

    makes full reports of the files that have changed each time!

  56. macrium reflect by Anonymous Coward · · Score: 0

    I'm using macrium reflect for a similar purpose

  57. Why did this even get posted? by Anonymous Coward · · Score: 0

    dd, partimage, ntbackup, mkisofs, etc. There are dozens of free options to take incremental backups or snapshots of your system.

    partimage seems like it might be what you're looking for specifically. I like to use the system rescue cd (http://www.sysresccd.org/), which has partimage, for this sort of thing.

  58. Imgdeploy and ImageX are free by jwillis84 · · Score: 1
    Microsoft once upon a time used a version of Powerquest Deploycenter or something like it.

    They bundled a tiny copy in ADS 1.0 (Active Deployment Services or something like that) as imgdeploy; at 512 KB it's likely to be the smallest utility you can find for free (as in cost, not code) from a commercial software company that can do basically anything Ghost can do. It's block based so it should be fairly flexible operating system wise. The only difficult thing is downloading the large wrapper that is ADS 1.0 and sifting through it just to get the imgdeploy.exe. The same binary does capture and deploy.

    If you have a mini-me operating system like the winpe, bart or something you could wrap a .hta application to give it a smiley interface, otherwise you can figure out how to use it from the cmd prompt usage message. You don't really have to read the docs.

    In ADS 1.1 I believe they replaced this with ImageX which is a small utility for creating wimages.. think swim-sandwiches.. and you'll get the pronunciation. Wimages based on the .wim (no I'm not kidding ;-) whimsical isn't it?) are file based and go hand in hand with Vista installations. They might be more to your liking if you're thinking incrementals since they are file based.

    There is a tar like utility for windows called str or something that is very tiny and does the streaming archive thing.

    There are a bazillion answers to this.. but those should get you started.. and don't forget Bacula if you have a fast gig switch.. you probably need to get the images off and on your hard disk fairly fast.

  59. Regsnap will get your registry changes. by Airioch · · Score: 2, Interesting

    Regsnap from LastBit Software will snapshot the entire registry and system file lists (if you want it to) and save it out to a file. Once you make your changes or installations you can snapshot it again and then directly compare the two files and generate a difference file of all the changes to the system. It's a fairly useful utility for capturing what installers/applications do to Windows based systems. Unfortunately it's not free.

  60. Microsoft provides imagex to do the job - FREE! by Anonymous Coward · · Score: 0

    I know everyone hates Microsoft, but they actually provide a free imaging tool which includes the ability to edit those images.

    http://technet.microsoft.com/en-us/library/cc722145.aspx

    Microsoft provides even more tools, all free.

  61. Re:ZFS on FUSE by danpritts · · Score: 1

    So you say "ZFS-Fuse is great".

    You're the first person I've heard say that; everywhere else I see "horribly slow" and similar comments.

    I take it you've actually used ZFS under FUSE on linux?

  62. Anonymous Coward by Anonymous Coward · · Score: 0

    You don't need any of those crap programs. www.epsilonsquared.com
    get InstallRite

    It's free.

    takes a snapshot of registry, ini files, file system etc... you install everything you want. (you can do every step after the bare XP install if you want, although I recommend after drivers are in properly.)

    it makes a single self exe file, click and you're done. Office 2003 for example took like 1 min to install tops.

    want to deploy across the network? just make an oldschool batchfile and use PSEXEC from the microsoft PSTOOLS suite. (glad they bought out a good company :) )

    InstallWatch is another useful one, when you want to see what those pesky setup files are up to in case you want to make some "adjustments" later ;)

  63. This wouldn't happen to do with... by Anonymous Coward · · Score: 0

    Securom or anti-piracy measures would it?

  64. imagex? by Anonymous Coward · · Score: 0

    Microsoft has a tool like this called imagex, which is a free download. AFAIK you can even use Windows Setup from Vista to install said snapshot. And yes I believe it can install XP images too.

  65. if people are going to put up not free options by Anarke_Incarnate · · Score: 1

    then you have to look at drivesnapshot. Drivesnapshot.de is the website, it isn't "cheap" but not expensive and worth EVERY penny. This plus the software at runtime.org for data recovery and you are set for $200

  66. I wish I could remember what it was called! by Anonymous Coward · · Score: 0

    I used to work for a company in the UK and we did something very similar.
    There was a very old little app we ran on a VM install of XP (native company wide OS).
    You'd use it to snapshot the system, then install the program, do another snapshot and compare.
    It would show you all the registry changes, DLLs, system writes, and application files.

    Using that info we'd create custom packages to allow AD to roll them out to machines as requested over the network.

    The software was hideously old. Garish GFX and for the life of me I cannot remember what it was called.
    The IT dept there has been outsourced to IBM now and no one remains, else I'd ask them and still be using it to this day!!

    Damn annoying when you know the tool exists, but google is no help :o/

  67. Total Uninstall 3 by Anonymous Coward · · Score: 0

    You want Total Uninstall. I'm using Total Uninstall 3 and it does a scan before and after, and tells you summary and detail of all the changes, so that you can completely roll back or just see what files/folders/registry items were affected.

  68. installwatch pro? by dinkdinkdink · · Score: 1

    I have used the freeware installwatch pro software for similar purposes. It is not perfect, but allows you to take a snapshot of all files and reg keys prior to performing 'some' action (browser option change, software install, etc.). After you finish the action, you perform another snapshot and it traps the deltas across filesystem - file add, delete, modify - including .ini changes and also reg key add/del/change activities.... It also stores the deltas by whatever you wish to name the change, for future reference.. Installwatch Pro - http://epsilonsquared.com/ They have another tool, install rite, which I am unfamiliar with...

  69. clonezilla live is your friend by Anonymous Coward · · Score: 0

    clonezilla live is a live CD, you can boot from the live CD on your computer, and back up the disk or partition to another mounted partition or remote nfs, samba, sshfs....

  70. Re:I use because of family (children f* everything up by Anonymous Coward · · Score: 0

    Are you sure *you're* not six years old?

  71. Very not free but... by Seraphim_72 · · Score: 1

    Sounds to me that you might look into the API of Thinstall. It has to keep track of all changes so that it can run a packager. I have played with a few apps that have been created from it and they seem to work great. I imagine that if the API is good getting to that info and even tweaking it might be possible.

    Sera

    --
    Slashdot, where armchair scientists get shouted down and armchair theologians get modded up.
  72. regsnap/ntbackup differential by Anonymous Coward · · Score: 0

    Regsnap .. for comparing two points in time of the registry. It has the ability to create redo and undo .reg files which is quite handy.

    NTBackup can use volume shadow copies and is included in XP/2003 etc. You could then restore these two or more images to a central point and do a comparison. You can also create a 'DIFF' file, which in your scenario, I believe would suit you best. i.e., NTBackup will only back up the changes from the first point in time, effectively negating the need to do some kind of md5/checksum verification of changes in the filesystem. You can simply restore the file changes to a location -- the registry will almost certainly have changed and so as such the regsnap tool I mentioned earlier.

    regsnap is commercial but will run for a trial period.

    goodluck

  73. Might I offer an alternative? A little Off-Topic by psychrow · · Score: 1

    I have been using a Windows XP setup based around Faronic's Deep Freeze for the past few months now and my system is, for the most part, "bulletproof". (Believe me... I also cringe whenever anyone uses that phrase unintelligently, but until I see otherwise, this is how I term this setup)

    Let me start with a little understanding of what exactly Deep Freeze does... because this is the part that I didn't grasp fully until a few months ago. It can set up a drive, or drives on your system to be what is called "frozen". Frozen meaning any changes done to the system are removed upon next boot.

    The altered state of frozen is what is termed appropriately as "Thawed". Thawed meaning any changes done to thawed drives are retained.

    My setup is quite simple. I have a 3 drive, 4 partition setup, which is arranged as follows:

    • C:\ System Drive (frozen)
    • G:\ Games Drive (thawed)
    • P:\ Program Files Drive (thawed)
    • S:\ Storage Drive (thawed)

    The system drive is the only frozen drive, all information that I would need to change on a regular to semi-regular basis is moved onto other drives.

    • All games are installed onto the games drive while in thawed mode, allowing for limited changes to the registry
    • Program Files is physically moved onto the P:\ drive through registry hacking, and again all programs are installed in thawed mode also.
    • My Documents is moved permanently to the S:\ Drive
      • I have my Outlook mail store in a folder inside of My Documents, allowing for any new mail to be retained.
    • All Firefox bookmarks are saved offsite to my personal server using Foxmarks
    • AVG is installed on the C:\ Drive, along with other antimalware programs.
      • They update daily, but I have a weekly regimen to repeat in thawed mode and make sure all programs updates are kept.
    • Defragmenting your system drive is something that rarely needs to happen.
    • You retain that fresh version of Windows XP, without having to reinstall…
    • I also fully utilize my flash drives for random crap.

    So if all of my files I need are moved onto other drives, and I have a frozen system, barring physical drive failure, almost any software change I do not want to happen, can easily be repaired by rebooting.

    Thus the reason I call this my "bulletproof" setup.

    Please offer your comments. :)

  74. If you have a confidentiality requirement... by Anonymous Coward · · Score: 0

    If your project has confidentiality requirements, that means it's not a FOSS project, it's some funded project, in which case there's budget to go to the store and buy Ghost. So, use Ghost.

  75. Anonymous Coward by Anonymous Coward · · Score: 0

    DriveImageXML - Outstanding product that will image your machine live (VSS support). I use it routinely and love it. Oh, and it's free to use.

    http://www.runtime.org/driveimage-xml.htm

  76. Virtual PC 2007 - also think outside Just Imaging by TheNetAvenger · · Score: 1

    Taking initial and progressive snapshots is a good idea to start with, and a VM tool will let you do this if you are just monitoring what software is doing. Go with Virtual PC 2007, it is free and will let you take the VHD images and later remount them as secondary drives on a VM to compare them.

    However depending on your end goal, it might be better to 'also' just data mine the changes to the system. Use http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx (Process Explorer) as it tracks all the changes, including read/writes to everything on the OS from the File System to the registry specifically.

    Process Explorer has been around for a while and is kept updated. It is a valuable tool for tracking what install software is doing on your system, what it is changing and touching, and although it can produce huge logs of data, doing a bit of data mining on this data can produce a lot of information about system changes. (It is something crackers even use to see what keys or files are changed to store random information to unlock software, etc.)

    On Windows, this is the key tool for monitoring the system all the way down.

    So Virtual PC 2007 for VHD images and Process Explorer (always running) storing the data of all the changes.

    This should give you everything you need.

  77. Application Virtualization by Stuke · · Score: 1

    How about looking at application virtualization technologies like Altiris's Software Virtualization Solution (SVS)? SVS allows you to capture the install of an application and see the files and registry changes it makes when installing an application. You can then save the application and all of its files and reg entries as a single file. Going further it also captures any changes made while running an application, which is also something you need to consider as some apps make further changes after running the first time. SVS is for enterprises though you can also download and use a personal version with all the same capabilities and features of the enterprise version. I use it for most applications on my home system and it is especially good for trying out new applications since you can simply delete the captured application after you're done with it as easily as you delete a file! Once you have all your applications captured this way rebuilding a system is as easy as installing the OS or an image and reimporting the captured application files. Very quick and very easy! Check it out! http://juice.altiris.com/node/86

  78. Altiris SVS (Software Virtualization Solution)? by lumenistan · · Score: 1

    Not exactly what you were asking for, but once you have imaged the system with whatever tool you choose, you can use SVS to virtualize your software installs. There is a free personal edition, but it is also scalable to a full server deployment where you can create, push out and manage virtualized software packages.

    Resources:
    http://svsdownloads.com/
    http://juice.altiris.com/ev

    -lumenistan

    1. Re:Altiris SVS (Software Virtualization Solution)? by Stuke · · Score: 1

      This is exactly what he is looking for - a tool that will allow him to capture changes made to a system when an application gets installed. I don't understand why everyone is looking at system imaging tools. I understand he has asked for imaging tools to create his snapshots and then another tool to compare them but that is way too complicated and of little value. What happens if he wants app #1 and app #3 but not app #2 on his system?

  79. Live Snapshots by Anonymous Coward · · Score: 0

    Many posters have already listed excellent tools for creating a snapshot offline.

    From what you've described, however, it sounds like you might be interested in something that can take a snapshot of a Windows PC while Windows is running.

    DriveImage XML is free for personal use
    http://www.runtime.org/driveimage-xml.htm

    If you need something commercial and you don't mind spending $40, then Image for Windows is also an excellent choice:
    http://www.terabyteunlimited.com/purchase-image-for-windows.htm

  80. Possibly free OEM version for Seagate drives by WoTG · · Score: 1

    I just found out about this yesterday, and I have not tried it myself yet, but apparently, Seagate has an OEM version of TrueImage for use with Seagate hard drives. They call it "Seagate DiscWizard". I really don't know if they've kept the cool live disc image feature or not... I'll find out later today when I try it.

  81. Anyone mention PING yet? by jcluthe · · Score: 1
  82. dd by Anonymous Coward · · Score: 0

    there is only one: dd

  83. Symantec System Restore by Anonymous Coward · · Score: 0

    Symantec Live System Restore (the desktop version) costs 50 bucks and can be set to take an image based on triggered events. It rocks and I use it everywhere on tons of clients' PCs. Totally worth the cash.

    Ghost 4 Linux is crap for this purpose. I've used it many times to clone things, but it is an offline clone tool. Plus if you are going to use G4U's crappy interface, you might as well boot with Knoppix and just use dd.

    Symantec's System Restore takes live hot snapshots and can restore an entire PC in an hour or so. It can restore individual files or the whole machine. You can even build a custom restore disk that pulls in all of your obscure drivers.

  84. Guess I am too old by Anonymous Coward · · Score: 0

    I keep thinking dd the disk. XP without crap is about 1.5G. A DVD is about 4.7G. Of course, that would only work if you limit Windows to about 4.7G, but why else would you have it unless you wanted to play games? The rest of your disk is partitioned for Linux or data storage, right?

  85. Drive snapshot by Anonymous Coward · · Score: 0

    http://www.drivesnapshot.de/en/

    Works great, you can restore snapshots from inside Bart PE. Simple to use.

  86. You're going about it the wrong way... by w0mprat · · Score: 1

    You shouldn't be looking for a freeware system snapshot, you should be looking to use something like SVS mentioned above. It's an absolute delight to be able to have this kind of control in an operating system (kicks a package manager's ass! *ducks*). It's not just application virtualisation: a compelling trick you can do with SVS is to back up your SVS installation and all its data layers (and a few registry settings); you can then completely wipe your Windows installation back to a baseline image and all you need to do is put back the registry settings, and if you've done a complete format you'll need to copy back your hidden \fsldr folder and the Altiris application.

    You can put your virtualised data on a separate partition or hard drive even.

    It also beats DRM (securerom foiled!) and activation features in software and games. Time trial software can be defeated too, you simply reset the data layer to the way it was when the app or game was installed. If you move PCs you don't need to re-activate the application you can just export it and import it.

    It pisses me off that OSes don't work this way right from day one (Linux gets it right somewhat - it doesn't need this in the way Windows so desperately does).

    This solves the problems with Windows becoming bogged down over time. This has made XP and Vista (only works in 32bit) [almost heh] pain free for me.

    SVS doesn't work for OS updates or applications that like to install their own drivers or other low-level system changes that require a reboot - although on occasion I've got this working (ie. VMWare Workstation).

    --
    After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
  87. Wow by Anonymous Coward · · Score: 0

    Bitter much?

  88. Re:That's a lot of work just to keep windows worki by Anonymous Coward · · Score: 0

    Consider that when you think about the additional cost of a MAC or the learning curve of Linux....

    I seriously doubt that keeping Windows working is the point of this little exercise. For starters, that wouldn't require any sort of confidentiality. Second, Windows is pretty stable to begin with, unless you're experimenting with malware, which would be a good reason for doing what he wants to do.

  89. Gparted by Anonymous Coward · · Score: 0

    Gnome Partition Editor has a live image one can boot from and backup/resize partitions. I have used it several times on windows systems without any issues.

    http://gparted.sourceforge.net/

  90. Troll by Anonymous Coward · · Score: 0

    Boot to Linux Live CD. Find out your hardware isn't supported

    Or spend 30 seconds reading the install guide for distros to select the correct software before downloading the ISO and install Linux in 20 minutes!

  91. IMHO, only one choice - Partimage by Anonymous Coward · · Score: 0

    * go to www.sysresccd.org
    * download the latest bootable ISO
    * run partimage
    * bob's your auntie's live in lover

    seriously, this thing rocks. it's fast, can compress disk images, can write disk images over the network, and is totally open source.

  92. Best one Ever by Anonymous Coward · · Score: 0

    Clonezilla

    Boot from Live CD or Network and Image away!

  93. Drive Snapshot by pyohe · · Score: 1

    Drive Snapshot http://www.drivesnapshot.de/en/ It's not freeware, but it works great and it has a differential snapshot function. You should be able to create a snapshot of your master install. Install the next software package. Make a differential snapshot. Shake and repeat. When you're done, you'll be able to mount the different snapshots using Drive Snapshot's Viewer and make comparisons between the installs, etc. Have fun!

  94. Do my work, I can't tell you why by nacturation · · Score: 2, Interesting

    No kidding. The story seems a bit too much like "do my job for me". It says it's just a "personal research project" but if it really were personal, then there wouldn't be "confidentiality requirements". Maybe this guy's a RIAA/MPAA stooge and wants to more efficiently look for P2P software or something.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    1. Re:Do my work, I can't tell you why by Anonymous Coward · · Score: 0

      Given my recent posting history, you'd be a goddamned fool to even think that.

      I'm just looking for a tool that'll do my job - I'm not looking for anyone to do my job for me - I just want a legally and freely acquirable (AND RELIABLE) program to do this.

      But hey, if you'd rather us not help us win against this company and you'd like to be ass-raped by DRM for the rest of your life - FEEL FREE.

    2. Re:Do my work, I can't tell you why by Bill,+Shooter+of+Bul · · Score: 1

      Sorry, it does look like a "do my job for me" question. It's not general enough to be of use to many other people. The fun way to do it would be to run Windows in a virtual machine and just back up the virtual hard drive at each stage. The whole confidentiality part makes me think you aren't doing it for good. But considering you are asking Slashdot for advice, I'm not too worried that you'll succeed in doing anything that can't be undone.

      --
      Well.. maybe. Or Maybe not. But Definitely not sort of.
    3. Re:Do my work, I can't tell you why by Anonymous Coward · · Score: 0

      I'm just looking for a tool that'll do my job - I'm not looking for anyone to do my job for me

      This sentence doesn't parse in your favor, I'm afraid.

      ass-raped by DRM for the rest of your life

      I'm mildly curious as to why you're permitting others to insert DRM'd CDs into your anus? Wait, never mind - cancel that: On second thought, I don't want to know.

    4. Re:Do my work, I can't tell you why by kabloom · · Score: 1

      Maybe he's doing it to prove the existence of a DRM rootkit for a legal challenge, and he has some kind of attorney-client privilege. But then he should talk to forensics experts, not Slashdot.

    5. Re:Do my work, I can't tell you why by nacturation · · Score: 1

      But hey, if you'd rather us not help us win against this company and you'd like to be ass-raped by DRM for the rest of your life - FEEL FREE.

      Stooping so low as to use a false dichotomy? You lose.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  95. Use Free VirtualBox, or commercial ShadowProtect.. by Anonymous Coward · · Score: 0

    I suggest you download VirtualBox (it's free!) from Sun, and install XP within a virtual machine. VirtualBox will let you take snapshots of that machine at various points.

    If you have to do this with a real physical machine, then instead, use full sector-based imaging product like StorageCraft's ShadowProtect, Acronis' True Image, Symantec's Ghost (aka Backup Exec System Recovery), Paragon Drive Backup, etc. I prefer ShadowProtect because it's the fastest and in my tests it's also the most reliable.

  96. Are separate imaging and compare acceptable? by happypenguin · · Score: 1

    If it is acceptable to you that you don't do the comparison of the before/after state by comparing the disk images, you could use any of the many disk image tools that have already been mentioned to make the disk images, and use PC Magazine's InCtrl5 utility (http://www.pcmag.com/article2/0,2817,25475,00.asp) to generate the report of what changed during an installation.

    From reading your request, it seems that InCtrl5 will give you a report of all the changes you are asking about. It just goes about it differently than the way you are asking. Read their description of InCtrl5 and see for yourself whether it gives you what you want. The source is included, so you can study the code to see exactly what it is doing, should you want to check into it in detail. It is NOT open source, though, so if your plan is to make something you can distribute, using InCtrl5 probably isn't suitable for that. I don't know whether the source included is enough for you to make modifications and rebuild purely for your own use. (I think their license doesn't permit even that, but I doubt they would make a fuss about that, even if they could tell you did so.)

    It might not be the answer you are looking for, but it seems to me it is worth your time to take a few minutes to check into it.

  97. How about Application Virtualization by Anonymous Coward · · Score: 0

    It's not free, but there are technologies that capture all the file I/O and registry I/O that an application installation performs (or while the application is running, for that matter) into a layer that can be turned on and off at will. Essentially doing what you want to do on separate drives, but instead on a single file system. Altiris has this (now called Symantec Juice) and I believe Microsoft has it as well. Good luck..

  98. Driveimage XML + BartPE? by sdsucks · · Score: 1
  99. Freeware by Anonymous Coward · · Score: 0

    DriveImageXML ? Should be relatively easy to compare differences just going through the xml index.

  100. deep freeze by nocomment · · Score: 1
    --
    /* oops I accidentally made a comment, sorry */
    /* http://allyourbasearebelongto.us */
  101. Ghost sux by Anonymous Coward · · Score: 0

    I know one of the developers for the original of Ghost and not even he will use Ghost anymore. He now uses, and recommends, imaging software from Acronis (www.acronis.com). Of course, this is not free, but it's great software.

  102. Drive Snapshot by Anonymous Coward · · Score: 0

    It's good. It has a 30 day trial. It's not that expensive. It's fast.
    http://www.drivesnapshot.de/en/index.htm

    and...
    you can use windiff to compare snapshots.

  103. Re:That's a lot of work just to keep windows worki by hedwards · · Score: 1

    I seriously doubt that keeping Windows working is the point of this little exercise. For starters, that wouldn't require any sort of confidentiality. Second, Windows is pretty stable to begin with, unless you're experimenting with malware, which would be a good reason for doing what he wants to do.

    You must be new here, having Windows is a good reason for confidentiality.

  104. Check the whole disk into VCS by Anonymous Coward · · Score: 0

    Well, Check the whole C:\ into Subversion. Commit the changes after each software install.

    Problem solved :-)

  105. Forensic Discovery, Windows Services for UNIX by not_hylas(+) · · Score: 1

    Windows Services for UNIX 3.5:

    http://technet.microsoft.com/en-us/interopmigration/bb380242.aspx

    http://technet.microsoft.com/en-us/magazine/cc160802.aspx

    Utilities
    SFU comes with more than 300 UNIX utilities as part of the Interix subsystem, with additional utilities available either from InteropSystems or by compiling from available source code. These utilities cover all the major UNIX utilities and areas, everything from addr to yacc, and behave exactly as you and your UNIX users would expect them to behave.
    The utilities include familiar text processing tools, including grep, less, awk, sed, pr, and tr, batch processing tools such as at, cron, and batch, as well as job control tools like ps, nice, kill, and so on. They're all there and they work exactly as you would expect. Even the man command is just as ugly (but infinitely useful) as it's always been.
    Utilities such as ps and kill work against both Interix and Win32 processes, making SFU particularly appealing for the system administrator. Need to find and kill all instances of a particular process? The script to do it in Interix is straightforward, whether the process is running in the Win32 subsystem or the Interix subsystem.
    As a simplistic but useful example, suppose you have an unknown number of copies of a process running on a machine with SFU. Figure 2 shows a script that will kill them. This script would work exactly the same running on a UNIX or Linux system.

    Free Grep and Tail tools for Windows:

    http://blogs.officezealot.com/marc/archive/2004/01/31/2046.aspx

    Real Digital Forensics:

    http://www.jonesdykstra.com/index.php/real-digital-forensics-mainmenu-54

    Forensic Discovery:

    Wietse Venema:

    http://www.porcupine.org/forensics/

    Forensic Discovery (he posts it for free, but worth buying)
    http://www.porcupine.org/forensics/forensic-discovery/

    ftp://ftp.porcupine.org/pub/security/index.html

    Dan Farmer:

    http://www.fish2.com/security/

    --
    ~hylas
  106. Easy to do, but not how u want... by Anonymous Coward · · Score: 0

    Installrite
    Installwatch

    these 2 progs should still be around, just use them to watch the changes that happen during install of an app, then you can create either a package or just a list of changes.

    Then use either FOG Project or a partimage distro to make your whole HD image.

    This is the poor man's equivalent of WISE Packaging Tools.

  107. Clonezilla by Anonymous Coward · · Score: 0

    Clonezilla is rather good at what it does.
    It also only backs up the FILES on an NTFS partition (Like ghost) so you don't have huge images containing mostly free space.

    http://clonezilla.org/

  108. Clonezilla by Anonymous Coward · · Score: 0

    Clonezilla ..or use a virtual machine like VirtualBox as previously mentioned.

    Both are free. I use both myself.

  109. Here's a few freeware tools by speedwaystar · · Score: 1

    SelfImage 1.2.1.92
    SelfImage is a disk imaging program for Windows. It's capable of making an image file of any hard disk or partition on your system. It can even make images of partitions that Windows doesn't recognize or assign a drive letter to (ie: Linux partitions). Perfect for the dual-boot system.
    http://fileforum.betanews.com/detail/SelfImage/1134441375/1

    DiskTools ImageMaker 1.1
    DiskTools ImageMaker is a lightweight disk backup software. It enables you to make exact images of your entire hard drive, or separate partitions on a hard drive, to disk files. The images then may be restored to the initial or any other hard drive or volume, regardless of a file system it is formatted in.
    http://fileforum.betanews.com/detail/DiskTools_ImageMaker/1055944044/1

    DriveImage XML 2.01
    # Backup logical drives and partitions to image files
    # Browse these images, view and extract files
    # Restore these images to the same or a different drive
    # Copy directly from drive to drive
    # Schedule automatic backups with your Task Scheduler
    Image creation uses Microsoft's Volume Shadow Services (VSS), allowing you to create safe "hot images" even from drives currently in use.
    Images are stored in XML files, allowing you to process them with 3rd party tools.
    http://www.runtime.org/driveimage-xml.htm

    ODIN 0.11 Beta
    ODIN is a utility for easy backup of hard drive volumes or complete hard drives under Windows. A disk image can be created or restored. Only used clusters can be backed up, compression on the fly is possible.
    http://odin-win.sourceforge.net/

  110. Go simple... by Anonymous Coward · · Score: 0

    You can use Perl or Python to write a simple script that logs the entire hard disk, including hidden and system files. You can pull version and size info, among other things.

    Save the results in a text file, you can easily do the same with the registry in windows...

    Then install whatever, then run the same program again...then a quick compare of the files will reveal EXACTLY what changed on the system.

    NO COST, just a little time (very little...both languages will do it in about 10 lines of code.)
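
The approach in comment 110 (walk the disk, record each file's metadata, repeat after the install, then compare) as an added worked example; this is editor-supplied code, not anything posted in the thread. It records a SHA-256 per file rather than just size and version, because an installer that overwrites a DLL with one of the same size would otherwise slip past a size/timestamp comparison. It only covers the file system; the registry side would have to be exported separately (for instance with `reg export` on the hives you care about) and diffed the same way. The sample "install" at the bottom is constructed in a temporary directory so the script runs stand-alone.

```python
"""Snapshot a directory tree and diff two snapshots (added example).

Usage for a real run:
    python snap.py C:\\  before.json       # fresh install
    python snap.py C:\\  after.json        # after installing one app
    python snap.py --diff before.json after.json
"""
import hashlib
import json
import os
import sys
import tempfile


def _sha256(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large files don't need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Return {relative_path: {"size", "mtime", "sha256"}} for every file under root.

    Files that cannot be opened (locked by a running Windows, permission denied)
    are still listed, with sha256 set to None, instead of aborting the scan.
    Symlinks/junctions are skipped so a loop cannot make the walk run forever.
    """
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        dirnames[:] = sorted(d for d in dirnames
                             if not os.path.islink(os.path.join(dirpath, d)))
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            try:
                st = os.stat(full)
            except OSError:
                continue
            try:
                digest = _sha256(full)
            except OSError:
                digest = None  # present but unreadable; note it rather than drop it
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = {"size": st.st_size,
                            "mtime": int(st.st_mtime),
                            "sha256": digest}
    return entries


def diff_snapshots(before, after):
    """Classify paths as added, removed or modified (content or size changed).

    A change of mtime alone is not reported: installers routinely touch files
    they do not alter, and the hash is what says whether bytes changed.
    """
    b, a = set(before), set(after)
    modified = sorted(p for p in b & a
                      if before[p]["sha256"] != after[p]["sha256"]
                      or before[p]["size"] != after[p]["size"])
    return {"added": sorted(a - b), "removed": sorted(b - a), "modified": modified}


def save(snap, path):
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed example: fake a tiny OS drive, 'install' an app, diff the two."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "Windows", "system32")
        os.makedirs(sysdir)
        with open(os.path.join(sysdir, "kernel.dll"), "wb") as f:
            f.write(b"A" * 16)
        with open(os.path.join(root, "Windows", "win.ini"), "w") as f:
            f.write("[fonts]\n")
        before = snapshot(root)

        # Simulated installer: adds a file, overwrites a DLL with one of the
        # SAME size (only the hash catches this), and deletes an ini file.
        appdir = os.path.join(root, "Program Files", "App")
        os.makedirs(appdir)
        with open(os.path.join(appdir, "app.exe"), "wb") as f:
            f.write(b"MZ")
        with open(os.path.join(sysdir, "kernel.dll"), "wb") as f:
            f.write(b"B" * 16)
        os.remove(os.path.join(root, "Windows", "win.ini"))
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    if len(sys.argv) == 4 and sys.argv[1] == "--diff":
        print(json.dumps(diff_snapshots(load(sys.argv[2]), load(sys.argv[3])), indent=1))
    elif len(sys.argv) == 3:
        save(snapshot(sys.argv[1]), sys.argv[2])
    else:
        print(json.dumps(demo(), indent=1))
```

Run it once against the fresh install and once after each program, keeping the JSON files alongside the DVD images; the diff of any two of them is the per-install change list, and because the hashes are in the file you can also check a DVD image's files against the record later to confirm the burn was not corrupted.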

  111. Ermm... by Anonymous Coward · · Score: 0

    Bill, is that you?!

  112. Why not use the Windows port of grep ? by Anonymous Coward · · Score: 0

    I know there is at least one port.

    I found it about 2 years ago, but don't have the link right now. (Google is your friend.)

    Or am I missing something ?

  113. ISOdx by Anonymous Coward · · Score: 0

    ISOdx does that! http://isodxsolutions.com/

  114. Grep for Windows by sbillard · · Score: 1
    >type filename.ext | find /i "searchstring"

    Where filename.ext is the file name and
    /i means "ignore case"; omit it if you want case-sensitive grepping for:
    "searchstring"

  115. anyone already says CloneZilla? by figarogdl · · Score: 1

    http://www.clonezilla.org/ basically you must download the ISO LiveCD, burn it to a CD, boot from it, and make an image to another drive, usb, ssh server, nfs, etc. also the resulting image can be compressed. I've just imaged a 40GB partition with 22.5GB used to a 5.12GB archive bzip2 compressed, it took 90mins approx.

  116. you gonna be da wormface by Anonymous Coward · · Score: 0

    InCtrl5, Version 1.0
    Copyright (c) 2000 Ziff Davis Media, Inc.
    Written by Neil J. Rubenking
    First Published in PC Magazine, US Edition, December 5, 2000, v19n21
    http://www.pcmag.com/utilities/

    I got this in 2000 and it works well with WinXP. I haven't looked at the website in years. It was freeware then. I wonder if one of my old reports will show up in this horrible travesty, nay, crime against humanity, of a website? Ah, well, I'll just mangle the plain but functional report into plain text:

    No. Shocking! The lameness filter!

    p.s. A captcha like 'breakup' is why your lame board is spammed like a Hawaiian wedding by losers like me.

  117. VMware by GWBasic · · Score: 1

    Use VMware. It has a snapshot feature that takes a snapshot of a VM, and then records the changes to the VM. I use it when I test an installer; I roll back the snapshot when I'm complete. (Disclaimer: I work for VMware)

  118. bzr by philsf · · Score: 1

    you could probably easily set up a svn or bzr local repository with little to no effort.

    1 - Install windows
    2 - install bzr, setup /windows and /program files as bzr branches (bzr init; bzr add; bzr commit -m "start fresh". RTFM)
    3 - install app
    4 - commit
    5 - repeat 3-4 until you run out of apps