File monitoring


Ric0
12-18-2006, 03:18 PM
Hi,
I'm new to the scene here. I'm looking for a file-monitoring type program that will detect if an install program touches or modifies the ADS or NTFS stream on a file.

Here's why...

I've installed a trial program using Total Uninstall 3. When I removed the program and tried to re-install the trial, I got the message that the trial has expired. Since Total Uninstall monitors the registry and file changes and returns them to their original state, the only thing I can think of is that the information must be hidden in an ADS or NTFS stream somewhere...

Is my assumption correct or could it be something else?


PS: If this type of discussion is not allowed, I apologize. I'm interested for research purposes only and am trying to understand and clean up my Windows machine of garbage that gets installed without my knowledge or permission.

Ric0

fileoffset
12-18-2006, 10:59 PM
It's possible. However, some protections have been known to write to the raw physical device (at an unused sector).

sysinternals.com has some utilities for working with ADS, I believe.

Also, Process Monitor (I think that is its new name - also from Sysinternals) may monitor those kinds of writes. I would trust it more than Total Uninstall...

Silkut
12-19-2006, 01:39 PM
hxxp://3w.microsoft.com/technet/sysinternals/processesandthreads/processmonitor.mspx

Yeah, ProcMon.
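
An added example, not part of any post in this thread: one way to check the ADS question raised above is to inventory the alternate data streams under a folder before and after an installer runs and compare the two inventories. It assumes PowerShell 3.0 or later on Windows; `Get-AdsSnapshot`, `Compare-AdsSnapshot` and the folder `C:\Scratch` are hypothetical names chosen for illustration.

```powershell
# Inventory NTFS alternate data streams (ADS) under a folder so that two
# inventories can be compared. Helper names are hypothetical.
function Get-AdsSnapshot {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * lists every stream; ':$DATA' is the file's normal content.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        Key    = '{0}:{1}' -f $_.FileName, $_.Stream
                        Length = $_.Length
                    }
                }
        }
}

# Report streams that were added, removed, or changed size between snapshots.
function Compare-AdsSnapshot {
    param([object[]]$Before, [object[]]$After)
    $old = @{}
    foreach ($s in $Before) { $old[$s.Key] = $s.Length }
    foreach ($s in $After) {
        if (-not $old.ContainsKey($s.Key)) {
            [pscustomobject]@{ Change = 'Added'; Stream = $s.Key; Length = $s.Length }
        } elseif ($old[$s.Key] -ne $s.Length) {
            [pscustomobject]@{ Change = 'Resized'; Stream = $s.Key; Length = $s.Length }
        }
        $old.Remove($s.Key)   # whatever is left afterwards no longer exists
    }
    foreach ($k in $old.Keys) {
        [pscustomobject]@{ Change = 'Removed'; Stream = $k; Length = $old[$k] }
    }
}

# Constructed usage: C:\Scratch is a placeholder folder.
$before = @(Get-AdsSnapshot -Root 'C:\Scratch')
# ... run the installer being observed, then take the second snapshot ...
$after  = @(Get-AdsSnapshot -Root 'C:\Scratch')
Compare-AdsSnapshot -Before $before -After $after | Format-Table -AutoSize
```

The comparison uses stream length only, so a stream rewritten with content of the same size is not reported, and streams attached to directories are not listed. Writes to raw sectors, as mentioned in the reply above, leave no stream to enumerate and would not appear here at all.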