Frontpage
Forums
Tutorials
Members
Calendar
Subscription
Donate
Links
Contact 
Help
CharlotteTheHarlot, on 27 November 2012 - 11:52 AM, said:
I seem to remember Mark Russinovich saying something about Win9x call-hooking being unreliable, and this was the reason that ProcMon only worked on NT, and that FileMon and RegMon didn't capture 100% of the events or allow boot logging.
This is why long ago I decided to skip attempts at realtime capture ( Win9x really doesn't need another destabilizing variable
) and just do before and after logs.
Save a complete Registry Export and also a complete FileList ( DIR C:\ /a /s >FILELIST.TXT ). The FileList should be done using a patched COMMAND.COM naturally. See here and here.
Then you can WinDiff them at your leisure later rather than the substantial risk of a realtime monitor which by design must use a custom driver VXD. Risking a BSOD during a System Restore is a nomination for a Darwin Award! Just my IMHO.
This is why long ago I decided to skip attempts at realtime capture ( Win9x really doesn't need another destabilizing variable
) and just do before and after logs.Save a complete Registry Export and also a complete FileList ( DIR C:\ /a /s >FILELIST.TXT ). The FileList should be done using a patched COMMAND.COM naturally. See here and here.
Then you can WinDiff them at your leisure later rather than the substantial risk of a realtime monitor which by design must use a custom driver VXD. Risking a BSOD during a System Restore is a nomination for a Darwin Award! Just my IMHO.
BOOTLOG.TXT 71,081 [Before System Restore]
BOOTLOG.TXT 73,973 [After System Restore]
INFO2 2,260 [Before System Restore]
INFO2 2,820 [After System Restore]
USER.DAT 204,832 [Before System Restore]
USER.DAT 208,928 [After System Restore]
WORDPAD.LGC 12,195 [Before System Restore]
WORDPAD.LGC 12,251 [After System Restore]
RSTRUI.LGC 74,058 [After System Restore]
MYDOCU~1.MYD 0 [After System Restore]
RG50CA~1.CAB 3,877,888 [After System Restore]
RESTOR~1.LOG 65 [After System Restore]
A0000026.CPY 235 [After System Restore]
A0000030.CPY 0 [After System Restore]
Make note, that depending on how many restore points you have saved, the *.CAB file name will change.
All registry keys are created after running System Restore
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\StateMgr\ReservedDiskSpace]
"UIFreezeSize"=dword:00000032
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}]
"MenuText"="@shdoclc.dll,-864@0,Show &Related Links"
"MenuStatusBar"="@shdoclc.dll,-865@0,Shows links related to the current page."
"ButtonText"="@shdoclc.dll,-866@0,Related"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\International\CpMRU]
"Cache"=hex:e9,fd,00,00,2e,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\1]
00,00,00,00,00,00,94,95,45,00,00,00,00,00,5f,04,00,00,07,00,00,00,e0,d0,57,\
23,bd,01,00,00,02,00,00,00,19,00,22,45,3a,5c,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,29,38,e8,00,00,00,02,00,00,00,14,00,2e,1e,20,20,ec,21,\
ea,3a,69,10,a2,dd,08,00,2b,30,30,9d,2f,01,00,00,02,00,00,00,14,00,2e,80,a0,\
ff,2c,99,57,f5,1a,10,88,ec,00,dd,01,0c,cc,48,76,01,00,00,02,00,00,00,14,00,\
2e,80,36,b7,11,e2,fd,43,d1,11,9e,fb,00,00,f8,75,7f,cd,76,01,00,00,02,00,00,\
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\14]
00,00,00,00,00,00,00,f0,f0,f0,f0,14,00,03,00,6a,01,00,00,00,00,00,00,00,00,\
2e,45,58,45,00,e8,00,00,00,02,00,00,00,29,00,32,00,1a,b7,04,00,8d,41,2e,a1,\
20,00,46,49,4c,45,4c,49,53,54,31,2e,54,58,54,00,46,49,4c,45,4c,49,7e,31,2e,\
54,58,54,00,2f,01,00,00,02,00,00,00,20,00,32,00,38,79,53,00,8d,41,57,a1,20,\
00,52,45,47,31,2e,72,65,67,00,52,45,47,31,2e,52,45,47,00,76,01,00,00,02,00,\
00,00,1c,00,32,00,00,6e,b6,03,8a,41,19,44,20,00,55,39,38,53,45,53,50,33,2e,\
45,58,45,00,00,8f,01,00,00,96,00,00,00,29,00,32,00,e8,b8,04,00,8d,41,92,a1,\
20,00,46,49,4c,45,4c,49,53,54,32,2e,54,58,54,00,46,49,4c,45,4c,49,7e,32,2e,\
54,58,54,00,8f,01,00,00,96,00,00,00,00,00,bf,7f
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count]
"HRZR_EHACNGU"=hex:02,00,00,00,46,00,00,00,60,d1,c6,45,6e,d9,cd,01
"HRZR_HVFPHG"=hex:02,00,00,00,22,00,00,00,a0,2f,ba,3b,6e,d9,cd,01
"HRZR_EHAJZPZQ"=hex:02,00,00,00,21,00,00,00,60,43,ba,44,6e,d9,cd,01
"HRZR_EHAJZPZQ:0k1,130"=hex:02,00,00,00,10,00,00,00,80,33,23,44,6e,d9,cd,01
"HRZR_EHAJZPZQ:0k1,132"=hex:02,00,00,00,10,00,00,00,80,33,23,44,6e,d9,cd,01
"HRZR_EHACVQY:%pfvqy2%\\Npprffbevrf"=hex:02,00,00,00,06,00,00,00,00,eb,b5,10,\
6e,d9,cd,01
"HRZR_EHACVQY:%pfvqy2%\\Npprffbevrf\\Flfgrz Gbbyf"=hex:02,00,00,00,06,00,00,00,\
00,eb,b5,10,6e,d9,cd,01
"HRZR_EHAJZPZQ:0k1,191"=hex:02,00,00,00,08,00,00,00,60,43,ba,44,6e,d9,cd,01
00,00,00,06,00,00,00,00,eb,b5,10,6e,d9,cd,01
"HRZR_EHACNGU:P:\\JVAQBJF\\Qrfxgbc\\OOO.ONG"=hex:02,00,00,00,0b,00,00,00,20,1f,\
1e,31,6e,d9,cd,01
"HRZR_EHACNGU:P:\\JVAQBJF\\ERTRQVG.rkr"=hex:02,00,00,00,07,00,00,00,60,d1,c6,\
45,6e,d9,cd,01
"HRZR_EHACVQY"=hex:02,00,00,00,08,00,00,00,00,eb,b5,10,6e,d9,cd,01
"HRZR_EHACNGU:P:\\JVAQBJF\\FLFGRZ\\ERFGBER\\EFGEHV.RKR"=hex:02,00,00,00,06,00,\
00,00,e0,b3,c6,10,6e,d9,cd,01
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"="My Computer"
Back to top
