LastActivityView reveals too much.

Discussion in 'privacy problems' started by zmechys, Feb 14, 2013.

  1. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    1,155
    Location:
    usa
    Yes, I've re-installed Windows 8 twice and all my stuff was gone.
    Re-installing the OS is a radical procedure.
    My question is more about regular, daily procedures to clean unnecessary traces for the concerned power users, because probably 80% plus of all computer users don't even think about it.
     
  2. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    1,155
    Location:
    usa
  3. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    By researching things (example: searching for information on Windows computer forensics), monitoring the filesystem/registry operations performed by certain tools (example: running SysInternal's ProcMon to see what LastActivityView examines), etc one can try to zero in on where sensitive information is stored and the mechanism behind it (which may or may not be configurable). Through such research and/or testing one can also try to determine if it is safe to delete certain things, or at least if the consequences of doing so are tolerable.

    A good developer would make their cleaning tool flexible and provide a way for users to configure it to delete additional registry keys, files, etc. Perhaps you will find that capability in other cleaners if you look. Those that know how to program and those that are willing to learn how could easily whip up their own tool for performing such generally simple tasks.

    The bag* entries would likely be easy pickings for a program that is trying to spy on you (did your anti-malware tool warn you when LastActivityView tried to read them?) so you'd have to be sure to prevent it from being phoned home. Be aware that other programs you might think are trustworthy (Windows metrics, cloud AV programs, etc) may be collecting similar information through other means and phoning it home (in at least some scenarios). So if that concerns you be sure to try to research and address that as well.
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Interesting, as in my case it didn't reveal that much!

    It only showed selected installs & only certain folders I'd opened, but not all? since I re-installed XP/SP2 in 2010. Absolutely no show of countless PDFs I've downloaded & read, or similar numbers of Metapad instances I've created & opened & saved/altered etc. Also no TrueCrypt volumes that had been created/opened/saved/deleted etc! No AxCrypt created etc files/folders showing either :D

    Nothing of a private/confidential etc history nature was exposed = ;)

    I disabled PreFetch & PagingFile & IconCache from day 1, so I'm not sure if this is connected?

    There must be thousands of things I've done on this comp since 2010, but thankfully regular cleaning with, for eg, CleanDiskSecurity/CCleaner/MruBlaster/BleachBit/RegSeeker appears to be very effective = :thumb:
     
  5. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    1,155
    Location:
    usa
    1. My various anti-malware programs did not warn me about LastActivityView.
    I needed to log in as Administrator on Windows 8 and that's it. On Windows 7 it is even easier.

    2. You've touched a very interesting subject for me about "other programs may be collecting similar information through their means".
    Let's say your firewall asked you if you would allow your AV to access the Internet.
    But of course. It needs to get updated.
    What kind of info is being sent to the owner of that AV? Nobody knows.
    Can your HIPS, EMET, etc. prevent it? No.

    3. "A good developer would make their cleaning tool flexible and provide a way for users to configure it to delete additional registry keys, files, etc."

    So far, I could not find that good developer.
     
  6. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Last edited: Feb 16, 2013
  7. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    1,155
    Location:
    usa
    Thank you for the link.
    It's a lot of reading and learning, even crashing my computer.
     
  8. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Well if you can't find an existing cleaner that is already programmed to clean something (I noticed CloneRanger's post) then yes you'll have to roll up your sleeves. Notice, for example, the whole section of the CCleaner docs pertaining to Advanced Usage and the .INI files. There is another section on "How to add other areas of Windows for CCleaner to clean". It could be that you need to use that approach, rather than the "How to add your own program for CCleaner to clean" approach, when trying to delete system keys. I don't know. I was/am merely trying to show you an example. It is up to you to take it from there. Good luck, take your time. You seriously do not want to delete the wrong thing!
     
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Let's back up a bit and look at this problem. This is actually 2 separate but related problems.
    1. Where are all these usage tracks (MRUs) stored and how can they be removed?
    2. Since Windows continuously stores such data, how do you keep from having to do this constantly?

    A solution that addresses both of these problems well enough will probably have to be custom made for your PC. That said, you don't have to be a coder to do it. If you're proficient with the registry and good enough with command line to write a batch file, you can make a solution that fits your needs.

    Start with the standard precautions, a full system backup. If you've separated your data from the OS itself, making and restoring system images only takes a few minutes. If you can work with a virtual copy of your system in VirtualBox or equivalent, even better. Make sure the system backup works. Try restoring the OS to another hard drive to make sure. Nothing is more frustrating than finding out that your system backup doesn't work.

    If a registry backup app like ERUNT works on your OS, use it. As long as you can get back to where you started from, there's no risk in experimenting with the registry. It's actually an excellent learning experience. On my 98 unit, I used TestRun. It creates a duplicate of the existing registry while keeping the original out of harm's way, taking all of the risk out of registry tweaking. Because of the way NT systems boot, an app like TestRun won't work on them, but the ideas behind it can be used. More on this later.

    First problem, finding the usage tracks.
    Once you have your system and registry backups ready, it's time to find the MRUs. This is a time consuming process that will need to be repeated for different aspects of the OS itself and for individual applications that log too much. Tools like Sysinternals Process Monitor (or Filemon and Regmon) will display what files, folders and registry keys an application is accessing. The downside to these apps is the amount of data they show you. The output is thousands of lines. Shut down everything that you don't need, including any real time AVs, or be prepared to look through at least twice as much output. Process/file/reg monitor all have the ability to filter out the activity of individual processes. Use them to reduce the amount of data you need to look through. With the monitoring tools running, launch LastActivityView. Process Monitor's output will display all of the registry keys, files, etc that LastActivityView checked. A percentage of those keys will be storing MRUs. Others will be configuration settings. You can also use the monitoring utilities with apps like CCleaner, MRU Blaster, etc to see exactly what they're deleting. The monitoring utilities can save the output to file. Save its results for the different checking and cleaning apps. It will be very useful for writing your own cleaning script or batch file if you want to go that route.

    Install monitors like Inctrl5 can be used to locate new and changed registry keys. For the most part, it does work on XP. I have no idea what is similar for Vista, 7, or 8. I have no intention of ever using those. Normally, such apps monitor the install process. Some like Inctrl5 will let you take snapshots manually at any given time and then compare them. With the system idle, take a snapshot. Then open a couple folders with Explorer. Take another snapshot. Inctrl5 will show you which keys changed. Used in this manner, the changes displayed will be primarily MRUs. Inctrl5 (and probably others) will let you save this data in several formats: text, csv, html. By running all installs, updates, first runs, etc through an install monitor like Inctrl5 I can account for every file on my system.

    Second problem, removing the tracks and stopping the logging.

    For most people, this will be too long and tedious to be worthwhile. When an operating system is designed to be a spy and a snitch, finding everything is a slow process, especially the tracks stored in the registry.

    Fortunately, you only have to do this once. Not all of the usage tracks are in the registry. Some are in folders like History, Temporary Internet Files, and Recent, for each user account. These can be wiped with apps like Eraser. Each user account also contains several index.dat files. These also contain a lot of usage tracks, both from local use plus everything done with Internet Explorer. These are usually hidden and locked, and can't be wiped while Windows is running. They can be removed from another OS or with a batch file launched from HKLM....RunOnce. The OS will automatically generate new ones of standard sizes but they will be empty.

    Alternate data streams (ADS) are another place that usage data gets stored. Some types of spyware/malware can also be installed in ADS. This is designed into the NTFS file system. I'm not aware of any easy way to prevent their being used this way or for the user to be alerted to the fact. On XP, the problem can be completely avoided by installing it on FAT32 or by converting the file system to FAT32 afterwards. A while back, I saw a webpage that detailed putting Vista on FAT32 but never tried it. I have no idea if it would work with Win 7 or 8. This is a tradeoff. FAT32 file systems don't separate users or accommodate file permissions. FAT32 can't handle files over 4GB, not an issue on a system partition but it can be on a data partition with movies and virtual systems. FAT32 is supposedly more prone to data loss from corruption. This was a much bigger problem on old hardware than it is now. On newer hardware, it rarely ever happens. I've used FAT32 for OS partitions for better than 10 years and have never lost data from file corruption. Either way, it's a decision a user needs to make for themselves.

    Once located, the MRUs stored in the registry itself can be removed, either with the individual cleaning tools or with a batch file/script that performs the same functions. The Windows registry editor can run from the command line and does accept specific entries and switches. See here for more info. A batch file is nothing more than a text file that contains a specific list of instructions that are executed in the order listed. This site has a nice explanation of how this works and the syntax for it. Each registry location containing MRUs requires a specific entry in the batch file to remove it. The saved records from the install and process monitoring tools contain these locations. Once each MRU containing location is found and added to the batch file, one only needs to run the batch file to remove them all. The same batch file can also make use of the delete command to clean Recent, Temp, and other folders. It can also launch the command line component of Eraser to overwrite files/folders instead of just deleting them.

    After you've got all of the MRUs removed from the registry, make a backup copy of it with ERUNT or by copying the individual files. With an MRU-free registry backup made, cleaning the registry becomes as simple as restoring the backup. This clean backup will need updating when you update your system. In order to maintain it, updating and installing both apps and system updates should be a manually performed process. As before, it's a tradeoff between convenience and privacy and the user has to find the balance that suits them.

    Earlier, I mentioned using TestRun to create a duplicate registry on 9X systems. TestRun is nothing more than a collection of batch files that copy, rename, and swap the individual registry files. Later on, I modified these batch files to include the autostart folders and key system files, and to work with multiple user profiles. I then added an entry to the autoexec.bat file to run one of the files before Windows started. By doing this, Windows always started with a clean, optimized, MRU-free registry. This is one of the reasons my 98 install makes XP feel like it's slow and sluggish. Besides getting rid of usage tracks, this completely removed any malware that added itself to the registry. If I chose to do so, I could have turned this into a complete "reboot to restore" system for 98. While it's not possible to do this from within an NT system, it can be done from outside of it. On a system that dual boots XP and 98 (or DOS), it can be done from 98. It might require an NTFS for DOS utility if XP isn't on FAT32. The same thing could be done to the NT system from Linux, whether installed or a live CD. With a little work, it could be automated from a bootloader. There are lots of possibilities when you look at it from outside of Windows. The hardest part is making the clean starting point. Just take your time and be sure that your backup works. If you can build this in a virtual environment, so much the better.
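    The two-step procedure in the post above (snapshot the registry, perform one action, compare to find the keys that changed; then back up and clear a reviewed list of MRU locations) as an added PowerShell example. This is not code from the thread, from NirSoft, Inctrl5 or any cleaner named here. The registry paths are ones known to hold Explorer MRU and shellbag data on Windows 7/8 era systems; the snapshot roots and the backup folder are assumptions to adjust for the machine at hand.

```powershell
# Added example, not from the thread: audit first, back up, then clear.
# Registry paths are ones known to hold Explorer MRU and shellbag data;
# the snapshot roots and backup folder are assumptions to adjust per system.

$MruKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU',
    'HKCU:\Software\Microsoft\Windows\Shell\BagMRU',   # shellbags: the "bag*" keys discussed above
    'HKCU:\Software\Microsoft\Windows\Shell\Bags',
    'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU',
    'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags'
)

function Get-RegistrySnapshot {
    # Returns a hashtable of "key\value" -> data for every value under the given roots.
    param([string[]]$Roots = @('HKCU:\Software\Microsoft\Windows',
                              'HKCU:\Software\Classes\Local Settings'))
    $snap = @{}
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            foreach ($name in $_.GetValueNames()) {
                $data = $_.GetValue($name)
                # Binary MRU data (PIDLs) is rendered as hex so it compares as a string.
                if ($data -is [byte[]]) { $data = [BitConverter]::ToString($data) }
                $snap["$($_.Name)\$name"] = [string]$data
            }
        }
    }
    return $snap
}

function Compare-RegistrySnapshot {
    # Emits one object per value that was added or changed between two snapshots.
    param([hashtable]$Before, [hashtable]$After)
    foreach ($entry in $After.Keys) {
        if (-not $Before.ContainsKey($entry)) {
            [pscustomobject]@{ Change = 'Added';   Value = $entry }
        } elseif ($Before[$entry] -ne $After[$entry]) {
            [pscustomobject]@{ Change = 'Changed'; Value = $entry }
        }
    }
}

function Clear-MruKeys {
    # Exports each key with reg.exe before emptying it, so a mistake is undone with reg.exe import.
    param([string[]]$Keys, [string]$BackupDir = (Join-Path $env:USERPROFILE 'mru-backup'))
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($k in $Keys) {
        if (-not (Test-Path -Path $k)) { continue }
        $regPath = $k -replace '^HKCU:\\', 'HKCU\'          # reg.exe syntax, not the PSDrive form
        $file = Join-Path $BackupDir (($regPath -replace '[\\: ]', '_') + '.reg')
        & reg.exe export $regPath $file /y | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "export failed for $regPath, skipping"; continue }
        # Empty the key but keep it: subkeys first, then the values it holds directly.
        Remove-Item -Path (Join-Path $k '*') -Recurse -Force -ErrorAction SilentlyContinue
        foreach ($name in (Get-Item -Path $k).Property) {
            Remove-ItemProperty -Path $k -Name $name -ErrorAction SilentlyContinue
        }
    }
}

# Step 1: what did a single action touch? (the manual snapshot/compare technique)
$before = Get-RegistrySnapshot
Read-Host 'Open one folder in Explorer, close it, then press Enter'
$after  = Get-RegistrySnapshot
Compare-RegistrySnapshot -Before $before -After $after | Format-Table -AutoSize

# Step 2, only after the list above has been reviewed and a full system backup exists:
# Clear-MruKeys -Keys $MruKeys
```

    Two caveats match the post's own warnings: the compare output will include ordinary configuration values as well as MRUs, so the list fed to Clear-MruKeys should be hand-reviewed rather than copied from the diff; and Explorer keeps shellbag view state in memory and writes it back when windows close or at logoff, so the clearing step is most reliable run from a fresh logon before any Explorer window has been opened.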
     
  10. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    A lot of Windows logging and babysitting can be controlled or disabled via registry settings. Many of these don't appear on any interface. X-setup pro gives the user access to many of these settings. I'm not sure if it works with 7 or 8 but does work quite well with XP.
     
  11. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    1,155
    Location:
    usa
    noone_particular

    Thanks for your very informative post.
    It's like taking a minimum two-semester college course with a lot of prerequisites and strong computer programming skills.
    I've started reading about ADS:

    http://www.windowsecurity.com/articles-tutorials/windows_os_security/Alternate_Data_Streams.html

    http://www.infosecwriters.com/texts.php?op=display&id=53

    I've found a command line tool called LADS (List Alternate Data Streams) at Frank Heyne Software
    http://www.heysoft.de/en/information/ntfs-ads.php
     
    Last edited: Feb 16, 2013
  12. aklies14

    aklies14 Registered Member

    Joined:
    Jun 22, 2012
    Posts:
    29
    Location:
    America
    Last edited: Feb 16, 2013
  13. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    Yes, he tried to tell people R-Wipe&Clean has already found a way to wipe this. They deleted (or rather edited) his post. It's all about OUR product - not being helpful. Too bad the way that guy was treated there. I have found CCleaner to be buggier and less compelling for me than it used to be. On MY system, it's fully encrypted and I don't really care about all these cleaners....but still...
     
  14. aklies14

    aklies14 Registered Member

    Joined:
    Jun 22, 2012
    Posts:
    29
    Location:
    America

    I don't know why R-Wipe&Clean didn't work for me, maybe I deselected something important. Need to check again.

    edit: yup, R-Wipe nuked it :) (clean items under USER_NAME->Stored explorer view settings)

    any idea how to completely disable this logging?


    http://computer-forensics.sans.org/blog/2011/07/05/shellbags/comment-page-1/?reply-to-comment=13026
     
    Last edited: Feb 16, 2013
  15. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    Why would a software that shows the traces left on your system be "evil"? I'd say it is very helpful, because it shows you the places (registry and files) that you need to clean up! :)
     
  16. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    You've got this backwards. It's the operating system that records everything that you open, every folder you navigate to, every site that you visit, etc, then stores this data. These tools expose that behavior and the data the operating system stores. If there's an "evil" here, it's the Windows registry itself. If it wasn't for tools like these and the people who dissected the Windows registry, we'd know far less about just how much Windows spies on its users. Be glad that these tools are available to all of us. If the evil is collecting and storing records of all we do, then these tools are exposing that evil. By studying what they do and where they look, they give us the ability to undo it.
     
  17. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    1,155
    Location:
    usa
    My greatest appreciation to the developer, Nir Sofer, of the program that opened my eyes about my Windows computers.
     
  18. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    I forgot to mention that every install I've done with XP has been with a FAT32 C drive. Also I disabled Indexing.

    Ran http://www.nirsoft.net/utils/shell_bags_view.html posted by aklies14 :thumb: & again it showed a number of entries, but by no means anywhere near all I've done on here.

    Spot on :thumb:

    Ditto :thumb: He's made available a lot of useful tools etc for many years, & all for free too ;)
     
  19. The_PrivaZer_Team

    The_PrivaZer_Team Developer

    Joined:
    Feb 14, 2013
    Posts:
    1,077
    Location:
    France
    Hello,

    The next version of PrivaZer (v1.8)
    will be able to prevent activity recovery
    which could be performed by means of dedicated software like LastActivityView.

    We still have some work to do to finalize this new version.
    We are looking for people to evaluate/test it before it can be publicly released.

    Contact us if you would like to test it.
     
    Last edited: Feb 20, 2013
  20. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    yeah, there's also ADS Scanner by Pointstone, ADS Spy by Merijn, AlternateStreamView by (that evil, lol) NirSoft, StreamFinder by Werner Rumpeltesz, and probably a dozen more too.

    why don't you just run MRU Blaster once and see if you like the results -
    then maybe you will reconsider if that's the correct path to take.
     
  21. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    1,155
    Location:
    usa
    I use it regularly but my MRU-Blaster never finds anything.

    MRU-Blaster.PNG
     
  22. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    1,155
    Location:
    usa
    I hope it's a joke.
    NirSoft is like a lone hero from Hollywood movies fighting against the evil empire.
     
  23. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    lol, I've been using NirSoft stuff for at least 5-6 years. You're the one acting like LastActivityView is some kind of spyware designed to rat you out. I don't know what it is you're so concerned about anyone finding, but if you're worried about the police or something there's no doubt they have much more sophisticated and thorough forensics tools than any freeware app from NirSoft.

    re: MRU Blaster, I tried that program about 2 years ago and it wiped out my Start Menu history and a few other things that pi$$ed me off (my fault for not reading up on what would be deleted), and about that time I began to realize that trying to delete every single one of these logs and files and registry entries and MRU lists that just get regenerated over and over again isn't the answer. And if you're really worried about privacy you might look into what info is being leaked through your browser: things like CPU ID, HDD serial #, partition ID; these things are possible through WMI on Windows and D-Bus I think it's called on Linux. They are also using machine fingerprinting and browser fingerprinting techniques to track you so that deleting cookies or blocking cookies does nothing. Your ISP is likely snooping on your traffic and your DNS requests, your geolocation is being given away by your browser as well as Thunderbird by default, and on and on. A few years ago I used to think I was outsmarting the trackers and snoops by deleting cookies, and then flash cookies and cache and history and using Ghostery and CCleaner, but they are five steps ahead because there's big money involved.

    btw, NirSoft is not the lone hero, there are many others - TAILS, TOR, on and on.
     
  24. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Right. Segregation of "incompatible activities" (whatever you don't want linked) on different hardware is best. Using VMs is probably OK for most purposes, but VMs do see some host hardware properties.

    Right again. And again, segregation is the answer: using different chains of VPNs and Tor for your various incompatible activities.
     
  25. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    1,155
    Location:
    usa
    I think you have quoted someone else’s comments:
    Originally Posted by zmechys
    My greatest appreciation to the developer, Nir Sofer, of the program that opened my eyes about my Windows computers.
    I believe that computer security specialists are way too serious; therefore, here is my disclaimer:
    I am not a “bad” guy and I don’t want serious people from n0SuchA8ency to plant a keylogger on my computer when Zemana Antilogger (paid version) does not work on my Windows 8 64-bit system.
    Here is my IP address : 192.168.1.2
    (It’s a joke)
    Dear Snoop3, please don’t get distracted from the subject deliberately or not.
    1. In this thread, I don’t give a damn “what leaks through my browser”.
    2. In this thread, I want to know what is the purpose for Windows OS to store info about my
    (a) Listening to Justin Bieber’s song three years ago (the file deleted three years ago),
    (b) Reading an e-book about knitting two years ago (the file deleted two years ago),
    (c) Connecting to an external hard drive that I lost two and a half years ago.
    (Disclaimer: The examples are a creature of my imagination. I'm not a Bieber fan)


    I paid money to purchase the computer and Windows OS; therefore, I want to know why Windows OS is recording that kind of data.

    Did the C++ Windows programmers forget to do the necessary cleanup?
    Did the Windows OS programmers get the instructions from their bosses, Bill Gates to record everything?
    Does knowing about “my listening to Bieber’s song three years ago” help me to start Windows XP after I get
    a black screen with a message like : “Windows could not start because the following file is missing or corrupt: …, etc…?
    If somebody decides to take his or her computer to any repair shop, could that personal data be accessed by the repair technicians? If yes, is it OK with you?

    Now, it’s my computer and I want to delete that kind of info.
    Why is it so difficult to delete “my listening to Bieber’s song” three years ago, even with commercially available cleaners?

    To sum up.
    It’s my computer and I can drop it, I can thrash it, I can destroy it, or can try to erase any info from my computer that I decide to be irrelevant. It has nothing to do with any kind of LEA.
     