[PROBLEMCHYLD]

CharlotteTheHarlot, on 27 November 2012 - 11:52 AM, said:

I seem to remember Mark Russinovich saying something about Win9x call-hooking being unreliable, and this was the reason that ProcMon only worked on NT, and that FileMon and RegMon didn't capture 100% of the events or allow boot logging.

This is why long ago I decided to skip attempts at realtime capture ( Win9x really doesn't need another destabilizing variable ) and just do before and after logs.

Save a complete Registry Export and also a complete FileList ( DIR C:\ /a /s >FILELIST.TXT ). The FileList should be done using a patched COMMAND.COM naturally. See here and here.

Then you can WinDiff them at your leisure later rather than the substantial risk of a realtime monitor which by design must use a custom driver VXD. Risking a BSOD during a System Restore is a nomination for a Darwin Award! Just my IMHO.

I followed your instructions using WINDIFF.EXE 6.0.6000.16384 and here are the changes after System Restore has been run

BOOTLOG.TXT 71,081 [Before System Restore]
BOOTLOG.TXT 73,973 [After System Restore]

INFO2 2,260 [Before System Restore]
INFO2 2,820 [After System Restore]

USER.DAT 204,832 [Before System Restore]
USER.DAT 208,928 [After System Restore]

WORDPAD.LGC 12,195 [Before System Restore]
WORDPAD.LGC 12,251 [After System Restore]

RSTRUI.LGC 74,058 [After System Restore]

MYDOCU~1.MYD 0 [After System Restore]

RG50CA~1.CAB 3,877,888 [After System Restore]

RESTOR~1.LOG 65 [After System Restore]

A0000026.CPY 235 [After System Restore]
A0000030.CPY 0 [After System Restore]

Make note, that depending on how many restore points you have saved, the *.CAB file name will change.

All registry keys are created after running System Restore

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\StateMgr\ReservedDiskSpace]
"UIFreezeSize"=dword:00000032

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}]
"MenuText"="@shdoclc.dll,-864@0,Show &Related Links"
"MenuStatusBar"="@shdoclc.dll,-865@0,Shows links related to the current page."
"ButtonText"="@shdoclc.dll,-866@0,Related"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\International\CpMRU]
"Cache"=hex:e9,fd,00,00,2e,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\1]
  00,00,00,00,00,00,94,95,45,00,00,00,00,00,5f,04,00,00,07,00,00,00,e0,d0,57,\
  23,bd,01,00,00,02,00,00,00,19,00,22,45,3a,5c,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,29,38,e8,00,00,00,02,00,00,00,14,00,2e,1e,20,20,ec,21,\
  ea,3a,69,10,a2,dd,08,00,2b,30,30,9d,2f,01,00,00,02,00,00,00,14,00,2e,80,a0,\
  ff,2c,99,57,f5,1a,10,88,ec,00,dd,01,0c,cc,48,76,01,00,00,02,00,00,00,14,00,\
  2e,80,36,b7,11,e2,fd,43,d1,11,9e,fb,00,00,f8,75,7f,cd,76,01,00,00,02,00,00,\

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\14]
  00,00,00,00,00,00,00,f0,f0,f0,f0,14,00,03,00,6a,01,00,00,00,00,00,00,00,00,\
  2e,45,58,45,00,e8,00,00,00,02,00,00,00,29,00,32,00,1a,b7,04,00,8d,41,2e,a1,\
  20,00,46,49,4c,45,4c,49,53,54,31,2e,54,58,54,00,46,49,4c,45,4c,49,7e,31,2e,\
  54,58,54,00,2f,01,00,00,02,00,00,00,20,00,32,00,38,79,53,00,8d,41,57,a1,20,\
  00,52,45,47,31,2e,72,65,67,00,52,45,47,31,2e,52,45,47,00,76,01,00,00,02,00,\
  00,00,1c,00,32,00,00,6e,b6,03,8a,41,19,44,20,00,55,39,38,53,45,53,50,33,2e,\
  45,58,45,00,00,8f,01,00,00,96,00,00,00,29,00,32,00,e8,b8,04,00,8d,41,92,a1,\
  20,00,46,49,4c,45,4c,49,53,54,32,2e,54,58,54,00,46,49,4c,45,4c,49,7e,32,2e,\
  54,58,54,00,8f,01,00,00,96,00,00,00,00,00,bf,7f

