Installer dirties up the registry. Help
I am not using any registry calls, yet I find that after running the NSIS programs, it leaves all kinds of tracks in the registry. There are many plugins that decide to write to the registry and leave info behind. Is there a way to keep my installer program from writing anything to registry at all?


And if I can't keep it from writing to the registry, can I find out what it did write (without my permission) and then delete those keys?


Originally posted by torpark
And if i can't keep it from writing to the registry, can I find out what it did write (without my permission) and then delete those keys?
If you can't tell that yourself how do you know that it even writes to registry? :p

Seriously. What exactly do you mean by "all kinds of tracks in the registry" and what plugins are you using?

I can tell because I ran a registry compare on a clean VM of WinXP before and after. Here are some examples left:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D

HKLM\System\CurrentControlSet\Control\DeviceClasses

HKLM\System\CurrentControlSet\Control\DeviceClasses\{6994ad04-93ef-11d0-a3cc-00a0c9223196}\##?#ISAPNP#TBA03b0#FFFFFFFF#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters
HKCU\Software\Microsoft\Multimedia\Audio
HKCU\Software\Microsoft\Multimedia\Audio Compression Manager\
HKCU\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM
HKCU\Software\Microsoft\Multimedia\Audio Compression Manager\
HKCU\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00



file: WINDOWS/system32: gdiplus.dll

and all stuff with visible boxes gets sent here:
HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache


plugins used:

newadvsplash, bass, chngvrbl, createmutex, execdos, findprofdll, inetload, killprocdll, math, messagebox, nxs, passdialog, realprogress, time, nsexec


You don't need to worry about these records; they are all normal Windows activities and have nothing to do with NSIS.
Run any other application that you have, e.g. WinRAR, and you'll see similar new records.


Well I want to make it where my installer leaves no traces behind, as it will be run off of USB. I don't want forensics to come along and say that my program was run on this machine.


Like Red Wine said, those are all normal Windows registry activities. And if you delete those registry keys (written without your permission) you might wreck your system.


Knowing Windows will help you.

If you speak of any TOR-app - it's a bit of paranoia you have.
Or you really have suspicious mind.

Examining Windows is like an open book to some people - but
don't try to fool forensics - they have the better tricks.


If you are that worried about registry entries you can use RegShot to get an image of the registry once you start your program (save it somewhere), then use UndoReg to undo any registry changes. You may have to use something like AutoIt to script the whole process since these tools may not offer an unattended mode. However there will always be volatile cache activity that you won't be able to remove ...

I don't want forensics to come along and say that my program was run on this machine.
Does this mean that you are trying to hide something? Are you sure that this is legal? And are you sure that this is the place to ask such questions?
CF

Yeah, this is for a popular tor application. So yes, I don't want to leave tracks in any system if I can manage it. And certainly not anything that would help forensics. You can check out my app Torpark at www.Torrify.com

And obviously the problem with UndoIt is that someone might make legitimate installations or changes with other programs and this would wipe it out.


Track the registry with Regmon:
http://www.microsoft.com/technet/sys...on/Regmon.mspx