SANS ISC: InfoSec Handlers Diary Blog

Microsoft XP Change Analysis Diagnostic Tool

Published: 2007-03-28
Last Updated: 2007-03-28 23:37:48 UTC
by Scott Fendley (Version: 2)
0 comment(s)
Earlier today I came across a new tool that might be useful to InfoSec professionals. Though it is not a "security" tool, it can be used by support people to help better understand the modifications that may have occurred to a particular system. Once installed, the tool will scan the computer looking for specific types of changes to the computer, including:

  • Software Programs which are listed in the Add/Remove Program control panel
  • Operating System Components including Hotfixes or updates from Microsoft Update
  • Browser Helper Objects and other COM components loaded in Internet Explorer
  • Drivers
  • ActiveX Controls, and
  • Other Auto-Start Extensibility Points
It creates a nice little XML file that you can use for a variety of purposes.

However, in my testing on my laptop, I have found that some software packages appear to make changes in more places than I even knew was occurring. For example, Symantec Antivirus Corporate Edition changes the path to certain driver files with virus definition updates. These will be reported as:
Changed from "\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070326.020\navex15.sys" to "\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070327.019\navex15.sys"
Adobe Acrobat apparently also makes regular modifications to the startup folder for its Speed Launcher program.

Even with these items that may need to be ignored depending on the support issue at hand, the tool may be very useful for determining what end users may have done to their computer.  This eliminates the user's need to accurately articulate the changes to you, if they actually admit to changing something.  For more information on the tool, please see KB Article 924732 at
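
The XML report is only useful once the routine churn described above (virus definition path changes, the Acrobat Speed Launcher startup entry) is separated from changes a support person actually needs to look at. The script below is an added example, not code from the diary or from Microsoft: it parses a constructed report in an assumed `<changes><change category= type=><name/><old/><new/></change></changes>` layout (the diary does not show the tool's real schema), normalizes Symantec definition version directories so a path that differs only in the `VIRUSD~1\YYYYMMDD.NNN` component is classified as a definition update, and suppresses date-only changes to the Speed Launcher shortcut. Everything else, such as a newly added Browser Helper Object, is reported for review.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample report. The element and attribute names are an ASSUMPTION
# about the tool's output format; the diary only says it writes an XML file.
# The Symantec paths are the ones quoted in the diary; the rest are made up.
SAMPLE_REPORT = r"""<changes>
  <change category="Drivers" type="Changed">
    <name>NAVEX15</name>
    <old>\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070326.020\navex15.sys</old>
    <new>\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070327.019\navex15.sys</new>
  </change>
  <change category="Other Auto-Start Extensibility Points" type="Changed">
    <name>Adobe Reader Speed Launch.lnk</name>
    <old>C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk (2007-03-26)</old>
    <new>C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk (2007-03-27)</new>
  </change>
  <change category="Browser Helper Objects" type="Added">
    <name>{PLACEHOLDER-CLSID}</name>
    <new>C:\Program Files\Unknown Toolbar\toolbar.dll</new>
  </change>
  <change category="Operating System Components" type="Added">
    <name>Hotfix KB-PLACEHOLDER</name>
    <new>Installed via Microsoft Update</new>
  </change>
</changes>
"""

# Symantec stores each definition set under VIRUSD~1\<YYYYMMDD.NNN>; the driver
# path changes every time definitions update, so we mask that directory name.
DEFVER_RE = re.compile(r"VIRUSD~1\\\d{8}\.\d{3}", re.IGNORECASE)
SPEEDLAUNCH_RE = re.compile(r"speed launch", re.IGNORECASE)
# Constructed "(YYYY-MM-DD)" suffix standing in for whatever timestamp the tool records.
DATESTAMP_RE = re.compile(r"\(\d{4}-\d{2}-\d{2}\)")


def parse_changes(xml_text):
    """Turn the (assumed) report layout into a list of plain dicts."""
    root = ET.fromstring(xml_text)
    changes = []
    for el in root.findall("change"):
        changes.append({
            "category": el.get("category", ""),
            "type": el.get("type", ""),
            "name": el.findtext("name", default=""),
            "old": el.findtext("old", default=""),
            "new": el.findtext("new", default=""),
        })
    return changes


def expected_noise_reason(change):
    """Return a short reason if the change is routine churn, else None."""
    if change["type"] != "Changed":
        return None
    old, new = change["old"], change["new"]

    # Definition update: old and new paths are identical once the version dir is masked.
    if DEFVER_RE.search(old) and DEFVER_RE.search(new):
        mask = lambda s: DEFVER_RE.sub(lambda m: "VIRUSD~1\\<defver>", s)
        if mask(old) == mask(new):
            return "Symantec virus definition update (driver path version changed)"

    # Acrobat Speed Launcher shortcut rewritten in the Startup folder; only the date differs.
    if change["category"].startswith("Other Auto-Start") and SPEEDLAUNCH_RE.search(change["name"]):
        if DATESTAMP_RE.sub("", old) == DATESTAMP_RE.sub("", new):
            return "Adobe Acrobat Speed Launcher startup entry refreshed"
    return None


def triage(xml_text):
    """Split a report into changes worth reviewing and suppressed routine churn."""
    noteworthy, suppressed = [], []
    for change in parse_changes(xml_text):
        reason = expected_noise_reason(change)
        if reason:
            suppressed.append((change, reason))
        else:
            noteworthy.append(change)
    return noteworthy, suppressed


if __name__ == "__main__":
    review, noise = triage(SAMPLE_REPORT)
    for c in review:
        print(f"REVIEW   [{c['category']}] {c['type']}: {c['name']} -> {c['new']}")
    for c, why in noise:
        print(f"IGNORED  [{c['category']}] {c['name']}: {why}")
```

The suppression rules are deliberately narrow: a change is dropped only when the old and new values are identical after masking the one component known to churn, so a Symantec driver path that moves somewhere outside the definition directory, or a Startup-folder entry whose target changes, still surfaces for review.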


Peter Stendahl-Juvonen wrote to tell us that this tool is language dependent and that it will work only on English language systems.
Let's hope Microsoft will release a version that works on all language systems soon.
