Cyber Security Expo
A poor-man Tripwire-like system on Windows 9x/NT by Floydman on 08/09/02

Updated: August 14th, 2000: I got some feedback, and this called for an update. First, some of the questions raised in the first versions have been answered by InstallWatch"s author Gavin Stark, and I modified the chapters accordingly, either by putting a note or by removing the questions because they were irrelevant to this paper. I also added 2 appendices. Appendice A is more information about InstallWatch as I got it from Gavin Stark/Epsilon Software. Appendice B is about Harlan Carvey" Perl Page, in which we can find, amongst other things, a Tripwire implementation in Perl.

You can distribute this document freely, as long as no changes are made to the file, or as long as credit for it is not pretended by someone else. All comments and suggestions about the material presented here should be directed at If future versions of this document include add-ons coming from other people than me, then proper credit to the various authors will be clearly identified. All version updates of this document are to be released by me.

You can find it online at


The goal of this paper is to present a simple and low-cost way to implement Tripwire-like capabilities on a Microsoft Windows 95/98/NT/2000/* machine.


In my quest for better knowledge in the computer security field, I came across a paper discussing the software Tripwire, then for Unix only but now available for NT as well. For those who have never heard of Tripwire, it is a system integrity checker, i.e. it checks if your system had been compromised, by comparing the current information state of your machine to a "snapshot" previously done that was made from when the system was considered as 100% not-compromised machine (preferably at installation time, before the machine is put on the network). If something"s changed, chances are that some cracker/script kiddie has compromised your system, and what you see is the backdoors and other things like that they left for themselves. People who have read my previous paper "Virus protection in a Microsoft Windows network, or How to stand a chance" know my love for batch files. It quickly came to my mind that I could probably do something similar with some kind of batch files, and have it for free too! But then again, I also stumbled on another piece of software (freeware) that would spare me the trouble and have a GUI too, all at the same price.


I have never used any Tripwire software on any platform. I gathered my knowledge on Tripwire through reading documentation found on Internet. I am stating this for two things: 1) Tripwire could have some features that I have not heard about and that could be not covered in this paper; 2) I have no idea of the Tripwire interface and/or command line options, and the solution covered in this paper may (or may not) be quite different from the actual Tripwire interface.

Targeted audience

This document is presented to anyone who has interests in computer security, network administration, intrusion detection and computing in general.

Table of contents

1. A little bit about Tripwire
2. A little bit about InstallWatch
3. Same thing, but a different way
4. The experiment
5. The pros...
6. And cons
7. In conclusion
Appendice A. A little bit more about InstallWatch
Appendice B. A lot of Perls

1. A little bit about Tripwire

Tripwire is an integrity checking software. It was first developed on the Unix platform as a university project designed by Gene H. Kim and Eugene H. Spafford. It is now a commercial product (, they have an academic free version).

Tripwire works by comparing the current file system of a machine to a previous snapshot done from when the machine was guaranteed as safe (usually, at installation time). The snapshot is actually a database of the disk content, including (but not necessarily limited to) tree structure, complete list of files, along with file properties and Time/Date information, and a derived hash for each file. (A hash could be seen as some kind of encryption scheme, or a translation function, that translates the actual binary content of a file into something unreadable but that uniquely identifies that content) So when you first run Tripwire (or when you updated your machine with various patches and want to get a new snapshot), it will build that database containing all system file information.

The logic from this is that when you installed your system base, there is no reason that system files should be updated "by themselves" afterwards. If it is so, then your system has probably been compromised, and an intruder planted backdoors/trojans/sniffers in your machine. The sad news when you find this kind of things out is there are probably more machines on your network that may be compromised as well.

So back to Tripwire. It is strongly recommended, but not mandatory, to store your "clean system snapshot" to a read-only media (such as CD-R disc), because this will guarantee you that the snapshot cannot be tampered with. Tampering is mostly prevented from the hash encryption, but this is not 100% fool proof, since the encryption algorithm is known (i.e. vulnerable to brute force attack). Having your database on read-only media is your best guarantee, because you can safely store it where no intruder can have access.

