SysTracer: Trace System Changes + Giveaway


Every time you select or deselect an option or check or uncheck a checkbox in a piece of software, or even in Windows itself, the setting is saved either to a file or to the registry. Either way, the setting is remembered so that the next time you run the software, it is set the way you want it to be. This normally happens silently, without showing the user what is going on in the background, and that is exactly what software is meant to do: simplify jobs.

Have you ever wondered how some people manage to trace or detect which files are being modified or changed? Software reverse engineers are able to analyze the binary code using a debugger such as OllyDbg to see what it does without even running the software, but a debugger is not easy to use. The next option is to use software called SysTracer to track file and registry changes on your computer.


I have been using SysTracer for a very long time to track changes made by software on my computer. SysTracer is able to record changes to:

  • changed files and folders
  • modified registry entries
  • system services
  • system drivers
  • applications that are configured to run at computer startup
  • running processes
  • loaded DLLs

To use SysTracer, first create a snapshot before you make any changes in the software that you want to trace. This takes from a few seconds to a few minutes, depending on the number of files on your computer. Once the snapshot has been created, make the changes in the software and then create another snapshot. You now have two snapshots: the first, without the changes, as the baseline, and the second with the changes. Comparing the two will, in theory, reveal the differences.

One example: I used SysTracer to check where the password is saved when I enable password protection in avast! to prevent unauthorized changes. Through a simple analysis and a bit of trial and error, I easily found out that avast! saves the encrypted password to the aswResp.dat file. So to reset the password, all I need to do is delete that file and it resets the password. Here is a short walk-through with screenshots on how to use SysTracer.

1. Run SysTracer and click the Take snapshot button located on the right-hand side of the Snapshots tab.

2. Full scan is the best option but takes longer, as it will scan all drives and the registry. If you only want to scan the system drive, select Only selected items and check the items that you want to include in the scan. Click the Start button and don't do anything on the computer.

3. When the snapshot has been taken, you will be notified via a small window telling you how long it took to create the snapshot and the number of registry keys, registry values, folders, files, applications and DLLs.

4. Click the OK button and you will be brought back to the SysTracer Snapshots tab with the information of the snapshot that you've just taken.

5. Now you can start making the changes in the software that you want to trace.

6. Create another new snapshot by going through steps 1-4 again. When you see another snapshot listed in the Snapshots tab, click the Compare button and you will be taken to the Registry tab. Select Only differences and it will show you which data has changed. You can also view the Files tab, which shows the changed files.
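The snapshot-and-compare procedure from steps 1 to 6, reduced to files only, as an added example (this is not SysTracer's code and not part of the original post). It hashes every file under one folder, whereas SysTracer also covers the registry, services, drivers and processes; the folder contents and file names below are constructed sample data.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_snapshot(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    snapshot = {}
    for folder, _subdirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                snapshot[os.path.relpath(path, root)] = sha256_of(path)
            except OSError:
                # Locked or unreadable file: keep a marker so it still compares.
                snapshot[os.path.relpath(path, root)] = "<unreadable>"
    return snapshot


def compare_snapshots(before, after):
    """Return only the differences between the baseline and the second snapshot."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def demo():
    """Constructed sample: a temp folder standing in for a program's data folder."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, text):
            with open(os.path.join(root, name), "w") as handle:
                handle.write(text)
        write("settings.ini", "protect=0\n")
        write("cache.tmp", "x")
        baseline = take_snapshot(root)        # snapshot 1: before the change
        write("settings.ini", "protect=1\n")  # the change being traced
        write("secret.dat", "opaque-blob")    # hypothetical file the program creates
        os.remove(os.path.join(root, "cache.tmp"))
        return compare_snapshots(baseline, take_snapshot(root))  # snapshot 2
```

Calling `demo()` returns the three difference lists; point `take_snapshot` at a real folder before and after a change to trace it the same way.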

If you are a network administrator, the Remote scanning feature will be very useful for detecting whether a user on another computer in the network has installed unauthorized third-party software, or even a malware infection. SysTracer is installed as a service on the client computer without any user interface, and the process (SysTracerSrv.exe) takes very little resources when idle. Enabling the remote scanning feature requires a separate client computer license.

In my opinion, it is best to create snapshots on a clean Windows computer using SysTracer for comparison because it takes less time to scan the whole hard drive and registry, and it also doesn't log other third-party software changes, making it easier for you to locate the correct changed data.

SysTracer is shareware and currently has special promotional pricing until February 29, 2012, with up to 30% off when using the coupon PROMO-30. Stefan Tudorica from BlueProject Software, the company that develops SysTracer, has generously offered 20 PRO computer licenses to be given away to raymond.cc verified members. Head over to our raffle page to join the lucky draw. Winners will be randomly and automatically chosen by the giveaway system in 48 hours.