4. The experiment


So that was theory. Now I had to prove it with experimentation. And I'm glad I did, because I found some interesting things. First, I proceeded to perform my base system snapshot, which I then copied to a CD, and erased the original copy. I should mention that this was performed on a Windows 95 machine, equipped with a CD burner operated with Adaptec CD-Creator software. I wanted this to be a good test, so I chose not to be picky, scanning both of my drives in their entirety, making only an exception for the win386.swp swap file (this one is expected to change, so there's no reason to monitor it). As soon as the snapshot file was created, I launched CD-Creator to create my CD copy of the snapshot and database files. I then proceeded to change the location of the snapshot file configuration in InstallWatch (btw, this should have generated a perceptible change in the system, but it didn't. Can anyone explain why?) (Explanation from Gavin Stark: InstallWatch doesn't monitor its own directories and files, which is a bad thing in a security context, but the next release could solve this; see Appendix A for a fix), then closed it, and then made some baits to make sure InstallWatch would effectively catch them.

I added a [space] character at the end of a batch file, thus modifying its content. That operation also changed the date, which is too bad, because I would have liked to be able to see if it could be fooled. In the good old days of DOS, you could fiddle with the date and time info of a file, but now in the Windows world, it seems like these tools have vanished. Then I erased a .gif file from my (sloppy) "c:\windows\temporary internet files" folder. Then I created an empty hereiam.zip file in d:\jpgs. To top it off, I removed an entry in the registry related to the file type .shs. Who needs that scrap anyway?

Then I launch InstallWatch once more, with the CD in the drive, and I hit Analyze. 20 minutes later, I get the results. More than I expected, I admit. Here are the text export files from this scan (* is the field delimiting character):

Test - All files.txt
D:\jpgs\hereiam.ZIP**1KB**A**8/1/00 4:30:04 PM****
C:\WINDOWS\TEMP\error.log*1KB*1KB*A*A*7/31/00 2:20:36 PM*8/1/00 4:24:56 PM***1659241a*be0187b8
C:\WINDOWS\Start Menu\Programs\Multimedia\Adaptec Easy CD Creator\Easy CD Creator.lnk*1KB*1KB*A*A*6/20/00 12:27:50 PM*8/1/00 4:19:36 PM***f4cc5c0e*51e02f72
C:\Program Files\Winamp\WINAMP.ini*3KB*3KB*A*A*8/1/00 3:58:32 PM*8/1/00 4:18:36 PM***b90ccdc*68aedd84
C:\Program Files\Plus!\System\SAGE.DAT*7KB*7KB*HA*HA*8/1/00 3:45:00 PM*8/1/00 4:15:00 PM***43d9e49f*85611617
C:\Program Files\PGP\PGP50\randseed.bin*1KB*1KB*A*A*8/1/00 1:18:04 AM*8/1/00 4:30:36 PM***f0cc5d0e*1d198bb6
C:\logitemp\INSTALL.BAT*4KB*4KB*A*A*8/10/95 4:15:08 PM*8/1/00 4:28:30 PM***d62eaf9c*10033e85
C:\WINDOWS\Temporary Internet Files\Content.IE5\SR0HD7NT\cl2[1].gif*1KB**A**8/1/00 3:30:36 PM****18a5cef*

Test - INI files.txt
C:\Program Files\Winamp\WINAMP.ini*WinampAgent*lastchk*01BFFBC3514DA220*01BFFBF5A67359C0

Test - Registry.txt
HKEY_CLASSES_ROOT\.shs***
HKEY_CLASSES_ROOT\.shs*@*"ShellScrap"*
HKEY_CLASSES_ROOT\AutoRun***
HKEY_CLASSES_ROOT\AutoRun\4***
HKEY_CLASSES_ROOT\AutoRun\4\Shell***
HKEY_CLASSES_ROOT\AutoRun\4\Shell*@*"AutoRun"*
HKEY_CLASSES_ROOT\AutoRun\4\Shell\AutoRun***
HKEY_CLASSES_ROOT\AutoRun\4\Shell\AutoRun*@*"Auto&Play"*
HKEY_CLASSES_ROOT\AutoRun\4\Shell\AutoRun\command***
HKEY_CLASSES_ROOT\AutoRun\4\Shell\AutoRun\command*@*"E:\AUTORUN.EXE"*
HKEY_CLASSES_ROOT\AutoRun\4\DefaultIcon***
HKEY_CLASSES_ROOT\AutoRun\4\DefaultIcon*@*"E:\nhl2000.ICO"*
HKEY_CLASSES_ROOT\AutoRun\4\name***
HKEY_CLASSES_ROOT\AutoRun\4\name*@*"NHL 2000"*
HKEY_CLASSES_ROOT\AutoRun\4\name2***
HKEY_CLASSES_ROOT\AutoRun\4\name2*@*"NHL 2000 Setup"*
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\UpgInfo***
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\UpgInfo*install**"2000_08_01"
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Disc Wizard***
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Disc Wizard*XPos**dword:00000209
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Disc Wizard*YPos**dword:00000014
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Color***
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Default Priority Levels***
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Font***
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Font\Track***
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Font\Title***
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Font\BoxEdge***
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Font\Artist***
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Summary***
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Summary*Bars**dword:00000004
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Summary*ScreenCX**dword:00000400
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AutoRun\4\Shell\AutoRun*@*"Auto&Play"*
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AutoRun\4\Shell\AutoRun\command***
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AutoRun\4\Shell\AutoRun\command*@*"E:\AUTORUN.EXE"*
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AutoRun\4\DefaultIcon***
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AutoRun\4\DefaultIcon*@*"E:\nhl2000.ICO"*
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AutoRun\4\name***
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AutoRun\4\name*@*"NHL 2000"*
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AutoRun\4\name2***
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AutoRun\4\name2*@*"NHL 2000 Setup"*
HKEY_LOCAL_MACHINE\SOFTWARE\Adaptec\Easy CD Creator\Devices*default**"1,0,0"
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU*MRUList*"|{njzdatqh}rlbiukgpcsyvmxfweo"*"nkgopcysvqmxfew|{jzdath}rlbiu"
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU*c*hex:14,00,1f,00,e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,19,00,23,43,3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f1,8a,17,00,31,00,00,00,00,00,9a,28,8a,a2,10,80,4e,63,64,74,72,65,65,00,00,00,00,*hex:14,00,1f,00,e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,19,00,23,43,3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f1,8a,1a,00,31,00,00,00,00,00,74,27,2c,06,10,00,43,68,6f,72,64,00,43,48,4f,52,44,00,00,00,
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU*e*hex:14,00,1f,00,e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,19,00,23,43,3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f1,8a,14,00,31,00,00,00,00,00,44,25,01,b2,10,80,4d,61,78,69,00,00,22,00,31,00,00,00,00,00,44,25,08,b2,10,00,42,65,6e,63,68,6d,61,72,6b,73,00,42,45,4e,43,48,4d,7e,31,00,1e,00,31,00,00,00,00,00,44,25,08,b2,10,00,57,69,7a,4d,61,72,6b,00,57,49,5a,4d,41,52,4b,00,18,00,31,00,00,00,00,00,44,25,09,b2,10,00,57,69,7a,31,00,57,49,5a,31,00,00,00,*hex:14,00,1f,00,e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,19,00,23,43,3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f1,8a,25,00,31,00,00,00,00,00,44,25,dd,ab,11,00,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,00,50,52,4f,47,52,41,7e,31,00,27,00,31,00,00,00,00,00,b7,28,e2,b3,10,00,45,70,73,69,6c,6f,6e,20,53,71,75,61,72,65,64,00,45,50,53,49,4c,4f,7e,31,00,28,00,31,00,00,00,00,00,b7,28,e2,b3,10,00,49,6e,73,74,61,6c,6c,57,61,74,63,68,20,50,72,6f,00,49,4e,53,54,41,4c,7e,31,00,21,00,31,00,00,00,00,00,b7,28,fa,b3,10,00,53,6e,61,70,73,68,6f,74,73,00,53,4e,41,50,53,48,7e,31,00,00,00,
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU*f*hex:14,00,1f,00,e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,19,00,23,43,3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f1,8a,14,00,31,00,00,00,00,00,44,25,01,b2,10,80,4d,61,78,69,00,00,00,00,*hex:14,00,1f,00,e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,19,00,23,43,3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f1,8a,25,00,31,00,00,00,00,00,44,25,dd,ab,11,00,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,00,50,52,4f,47,52,41,7e,31,00,27,00,31,00,00,00,00,00,b7,28,e2,b3,10,00,45,70,73,69,6c,6f,6e,20,53,71,75,61,72,65,64,00,45,50,53,49,4c,4f,7e,31,00,00,00,
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU*g*hex:14,00,1f,00,e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,19,00,23,43,3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f1,8a,32,00,31,00,00,00,00,00,4a,28,eb,71,10,00,57,69,6e,64,6f,77,73,20,55,70,64,61,74,65,20,53,65,74,75,70,20,46,69,6c,65,73,00,57,49,4e,44,4f,57,7e,31,00,00,00,*hex:14,00,1f,00,e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,19,00,23,44,3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,8d,33,16,00,31,00,00,00,00,00,dd,28,4a,23,10,00,6c,6f,67,00,4c,4f,47,00,00,00,
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU*k*hex:14,00,1f,00,e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,19,00,23,43,3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f1,8a,17,00,31,00,00,00,00,00,44,25,d7,ab,10,80,57,69,6e,64,6f,77,73,00,00,18,00,31,00,00,00,00,00,9a,28,6e,8b,10,00,56,62,6f,78,00,56,42,4f,58,00,1c,00,31,00,00,00,00,00,9a,28,6e,8b,10,00,43,6f,6d,6d,6f,6e,00,43,4f,4d,4d,4f,4e,00,00,00,*hex:14,00,1f,00,e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,19,00,23,44,3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,8d,33,18,00,31,00,00,00,00,00,ce,28,90,a8,10,00,6a,70,67,73,00,4a,50,47,53,00,00,00,
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU*m*hex:14,00,1f,00,e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,19,00,23,43,3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f1,8a,13,00,31,00,00,00,00,00,44,25,8a,b2,10,80,4d,70,73,00,00,00,00,*hex:14,00,1f,00,e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,19,00,23,43,3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f1,8a,17,00,31,00,00,00,00,00,44,25,d7,ab,10,80,57,69,6e,64,6f,77,73,00,00,30,00,31,00,00,00,00,00,48,25,27,00,14,00,54,65,6d,70,6f,72,61,72,79,20,49,6e,74,65,72,6e,65,74,20,46,69,6c,65,73,00,54,45,4d,50,4f,52,7e,31,00,26,00,31,00,00,00,00,00,4a,28,68,7e,14,00,43,6f,6e,74,65,6e,74,2e,49,45,35,00,43,4f,4e,54,45,4e,54,2e,49,45,35,00,00,00,
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU*o*hex:14,00,1f,00,e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,19,00,23,43,3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f1,8a,14,00,31,00,00,00,00,00,44,25,01,b2,10,80,4d,61,78,69,00,00,22,00,31,00,00,00,00,00,44,25,08,b2,10,00,42,65,6e,63,68,6d,61,72,6b,73,00,42,45,4e,43,48,4d,7e,31,00,00,00,*hex:14,00,1f,00,e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,19,00,23,44,3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,8d,33,00,00,
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU*p*hex:14,00,1f,00,e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,19,00,23,43,3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f1,8a,18,00,31,00,00,00,00,00,9e,28,81,be,10,00,74,65,6d,70,00,54,45,4d,50,00,00,00,*hex:14,00,1f,00,e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,19,00,23,43,3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f1,8a,20,00,31,00,00,00,00,00,da,28,c3,0b,10,00,6c,6f,67,69,74,65,6d,70,00,4c,4f,47,49,54,45,4d,50,00,00,00,
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU*s*hex:14,00,1f,00,e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,19,00,23,43,3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f1,8a,20,00,31,00,00,00,00,00,55,28,86,06,10,00,4d,79,20,4d,75,73,69,63,00,4d,59,4d,55,53,49,7e,31,00,00,00,*hex:14,00,1f,00,e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,19,00,23,43,3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f1,8a,20,00,31,00,00,00,00,00,1f,27,85,b5,10,00,41,63,72,6f,62,61,74,33,00,41,43,52,4f,42,41,54,33,00,1c,00,31,00,00,00,00,00,1f,27,85,b5,10,00,52,65,61,64,65,72,00,52,45,41,44,45,52,00,00,00,
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Summary*ScreenCY**dword:00000300
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Optimizer***
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Track_Writer***
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0***
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*BarID**dword:0000e800
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*XPos**dword:fffffffe
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*YPos**dword:fffffffe
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*Docking**dword:00000001
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*MRUDockID**dword:00000000
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*MRUDockLeftPos**dword:fffffffe
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*MRUDockTopPos**dword:fffffffe
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*MRUDockRightPos**dword:000001ae
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*MRUDockBottomPos**dword:0000001e
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*MRUFloatStyle**dword:00002000
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*MRUFloatXPos**dword:80000000
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*MRUFloatYPos**dword:00000000
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar1***
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar1*BarID**dword:0000e801
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar2***
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar2*BarID**dword:0000e8ff
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar2*Visible**dword:00000000
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar3***
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar3*BarID**dword:0000e81b
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar3*Bars**dword:00000003
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar3*Bar#0**dword:00000000
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar3*Bar#1**dword:0000e800
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar3*Bar#2**dword:00000000
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Advanced*TrackBufferThresholdInKB**dword:00000064
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*CDROM_Drive**"E"
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*bMustRunSysTest**dword:00000000
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*WindowPos**"0,5,-1,-1,-1,-1,64,44,960,670"
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*DefView**dword:00000000
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*HorizBar**dword:000000c0
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*UpperBar**dword:000000fd
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*LowerBar**dword:000000fd
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*AudioCol0**dword:00000063
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*AudioCol1**dword:0000003d
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*AudioCol2**dword:00000040
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*NameWidth**dword:00000060
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*SizeWidth**dword:00000046
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*TypeWidth**dword:000000f0
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*DateWidth**dword:00000088
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*PriorWidth**dword:000000f0
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*AudioHorizBar**dword:00000000
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*AudioUpperBar**dword:00000000
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*SourceAutoArrange**dword:00000001
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*SourceViewMode**dword:00000001
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*AudioViewMode**dword:00000001
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Margin*JewelCaseBorders**dword:00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.shs***
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.shs*@*"ShellScrap"*
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AutoRun***
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AutoRun\4***
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AutoRun\4\Shell***
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AutoRun\4\Shell*@*"AutoRun"*
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AutoRun\4\Shell\AutoRun***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*BarID**dword:0000e800
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*XPos**dword:fffffffe
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*YPos**dword:fffffffe
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*Docking**dword:00000001
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*MRUDockID**dword:00000000
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*MRUDockLeftPos**dword:fffffffe
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*MRUDockTopPos**dword:fffffffe
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*MRUDockRightPos**dword:000001ae
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*MRUDockBottomPos**dword:0000001e
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*MRUFloatStyle**dword:00002000
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*MRUFloatXPos**dword:80000000
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*MRUFloatYPos**dword:00000000
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar1***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar1*BarID**dword:0000e801
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar2***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar2*BarID**dword:0000e8ff
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar2*Visible**dword:00000000
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar3***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar3*BarID**dword:0000e81b
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar3*Bars**dword:00000003
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar3*Bar#0**dword:00000000
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar3*Bar#1**dword:0000e800
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar3*Bar#2**dword:00000000
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Advanced*TrackBufferThresholdInKB**dword:00000064
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*CDROM_Drive**"E"
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*bMustRunSysTest**dword:00000000
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*WindowPos**"0,5,-1,-1,-1,-1,64,44,960,670"
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*DefView**dword:00000000
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*HorizBar**dword:000000c0
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*UpperBar**dword:000000fd
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*LowerBar**dword:000000fd
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*AudioCol0**dword:00000063
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*AudioCol1**dword:0000003d
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*AudioCol2**dword:00000040
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*NameWidth**dword:00000060
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*SizeWidth**dword:00000046
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*TypeWidth**dword:000000f0
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*DateWidth**dword:00000088
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*PriorWidth**dword:000000f0
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*AudioHorizBar**dword:00000000
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*AudioUpperBar**dword:00000000
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*SourceAutoArrange**dword:00000001
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*SourceViewMode**dword:00000001
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*AudioViewMode**dword:00000001
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Margin*JewelCaseBorders**dword:00000001
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU*v*hex:14,00,1f,00,e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,19,00,23,43,3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f1,8a,13,00,31,00,00,00,00,00,44,25,38,af,10,80,4d,74,6d,00,00,00,00,*hex:14,00,1f,00,e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,19,00,23,43,3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f1,8a,16,00,31,00,00,00,00,00,5b,28,2d,18,10,00,6c,68,78,00,4c,48,58,00,00,00,
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU*w*hex:14,00,1f,00,e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,19,00,23,43,3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f1,8a,14,00,31,00,00,00,00,00,44,25,01,b2,10,80,4d,61,78,69,00,00,22,00,31,00,00,00,00,00,44,25,08,b2,10,00,42,65,6e,63,68,6d,61,72,6b,73,00,42,45,4e,43,48,4d,7e,31,00,1e,00,31,00,00,00,00,00,44,25,08,b2,10,00,57,69,7a,4d,61,72,6b,00,57,49,5a,4d,41,52,4b,00,00,00,*hex:14,00,1f,00,e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,19,00,23,43,3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f1,8a,25,00,31,00,00,00,00,00,44,25,dd,ab,11,00,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,00,50,52,4f,47,52,41,7e,31,00,27,00,31,00,00,00,00,00,b7,28,e2,b3,10,00,45,70,73,69,6c,6f,6e,20,53,71,75,61,72,65,64,00,45,50,53,49,4c,4f,7e,31,00,28,00,31,00,00,00,00,00,b7,28,e2,b3,10,00,49,6e,73,74,61,6c,6c,57,61,74,63,68,20,50,72,6f,00,49,4e,53,54,41,4c,7e,31,00,21,00,31,00,00,00,00,00,b7,28,f8,b3,10,00,44,61,74,61,62,61,73,65,73,00,44,41,54,41,42,41,7e,31,00,00,00,
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU*x*hex:14,00,1f,00,e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,19,00,23,43,3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f1,8a,1a,00,31,00,00,00,00,00,6f,25,d9,b9,10,00,6d,6f,75,73,65,00,4d,4f,55,53,45,00,00,00,*hex:14,00,1f,00,e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,19,00,23,43,3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f1,8a,25,00,31,00,00,00,00,00,44,25,dd,ab,11,00,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,00,50,52,4f,47,52,41,7e,31,00,00,00,
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU*y*hex:14,00,1f,00,e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,19,00,23,43,3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f1,8a,17,00,31,00,00,00,00,00,7f,28,61,14,10,80,4d,76,70,63,72,69,62,00,00,00,00,*hex:14,00,1f,00,e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,19,00,23,43,3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f1,8a,20,00,31,00,00,00,00,00,1f,27,85,b5,10,00,41,63,72,6f,62,61,74,33,00,41,43,52,4f,42,41,54,33,00,00,00,
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\10*ViewView*hex:1c,00,60,81,04,00,00,00,00,00,00,00,00,00,1c,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,*hex:1c,00,60,81,04,00,00,00,00,00,0a,04,00,00,1c,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\16*ViewView*hex:1c,00,60,81,04,00,00,00,00,00,26,01,00,00,1c,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,*hex:1c,00,60,81,04,00,00,00,00,00,00,00,00,00,1c,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\UpgInfo***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\UpgInfo*install**"2000_08_01"
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Disc Wizard***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Disc Wizard*XPos**dword:00000209
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Disc Wizard*YPos**dword:00000014
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Color***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Default Priority Levels***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Font***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Font\Track***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Font\Title***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Font\BoxEdge***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Font\Artist***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Summary***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Summary*Bars**dword:00000004
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Summary*ScreenCX**dword:00000400
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Summary*ScreenCY**dword:00000300
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Optimizer***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Track_Writer***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0***

WHOAA!!! Where does all this shit come from? Welcome to the Microsoft world, buddy. First of all, you can export data in Text format, or in HTML. But this format just gives you raw information. In the GUI, you can break these down into Added, Modified, and Deleted, for all three categories. If you want that granularity in your output, you have to generate a separate output file for each breakdown. Now, about the results. The steps I did between the two scans are exactly as described above and are complete, and it all occurred within a 5-minute window. So what happened?

First, we can see at the top of the All files.txt file that it spotted my dummy .zip file. The second to last line is the batch file to which I added one [space] character at the end (notice the big difference in the CRC check, the last two fields of the line). And the last line is the .gif file I erased in my temp folder. The rest results from Windows activity. Error.log was created by CD-Creator when I copied the files to CD. The same goes for the .lnk file (interesting note: .lnk files have a field in them for last accessed date and time, which means that when you double-click on a shortcut, you actually modify the file by updating this field). System Agent apparently updates its .dat file, WinAmp does the same with its .ini file (remember this is not a server, it is my home PC), and PGP does I-don't-know-what with a .bin file. I didn't use WinAmp, System Agent or PGP during the testing period, although they were installed and active.

The Registry gives even more intriguing results: first, we see the entry I removed (HKEY_CLASSES_ROOT\.shs***), and the rest is pure gravy. If you look closely, there are some more entries related to .shs that have been removed also, which probably means that the Windows Registry is self-updating. Then, you see a bunch of registry entries relating again to CD-Creator, resulting from when I burned the CD. The rest intrigues me and I hope someone out there can shed more light as to what really went on. Several entries relating to Autorun have been erased from the registry, and a bunch of entries related to stream in Explorer (video streaming?) have been modified. And I want to point out that the machine was not connected to any network during this time.

So, it works, but you need to tailor your configuration to make sure you don't get too many false alarms. You should scan your temp folders, but try to keep them clean.
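
The tailoring described above, as an added example (not InstallWatch's own code or the author's): a Python parser for the `*`-delimited "All files" export that classifies each row and suppresses the changes the text attributes to normal Windows activity. The 11-field before/after layout is inferred from the export above; the last sample row and the names `EXPECTED_CHANGES`, `parse_line` and `triage` are constructed for illustration.

```python
"""Triage an InstallWatch "All files" text export ('*' is the delimiter)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# The first eight rows are copied from the export above. The last row is
# constructed: same size and timestamp on both sides, different CRC.
SAMPLE_EXPORT = r"""D:\jpgs\hereiam.ZIP**1KB**A**8/1/00 4:30:04 PM****
C:\WINDOWS\TEMP\error.log*1KB*1KB*A*A*7/31/00 2:20:36 PM*8/1/00 4:24:56 PM***1659241a*be0187b8
C:\WINDOWS\Start Menu\Programs\Multimedia\Adaptec Easy CD Creator\Easy CD Creator.lnk*1KB*1KB*A*A*6/20/00 12:27:50 PM*8/1/00 4:19:36 PM***f4cc5c0e*51e02f72
C:\Program Files\Winamp\WINAMP.ini*3KB*3KB*A*A*8/1/00 3:58:32 PM*8/1/00 4:18:36 PM***b90ccdc*68aedd84
C:\Program Files\Plus!\System\SAGE.DAT*7KB*7KB*HA*HA*8/1/00 3:45:00 PM*8/1/00 4:15:00 PM***43d9e49f*85611617
C:\Program Files\PGP\PGP50\randseed.bin*1KB*1KB*A*A*8/1/00 1:18:04 AM*8/1/00 4:30:36 PM***f0cc5d0e*1d198bb6
C:\logitemp\INSTALL.BAT*4KB*4KB*A*A*8/10/95 4:15:08 PM*8/1/00 4:28:30 PM***d62eaf9c*10033e85
C:\WINDOWS\Temporary Internet Files\Content.IE5\SR0HD7NT\cl2[1].gif*1KB**A**8/1/00 3:30:36 PM****18a5cef*
C:\AUTOEXEC.BAT*1KB*1KB*A*A*6/1/00 9:00:00 AM*6/1/00 9:00:00 AM***0a1b2c3d*4e5f6071
"""

# Changes the article attributes to ordinary Windows activity. Tailor this
# list per machine; the patterns are an assumption of this example.
EXPECTED_CHANGES = [
    r"C:\WINDOWS\TEMP\error.log",
    r"C:\WINDOWS\Start Menu\Programs\*.lnk",
    r"C:\Program Files\Winamp\WINAMP.ini",
    r"C:\Program Files\Plus!\System\SAGE.DAT",
    r"C:\Program Files\PGP\PGP50\randseed.bin",
]


@dataclass
class Change:
    path: str
    kind: str              # "added", "deleted" or "modified"
    content_changed: bool  # CRC differs between snapshot and current state
    time_changed: bool     # timestamp differs between the two

    @property
    def stealth(self):
        # Content changed while the timestamp stayed the same.
        return self.content_changed and not self.time_changed


def parse_line(line):
    # '*' cannot occur in a Windows file name, so a plain split is safe.
    parts = line.rstrip("\r\n").split("*")
    if len(parts) != 11:
        raise ValueError(f"expected 11 fields, got {len(parts)}: {line!r}")
    # Inferred layout: path, then before/after pairs for size, attributes,
    # timestamp, one unidentified pair, and CRC (the last two fields).
    before, after = parts[1::2], parts[2::2]
    if not any(before):
        kind = "added"
    elif not any(after):
        kind = "deleted"
    else:
        kind = "modified"
    modified = kind == "modified"
    return Change(parts[0], kind,
                  content_changed=modified and before[4] != after[4],
                  time_changed=modified and before[2] != after[2])


def is_expected(path, patterns=EXPECTED_CHANGES):
    # Windows paths are case-insensitive, so compare lowercased.
    return any(fnmatchcase(path.lower(), p.lower()) for p in patterns)


def triage(lines, patterns=EXPECTED_CHANGES):
    """Split export rows into (alerts, suppressed)."""
    alerts, suppressed = [], []
    for line in lines:
        if not line.strip():
            continue
        change = parse_line(line)
        # A CRC change with an untouched timestamp is reported even for
        # allowlisted paths.
        if change.stealth or not is_expected(change.path, patterns):
            alerts.append(change)
        else:
            suppressed.append(change)
    return alerts, suppressed


if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_EXPORT.splitlines())
    for c in alerts:
        note = " (CRC changed, timestamp unchanged)" if c.stealth else ""
        print(f"{c.kind:9}{c.path}{note}")
    print(f"{len(suppressed)} expected change(s) suppressed")
```

With the allowlist above, the alerts reduce to the three baits from the experiment plus the constructed row whose CRC changed under an unchanged timestamp.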