So, basically, when you want to run an audit on your system (let"s say on a weekly basis), Tripwire will re-scan the entire system, regenerating a database similar in structure (along with derived hash) to the original snapshot. Any difference between these databases will show file integrity compromise. Added files can be imported tools. Modified files are trojaned system files; missing files could be vandalism. To figure out if a file has been modified, Tripwire does not only rely on the Date/Time stamp, but also on the derived hash.

It"s that simple.

2. A little bit about InstallWatch

Well, it"s name says pretty much what it does. It watches software installations. InstallWatch Pro (version 2.5c at the time of this writing) can be found free of charge at Epsilon Squared web site ( This is one utility that all network administrator/desktop support person should have. When you first install the software, it proceeds to create a database of your current system, i.e. directory structure, complete file list, file properties and CRC check, along with a focus on INI files, and complete registry scan. This will be the base system database.

InstallWatch Pro can be configured to be launched at start-up and to detect "software setups". You can customize what portion of your system you want to be considered for the scan, put exclusion schemes, select what registry hives you want to include, etc. So, what happens next? Let"s say you want to install the productivity software XYZ on your machine. When you double-click on setup.exe, InstallWatch will detect that a software setup process has been launched, and will overtake operations from there. It will ask you to build a snapshot of your system in order to know the "pre-installation" state of your machine. This can take between 30 seconds to 20 minutes depending on your configuration (beware of cache folders, they are time-consuming to scan). When it is done, it gives control back to the installation program, and we install the software as we would normally do. After the installation, or after the reboot if it required one, InstallWatch will kick in again, again to perform a similar scan. The differences in-between the two scans are the result of the installation procedure. You have the complete image to this software. Doing this process for every software used in a site, IT personnel would have a complete database of software package signatures. This can be useful for deployment/troubleshooting purposes. Epsilon Squared also have another product called InstallRite, that supposedly does the same thing, but also include an "installation kit" export feature. I did not try this yet, but this apparently extracts a software installation previously monitored into a single self-extract file, for deployement purposes.

InstallWatch Pro can also be used through a wizard, which will ask you where the installation file is, which can be useful for certain files (like Microsoft patches) that install themselves without triggering InstallWatch. InstallWatch will perform the scan before actually launching the install file. You can also manually launch the different steps if you wish, Snapshot and Analyze.

3. Same thing, but a different way

By now, you must have found out that these two products, while being developed for different purposes, act in a very similar way. I know it didn"t take me long to figure this out, and I quickly forgot my silly ideas about doing a "batch file version" of Tripwire (although I may still do it for the kick later, if I do I"ll include it in this file). I felt more like "tweaking" InstallWatch to see if it could truly be used as a real system integrity checker.

Well, it didn"t need that much tweaking, after all. I proceeded to perform a snapshot of my system, which created a file called snapshot.iws. The file varies between 5 to 10 megabytes, depending on the size of your system scan. When you perform Snapshot and Analyze commands individually, Analyze is disabled until a scan is performed, or more precisely when snapshot.iws is in the snapshot directory. This also means that performing an Analyze will erase the snapshot.iws file, so if you"re not using read-only media, be sure to keep a copy somewhere. InstallWatch behaves like this in order not to pick up unrelated changes between two software installations. So knowing this, it"s easy to figure out what to do.

At the beginning, I"d say you have two options, and I can"t figure out which one is the best option. You decide. The first option is this: you install InstallWatch Pro first thing after the OS, and you monitor the payload of every other Service Pack, update, software, etc. that you add afterwards. That will provide you with a wealth of useful information about your machines. But this can be time consuming. The second option is you prepare your system to be in the desired configuration and software, all up to date, then install InstallWatch Pro in order to monitor any suspicious changes from then on. After your initial snapshot is done, you should make a copy of it on another media, in case of tampering/deletion. I would recommend read-only media. You can then change InstallWatch snapshot directory to point to the copy on the CD-ROM. You should also make a backup copy of your database file, but this one still needs to be accessed on read-write media (could this be made with Adaptec Direct CD? I don"t know. If someone out there is willing to risk scrapping a blank CD-R to try it out, let me know about it). And there you go. Whenever you place the CD in your CD-ROM drive, InstallWatch Pro will be in the Analyze mode, and will compare your system with your clean snapshot.

