Looking for pure "installation monitor" tool
Joeythedude
June 30th, 2009, 12:23 PM
I'd like to find something that would scan an installation as it's happening, and then report at the end with a checklist of what the installation has done.
This checklist could then have some sort of malware analysis rating
i.e
autostart entries made *
driver installed **
exe created in sys32 ***
windows exe renamed ****
....something like that.
Then I could take a look at it, and if I didn't like the look of it, rollback the entire install.
Does anyone know of a product like that?
I've thought of Sandboxie, and Rollback Rx, but I don't think they have the logging I require.
jmonge
June 30th, 2009, 12:48 PM
MalWare Defender is what i can recommend or D+ these 2 have the abilities you need plus more
the Tester
June 30th, 2009, 05:54 PM
You could check out ZSoft Uninstaller.
It may have what you are looking for.
http://www.zsoft.dk/index/software_details/4
Henk1956
June 30th, 2009, 06:25 PM
PC Armor (http://www.datadrivethru.com/pcarmor_product.asp), previously known as Spyberus, tracks installations in real time as it's happening and produces a report with all registry and file changes. It can also be used to undo all changes.
I have used Spyberus (which was freeware) for some time and it worked well. I only noticed that if you keep a lot of installation packages (tracked installations) in its database it tends to slow down new installations quite a bit.
pegr
June 30th, 2009, 10:05 PM
Total Uninstall is a very good example of this type of program with a lot of features - I use it myself. It can monitor an installation for all changes to the file system and registry, which can later be reversed if required. It's not free, but definitely worth considering if you don't mind paying.
Here's a link to the author's website in case you want to check it out: http://www.martau.com/
pbust
June 30th, 2009, 10:28 PM
These pop to mind:
InCntrl (from pcmag I believe)
InstallSpy
Peter2150
June 30th, 2009, 11:13 PM
-{ Quote: "MalWare Defender is what i can recommend or D+ these 2 have the abilities you need plus more" }-
I'd sure love to know how Malware Defender can roll back an install. Please explain.
jmonge
June 30th, 2009, 11:55 PM
-{ Quote: "I'd sure love to know how Malware Defender can roll back an install. Please explain." }-
i didn't pay attention to the actual question i guess, but i use malware defender to find files/registry entries and delete them from system ;D
noone_particular
July 1st, 2009, 01:38 AM
Inctrl5 does exactly what you're asking for. It takes a full system snapshot before the install starts, launches the installer, then takes another snapshot when it's done. Afterwards, it compiles a full report of all new, altered, replaced, or deleted files and folders and all changes made to the registry. You can save the reports as text or html files. It also has a "two phase mode" that can be used to record the changes made by malicious web pages. I've used it for years and have records of every application, patch, and update on my system. It's made it possible for me to account for every file on my system, where it came from, and when.
Install Spy is similar but not quite as featured. It also has problems if the install requires a reboot (not an issue with Inctrl5).
PaulBB
July 1st, 2009, 01:49 AM
InCtrl5 1.0
http://www.freewaregeeks.com/?page=detail&get_id=2060&category=107
TrackWinstall 1.1.4
http://www.freewaregeeks.com/?page=detail&get_id=1200&category=59
cet
July 1st, 2009, 10:32 AM
Does InCtrl5 1.0 work on WinXP Pro SP3? I think it is an old program. In the readme file it says only for win 98 and 2000.
Eirik
July 1st, 2009, 01:40 PM
-{ Quote: "Inctrl5 does exactly what you're asking for. It takes a full system snapshot before the install starts, launches the installer, then takes another snapshot when it's done. ..." }-
How long do these snapshots take to run?
noone_particular
July 1st, 2009, 09:36 PM
I don't have access to an XP unit on which to try Inctrl5. The basic design of XP isn't much different than 2K so I don't see why it wouldn't work.
The amount of time used creating the snapshot will depend on the speed of your PC and the amount of data on your hard drive. On my 2K unit, each snapshot takes about 2 minutes. On systems with partitioned or multiple hard drives, you can select which drives you want monitored. If it takes too long, the snapshot can be cancelled with no ill effects. Sometimes when an install is really big, generating the report can take some time and the app can look like it's frozen. It did that when I installed Open Office on a low power unit. The report took several minutes to make.
Acadia
July 2nd, 2009, 03:36 AM
I've never used it but doesn't WinPatrol have all of the asked for features?
Acadia
majoMo
July 2nd, 2009, 09:52 AM
WinPatrol hasn't the useful snapshot feature.
I use System Explorer that has a good snapshot function.
Joeythedude
September 19th, 2009, 08:05 PM
Has anyone heard of a piece of software that would scan/analyze what an exe would install, without having to run the exe itself?
And does anyone use PC Armor?
cqpreson
September 19th, 2009, 08:29 PM
I think what you want is OLLYDBG :). This is an analysis software. It can monitor all the actions of the software regardless of Installation software or Executive Application. And you don't have to run the Installer by yourself.
Kees1958
September 20th, 2009, 06:18 AM
-{ Quote: "Does InCtrl5 1.0 work on WinXP Pro SP3? I think it is an old program. In the readme file it says only for win 98 and 2000." }-
Yep works fine on XP Pro SP3
Kees1958
September 20th, 2009, 06:20 AM
-{ Quote: "How long do these snapshots take to run?" }-
It actually does not save the snapshots, just assesses a pre and post installation situation, on an E5200@3GHz it takes max 20 seconds.
1boss1
September 20th, 2009, 11:10 AM
Here is a blog post on Raymond.cc (http://www.raymond.cc/blog/archives/2009/02/28/tracking-registry-and-files-changes-when-installing-software-in-windows/) that lists a bunch.
From the ones listed i've used SpyMe Tools, RegShot and Total Uninstall. The best is Total Uninstall, it's a little pricey at $40 for a Pro license but it's a great tool. The other freeware tools listed serve the purpose as a monitor though.
-{ Quote: "Has anyone heard of a piece of software that would scan/analyze what an exe would install, without having to run the exe itself?" }-
You could upload it to Anubis (http://anubis.iseclab.org) if it's under 8MB but probably the better solution would be to set up a VM or Dual Boot and install it on that and use one of the free analyzers above. If the program is ok, install it on your actual OS.
firzen771
September 20th, 2009, 11:39 AM
ive been looking at a software like this as well, is ZSoft Uninstaller compatible with Windows 7? and between Total Uninstall and ZSoft Uninstaller which do u think is easier to use and more effective? ZSoft says it supports the ability to continue the uninstallation process after reboots (which some programs require after an uninstall) this sounds like a very important feature and was wondering if Total Uninstall can also do this?
Cerxes
September 20th, 2009, 11:45 AM
Another vote for InCtrl5 which works flawlessly as designed. I also tested spyberus a while ago which I liked, but it had some issues with some other security apps.
/C.
pegr
September 20th, 2009, 12:21 PM
-{ Quote: "ive been looking at a software like this as well, is ZSoft Uninstaller compatible with Windows 7? and between Total Uninstall and ZSoft Uninstaller which do u think is easier to use and more effective? ZSoft says it supports the ability to continue the uninstallation process after reboots (which some programs require after an uninstall) this sounds like a very important feature and was wondering if Total Uninstall can also do this?" }-
I haven't used ZSoft so I can't say how it compares to Total Uninstall 5. To answer your other question, Total Uninstall can continue both the installation process and the uninstallation process after a reboot. I suggest you try both programs for yourself and see which you like better.
Cerxes
September 20th, 2009, 12:50 PM
Regard ZSoft, Total Uninstall etc as a more flashier variant of MS "Add and Remove". InCtrl5, Spyberus/PC Armor etc are a different beast, where Spyberus/PC Armor is an enhanced InCtrl5. Deduction is different from experience/recording.
/C.
1boss1
September 20th, 2009, 01:20 PM
-{ Quote: "ive been looking at a software like this as well, is ZSoft Uninstaller compatible with Windows 7? and between Total Uninstall and ZSoft Uninstaller which do u think is easier to use and more effective? ZSoft says it supports the ability to continue the uninstallation process after reboots (which some programs require after an uninstall) this sounds like a very important feature and was wondering if Total Uninstall can also do this?" }-
Total Uninstall is the better of the two hands down, although at $40 for the Pro version the price tag is up there a little. But after your wallet recovers, you begin to see it's money well spent.
Yes it covers reboot installs as well as being Win7 compatible.
Definitely download the trial and give it a shot, just be sure to read up on the Advanced "Monitored Install" component before using it.
Joeythedude
September 20th, 2009, 04:26 PM
-{ Quote: "I think what you want is OLLYDBG :). This is an analysis software. It can monitor all the actions of the software regardless of Installation software or Executive Application. And you don't have to run the Installer by yourself." }-
Thanks, will take a look at that.
firzen771
September 20th, 2009, 04:44 PM
-{ Quote: "Total Uninstall is the better of the two hands down, although at $40 for the Pro version the price tag is up there a little. But after your wallet recovers, you begin to see it's money well spent.
Yes it covers reboot installs as well as being Win7 compatible.
Definitely download the trial and give it a shot, just be sure to read up on the Advanced "Monitored Install" component before using it." }-
so how is it better than ZSoft? their descriptions seem very similar? any technical details or anything?
1boss1
September 20th, 2009, 06:24 PM
-{ Quote: "so how is it better than ZSoft? their descriptions seem very similar? any technical details or anything?" }-
Mainly more options, it's been months since i had ZSoft installed so my memory is hazy on specifics but at the time i had both installed side by side and came to the conclusion Total Uninstall was worth the cost.
But beauty is in the eye of the beholder, so what i would personally do is install ZSoft then use it to monitor the install of Total Uninstall. This way if you don't consider spending the money is justified you can nuke Total Uninstall with ZSoft and you lose nothing. :)
firzen771
September 20th, 2009, 10:44 PM
-{ Quote: "Mainly more options, it's been months since i had ZSoft installed so my memory is hazy on specifics but at the time i had both installed side by side and came to the conclusion Total Uninstall was worth the cost.
But beauty is in the eye of the beholder, so what i would personally do is install ZSoft then use it to monitor the install of Total Uninstall. This way if you don't consider spending the money is justified you can nuke Total Uninstall with ZSoft and you lose nothing. :)" }-
i dont really care for flashy with this, i just need to know that ZSoft will monitor an install completely and remove it completely. i just wish it was able to analyze already installed programs some way :-\
pegr
September 20th, 2009, 11:17 PM
-{ Quote: "i just wish it was able to analyze already installed programs some way :-\" }-
Total Uninstall can do this. The uninstall is not as complete as if Total Uninstall had been used to monitor the installation in the first place, but it still does a pretty good job and it will remove a number of file and registry items left behind by the program's own uninstaller.
Scoobs72
September 21st, 2009, 03:23 AM
-{ Quote: "Total Uninstall can do this. The uninstall is not as complete as if Total Uninstall had been used to monitor the installation in the first place, but it still does a pretty good job and it will remove a number of file and registry items left behind by the program's own uninstaller." }-
Revo Uninstaller can do this as well, though I'm not sure how well it compares to Total Uninstall. I previously used Total Uninstall but it tended to be a bit too thorough in removing all changes between snapshots, removing things I suspect were not directly related to the program install. I would be very wary about uninstalling any program based on a 'snapshot' approach.
1boss1
September 21st, 2009, 03:57 AM
-{ Quote: "Revo Uninstaller can do this as well, though I'm not sure how well it compares to Total Uninstall. I previously used Total Uninstall but it tended to be a bit too thorough in removing all changes between snapshots, removing things I suspect were not directly related to the program install. I would be very wary about uninstalling any program based on a 'snapshot' approach." }-
Yes it can be very comprehensive, that's why i mentioned earlier to read the info regarding monitored installs before using it. There's 4 built in profiles for analysis, safe, normal, advanced and patch/update/plugin plus you can create your own and use the numerous sliders to adjust sensitivities of all the files/registry detection components.
You can also exclude things permanently from detection/removal, basically background programs that may be active while you are doing an install like AV's, Firewalls, mouse drivers etc. Also you can run through a learning mode which helps the program learn your system, i guess similar to a HIPS learning/rules mode.
But the basic rule of thumb is don't run needless programs in the background while monitoring an install, just your security software which you exclude and you will get a highly accurate snapshot of changes which in turn results in a perfect uninstall.
So it does do very granular detection and removal, but some time/testing is needed to fully understand its features and capabilities.
Scoobs72
September 21st, 2009, 08:17 AM
-{ Quote: "So it does do very granular detection and removal, but some time/testing is needed to fully understand its features and capabilities." }-
I would also add that the version I used was a few years old and I see Total Uninstall has had a lot of development since then. It is indeed a powerful tool and bearing in mind your comments I think I'll take it for another spin and this time read the manual properly :)
firzen771
September 21st, 2009, 08:19 AM
im testing out Total Uninstall, seems good at first glance.
majoMo
September 21st, 2009, 10:15 AM
-{ Quote: " ( ... ) i just wish it was able to analyze already installed programs some way :-\" }-
ZSoft Beta does this yet.
I use it instead similar Revo feature. And of course their excellent analyzed log (snapshot based) to do a complete uninstall.
pegr
September 21st, 2009, 04:16 PM
-{ Quote: "im testing out Total Uninstall, seems good at first glance." }-
From my own experience, I suggest that when using Total Uninstall to uninstall a program that was installed using a monitored install, you always first use the program's own uninstaller and just use Total Uninstall with the "clean up" profile afterwards to get rid of any remnants not removed by the uninstaller. It's much safer and less likely to lead to problems.
Using Total Uninstall with the "total uninstall" profile to reverse all of the incremental changes recorded between two snapshots as an alternative to using the program's own uninstaller is not guaranteed to work, especially with programs that have a complex installation sequence.
firzen771
September 21st, 2009, 07:06 PM
-{ Quote: "From my own experience, I suggest that when using Total Uninstall to uninstall a program that was installed using a monitored install, you always first use the program's own uninstaller and just use Total Uninstall with the "clean up" profile afterwards to get rid of any remnants not removed by the uninstaller. It's much safer and less likely to lead to problems.
Using Total Uninstall with the "total uninstall" profile to reverse all of the incremental changes recorded between two snapshots as an alternative to using the program's own uninstaller is not guaranteed to work, especially with programs that have a complex installation sequence." }-
ill remember that.
Lebowsky
September 21st, 2009, 10:50 PM
thanks for all the suggestions!
DOSawaits
September 21st, 2009, 11:04 PM
I would also recommend Total Uninstall 5. Does a perfect job at catching any changes during an install, even when a reboot is required in between.
But you must also be careful, configure it to run the program's own uninstall first, and then first check out what's left behind, and delete the stuff you know is from the install itself by your own, ( right-click leftovers, and choose "Delete completely").
NEVER do a fully automated uninstall, cause whatever may be happening behind your back installing a program, being it your Anti-Virus that updated silently, or whatever windows component, you could end up with a pretty fu**ed-up system afterward.
So, my way of uninstalling, via Total Uninstall, run first program's own uninstaller, and then remove the rest manually from within TU.
sun88
September 22nd, 2009, 12:34 AM
Interesting thread since it turns out that Total Uninstall is a "pure installation monitor tool", but it's not recommended to be used to uninstall applications. I hope I don't forget that last part.
DOSawaits
September 22nd, 2009, 01:13 AM
-{ Quote: "Interesting thread since it turns out that Total Uninstall is a "pure installation monitor tool", but it's not recommended to be used to uninstall applications. I hope I don't forget that last part." }-
Well, the problem ain't that Total Uninstall doesn't do a great job, but just like any others it works with snapshots. If you do your Pre-Install snapshot, then install your program, and then wait a bit too long before doing your Post-Install snapshot, some other stuff could get done on your system, for example, Windows Update having updated stuff, or virusscanner was busy updating signatures, with lots of services doing stuff constantly behind your back, etc....
Therefore my recommendation to always check what TU would recommend to remove after the program's main uninstaller finished. You should do so with any installation monitor, since your whole c:\ drive and registry is checked for changes, and no single monitor has that special magic skill to recognize what program made what specific changes.
If correctly configured, the uninstall procedure within TU will first run the program's own uninstaller if present, and then present you with what's still left, you have the choice to keep or delete what's still left.
Anyway, my recommendation still stands, although not free, Total Uninstall is by far the most clever, thorough one of them all.
1boss1
September 22nd, 2009, 01:16 AM
-{ Quote: "Interesting thread since it turns out that Total Uninstall is a "pure installation monitor tool", but it's not recommended to be used to uninstall applications. I hope I don't forget that last part." }-
The OP asked for a pure installation monitor then stated in the first post "Then I could take a look at it, and if I didn't like the look of it, rollback the entire install."
Total Uninstall does exactly this, as for not using it to uninstall applications.. Well "everything" i uninstall i use it, it gets rid of the entire application and its associated files without issue and does an impressive job.
But i took the time out to learn its features and capabilities, because indeed you can remove things which you didn't intend with the advanced "Monitored" component.
Scoobs72
September 22nd, 2009, 03:59 AM
Having taken another look at Total Uninstall I think my recommendation is similar to others. TU is great for monitoring the install so you can see exactly what is being installed, but for uninstalling I would only recommend using first the program's own uninstall application and then using TU for clean-up. This can be configured as the default method in TU. However, I would also add that you should only uninstall the program using the "Monitored Programs" approach (even if you are launching the program's built in uninstall first and then using TU for cleanup) where there have been no reboots required during the install or will be required during the uninstall process. If a reboot has taken place then there is all sorts of entries in the snapshot that are not related to the program install and you could cause some damage as files/registry entries are removed and added back in during the uninstall.
virtumonde
September 22nd, 2009, 04:17 AM
The Standard edition of Total Uninstall (comparison here (http://www.martau.com/total-uninstall-professional-vs-standard.php) ) will be available at 51% discount 29 September at Bits du Jour.
http://www.bitsdujour.com/software/total-uninstall-5-standard-edition/
1boss1
September 22nd, 2009, 05:23 AM
-{ Quote: "Having taken another look at Total Uninstall I think my recommendation is similar to others. TU is great for monitoring the install so you can see exactly what is being installed, but for uninstalling I would only recommend using first the program's own uninstall application and then using TU for clean-up. This can be configured as the default method in TU. However, I would also add that you should only uninstall the program using the "Monitored Programs" approach (even if you are launching the program's built in uninstall first and then using TU for cleanup) where there have been no reboots required during the install or will be required during the uninstall process. If a reboot has taken place then there is all sorts of entries in the snapshot that are not related to the program install and you could cause some damage as files/registry entries are removed and added back in during the uninstall." }-
Yes it's easy to wind up with unrelated entries in a snapshot, for example i just monitored the install of eWallet from BitsduJour because i'm thinking of buying it (virtumonde's fault for sending me there :)).
I intentionally left Outlook running, and hit Send/Receive during eWallet's install:
[Attachment 212439]
As you can see, it captured my Outlook and Archive .pst files because they had "activity" during the install. This could wind up toasting over 1GB of emails if i wasn't careful. But it's easy to exclude it from the log, or add it to the scan exclude list so it never gets in the road again. Here you can see i've added the Agnitum folder so it can stay active but won't get caught up in the logs.
[Attachment 212440]
Now regarding reboot installs/captures you can make TU "learn" what goes on at reboot by doing a training reboot so it knows what's normal and what to ignore. Then when you install a program that needs a reboot, TU can spot the differences and generate a good log of just the program.
Everyone's system is different from the moment we start adding programs/files and changing settings, so any installation monitor will probably catch unrelated stuff so it needs to be taught a little.
As i mentioned before, the rule of thumb is have the bare minimum software running when monitoring an install. Shut down browsers, chat programs and yes Outlook lol. Just leave your security software running, and have it fully excluded (both filesystem and registry) and you will get accurate results.
majoMo
September 22nd, 2009, 07:10 AM
-{ Quote: "If a reboot has taken place then there is all sorts of entries in the snapshot that are not related to the program install and you could cause some damage as files/registry entries are removed and added back in during the uninstall." }-
I use ZSoft with installations that need to reboot and never had such annoyance.
Like TU's developer says:
Background changes that are caught in the install log are not so dangerous as you may think.
There is about changed files that TU don't uninstall anyway and modified registry values that you can be sure will not crash any program if will be restored to a value that was before.
To use the Ignore List is advised. E.g. I'm using WinPatrol real time and I set their registry entries to Ignore List.
I also use firstly own uninstall application and then using ZSoft for clean-up with their analyzed log. ZSoft's developer advised that also.
pegr
September 22nd, 2009, 09:22 AM
The reason for not doing a "total uninstall" to reverse the incremental changes tracked between snapshots has little to do with unwanted background noise captured during the monitoring. As other people have pointed out, changes that are not part of the installation can easily be deleted from the installation log before uninstalling and excluded from future scans.
The fact is that the installation process can't always be accurately modelled by comparing before and after snapshots. For example, suppose you apply an operating system or program upgrade that starts off by backing up a number of executables and DLL's into a backup folder. In order to uninstall the upgrade later and revert to the previous version those files will have to be restored from the backup folder. Total Uninstall will log the fact that a new folder was created during the installation. If you do a "total uninstall" it will simply reverse the change and delete the backup folder containing files that need to be recovered, resulting in a complete mess and possibly an unbootable system.
The bottom line is that while Total Uninstall can reverse changes to the registry, it can't always reverse the file system back to the state it was in prior to the install. That's why I recommend always using the program's own uninstaller first then using Total Uninstall in clean-up mode to get rid of the remnants left behind. Only the program's own uninstaller knows what has to be done to uninstall a program. A snapshot monitor, however sophisticated, will sometimes get it wrong.
I've used Total Uninstall ever since Version 3 and I think it's a great program, but I only use it in clean-up mode for safety. There are no disadvantages to using it this way as it still does an excellent job of removing all leftover traces, without the risk of breaking anything.
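The before/after snapshot comparison discussed in this thread, with the kind of rated checklist the first post asks for and an ignore list for background noise, as an added example that is not part of any post and not the code of any tool named here. It covers files only (no registry); the rating rules and every file name are assumptions, and the sample tree is constructed in a temp directory.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every file under root (relative, '/'-separated, lowercased) to its SHA-256."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix().lower()
            snap[rel] = hashlib.sha256(full.read_bytes()).hexdigest()
    return snap


def diff(before, after, ignore=()):
    """Compare two snapshots, skipping any path that starts with an ignored prefix."""
    def keep(path):
        return not any(path.startswith(prefix) for prefix in ignore)

    created = {p for p in after if p not in before and keep(p)}
    deleted = {p for p in before if p not in after and keep(p)}
    modified = sorted(p for p in after
                      if p in before and before[p] != after[p] and keep(p))
    # A deleted file whose exact content reappears under a new path is a rename.
    by_hash = {after[p]: p for p in created}
    renamed = sorted((p, by_hash[before[p]]) for p in deleted if before[p] in by_hash)
    for old, new in renamed:
        deleted.discard(old)
        created.discard(new)
    return {"created": sorted(created), "modified": modified,
            "deleted": sorted(deleted), "renamed": renamed}


def rate(changes):
    """Star-rated checklist in the style of the first post, highest rating first."""
    findings = []
    for p in changes["created"]:
        if "/start menu/programs/startup/" in p:
            findings.append((1, f"autostart entry made: {p}"))
        if p.endswith(".sys"):
            findings.append((2, f"driver installed: {p}"))
        if p.startswith("windows/system32/") and p.endswith(".exe"):
            findings.append((3, f"exe created in system32: {p}"))
    for old, new in changes["renamed"]:
        if old.startswith("windows/") and old.endswith(".exe"):
            findings.append((4, f"windows exe renamed: {old} -> {new}"))
    return sorted(findings, reverse=True)


def demo(ignore=("mail/",)):
    """Constructed sample: a fake drive in a temp dir, changed between two snapshots."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)

        def write(rel, data):
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)

        write("Windows/System32/notepad.exe", b"original notepad")
        write("Mail/outlook.pst", b"mailbox v1")
        before = snapshot(root)
        # Simulated installer activity (all names are made up for the example).
        write("Program Files/App/app.exe", b"app")
        write("Windows/System32/drivers/appflt.sys", b"driver")
        write("Windows/System32/helper.exe", b"helper")
        write("ProgramData/Microsoft/Windows/Start Menu/Programs/Startup/app.lnk", b"lnk")
        (root / "Windows/System32/notepad.exe").rename(root / "Windows/System32/notepad.bak")
        # Unrelated background activity during the install: the mail client writes.
        write("Mail/outlook.pst", b"mailbox v2")
        after = snapshot(root)
    changes = diff(before, after, ignore)
    return changes, rate(changes)


if __name__ == "__main__":
    changes, findings = demo()
    for stars, text in findings:
        print("*" * stars, text)
```

The diff records only the net change between the two snapshots, so a backup folder created by an upgrade appears as ordinary "created" entries, with nothing to say whether deleting it is safe. Calling `demo(ignore=())` shows the mail file turning up as a modified entry when nothing is excluded.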
sun88
September 22nd, 2009, 05:55 PM
pegr: Thanks for that lucid description.
LockBox
September 22nd, 2009, 07:06 PM
One tool is best if you're monitoring the initial install, another (Revo) is better if the initial install was not monitored.
One reason to use the program's own uninstaller first is it doesn't allow their uninstaller to rewrite anything into the registry. Of course, it goes without saying that using a program's uninstaller only, leaves all kinds of things on your system. Especially if it was trialware.
edited stupid grammatical error
pegr
September 23rd, 2009, 12:08 PM
-{ Quote: "pegr: Thanks for that lucid description." }-
Glad you found it useful. :)
Regards
Copyright ©2002 - 2012, Wilders Security Forums