MTM2.com

A forum for mtm2 discussion
 Post subject: Monitor the software you run
Posted: Thu Nov 03, 2005 1:10 pm
Member

Joined: Sat Feb 26, 2000 2:01 pm
Posts: 0
I almost never run a strange program without monitoring my system with a tool like InControl (http://users.pandora.be/lucien/inctrl5.zip) or Total Uninstall (http://freeware4u.com/modules/mydownloads/singlefile.php?lid=234), both priceless freeware.

These tools take a snapshot of your system (registry and hard drive) before you install or run something, then take a snapshot afterward and report the differences. Knowing every detail of what a program has done to your system allows you to undo anything you don't like, track the changes in individual registry entries, or otherwise allow you to remove every trace of a program from your system. Using such tools you can identify many secretive things done by programs, such as the silent installation of copy protection drivers, spyware or adware components, odd registry entries, or just about anything. You can track what odd files are dropped in the Windows folder, or the applications data folder, or whatever. You can track all files that are modified or replaced. It can be time-consuming to monitor an application but the report is well worth the trouble, as it almost always gives you total control of your system.

You basically point the program to an EXE; it then takes a snapshot of your system and runs the EXE, and when the program exits it will scan the system again to detect any changes. It's important that you do nothing other than run the program between snapshots; otherwise you will clutter the report with things not related to the program's activities (clicking around in Explorer will make changes in your registry). I imagine that having multiple tasks actively running in the background could really clutter a report too (antivirus, firewalls, messengers, etc).

My suggestion is to always record the installation of a program. Then separately record the first run of a program. Many things are often done during the first run of a program that uninstallers don't know about or can't touch later. A few programs bear monitoring each time they are run, especially if they are the type to modify your system in some way. Also be sure to monitor an uninstall so you can compare it to the install, to make sure it didn't leave junk behind. When I want to track something the programs will not launch directly, such as an .MSI, .INF, .CHM, .HLP, .JS etc., I just track a dummy file like "c:\windows\notepad.exe", which does nothing when simply opened and closed, then immediately run whatever I wish to track.

Now, the first tool I mentioned above (IC) is the one I prefer and use the most, but you have to be familiar with the registry and file system in order to make use of its report. It only produces a text/html report so anything you'd wish to remove or change must be done manually using a registry editor or a file manager. The second program I mentioned (TUN) has the ability to undo some registry changes by itself, and overall is at once more user friendly and more cluttered. When I'm really suspicious of a file I will run TUN, then IC and then the program in question, then track the changes afterward. Double redundancy, like: [TUN] [IC] {program} [/IC] [/TUN]

These programs do NOT restore a system or changed files, they mostly just report things done to your system, but they are a great way to track software behavior, from the smallest registry change to full scale system changes. There are other similar programs out there, both free and commercial, but these two have served me well. I've verified both downloads linked above as clean and original so feel free to use them both.


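The snapshot-and-compare routine described in the post above, including the install-versus-uninstall comparison, as an added example; it is not part of the original post and not how InControl or Total Uninstall are implemented. It covers files only (no registry), and the function names and the sample file names in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each file under root to its SHA-256, keyed by relative path."""
    snap = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        digest = hashlib.sha256()
        try:
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
        except OSError:
            continue  # locked or vanished files are normal on a live system
        snap[path.relative_to(root).as_posix()] = digest.hexdigest()
    return snap

def diff(before, after):
    """Report files added, removed or modified between two snapshots."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }

def leftovers(install, uninstall):
    """Files the install added that the uninstall never removed."""
    return sorted(set(install["added"]) - set(uninstall["removed"]))

def _write(root, rel, text):
    path = Path(root, rel)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)

def demo():
    """Constructed install/uninstall run against a throwaway directory."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "system.ini", "[boot]\n")
        s0 = snapshot(root)
        _write(root, "app/game.exe", "binary")      # "install" starts here
        _write(root, "drivers/prot.sys", "driver")  # silently dropped extra
        _write(root, "system.ini", "[boot]\nload=prot\n")
        s1 = snapshot(root)
        Path(root, "app/game.exe").unlink()         # "uninstall"
        install, uninstall = diff(s0, s1), diff(s1, snapshot(root))
    return install, uninstall, leftovers(install, uninstall)
```

Anything else that writes to the tracked tree between the two snapshots shows up in the same report, which is why the post insists on doing nothing but running the program in between.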
 
Posted: Thu Nov 03, 2005 1:39 pm
Glow Ball

Joined: Tue Feb 02, 1999 7:00 pm
Posts: 19
Thanks for writing all that up. One question, though. How much disk space do the 'snapshots' take up? I mean, how do the programs store the data they use for comparison's sake?


Posted: Thu Nov 03, 2005 3:10 pm
Member

Joined: Sat Feb 26, 2000 2:01 pm
Posts: 0
Oh, they create various temporary files in their own folders and the sizes would depend on how much you decide to track. Eight to ten megabytes total is average for me but more is certainly possible depending on the system. The first program leaves them on the disk and the second deletes them once it's made the report. There will be files at least twice the size of your registry, and the database of filenames and their properties would grow depending on how much of your drives you track.

As a rule, you'd only want to track your system drive (C:\) or key folders plus whatever folder the program is installed to; anything more would just slow the scan down unnecessarily. I mostly install to drives other than C:\ but C:\ is the only drive I track since it contains all of the key system files and folders (I generally don't care what a program does in its own folder).


Posted: Thu Nov 03, 2005 3:32 pm
Member

Joined: Sun Oct 16, 2005 4:39 pm
Posts: 1816
Location: Winnipeg Manitoba, Canada
sounds like something that just generally slows down your PC

Posted: Thu Nov 03, 2005 5:08 pm
Member

Joined: Sat Feb 26, 2000 2:01 pm
Posts: 0
No, Slayer, nothing of the sort.

The programs run only when you start them and they monitor the changes that other software makes to your system, so in the end they might accomplish exactly the opposite of what you are speculating about, by exposing things that could be loaded into memory without your knowledge.

The information in this thread was posted for those who might like to make use of it, basically in response to Phineus wondering what registry change is made when a particular option is toggled in a particular program -- these programs easily report such changes.


Posted: Thu Nov 10, 2005 2:13 pm
Member

Joined: Sat Feb 26, 2000 2:01 pm
Posts: 0
Quote:
Using such tools you can identify many secretive things done by programs, such as the silent installation of copy protection drivers, spyware or adware components, odd registry entries, or just about anything.


Worthy of note and providing some real world examples is the older discussion on this topic that starts HERE.


In other news, these utilities likely wouldn't reveal some seriously devious tricks done to your system, such as what Sony has been subjecting its customers to by using black hat hacking tricks. It's stunning, and a fascinating story in its unfolding.

At this moment the news is chock full of coverage. Keyword options: 1, 2, 3, 4

The web log where it all started: http://www.sysinternals.com/Blog/ (Entries 1, 2, 3 and 4)

I've spent hours reading about this during the last week. It's juicy. ;)


Posted: Fri Nov 11, 2005 5:48 am
Member

Joined: Sun Sep 08, 2002 2:01 pm
Posts: 205
Location: Switzerland
Quote:
It's juicy.


Definitely

I have been using InControl ever since Wint pointed us toward the infamous Starforce "drivers" at the end of the already mentioned thread http://forum.mtm2.com/viewtopic.php?p=16152#16152
which is still topical (more and more games use this scheme).

One difficulty for new users of InControl (and the like) is to know which changes are legitimate and which are not. For instance, there is always a series of harmless changes (e.g. lists of opened files, last used D3d applications etc).