Here are a few recommendations, though. Since InstallWatch was not originally intended as a security product, it is not a quiet program if you keep the default configuration. Since you"re monitoring production machines that shouldn"t get software installed regularly, you should disable the start-up option, so it is not in memory when the server is in normal use. You should also disable the "detect setup" option, because if an intruder uses a tool that let"s him see the console, and installs himself a kit via a setup program, he"ll get InstallWatch splash screen right on his face, shouting out that you are monitoring your machines. Some could think it is a good thing because that would scare them away, but I don"t believe so. I only gives them the chance to leave, figure out what I"m using, and how to disable/bypass it, than come back. Anyway, Tripwire isn"t built for live checking, so there"s no reason to try to pursue that fantasy with InstallWatch. Disabling these two options will keep the program quiet. You should also hide InstallWatch Pro somewhere else than the default directory. You manually launch InstallWatch Pro every time you want to perform an audit, and you close it after, until next check.

4. The experiment

So that was theory. Now I had to prove it with experimentation. And I"m glad I did, because I found some interesting things. First, I proceeded to perform my base system snapshot, which I then copied on a CD and erased the original copy. I should mention that this was performed on a Windows 95 machine, equipped with a CD burner operated with Adaptec CD-Creator software. I wanted this to be a good test, so I chose not to be picky, scanning both of my drives in their entirety, making only an exception for the win386.swp swap file (this one is expected to change, so there"s no reason monitoring it.) As soon as the snapshot file was created, I launched CD-Creator to create my CD copy of the snapshot and database files. I then proceeded to change the location of the snapshot file configuration in InstallWatch (btw, this should have generated perceptible change in the system, but it didn"t. Anyone can explain why?)(Explanation from Gavin Stark: InstallWatch doesn"t monitor it"s own directories and files, which is a bad thing in a security context, but next release could solve this, look Appendice A for a fix) and then closed it, and then made some baits to make sure InstallWatch would effectively catch them.

I added a [space] character at the end of a batch file, thus modifying it"s content. That operation also changed the date, which is too bad, because I would have liked to be able to see if it could be fooled. In the good old days of DOS, you could fiddle with the date and time info of a file, but now in the Windows world, it seems like these tools have vanished. Then I erased a .gif file from my (sloppy) "c:\windows\temporary internet files" folder. Then I created an empty file in d:\jpgs. To top it off, I removed an entry in the registry related to the file type .shs. Who needs that scrap anyway?

Then, I launched InstallWatch once more, with the CD containing the snapshot in the drive, and I hit Analyze. 20 minute later, I get the results. More than I expected, I admit. Here is the text export files from this scan (* is the field delimiting character):

Test - All files.txt
D:\jpgs\hereiam.ZIP**1KB**A**8/1/00 4:30:04 PM****
C:\WINDOWS\TEMP\error.log*1KB*1KB*A*A*7/31/00 2:20:36 PM*8/1/00 4:24:56 PM***1659241a*be0187b8
C:\WINDOWS\Start Menu\Programs\Multimedia\Adaptec Easy CD Creator\Easy CD Creator.lnk*1KB*1KB*A*A*6/20/00 12:27:50 PM*8/1/00 4:19:36 PM***f4cc5c0e*51e02f72
C:\Program Files\Winamp\WINAMP.ini*3KB*3KB*A*A*8/1/00 3:58:32 PM*8/1/00 4:18:36 PM***b90ccdc*68aedd84
C:\Program Files\Plus!\System\SAGE.DAT*7KB*7KB*HA*HA*8/1/00 3:45:00 PM*8/1/00 4:15:00 PM***43d9e49f*85611617
C:\Program Files\PGP\PGP50\randseed.bin*1KB*1KB*A*A*8/1/00 1:18:04 AM*8/1/00 4:30:36 PM***f0cc5d0e*1d198bb6
C:\logitemp\INSTALL.BAT*4KB*4KB*A*A*8/10/95 4:15:08 PM*8/1/00 4:28:30 PM***d62eaf9c*10033e85
C:\WINDOWS\Temporary Internet Files\Content.IE5\SR0HD7NT\cl2[1].gif*1KB**A**8/1/00 3:30:36 PM****18a5cef*

