Thursday, December 31, 2015

We need an uninstaller utility with a before/after snapshot log feature for this. In this article we will use the free and open source ZSoft Uninstaller/ZSU.

   There are other alternatives such as ChemTable Software's Soft Organizer/SOrg, Ashampoo Uninstaller/AUinst, Regshot (for Windows versions older than 10), and others. On Windows 10, SOrg is better than ZSU but takes more time.
   We also need a text editor such as NPP/Notepad++, Sublime Text, or any other you like.

In essence, what we'll do consists of these general steps:
  1. Create a snapshot of the Windows system before running the portable application.
  2. Run and try out all features of the portable application. It's better to run it more than once to make sure it really saves its settings.
  3. Create the after run/test snapshot.
  4. Compare the after and before snapshots to see whether there are any changes to the Windows registry and/or the Windows standard data folders.

We'll use GeoGebra Classic Portable as the example; it is installed in the C:\0TEST\GeoGebraClassicforDesktopPortable folder.
  1. Run ZSoft Uninstaller/ZSU and click Analyze. First we have to configure which drives/folders ZSU should ignore: click Edit Ignore List, add any drive/folder you don't want to monitor (the list in the picture is just an example), then close the window.
     [Screenshots: Edit Ignore List; Exclude any drive/folder]
  2. Click Analyze → tick the Analyze an installation option → click Next → click Before Installation to create the "before test" system snapshot.
     [Screenshots: Analyze an installation; Before Installation; Creating before snapshot]
  3. When the After Installation button becomes active, the "before snapshot" is finished. Close the window and minimize ZSU.
     [Screenshots: Close the window; Minimize ZSU]
  4. Run the portable application and test its features, then close it. Run it twice or more while changing its settings to make sure it can save them. Usually the easiest setting to notice in any application is its window size and position. In our example, however, GeoGebra Classic doesn't save this setting, so instead open GeoGebraPEsettings.conf in the C:\0TEST\GeoGebraClassicforDesktopPortable\Data folder with NPP to make sure it's not empty.
     [Screenshot: Run and try any application features]
  5. Open the C:\0TEST\GeoGebraClassicforDesktopPortable\Data folder and make sure there is no PortableApps.comLauncherRuntimeData-GeoGebraClassicforDesktopPortable.ini file. This confirms that the application has completely exited.
     [Screenshot: Make sure it cleanly exited]
  6. Bring up ZSU, click Analyze → tick Finish an analysis that has already been started → click Next → click After Installation to create the "after test" system snapshot.
     [Screenshots: Finish an analysis; Click After Installation; Creating the after snapshot]
  7. Enter any name in the Enter Application Name window, for example "zzz", then click OK to save the after snapshot log.
     [Screenshots: Enter comparison log name; Comparing before and after snapshots]
  8. When the snapshot comparison has finished, click OK → right-click the "zzz" log entry → select Show Recorded Info → click the top-left blue square to save the log. Save it on the Desktop as "zzz.txt". We can then delete the "zzz" entry from the Analyzed Programs tab.
     [Screenshots: Click OK; Show Recorded Info; Click the blue square to save; Save it to a text file; Delete the log's entry]
  9. Open the "zzz.txt" log with NPP/Notepad++ and check whether the portable application left any traces outside its own folder, C:\0TEST\GeoGebraClassicforDesktopPortable.
     [Screenshot: Make sure it only leaves traces in the Data/App folder]
     Especially watch for any changes that might be related to our application in the Windows data folders:
     • %APPDATA%, in our example C:\Users\thumbapps\AppData\Roaming,
     • %LOCALAPPDATA%, in our example C:\Users\thumbapps\AppData\Local,
     • %USERPROFILE%, in our example C:\Users\thumbapps. This one includes the Documents, Music, Video folders, etc.,
     • %ALLUSERSPROFILE%, in our example C:\ProgramData,

     and also in the Windows registry. Since our application does not require administrator privileges, we can ignore the HKLM entries and just inspect the HKCU entries.
     [Screenshot: Watch for affected Windows settings]
     Especially watch these registry branches, where Windows usually stores settings such as start-up run entries:
     • HKU\S-1-5-21-2501081379-2069658986-3569691162-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\...
     • HKU\S-1-5-21-2501081379-2069658986-3569691162-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\...

     HKU\S-1-5-21-2501081379-2069658986-3569691162-1001 is the current user's branch, i.e. HKCU.
     You can ignore "file deleted", "reg deleted", and ...Windows\Shell\Bags\... entries.

     Those are the places where most applications leave their settings, but some applications might even leave traces such as:
     • a DLL, for example HKLM\SOFTWARE\Classes\CLSID\{5B69A6B4-393B-459C-8EBB-214237A9E7AC}\InprocServer32,
     • a TypeLib, for example HKLM\SOFTWARE\Classes\TypeLib\{04219238-440D-4FED-A5D6-EFD15158CA77}\1.0\0\win32,
     • a COM server, for example HKLM\SOFTWARE\Classes\CLSID\{318B6012-AF38-4AFC-807E-169248B941E2}\LocalServer32,
     • a service, for example HKLM\SYSTEM\CurrentControlSet\services\ambakdrv,
     • a scheduled task, usually stored in %WINDIR%\System32\Tasks,
     • file associations, for example HKU\S-1-5-21-317371406-773968330-1681716359-1000\Software\Classes\.arw, or others.
     So, check the comparison log patiently.
   With more experience, your eyes will become trained to see which changes are related and which can be ignored ;)
   Our conclusion for the GeoGebra Classic example: it only stored settings in its configuration file in the Data folder. There were no traces in the registry, the Windows data folders, or anywhere else, so we can say that it's 100% clean/stealthy.
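As an added example (not part of this article, and not a ZSU feature), the triage rules from step 9 can be scripted so the saved comparison log is filtered before reading it by hand: entries inside the portable application's own folder and "deleted"/Shell\Bags noise are dropped, the current user's HKU\<SID> branch is rewritten as HKCU, and what remains is tagged with the category the article warns about (start-up run keys, CLSID/TypeLib, services, scheduled tasks, file associations, user data folders). The log format is an assumption (one "kind<TAB>path" line per change, which is not ZSU's documented format), the sample lines are constructed, and the SID handling generalizes to any user SID rather than only the one in the article.

```python
import re

# Added example, not part of the article or ZSU. Assumed log format (not ZSU's documented one):
# one change per line, "<kind><TAB><path>", kind like "file added", "reg changed", "reg deleted".
SID_RE = re.compile(r"^HKU\\S-1-5-21(?:-\d+){4}(?=\\|$)", re.IGNORECASE)
# Places the article says settings and persistence usually land; checked after HKU\<SID> -> HKCU.
WATCH = [
    ("startup/run", r"^HKCU\\SOFTWARE\\Microsoft\\Windows( NT)?\\CurrentVersion\\"),
    ("COM/CLSID", r"\\Classes\\CLSID\\"),
    ("TypeLib", r"\\Classes\\TypeLib\\"),
    ("service", r"^HKLM\\SYSTEM\\CurrentControlSet\\services\\"),
    ("scheduled task", r"\\System32\\Tasks\\"),
    ("file association", r"\\Classes\\\.[A-Za-z0-9]+"),
    ("user data folder", r"^C:\\(Users\\[^\\]+|ProgramData)\\"),
]
IGNORE = [r"\\Windows\\Shell\\Bags\\"]  # Explorer view state, noise per the article

def normalize(path):
    """Rewrite any HKU\\S-1-5-21-...-RID branch as HKCU (the article's point: they are the same hive)."""
    return SID_RE.sub("HKCU", path)

def triage(log_text, app_dir):
    """Return (kind, normalized path, category) for changes outside the app folder worth a look."""
    app_dir = app_dir.rstrip("\\").lower() + "\\"
    hits = []
    for line in log_text.splitlines():
        if "\t" not in line:
            continue
        kind, path = line.split("\t", 1)
        if kind.endswith("deleted") or path.lower().startswith(app_dir):
            continue  # article: ignore "file/reg deleted"; changes inside Data/App are expected
        path = normalize(path)
        if any(re.search(p, path, re.I) for p in IGNORE):
            continue
        cat = next((c for c, p in WATCH if re.search(p, path, re.I)), "other")
        hits.append((kind, path, cat))
    return hits

# Constructed sample log; the GUID is a placeholder, not a real CLSID.
SAMPLE_LOG = "\n".join(f"{k}\t{p}" for k, p in [
    ("file added", r"C:\0TEST\GeoGebraClassicforDesktopPortable\Data\GeoGebraPEsettings.conf"),
    ("file changed", r"C:\Users\thumbapps\AppData\Roaming\Microsoft\Windows\Recent\graph.lnk"),
    ("file deleted", r"C:\Users\thumbapps\AppData\Local\Temp\tmp0001.tmp"),
    ("reg added", r"HKU\S-1-5-21-2501081379-2069658986-3569691162-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Example"),
    ("reg changed", r"HKU\S-1-5-21-2501081379-2069658986-3569691162-1001\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop"),
    ("reg added", r"HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32"),
])

if __name__ == "__main__":
    for kind, path, cat in triage(SAMPLE_LOG, r"C:\0TEST\GeoGebraClassicforDesktopPortable"):
        print(f"[{cat}] {kind}: {path}")
```

Anything the script reports as "other" still needs a manual look; the categories only speed up the patient reading the article asks for.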