LastActivityView reveals too much.

Discussion in 'privacy problems' started by zmechys, Feb 14, 2013.

  1. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Unless you used an install monitor that takes snapshots of the registry and file system, changes made to services, settings, etc, and used it on both the actual install and the first run of the application, it's very difficult to know if you found all the traces. The uninstallers are notorious for leaving pieces behind, often deliberately.

    Pirated or cracked apps are just one example of how leftover traces can be a problem. Other potential problem apps could include torrent and file sharing software. Depending on where you're at and what course things follow given recent revelations about government spying/snooping, apps like Tor, encryption, decentralized communication apps, Bitcoin, and apps that are legit but are considered "hacking tools" could all be problems.

    On the older operating systems, finding and removing all of the usage tracks was relatively easy. On a 9X system for example, a fairly simple batch file run at startup or shutdown could remove most all of it automatically. The tools needed for the task were already part of the operating system. One doesn't need to look any farther than the Privazer app to see how much this has changed. There's so much of it stored in so many places. As good as Privazer is, it's likely that there are tracks and traces left that it isn't finding, especially those left by individual applications.
    This assumes that you will have the time and opportunity to use it. In certain circumstances and a growing number of places, if you can't accomplish it in a matter of a few seconds, it won't be sufficient. You can't restore an image or run Privazer if they turn up at your door. While this is far-fetched (at the moment) in a lot of places, in others, it's a reality. I suspect that this will become reality in a lot more places very soon. I also wonder how long it will be before apps like these will become illegal on the grounds that they destroy evidence. That's one of the reasons I prefer the older operating systems. They store fewer usage tracks, it's easier to find them, and much easier to disable or remove the offending components.
     
  2. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    That is correct, however I was talking about a specific registry key (the one detected by LastActivityView). And if I am not mistaken, it is exactly the one that determines if the program is shown in "Add/Remove programs". So while an application can leave unwanted traces, if it doesn't appear in "Add/Remove programs", the specific key that I was referring to is deleted.

    I also agree with you here, restoring the image or cleaning up is not something you can do in an instant, but if you do this let's say once a week, then you will have only a week of traces on your computer, and also plausible deniability (because it is a part of your regular maintenance policy).

    As for "them" turning up at your door, I operate on the assumption that at that moment you kind of lost the battle, or at best your life got a lot more complicated... :(
     
  3. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    There's more than one location that LastActivityView and the Add\Remove programs dialog use for this information. While most of it comes from the uninstall keys under HKLM and HKCU, some items shown in Add/Remove programs didn't have entries there.

    I believe that we have somewhat different purposes in this regard. For me, deleting traces of something that was installed before is a non-issue. The PCs I have were all bought used. They've all been nuked, repartitioned, and reformatted. For me, the issue is more often eliminating traces of apps that still exist on the system, like something that's installed on an encrypted partition. Some will call this paranoid, which would be very disheartening considering recent events and revelations. I'm expecting that entire categories of apps will become illegal in the not too distant future, apps that remove user activity records, apps for encrypted or covert communications, etc.
    Maybe I missed something, but I seem to recall not long ago, possibly in Germany, that the authorities raided homes of people just for running Tor exit nodes. I suspect that we're going to see a lot more of this, especially if you're part of decentralized anonymity networks. I'm also convinced that the authorities are using fabricated "child porn" charges as a means to force decryption. The "occupy wall street" protesters were classified as low level terrorists, which (in the government's eyes) justifies whatever they choose to do. Unfortunately, Windows is an all too willing informant that either needs to be tamed (older versions) or avoided entirely.
     
  4. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    At least for LastActivityView, there are only two registry keys (I didn't consider them different because one is for the current user and the other one is global):
    Source: http://www.nirsoft.net/utils/computer_activity_view.html
     
  5. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    The only real solution is to create an encrypted container... Run it inside a RamDisk (a memory hard disk) which dies after each shutdown.

    As your memory is volatile, the data in it dies and no trace is visible. As your data is contained inside an encrypted container they are SOL even if they know about it...

    Heck even better keep the encrypted container on some USB thumb drive then run it only on RamDrives.

    Free encrypted container software http://www.truecrypt.org/
    Note: Keep the password very large and the key off the box like say inside a thumb drive

    Free Ramdisk software http://www.softperfect.com/products/ramdisk/

    Now educate yourself better and you may have a fighting chance against the snoops
    Security these days is a matter of intelligence and not one of convenience...
     
    Last edited: Jul 15, 2013
  6. The_PrivaZer_Team

    The_PrivaZer_Team Developer

    Joined:
    Feb 14, 2013
    Posts:
    1,083
    Location:
    France
    Hello,

    new PrivaZer v2.2 deletes Windows Event Logs
    to defeat last activity viewers
    using .evt and .evtx files to generate timelines.

    http://privazer.com/download.php
     
  7. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden

    100% agree with the above, in fact been posting lately about this exact thing.

    I plan on getting as many portable apps and putting on a pen drive (encrypted drive with tc) or on the hdd in an encrypted file and then simply copy the portable apps to a ram drive, perhaps copy to a running virtual boxed os (within the ram drive) and then run them directly from there itself.

    I just need to have a cut-off switch, or if an adversary attempted data recovery the RAM is volatile so after 10 seconds all is lost!
     
  8. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden

    Thanks, just tried this and it is working fine, if PrivaZer had an auto run option on every hour.... that would be perfect ;)
     
    Last edited: Sep 6, 2013
  9. The_PrivaZer_Team

    The_PrivaZer_Team Developer

    Joined:
    Feb 14, 2013
    Posts:
    1,083
    Location:
    France
  10. The_PrivaZer_Team

    The_PrivaZer_Team Developer

    Joined:
    Feb 14, 2013
    Posts:
    1,083
    Location:
    France
    [UPDATE] New Shellbag Analyzer & Cleaner v1.21
    http://privazer.com/download-shellbag-analyzer-shellbag-cleaner.php

    Changelog :

    - Improved UI
    - Minor bug fixes


    ShellBags keys may contain information concerning your activities on folders :

    1. names and paths of folders you opened on your PCs
    (even if the folder has been deleted)
    2. detailed timestamp info, creation time, modification time, access time
     
  11. Keatah

    Keatah Registered Member

    Joined:
    Jan 13, 2011
    Posts:
    1,029
    ..restoring from a sector-by-sector backup image. To just erase and re-write files isn't enough. Remnants of the old logs can migrate into areas of the disk not touched in a file-by-file restore.

    Also the sector-by-sector backup should be done after you've zero'd out the un-used areas and completed your "pristine cleaning".
     
  12. The_PrivaZer_Team

    The_PrivaZer_Team Developer

    Joined:
    Feb 14, 2013
    Posts:
    1,083
    Location:
    France
    Hello TheCatMan,

    we missed your post...
    PrivaZer has already an auto run option (scheduled cleanups)

     

  13. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    Just ran version 1.04, and couldn't believe how much it reveals, right back to the beginning. :argh:

    ScreenShot_Nirsoft_LAV_01.gif
     
  14. The_PrivaZer_Team

    The_PrivaZer_Team Developer

    Joined:
    Feb 14, 2013
    Posts:
    1,083
    Location:
    France
    Hello Tarnak,
    please use PrivaZer to clean your activity history and scramble dates...
    Then run LastActivityView to check. Okay?

    Download it from here :
    http://privazer.com/download.php

    Keep us informed.
     
  15. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    I did it. LastActivityView shows me all the voices that I saw before the cleaning.
     
  16. The_PrivaZer_Team

    The_PrivaZer_Team Developer

    Joined:
    Feb 14, 2013
    Posts:
    1,083
    Location:
    France
    Hello Blacknight,

    could you send us a screenshot or an export of LastActivityView to support@privazer.com
    or post it here?
     
  17. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    I am comfortable with living with the voices. ;)

    I once used ccleaner, quite awhile ago, and it mucked up something in XP.

    So, I am wary of this type of software.
     
  18. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    I sent it to your support.
     
  19. The_PrivaZer_Team

    The_PrivaZer_Team Developer

    Joined:
    Feb 14, 2013
    Posts:
    1,083
    Location:
    France
    Hello,
    we checked your screenshots and there is no privacy issue.

    First screenshot, you sent us, shows up opened folders "history" ("View folder in Explorer").
    1. "Last visit" dates are all scrambled by PrivaZer (see screenshot below)
    2. deleted folders do not appear in the list because references are securely deleted from the list by PrivaZer.
    Folders displayed by lastActivityView are folders still existing on your drive.

    So, as those folders exist on your drive and their "last visit dates" are scrambled, there is no privacy issue.

    Second screenshot, you sent us, shows up installed software and installation date.
    As those programs are still installed on your PC, I do not see any privacy issue.

    Does it help?
     

  20. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    Thanks for your so fast answer. Actually I too assumed that they were not really risks for my privacy: just it is stuff on my HD. Only I was afraid that it was a general sign that PrivaZer was not effective on my pc. Solved. :thumb:
     
  21. The_PrivaZer_Team

    The_PrivaZer_Team Developer

    Joined:
    Feb 14, 2013
    Posts:
    1,083
    Location:
    France
  22. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,195
    hi
    could be empty
    Code:
    HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
    ?
     
  23. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    Run some cleaners, and then Privazer for the last one. Install and enable Shadow Defender and do a bunch of work on your computer. Then reboot and see what traces can be found. I know that Shell Bag Cleaner can't find anything. I tried another piece of software too and not a speck of anything showed up except whatever shows up just by turning on my computer.
     
  24. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    Also there is an option to encrypt SD's write cache. And you can also encrypt the pagefile.
     
  25. Robert Collier

    Robert Collier Registered Member

    Joined:
    Jul 11, 2014
    Posts:
    1
    Right click on the reg key > Permissions > Add > Type in "Everyone" > Push "Check Name" and "OK" > For Everyone, set "Deny" for all permissions.

    HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU
    HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags
    HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
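
    A read-only way to check the result of the steps in the post above, as an added example that is not part of the original post: this PowerShell snippet reports, for each key listed there, whether its ACL can be read and which Deny entries it carries. The key paths are taken from the post; the report field names (Status, DenyEntries) are chosen here for illustration.

```powershell
# Added example: read-only audit of the registry keys named in the post above.
# Nothing is modified; the script only reads each key's ACL.
$keys = @(
    'HKCU:\Software\Microsoft\Windows\ShellNoRoam\BagMRU',
    'HKCU:\Software\Microsoft\Windows\ShellNoRoam\Bags',
    'HKCU:\Software\Microsoft\Windows\ShellNoRoam\MUICache',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU'
)

$report = foreach ($key in $keys) {
    try {
        $acl = Get-Acl -Path $key -ErrorAction Stop
    }
    catch {
        # Missing key or unreadable ACL: record the error type instead of guessing.
        [pscustomobject]@{
            Key         = $key
            Status      = $_.Exception.GetType().Name
            Owner       = $null
            DenyEntries = $null
        }
        continue
    }

    # Collect explicit or inherited Deny rules (e.g. the "Everyone" rule from the post).
    $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
    $denyText = ($deny | ForEach-Object {
        '{0}: {1}' -f $_.IdentityReference, $_.RegistryRights
    }) -join '; '

    [pscustomobject]@{
        Key         = $key
        Status      = if ($deny.Count) { 'DenyPresent' } else { 'NoDeny' }
        Owner       = $acl.Owner
        DenyEntries = $denyText
    }
}

$report | Format-List
```

    A key that returns an error type instead of an ACL is reported as such rather than treated as absent, so the output distinguishes "no Deny rule" from "could not be inspected".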
     