Thursday, October 6, 2011

When Applications Take a Dump

How many times have you uninstalled a software product only to find out later that it left traces of its existence all over your poor computer?  Part of the work of a software packager (or rather: repackager) is to perform forensic analysis of the footprint of an application at the time of installation, after being used, and after being uninstalled.  The goal is always to get the computer back to a state as if the application had never been installed, but without causing issues with the operating system or other applications.  Rather than try to split this over XP, Vista and Windows 7, I'm only talking about 7 here.  I don't give a crap about XP or Vista anymore, sorry.  If the %name% stuff confuses you, just open a CMD window, type in SET and press Enter to see what I'm talking about.

The Obvious

  • %ProgramFiles%
  • %WinDir%\System32
  • %CommonProgramFiles%
  • %AllUsersProfile% (note: This is a Symbolic Link to %ProgramData%, same place)
  • %ProgramData%
  • %Temp%
  • HKLM\SOFTWARE\<vendor-or-product>
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

The Not-So-Obvious

  • 64-bit Systems
    • %ProgramFiles(x86)%
    • %CommonProgramFiles(x86)%
    • HKLM\Software\Wow6432Node\...
  • %LocalAppData%
  • %SystemDrive%\Users\Default (note: "Default User" is a JUNCTION to "Default", same place)
  • Services
  • DCOM configuration settings
  • WMI / CIM namespaces
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (and RunOnce)
  • HKLM\SOFTWARE\Microsoft\Active Setup\...
  • HKLM\SYSTEM\CurrentControlSet\...
  • HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
  • %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup

This is not a complete list.  Some applications crap in more places than these.  But hopefully this gives you a rough idea of places to look when something gets left behind and things are just not quite right as a result.


Some of the tools that can come in handy to help investigate what an application does to a computer are as follows:

  • Virtualization: VMware Player, VMware Workstation, VirtualBox, Hyper-V
  • Sysinternals:  Process Explorer, AutoRuns, Process Monitor
  • CMD:  DIR /AH /AS
  • InstallShield Repackager (snapshot results)
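The snapshot-and-compare approach the last bullet refers to can be done by hand against the locations listed above. The script below is an added example, not code from the original post: it records the top-level entries under each listed folder and registry key (plus the values in the Session Manager Environment key), and a second run diffs two recordings to show what an install or uninstall left behind. It assumes a top-level listing is enough to spot a new vendor folder or key, which is the usual case.

```powershell
# Added example (not from the original post). Snapshot the locations the post lists
# and diff two snapshots. Assumption: top-level entries only, which is enough to
# catch a new vendor folder, key or service rather than every file inside it.
# Usage:  .\Footprint.ps1 -Path before.txt
#         (install, use, or uninstall the product)
#         .\Footprint.ps1 -Path after.txt
#         .\Footprint.ps1 -Compare before.txt, after.txt   -> prints leftovers
param(
    [string]$Path,
    [string[]]$Compare
)

# File system roots from "The Obvious" and "The Not-So-Obvious"; x86 entries are
# null on 32-bit Windows and get filtered out.
$FileRoots = @(
    $env:ProgramFiles, ${env:ProgramFiles(x86)},
    $env:CommonProgramFiles, ${env:CommonProgramFiles(x86)},
    "$env:WinDir\System32", $env:ProgramData, $env:LocalAppData, $env:Temp,
    "$env:SystemDrive\Users\Default",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Registry roots; Services lives under CurrentControlSet\Services.
$RegRoots = @(
    'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SYSTEM\CurrentControlSet\Services'
) | Where-Object { Test-Path -LiteralPath $_ }

function Get-Snapshot {
    $files = foreach ($r in $FileRoots) {
        Get-ChildItem -LiteralPath $r -Force -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName }
    }
    $keys = foreach ($r in $RegRoots) {
        Get-ChildItem -LiteralPath $r -ErrorAction SilentlyContinue | ForEach-Object { $_.Name }
    }
    # The Environment key holds values (PATH etc.), not subkeys, so record name=value.
    $envKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    $envVals = (Get-ItemProperty -LiteralPath $envKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { "ENV:$($_.Name)=$($_.Value)" }
    @($files) + @($keys) + @($envVals) | Sort-Object -Unique
}

if ($Compare) {
    # '=>' marks entries present only in the second (later) snapshot.
    Compare-Object (Get-Content $Compare[0]) (Get-Content $Compare[1]) |
        Where-Object { $_.SideIndicator -eq '=>' } | ForEach-Object { $_.InputObject }
} elseif ($Path) {
    Get-Snapshot | Set-Content -Path $Path
}
```

Run it from an elevated prompt so HKLM and %WinDir%\System32 are fully readable; DCOM and WMI/CIM namespaces are not covered here and still need the tools above.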