Test - INI files.txt
C:\Program Files\Winamp\WINAMP.ini*WinampAgent*lastchk*01BFFBC3514DA220*01BFFBF5A67359C0

Test - Registry.txt
HKEY_CLASSES_ROOT\AutoRun\4\name*@*"NHL 2000"*
HKEY_CLASSES_ROOT\AutoRun\4\name2*@*"NHL 2000 Setup"*
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\UpgInfo***
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\UpgInfo*install**"2000_08_01"
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Disc Wizard***
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Disc Wizard*XPos**dword:00000209
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Disc Wizard*YPos**dword:00000014
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Color***
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Default Priority Levels***
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Font***
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Font\Track***
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Font\Title***
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Font\BoxEdge***
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Font\Artist***
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Summary***
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Summary*Bars**dword:00000004
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Summary*ScreenCX**dword:00000400
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AutoRun\4\name*@*"NHL 2000"*
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AutoRun\4\name2*@*"NHL 2000 Setup"*
HKEY_LOCAL_MACHINE\SOFTWARE\Adaptec\Easy CD Creator\Devices*default**"1,0,0"
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Summary*ScreenCY**dword:00000300
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Optimizer***
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Track_Writer***
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0***
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*BarID**dword:0000e800
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*XPos**dword:fffffffe
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*YPos**dword:fffffffe
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*Docking**dword:00000001
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*MRUDockID**dword:00000000
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*MRUDockLeftPos**dword:fffffffe
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*MRUDockTopPos**dword:fffffffe
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*MRUDockRightPos**dword:000001ae
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*MRUDockBottomPos**dword:0000001e
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*MRUFloatStyle**dword:00002000
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*MRUFloatXPos**dword:80000000
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*MRUFloatYPos**dword:00000000
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar1***
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar1*BarID**dword:0000e801
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar2***
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar2*BarID**dword:0000e8ff
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar2*Visible**dword:00000000
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar3***
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar3*BarID**dword:0000e81b
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar3*Bars**dword:00000003
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar3*Bar#0**dword:00000000
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar3*Bar#1**dword:0000e800
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar3*Bar#2**dword:00000000
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Advanced*TrackBufferThresholdInKB**dword:00000064
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*CDROM_Drive**"E"
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*bMustRunSysTest**dword:00000000
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*WindowPos**"0,5,-1,-1,-1,-1,64,44,960,670"
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*DefView**dword:00000000
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*HorizBar**dword:000000c0
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*UpperBar**dword:000000fd
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*LowerBar**dword:000000fd
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*AudioCol0**dword:00000063
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*AudioCol1**dword:0000003d
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*AudioCol2**dword:00000040
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*NameWidth**dword:00000060
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*SizeWidth**dword:00000046
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*TypeWidth**dword:000000f0
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*DateWidth**dword:00000088
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*PriorWidth**dword:000000f0
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*AudioHorizBar**dword:00000000
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*AudioUpperBar**dword:00000000
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*SourceAutoArrange**dword:00000001
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*SourceViewMode**dword:00000001
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Settings*AudioViewMode**dword:00000001
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Margin*JewelCaseBorders**dword:00000001
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*BarID**dword:0000e800
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*XPos**dword:fffffffe
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*YPos**dword:fffffffe
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*Docking**dword:00000001
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*MRUDockID**dword:00000000
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*MRUDockLeftPos**dword:fffffffe
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*MRUDockTopPos**dword:fffffffe
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*MRUDockRightPos**dword:000001ae
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*MRUDockBottomPos**dword:0000001e
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*MRUFloatStyle**dword:00002000
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*MRUFloatXPos**dword:80000000
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0*MRUFloatYPos**dword:00000000
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar1***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar1*BarID**dword:0000e801
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar2***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar2*BarID**dword:0000e8ff
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar2*Visible**dword:00000000
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar3***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar3*BarID**dword:0000e81b
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar3*Bars**dword:00000003
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar3*Bar#0**dword:00000000
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar3*Bar#1**dword:0000e800
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar3*Bar#2**dword:00000000
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Advanced*TrackBufferThresholdInKB**dword:00000064
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*CDROM_Drive**"E"
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*bMustRunSysTest**dword:00000000
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*WindowPos**"0,5,-1,-1,-1,-1,64,44,960,670"
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*DefView**dword:00000000
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*HorizBar**dword:000000c0
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*UpperBar**dword:000000fd
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*LowerBar**dword:000000fd
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*AudioCol0**dword:00000063
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*AudioCol1**dword:0000003d
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*AudioCol2**dword:00000040
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*NameWidth**dword:00000060
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*SizeWidth**dword:00000046
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*TypeWidth**dword:000000f0
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*DateWidth**dword:00000088
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*PriorWidth**dword:000000f0
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*AudioHorizBar**dword:00000000
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*AudioUpperBar**dword:00000000
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*SourceAutoArrange**dword:00000001
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*SourceViewMode**dword:00000001
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Settings*AudioViewMode**dword:00000001
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Margin*JewelCaseBorders**dword:00000001
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\UpgInfo***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\UpgInfo*install**"2000_08_01"
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Disc Wizard***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Disc Wizard*XPos**dword:00000209
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Disc Wizard*YPos**dword:00000014
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Color***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Default Priority Levels***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Font***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Font\Track***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Font\Title***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Font\BoxEdge***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Font\Artist***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Summary***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Summary*Bars**dword:00000004
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Summary*ScreenCX**dword:00000400
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Summary*ScreenCY**dword:00000300
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Optimizer***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Track_Writer***
HKEY_USERS\.Default\Software\Adaptec\Easy CD Creator\Easy CD Creator-Bar0***