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count]
"HRZR_EHACNGU"=hex:02,00,00,00,46,00,00,00,60,d1,c6,45,6e,d9,cd,01
"HRZR_HVFPHG"=hex:02,00,00,00,22,00,00,00,a0,2f,ba,3b,6e,d9,cd,01
"HRZR_EHAJZPZQ"=hex:02,00,00,00,21,00,00,00,60,43,ba,44,6e,d9,cd,01
"HRZR_EHAJZPZQ:0k1,130"=hex:02,00,00,00,10,00,00,00,80,33,23,44,6e,d9,cd,01
"HRZR_EHAJZPZQ:0k1,132"=hex:02,00,00,00,10,00,00,00,80,33,23,44,6e,d9,cd,01
"HRZR_EHACVQY:%pfvqy2%\\Npprffbevrf"=hex:02,00,00,00,06,00,00,00,00,eb,b5,10,\
  6e,d9,cd,01
"HRZR_EHACVQY:%pfvqy2%\\Npprffbevrf\\Flfgrz Gbbyf"=hex:02,00,00,00,06,00,00,00,\
  00,eb,b5,10,6e,d9,cd,01
"HRZR_EHAJZPZQ:0k1,191"=hex:02,00,00,00,08,00,00,00,60,43,ba,44,6e,d9,cd,01
  00,00,00,06,00,00,00,00,eb,b5,10,6e,d9,cd,01
"HRZR_EHACNGU:P:\\JVAQBJF\\Qrfxgbc\\OOO.ONG"=hex:02,00,00,00,0b,00,00,00,20,1f,\
  1e,31,6e,d9,cd,01
"HRZR_EHACNGU:P:\\JVAQBJF\\ERTRQVG.rkr"=hex:02,00,00,00,07,00,00,00,60,d1,c6,\
  45,6e,d9,cd,01
"HRZR_EHACVQY"=hex:02,00,00,00,08,00,00,00,00,eb,b5,10,6e,d9,cd,01
"HRZR_EHACNGU:P:\\JVAQBJF\\FLFGRZ\\ERFGBER\\EFGEHV.RKR"=hex:02,00,00,00,06,00,\
  00,00,e0,b3,c6,10,6e,d9,cd,01

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"="My Computer"

[CharlotteTheHarlot]

PROBLEMCHYLD, on 13 December 2012 - 03:35 PM, said:

I followed your instructions using WINDIFF.EXE 6.0.6000.16384 and here are the changes after System Restore has been run

When you Windiff the filelists you should get the file locations, dates/times in addition to the sizes, but they are not showing there. Can you confirm that the DIR filelists are complete?

Without seeing the filepaths I will assume that this is activity under _Restore directory. Was this a "Save" or "Restore" operation? I am going to guess it is a "Save" because the user registry hive is larger "after" the operation. So I guess these files you list were saved to the _Restore directory? But it did not save the System hive which is very important IMHO. Actually I don't see any system file changes at all.

At the minimum, a System Restore should save both ( on Win98 ) or all three ( WinME ) registry hives, as well as key files like SYSTEM.INI, WIN.INI, and it should be able to do quite a few more like VMM32.VXD just for an example. We could crowd source a nice complete list, but I thought that the WinME System Restore already had it built-in.

[PROBLEMCHYLD]

CharlotteTheHarlot, on 14 December 2012 - 04:36 AM, said:

When you Windiff the filelists you should get the file locations, dates/times in addition to the sizes, but they are not showing there. Can you confirm that the DIR filelists are complete?

It does, I was just being lazy.

CharlotteTheHarlot, on 14 December 2012 - 04:36 AM, said:

Without seeing the filepaths I will assume that this is activity under _Restore directory. Was this a "Save" or "Restore" operation? I am going to guess it is a "Save" because the user registry hive is larger "after" the operation. So I guess these files you list were saved to the _Restore directory? But it did not save the System hive which is very important IMHO. Actually I don't see any system file changes at all.

It was System Restore.
The system hive is placed inside a .cab file in the _Restore folder. If you notice the change in the file sizes I posted above, it lets you know system restore has written new data. I only made minor changes, to speed up the process.