Dustin Cook
Guest
Posts: n/a
"Vanguard" <> wrote in news:UaCdnRjy-
:
> "Dustin Cook" <> wrote in
> message news:Xns998CE424F858CHHI2948AJD832@69.28.186.121...
>> "Vanguard" <> wrote in
>> news::
>>
>>> "none" wrote in message
>>> news:0sidnb5gdramKlzbnZ2dnUVZ_j-...
>>>>
>>>> "Vanguard" wrote:
>>>>>
>>>>> "hmmm" wrote ...
>>>>>>
>>>>>> I'm looking to see what files comprise the compacted exe file
>>>>>> before I install it.
>>>>>
>>>>> You won't be able to tell what files get created after running an
>>>>> .exe. Seeing what files are in a .zip file, even one wrapped with
>>>>> the self-extract .exe code, only shows you the files needed to do
>>>>> the INSTALL. It shows you nothing about what files actually get
>>>>> CREATED by the install.
>>>>>
>>>>> Use VMWare Server, VPC, ShadowSurfer, or Windows SteadyState to
>>>>> see what gets installed (provided you have a tool to log the
>>>>> current state and then show you the difference after the install).
>>>>
>>>> Thanks for the info. You refreshed my memory and I recall that
>>>> even the filenames that are extracted are shortened versions of
>>>> what is actually installed.
>>>>
>>>> What is the best tool that will create a snapshot (filename,
>>>> version #, date and time created) of all the OS files, and then do
>>>> a compare for changes afterward? I know Nirsoft.net has something
>>>> similar, but that's just for dll files.
>>>
>>> The install program can create files, it can use the included files
>>> along with other data to construct the *new* files created during
>>> the install, or it can modify a file after extraction, even an .exe.
>>> Some but not all files in the .zip file may end up in the
>>> installation. Some files are not in the .zip file and are created
>>> or modified.
>>>
>>> I use an old program called InstallWatch from epsilonSquared.com to
>>> track changes to my system from an install. You take a snapshot
>>> before, do the install, and then analyze the current state (after
>>> install) against the snapshot. I don't bother loading it to use its
>>> auto-detect mechanism to track installs. I just manually do a
>>> snapshot, install, and do the analysis afterward. There might be
>>> better programs around but this usually fits my need. This one
>>> hasn't been updated in several years. ZSoft's Uninstaller is newer
>>> (more recently updated) but its recorded log of system changes for
>>> analyzing an install is much harder to read than the tree hierarchy
>>> shown in InstallWatch. I just tried ZSoft Uninstaller in a VM using
>>> VMWare Server and didn't care for it, plus I don't want an
>>> alternative uninstaller.
>>
>> Have you tried Sandboxie?
>>
>> I find it's an invaluable tool for analyzing software.
>
> Yep, got Sandboxie. However, I find virtual machines more reliable
> and secure for testing installations of unknown software. Neither
> Sandboxie nor VMWare will tell you what got changed by an installation.

Actually, Sandboxie will leave every single file created/modified by the
installation as well as a copy of the modified registry hive. All of
this information is available in the sandbox when you terminate the
processes.

I'm confused as to why you don't think this would give you the
information on what was changed then?

> You only get the option to undo whatever changes were made (by getting
> rid of the VM).

Are we talking about the same thing here? Sandboxie doesn't allow
changes to remain, so there is no undoing them.

--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
email: vethis
web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml
Dustin Cook
Guest
Posts: n/a
"Vanguard" <> wrote in
news::
> "Dustin Cook" <> wrote in
> message news:Xns998D801488A3CHHI2948AJD832@69.28.186.121...
>> "Vanguard" <> wrote in news:UaCdnRjy-
>> :
>>
>>> "Dustin Cook" <> wrote in
>>> message news:Xns998CE424F858CHHI2948AJD832@69.28.186.121...
>>>> "Vanguard" <> wrote in
>>>> news::
>>>>
>>>>> "none" wrote in message
>>>>> news:0sidnb5gdramKlzbnZ2dnUVZ_j-...
>>>>>>
>>>>>> "Vanguard" wrote:
>>>>>>>
>>>>>>> "hmmm" wrote ...
>>>>>>>>
>>>>>>>> I'm looking to see what files comprise the compacted exe file
>>>>>>>> before I install it.
>>>>>>>
>>>>>>> You won't be able to tell what files get created after running
>>>>>>> an .exe. Seeing what files are in a .zip file, even one wrapped
>>>>>>> with the self-extract .exe code, only shows you the files needed
>>>>>>> to do the INSTALL. It shows you nothing about what files
>>>>>>> actually get CREATED by the install.
>>>>>>>
>>>>>>> Use VMWare Server, VPC, ShadowSurfer, or Windows SteadyState to
>>>>>>> see what gets installed (provided you have a tool to log the
>>>>>>> current state and then show you the difference after the
>>>>>>> install).
>>>>>>
>>>>>> Thanks for the info. You refreshed my memory and I recall that
>>>>>> even the filenames that are extracted are shortened versions of
>>>>>> what is actually installed.
>>>>>>
>>>>>> What is the best tool that will create a snapshot (filename,
>>>>>> version #, date and time created) of all the OS files, and then
>>>>>> do a compare for changes afterward? I know Nirsoft.net has
>>>>>> something similar, but that's just for dll files.
>>>>>
>>>>> The install program can create files, it can use the included
>>>>> files along with other data to construct the *new* files created
>>>>> during the install, or it can modify a file after extraction,
>>>>> even an .exe. Some but not all files in the .zip file may end up
>>>>> in the installation. Some files are not in the .zip file and are
>>>>> created or modified.
>>>>>
>>>>> I use an old program called InstallWatch from epsilonSquared.com
>>>>> to track changes to my system from an install. You take a
>>>>> snapshot before, do the install, and then analyze the current
>>>>> state (after install) against the snapshot. I don't bother
>>>>> loading it to use its auto-detect mechanism to track installs. I
>>>>> just manually do a snapshot, install, and do the analysis
>>>>> afterward. There might be better programs around but this usually
>>>>> fits my need. This one hasn't been updated in several years.
>>>>> ZSoft's Uninstaller is newer (more recently updated) but its
>>>>> recorded log of system changes for analyzing an install is much
>>>>> harder to read than the tree hierarchy shown in InstallWatch. I
>>>>> just tried ZSoft Uninstaller in a VM using VMWare Server and
>>>>> didn't care for it, plus I don't want an alternative uninstaller.
>>>>
>>>> Have you tried Sandboxie?
>>>>
>>>> I find it's an invaluable tool for analyzing software.
>>>
>>> Yep, got Sandboxie. However, I find virtual machines more reliable
>>> and secure for testing installations of unknown software. Neither
>>> Sandboxie nor VMWare will tell you what got changed by an
>>> installation.
>>
>> Actually, Sandboxie will leave every single file created/modified by
>> the installation as well as a copy of the modified registry hive. All
>> of this information is available in the sandbox when you terminate
>> the processes.
>>
>> I'm confused as to why you don't think this would give you the
>> information on what was changed then?
>
> I don't see any tracking information. I can explore the sandbox but
> that shows me its current state, not what changes were made to get

If you compare the files inside the sandbox with the real counterparts,
outside the sandbox, you have your changes list.

> there. As a test, I reconfigured Sandboxie to *not* automatically
> perform cleanup on exit of the VM. I then opened IE in a sandbox,
> deleted the TIF files, and changed the home page URL for the browser.
> When I try to look at the contents of the sandbox, I'm told it is
> empty but I explore anyway to find subfolders for the apps (for IE and

Of course it has, temporary internet files 'n such.

> OE, I run them in their own sandbox by using the "/box:<name>"
> command-line parameter). I go under those subfolders but there are no
> logs showing changes (and the registry files are unreadable). What I
> get to see is the state of the sandbox, not what changes were made to
> get there.

Those registry files are hardly unreadable. You can mount/open them
using regedit. It's a real copy of the registry with any/all
modifications/additions made since the execution of the sandboxed
program.

> So just where do I find a log of changes from the initial state of the
> sandbox to record all changes made thus far to get to its current
> state?

The registry provides the keys/information on what's been changed since
execution of the program. You can view it using regedit, as it's a
registry hive file. You will find all files it's either created or
modified since installation, and you can compare them with the
originals located in the real folders. Everything you ask and more is
available to you via Sandboxie. Your failure to understand what you're
doing with the provided information doesn't change that.

> Exactly. As I said, you exit the VM and whatever changes were made
> (in the VM) are lost.

Not lost, no. Preserved, if you like, in the sandbox. Ready for your
analysis. Provided you're competent enough to perform one.

--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
email: vethis
web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml
Vanguard
Guest
Posts: n/a
"Dustin Cook" wrote in message
news:Xns998EA87D63A2CHHI2948AJD832@69.28.186.121...
> "Vanguard" wrote:
>
>> "Dustin Cook" <> wrote in
>>>>> Have you tried Sandboxie?
>>>>>
>>>>> I find it's an invaluable tool for analyzing software.
>>>>
>>>> Neither Sandboxie nor VMWare will tell you what got changed by an
>>>> installation.
>>>
>>> Actually, Sandboxie will leave every single file created/modified
>>> by the installation as well as a copy of the modified registry
>>> hive. All of this information is available in the sandbox when you
>>> terminate the processes.
>>>
>>> I'm confused as to why you don't think this would give you the
>>> information on what was changed then?
>>
>> I don't see any tracking information. I can explore the sandbox
>> but that shows me its current state, not what changes were made to
>> get
>
> If you compare the files inside the sandbox with the real
> counterparts, outside the sandbox, you have your changes list.

Yes, that can be done manually. I don't relish having to do a manual
directory compare to find files that are missing (deleted), new
(created), or modified even when using something like windiff.

The sandbox does not provide a *log* of deletions, creations, and
modifications. I would have to go hunting for them by doing all those
manual compares you speak of. Then I would have to save my own log of
all these changes so that I could later refer to that saved log if I
needed to later investigate what changes were made without having to go
through the entire process again. I would have to repeat the manual
exercise of doing all those file and registry comparisons for each
"snapshot" at which I wanted to analyze what happened to get to that
state. If I sandboxed or used a VM to monitor an install, I snapshot
before the install (because the VM is not in the same state as the real
host), after the install, after running the program, and after
uninstalling the program. That's 4 snapshots minimum, and 4 times I
would have to do all that manual comparing along with manual logging of
what I found. While I could manually log all those changes, having to
then compare between, say, the pre-install state and the after
first-run state (to see what the program changed) or the pre-install
state and the after-UNinstall state (to see what garbage gets left
behind) is still more manual effort to generate logs of those
differences.

> Those registry files are hardly unreadable. You can mount/open them
> using regedit. It's a real copy of the registry with any/all
> modifications/additions made since the execution of the sandboxed
> program.

When I attempt to open the RegHive file (outside the sandbox), a
message pops up saying that the contents of this file will get "added"
to my current registry. The popup is unclear if this means a separate
hive load will occur or if it is like importing a .reg file that would
merge its contents into my registry. Instead I open regedit and then
use the File -> Load Hive function. So now I get to see those registry
entries. The user has to be careful how to look at RegHive.

Thanks for that tip about using regedit. I didn't know what the RegHive
file was for since the help for Sandboxie is not searchable (it's a web
site rather than a local help file with search capability). Of course,
we're back to performing a manual comparison and with no logging.

> Everything you ask and more is available to you via Sandboxie. Your
> failure to understand what you're doing with the provided information
> doesn't change that.

Available is not the same as easy (or fast). I've seen plenty of
programmers that think a workaround is a reasonable solution.
Workarounds are not substitutes for ease-of-use features. InstallWatch
or several of the uninstall tools that take snapshots and provide the
comparisons between them along with logging is certainly easier than
manually digging around to generate the same info and also log it.

If I didn't have a dishwasher, yes, then I would have to do the dishes
by hand. So washing was "available". But I do have a dishwasher so I
use it to facilitate accomplishing the same task. I use InstallWatch or
other tools to tell me the differences between one, or more, snapshots
so that I don't have to manually perform the "available" methods (plus
I get logging rather than doing it through "available" manual means).

However, thanks for the info regarding how Sandboxie retains info on
the *current* state of its sandbox. I only began using Sandboxie a
little while ago and haven't had time to dig down into it, but then
most of my trialing and snapshot logging has been done using VMWare
even though Sandboxie was installed at the time. It's a pity the help
is on a web site rather than in a searchable help file. A lot of time
can be wasted trying to dig around through web or wiki pages trying to
find a topic only to find it isn't discussed or you merely missed
finding it.
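The sticking point in the exchange above is that a sandbox (or a VM) hands you a state, not a log, so the before/after or sandbox-versus-real comparison has to be done by hand and written down by hand. The routine below is an added example of the InstallWatch-style snapshot-and-compare workflow the thread describes; it is not code from the thread, from InstallWatch or from Sandboxie. It hashes every file under a tree, diffs two snapshots into created/deleted/modified lists, and renders a log that can be saved for later reference; the demo tree, file names and contents are constructed.

```python
"""Snapshot-and-compare helper (added example, not from the thread,
InstallWatch or Sandboxie). Run snapshot() on a tree before and after an
install, or on a sandbox folder and its real counterpart, then compare()
the two and save format_log()'s output as the change log."""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each relative file path under root to (size, mtime_ns, sha256)."""
    root = Path(root)
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                st = p.stat()
                digest = hashlib.sha256(p.read_bytes()).hexdigest()
            except OSError:
                continue  # locked or vanished file: skip it rather than abort
            snap[p.relative_to(root).as_posix()] = (st.st_size, st.st_mtime_ns, digest)
    return snap


def compare(before, after):
    """Diff two snapshots. 'modified' is decided by content hash, so a file
    that was only re-touched (same bytes, new mtime) is not reported."""
    paths_before, paths_after = set(before), set(after)
    return {
        "created": sorted(paths_after - paths_before),
        "deleted": sorted(paths_before - paths_after),
        "modified": sorted(p for p in paths_before & paths_after
                           if before[p][2] != after[p][2]),
    }


def format_log(label, changes):
    """Render a change set as plain text suitable for saving beside the snapshot."""
    lines = [f"== {label} =="]
    for kind in ("created", "deleted", "modified"):
        lines.extend(f"{kind.upper():9}{p}" for p in changes[kind])
    return "\n".join(lines)


def demo():
    """Constructed scenario: a small tree, a simulated install, and the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "config.ini").write_text("home=about:blank\n")
        (root / "app" / "old.dll").write_bytes(b"\x00old")
        before = snapshot(root)
        # Simulated install: one new file, one edited file, one deleted file.
        (root / "app" / "plugin.dll").write_bytes(b"\x00new")
        (root / "app" / "config.ini").write_text("home=http://example.invalid/\n")
        (root / "app" / "old.dll").unlink()
        changes = compare(before, snapshot(root))
    print(format_log("pre-install -> post-install", changes))
    return changes


if __name__ == "__main__":
    demo()
```

For the sandbox-versus-real comparison Dustin suggests, snapshot the real folder as `before` and the sandbox copy as `after`; only files the sandboxed program touched exist in the sandbox, so deletions will not show that way.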
Dustin Cook
Guest
Posts: n/a
"Vanguard" <> wrote in
news
> "Dustin Cook" wrote in message
> news:Xns998EA87D63A2CHHI2948AJD832@69.28.186.121...
>> "Vanguard" wrote:
>>
>>> "Dustin Cook" <> wrote in
>>>>>> Have you tried Sandboxie?
>>>>>>
>>>>>> I find it's an invaluable tool for analyzing software.
>>>>>
>>>>> Neither Sandboxie nor VMWare will tell you what got changed by an
>>>>> installation.
>>>>
>>>> Actually, Sandboxie will leave every single file created/modified
>>>> by the installation as well as a copy of the modified registry
>>>> hive. All of this information is available in the sandbox when you
>>>> terminate the processes.
>>>>
>>>> I'm confused as to why you don't think this would give you the
>>>> information on what was changed then?
>>>
>>> I don't see any tracking information. I can explore the sandbox
>>> but that shows me its current state, not what changes were made to
>>> get
>>
>> If you compare the files inside the sandbox with the real
>> counterparts, outside the sandbox, you have your changes list.
>
> Yes, that can be done manually. I don't relish having to do a manual
> directory compare to find files that are missing (deleted), new
> (created), or modified even when using something like windiff.
>
> The sandbox does not provide a *log* of deletions, creations, and
> modifications. I would have to go hunting for them by doing all those
> manual compares you speak of. Then I would have to save my own log of
> all these changes so that I could later refer to that saved log if I
> needed to later investigate what changes were made without having
> to go through the entire process again. I would have to repeat the
> manual exercise of doing all those file and registry comparisons for
> each "snapshot" at which I wanted to analyze what happened to get to
> that state. If I sandboxed or used a VM to monitor an install, I
> snapshot before the install (because the VM is not in the same state
> as the real host), after the install, after running the program, and
> after uninstalling the program. That's 4 snapshots minimum, and 4
> times I would have to do all that manual comparing along with manual
> logging of what I found. While I could manually log all those
> changes, having to then compare between, say, the pre-install state
> and the after first-run state (to see what the program changed) or
> the pre-install state and the after-UNinstall state (to see what
> garbage gets left behind) is still more manual effort to generate
> logs of those differences.
>
>> Those registry files are hardly unreadable. You can mount/open them
>> using regedit. It's a real copy of the registry with any/all
>> modifications/additions made since the execution of the sandboxed
>> program.
>
> When I attempt to open the RegHive file (outside the sandbox), a
> message pops up saying that the contents of this file will get "added"
> to my current registry. The popup is unclear if this means a separate
> hive load will occur or if it is like importing a .reg file that would
> merge its contents into my registry. Instead I open regedit and then
> use the File -> Load Hive function. So now I get to see those
> registry entries. The user has to be careful how to look at RegHive.
>
> Thanks for that tip about using regedit. I didn't know what the
> RegHive file was for since the help for Sandboxie is not searchable
> (it's a web site rather than a local help file with search capability).
> Of course, we're back to performing a manual comparison and with no
> logging.
>
>> Everything you ask and more is available to you via Sandboxie. Your
>> failure to understand what you're doing with the provided information
>> doesn't change that.
>
> Available is not the same as easy (or fast). I've seen plenty of
> programmers that think a workaround is a reasonable solution.
> Workarounds are not substitutes for ease-of-use features.

LOL! I guess I had that one coming.

> InstallWatch or several of the uninstall tools that take snapshots and
> provide the comparisons between them along with logging is certainly
> easier than manually digging around to generate the same info and also
> log it.
>
> If I didn't have a dishwasher, yes, then I would have to do the dishes
> by hand. So washing was "available". But I do have a dishwasher so I
> use it to facilitate accomplishing the same task. I use InstallWatch
> or other tools to tell me the differences between one, or more,
> snapshots so that I don't have to manually perform the "available"
> methods (plus I get logging rather than doing it through "available"
> manual means).
>
> However, thanks for the info regarding how Sandboxie retains info on
> the *current* state of its sandbox. I only began using Sandboxie a

You're welcome. My apologies if I seemed short in my previous post.
I've been having fun with Sandboxie for a while now. It's handy, but
agreed, you do have to do a bit of manual work for the information you
want.

--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
email: vethis
web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml
Vanguard
Guest
Posts: n/a
"Dustin Cook" wrote in message
news:Xns99906E29C1677HHI2948AJD832@69.28.186.121...
>
> You're welcome. My apologies if I seemed short in my previous post.
> I've been having fun with Sandboxie for a while now. It's handy, but
> agreed, you do have to do a bit of manual work for the information
> you want.

If I came off as being an expert on Sandboxie in my first post(s),
sorry. I'm just trying to figure it out now. Don't have the time right
now to dig into it. Busy learning more Perl, SQL, and Exchange.