Free file system and registry snapshot comparison programs for 64-bit (x64) Windows

Discussion in 'other software & services' started by MrBrian, Aug 17, 2011.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Recently I spent a fair amount of time researching free programs for 64-bit Windows that show file and/or registry changes between two points in time. Many of the free programs out there that fit this description unfortunately are 32-bit programs that don't see the full 64-bit system. Here are the free programs I found that see the full 64-bit system:

    1. RegShot Unicode x64
    Can show both file and registry changes. Comparisons can be done between any two snapshots. File snapshots can optionally include file hashes. Unfortunately, when run with admin privileges (which you need to do to see everything), scanning the file system always results in RegShot Unicode crashing on my computer. Thus I use only the registry snapshot functionality.

    2. RegShot x64
    Crashed during registry scan when run as admin (which you need to do to see everything), so not evaluated further.

    3. OSForensics
    Can show both file and registry changes. Comparisons can be done between any two snapshots. File snapshots (they're actually called "signatures" in the program) can optionally include file hashes. Unfortunately, a registry snapshot doesn't include registry values as far as I can tell; registry keys are included however. Thus I use only the file comparison functionality of OSForensics.

    4. TrackWinstall x64
    Can show both file and registry changes. Comparisons can be done only between a snapshot and the present time. File snapshots can optionally include file hashes. File snapshot comparison results list only which files have been added, created, and deleted; OSForensics shows more file details than TrackWinstall. The registry comparison results give an inadequate amount of details in some cases IMHO, and thus I recommend not using the registry snapshot functionality of TrackWinstall.

    5. Microsoft Windows System State Monitor x64 (found in Software Certification Toolkit x64)
    Can show both file and registry changes. Additionally, can show changes in services and drivers. Comparisons can be done only between two points in time within the current session. Cannot monitor across a reboot. File snapshots cannot include file hashes.

    6. Microsoft Windows System State Analyzer x64 (found in Software Certification Toolkit x64)
    Can show both file and registry changes. Additionally, can show changes in services and drivers. Comparisons can be done between any two snapshots. File snapshots cannot include file hashes. Snapshot creation is very slow. I couldn't assess the comparison results because the program crashed when I tried.

    7. Advanced Uninstaller Free
    Can show both file and registry changes - use the installation monitor. Comparisons can be done only between two points in time within the current session, or across a reboot. File snapshots cannot include file hashes. I noticed that file changes and deletions are not listed; this might not be a bug because file changes or deletions cannot be undone by Advanced Uninstaller Free during uninstallation of a program that was monitored during installation. Not recommended as a file snapshot comparison program because of this issue, although it might be fine for the purpose of uninstalling programs. Off topic remark: Advanced Uninstaller Free can optionally scan for leftover file and registry items during uninstallation, similar to Revo Uninstaller.

    My recommendations:
    For file system snapshots, use either OSForensics or TrackWinstall; OSForensics is better IMHO but it's also a larger download. For registry snapshots, use RegShot Unicode x64 run with admin privileges.

    If you know of other similar programs, please do tell :).
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    My description of the registry snapshot feature in OSForensics was somewhat incorrect. OSForensics stores both registry keys and value names in a registry snapshot. However, OSForensics doesn't store a value's data in a registry snapshot, although it does store a value's data size. As a result, OSForensics won't be able to show if a given value's data changed if its size in bytes didn't change. Regshot Unicode doesn't have this issue.

    My recommendations from the last post are unchanged.
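The limitation described in these two posts (a snapshot that records only a value's size, or only file metadata, cannot see a change whose size stays the same) is easy to reproduce with a small snapshot-comparison routine. The following Python is an added example written for this thread, not code from any of the tools discussed; the registry paths, file paths and their data are constructed sample inputs.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """What a snapshot records about one item (file or registry value)."""
    size: int      # length of the data in bytes (what a size-only snapshot keeps)
    digest: str    # hex SHA-256 of the data (what a hash-enabled snapshot keeps)


def take_snapshot(items: dict[str, bytes]) -> dict[str, Entry]:
    """Build a snapshot from a mapping of item name -> raw data."""
    return {
        name: Entry(len(data), hashlib.sha256(data).hexdigest())
        for name, data in items.items()
    }


def compare(before: dict[str, Entry], after: dict[str, Entry], use_hash: bool = True) -> dict:
    """Report added, deleted and modified items between two snapshots.

    With use_hash=False the comparison only looks at the recorded size, which
    is the behaviour the OSForensics registry snapshot is described as having.
    """
    added = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = []
    for name in sorted(set(before) & set(after)):
        a, b = before[name], after[name]
        changed = a.digest != b.digest if use_hash else a.size != b.size
        if changed:
            modified.append(name)
    return {"added": added, "deleted": deleted, "modified": modified}


def demo() -> dict:
    """Constructed scenario: two items change content without changing size."""
    before = take_snapshot({
        r"HKLM\SOFTWARE\ExampleApp\Enabled": b"0",                       # constructed value
        r"HKLM\SOFTWARE\ExampleApp\InstallDir": b"C:\\Program Files\\ExampleApp",
        r"C:\Windows\System32\drivers\etc\hosts": b"127.0.0.1 localhost\n",
    })
    after = take_snapshot({
        r"HKLM\SOFTWARE\ExampleApp\Enabled": b"1",                       # 1 byte -> 1 byte
        r"HKLM\SOFTWARE\ExampleApp\InstallDir": b"C:\\Program Files\\ExampleApp",
        r"HKLM\SOFTWARE\ExampleApp\Version": b"2.0",                     # newly added value
        r"C:\Windows\System32\drivers\etc\hosts": b"127.0.0.2 localhost\n",  # same length
    })
    return {
        "hash": compare(before, after, use_hash=True),
        "size_only": compare(before, after, use_hash=False),
    }


if __name__ == "__main__":
    for mode, result in demo().items():
        print(mode, result)
```

The hash-based comparison reports both modified items, while the size-only comparison reports none of them, even though it still sees the added value. That is why a file snapshot with hashes enabled (and a registry snapshot that stores value data, as Regshot does) is the setting to prefer when the point of the comparison is to catch tampering rather than just installation footprints.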
     
  3. majoMo

    majoMo Registered Member

    Joined:
    Aug 31, 2007
    Posts:
    938
    @ MrBrian, I appreciate the time you found to analyze this kind of app for 64-bit systems.

    1- Since I'm using System Explorer's Snapshot feature, but on a 32-bit system, can you try it to see if it works well on 64-bit as well?

    2- BTW, does Advanced Uninstaller Free have an Ignore/Excluded List in its installation analysis?

    Thanks.
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :).

    System Explorer v3.06 run with admin privileges doesn't see the whole 64-bit system.

    You can test whether a given snapshot program sees the whole 64-bit system by creating a new file with Windows Explorer between snapshots in \windows\system32 (to test file system snapshot) and creating a new registry key with Regedit between snapshots directly under HKEY_LOCAL_MACHINE\SOFTWARE (to test registry snapshot). If a given snapshot program doesn't list these newly created items in a snapshot comparison, then it can't see the whole 64-bit system.

    Advanced Uninstaller Free's Installation monitor settings are described here. When uninstalling, the user is given the option of which items to undo - see here.
     
    Last edited: Aug 18, 2011
  5. majoMo

    majoMo Registered Member

    Joined:
    Aug 31, 2007
    Posts:
    938
    I didn't test it since I don't have a 64-bit system. :D Thanks for the tip on how to be sure about 64-bit snapshot compatibility. Useful. ;)

    I tried Advanced Uninstaller Free now, and indeed it doesn't have an Ignore/Excluded List; unchecking items a posteriori isn't the best solution.
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Another program that might be helpful to some is System Change Log (free for personal use, not free for business use). System Change Log isn't technically a file snapshot comparison program. Instead, it monitors the operating system's USN Journal for file events. System Change Log can write its log to a text file and/or the Windows Event Viewer. You can specify which folders to monitor, and also which files to include or exclude.
    The website states that this is a 30-day trial, but it's on the honor system and there is no nagging.

    When I tried to run the program's Control Panel applet, nothing happened. However, you can access the applet by running file \windows\system32\scl.cpl with admin privileges. The text log, if this option is enabled, is found at \windows\system32\scl.log.

    To give you an idea of what the text log file looks like, here is a snippet from my computer:
    Sat Aug 27 2011 12:12:23 Info: C:\Temp\System Change Log v3.1 hehe\x86\setup.exe file deleted
    Sat Aug 27 2011 12:12:23 Info: C:\Temp\System Change Log v3.1 hehe\x86 folder deleted
    Sat Aug 27 2011 12:12:23 Info: C:\Temp\System Change Log v3.1 hehe folder deleted
    Sat Aug 27 2011 12:12:30 Info: C:\ProgramData\PrevxCSI\csidb.csi file modified
    Sat Aug 27 2011 12:12:30 Info: C:\ProgramData\PrevxCSI\csidb.csi file modified
    Sat Aug 27 2011 12:12:30 Info: C:\ProgramData\PrevxCSI\csidb.csi file modified
    Sat Aug 27 2011 12:12:30 Info: C:\ProgramData\PrevxCSI\csidb.csi file modified
    Sat Aug 27 2011 12:12:30 Info: C:\ProgramData\PrevxCSI\csidb.csi file modified
    Sat Aug 27 2011 12:12:30 Info: C:\ProgramData\PrevxCSI\csidb.csi file modified
    Sat Aug 27 2011 12:12:30 Info: C:\ProgramData\PrevxCSI\csidb.csi file modified
    Sat Aug 27 2011 12:12:30 Info: C:\ProgramData\PrevxCSI\csidb.csi file modified
    Sat Aug 27 2011 12:12:30 Info: C:\ProgramData\PrevxCSI\csidb.csi file modified
    Sat Aug 27 2011 12:12:30 Info: C:\ProgramData\PrevxCSI\csidb.csi file modified
    Sat Aug 27 2011 12:12:30 Info: C:\ProgramData\PrevxCSI\csidb.csi file modified
    Sat Aug 27 2011 12:12:30 Info: C:\ProgramData\PrevxCSI\csidb.csi file modified
    Sat Aug 27 2011 12:12:30 Info: C:\ProgramData\PrevxCSI\csidb.csi file modified
    Sat Aug 27 2011 12:12:30 Info: C:\ProgramData\PrevxCSI\csidb.csi file modified
    Sat Aug 27 2011 12:13:03 Info: C:\Temp\New folder folder created
    Sat Aug 27 2011 12:13:05 Info: C:\Temp\New folder folder renamed to hehe
    Sat Aug 27 2011 12:13:15 Info: C:\Temp\System Change Log v3.1\Setup.exe file renamed to C:\Temp\hehe\Setup.exe
     
    Last edited: Aug 27, 2011
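The log excerpt above has a regular shape (timestamp, level, a path that may contain spaces, then "file"/"folder" and an action), so it can be parsed and the repeated lines collapsed into a per-path summary. The following Python is an added example written for this thread, not part of System Change Log; the parsing rules are inferred from the lines shown above, and the embedded sample is a constructed copy of that excerpt.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# "Sat Aug 27 2011 12:12:23 Info: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<level>\w+): (?P<rest>.+)$"
)
# "<path> file|folder created|deleted|modified|renamed to <target>"
# The path is matched greedily because it may itself contain spaces; the
# action keyword is then found from the right-hand end of the line.
EVENT_RE = re.compile(
    r"^(?P<path>.+) (?P<kind>file|folder) "
    r"(?P<action>created|deleted|modified|renamed to (?P<target>.+))$"
)


@dataclass
class Event:
    when: datetime
    level: str
    path: str
    kind: str                      # "file" or "folder"
    action: str                    # created / deleted / modified / renamed
    target: Optional[str] = None   # new name or path for a rename


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; returns None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = EVENT_RE.match(m.group("rest"))
    if not e:
        return None
    target = e.group("target")
    return Event(
        when=datetime.strptime(m.group("ts"), "%a %b %d %Y %H:%M:%S"),
        level=m.group("level"),
        path=e.group("path"),
        kind=e.group("kind"),
        action="renamed" if target else e.group("action"),
        target=target,
    )


def parse_log(text: str) -> List[Event]:
    """Parse a whole log, silently skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            events.append(ev)
    return events


def collapse(events: List[Event]) -> List[Tuple[Event, int]]:
    """Merge consecutive events for the same path/kind/action/target into (event, count)."""
    out: List[Tuple[Event, int]] = []
    for ev in events:
        if out and (out[-1][0].path, out[-1][0].kind, out[-1][0].action, out[-1][0].target) == \
                   (ev.path, ev.kind, ev.action, ev.target):
            out[-1] = (out[-1][0], out[-1][1] + 1)
        else:
            out.append((ev, 1))
    return out


# Constructed sample: the excerpt quoted in the post (14 identical csidb.csi lines).
_CSIDB = r"Sat Aug 27 2011 12:12:30 Info: C:\ProgramData\PrevxCSI\csidb.csi file modified"
SAMPLE_LOG = "\n".join(
    [
        r"Sat Aug 27 2011 12:12:23 Info: C:\Temp\System Change Log v3.1 hehe\x86\setup.exe file deleted",
        r"Sat Aug 27 2011 12:12:23 Info: C:\Temp\System Change Log v3.1 hehe\x86 folder deleted",
        r"Sat Aug 27 2011 12:12:23 Info: C:\Temp\System Change Log v3.1 hehe folder deleted",
    ]
    + [_CSIDB] * 14
    + [
        r"Sat Aug 27 2011 12:13:03 Info: C:\Temp\New folder folder created",
        r"Sat Aug 27 2011 12:13:05 Info: C:\Temp\New folder folder renamed to hehe",
        r"Sat Aug 27 2011 12:13:15 Info: C:\Temp\System Change Log v3.1\Setup.exe file renamed to C:\Temp\hehe\Setup.exe",
    ]
)


if __name__ == "__main__":
    for ev, n in collapse(parse_log(SAMPLE_LOG)):
        extra = f" -> {ev.target}" if ev.target else ""
        print(f"{ev.when:%H:%M:%S} {ev.kind:6} {ev.action:8} x{n:<3} {ev.path}{extra}")
```

Collapsing is deliberately limited to consecutive lines, so a file that is modified, then something else happens, then it is modified again still shows up as two separate entries in order; that preserves the sequence of events, which matters more than compactness when the log is being reviewed after the fact.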
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    A note about System Change Log: it doesn't log file system changes recorded in the USN Journal when System Change Log's service isn't running.

    Here are free programs which let you view the contents of the USN Journal:
    1. Windows Journal Parser
    2. Eyes on NTFS
    3. parser-usnjrnl - terminated with error when I tried it; to use, first copy the file \$Extend\Usnjrnl:$j to a new file using NTFS File Copy Utility
    4. EnScript to parse USNJRNL - couldn't try because I don't have EnCase

    Windows Journal Parser seems more thorough than Eyes on NTFS in my limited testing. Unlike System Change Log, Windows Journal Parser doesn't show a file's path.
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Thanks again for the tips :thumb:

    I used the Windows System State Monitor in my sandbox-redirect setup for Chromium.

    1. Start Windows System State Monitor
    2. Do some browsing
    - logging into Wilders Security
    - Adding a bookmark
    - Adding an extension
    - Viewing an Internet movie
    - Viewing a PDF
    - Buying a music file on a store, to the point of
    starting the Ideal payment service until confirmation through external calculator
    - Downloading an executable
    - Saving an image to the desktop

    3. Add the program (in this case Chromium) to GeSWall as untrusted program
    * repeat above actions
    * scan for untrusted files

    4. Fine tuning GeSWall (making it behave like sandboxie)
    * export GeSWall logs
    * export file scan of GeSWall
    * compare those with the initial Windows State Monitor
    * fine tune GeSWall console rules

    => Policy sandbox with SBIE application virtualisation around Chromium's sandbox :cool: backed up by my UAC settings (only elevate signed programs, which Chromium is not) = triple sandbox which only uses 0.01% CPU realtime :D

    => Under UAC the command menu of GeSWall to change a downloaded file from untrusted to trusted does not work. GeSWall has a disadvantage compared to DefenseWall (which has total untrusted file control): when you copy or move a file from one partition to another, GeSWall forgets the untrusted file marker (Windows does the same for mandatory rights assignment with icacls.exe). Funny thing: the 1806 deny execute marker of the ADS sticks!
     
    Last edited: Aug 28, 2011
  9. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Thanks for making this thread, will add new programs to the list later.

    Where is the website for RegShot Unicode and Windows System State Monitor (Software Certification Toolkit)? Third-party is fine as long as there's an adequate description and valid download links.
     
    Last edited: Aug 31, 2011
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome J_L, and thank you also for the great list :).

    The usual online reference for RegShot Unicode is hxxp://regshot.ru/20/, but I'm not sure if it's located there anymore. I got my copy of RegShot Unicode from hxxp://www.woodmann.com/collaborative/tools/index.php/Regshot_Unicode. By the way, RegShot Unicode apparently isn't an officially sanctioned fork of RegShot.

    The Software Certification Toolkit is found at http://msdn.microsoft.com/en-us/library/dd744769(v=vs.85).aspx. Note that there are separate downloads for x86 and x64.

    While in beta, OSForensics has an expiration date. When the final free version is released, an expiration date shouldn't be present as far as I know.
     
    Last edited: Aug 31, 2011
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Yet Another Registry Utility is another free program which can compare registry snapshots. Unfortunately, as of v1.14, in my limited testing any two registry snapshots are considered to have no differences, even if registry changes have been made in between the two compared snapshots. Also, the program compares individual registry hive files instead of the whole registry at once. I included mention of Yet Another Registry Utility here because the comparison feature might work properly in the future, when this thread may have already been closed due to inactivity.
     
  12. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    You're welcome.

    I'll add the second link, missed the download link before.

    Doesn't provide an adequate description, and I've only found reviews for Windows System State Analyzer. Might as well add that instead then.

    I see.
     
  13. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From a member of the Windows Server Logo Program (see thread http://social.msdn.microsoft.com/Fo...n/thread/cc39f0fc-a356-4f72-a3a3-4c366f4bf538):
     
  14. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    I've seen that before, but it's sort of vague and provides no download links. Also has unrelated information, being a forum thread.
     
  15. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    System Explorer's snapshot feature now works correctly in x64. Registry snapshot comparisons do not show added registry keys if there are no values within the added key. Registry snapshot comparisons do not show deleted registry keys if there were no values within the deleted registry key.

    Thank you majoMo for your post in the System Explorer forum which led to the proper functioning of the snapshot feature in x64. :)
     
    Last edited: Dec 26, 2011
  16. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,097
    Location:
    QC
    My preferred tool for that is Registry Workshop; I wonder if you had a chance to give it a try? Not free, but just out of curiosity to see what your findings would be.

    There is also a new beta available for RegShot Unicode: 1.8.3 beta1 (updated 25/12/11)
     
  17. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I haven't tried Registry Workshop because it isn't free. See post #4 if you're wondering if it works correctly in x64.

    Thank you for the notice about the latest Regshot. I just tried using it as admin, and it didn't crash, unlike the version that I tested in post #1. I'll test it and report my results here.
     
  18. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    There are a number of programs that can be used to show file system changes in real time. These technically aren't snapshot comparison programs but nonetheless are related. Here are some that seem to work properly in x64:

    1. Process Monitor
    Unlike the other programs mentioned in this post, shows the process responsible for the file changes. Can show registry changes also. Tip: create filter "Category is Write then Include". Also, you can check "Drop Filtered Events" so that only displayed events are kept.
    2. Disk Pulse
    Requires installation.
    3. Moo0 FileMonitor
    Runs as standalone program. As of v1.07, can list more items if run with admin privileges than without; I reported this to developers because I'm not sure if it's a bug.
    4. TheFolderSpy
    Runs as standalone program. If you want a realtime file change monitoring program that seems to list all file changes without requiring admin privileges, use this program.
     
  19. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,097
    Location:
    QC
    Ok, I understand.
    (btw, RW seems to truly work on x64 because it listed the key I created as instructed above, thanks for this infotip and this thread)
     
  20. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  21. majoMo

    majoMo Registered Member

    Joined:
    Aug 31, 2007
    Posts:
    938
    My thanks for your infotip that allowed me to check the x64 compatibility of System Explorer's snapshot feature; since their snapshot feature is good and quick, it was indeed a laxness for it not to work on x64 systems.

    ;)
     
  22. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,097
    Location:
    QC
    Developer seems very active lately.
    3 new builds this week...
     
  23. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  24. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  25. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    795