WHOAA!!! Where does all this shit comes from? Welcome to the Microsoft world buddy. First of all, you can export data in Text format, or in HTML. But this format just gives you raw information. In the GUI, you can break down these to Added, Modified, and Deleted, for all three categories. If you want that granularity in your output, you have to generate a separate output file at each breakdown. (Note: this should be solved in next release) Now, about the results. The steps I did between the two scans are exactly as described above and are complete, and it all occurred within a 5-minute window. So what happened?

First, we can see at the top of the All files.txt file that it spotted my dummy .zip file. The second to last line is the batch file that I added one [space] character at the end of it (notice the big difference in the CRC check, the last two fields of the line). And the last line is the .gif file I erased in my temp folder. The rest results from Windows activity. Error.log was created by CD-Creator when I copied the files on CD. The same with the .lnk file (interesting note, .lnk files have a field in them for last accessed date and time, which means that when you double-click on a shortcut, you actually modify the file by updating this field). System agent apparently updates it"s .dat file, WinAmp does the same with it"s .ini file (remember this is not a server, it is my home PC), and PGP does I-don"t-know-what with a .bin file. I didn"t use WinAmp, System Agent or PGP during the testing period, although they were installed and active.

The Registry gives even more intriguing results: first, we see the entry I removed (HKEY_CLASSES_ROOT\.shs***), and the rest is pure gravy. If you look closely, there are some more entries related to .shs that have been removed also, which probably means that the Windows Registry is self-updating. Then, you view a bunch of registry entries relating again to CD-Creator, resulting from when I burned the CD. The rest intrigues me and I hope someone out there can shed more light as to what really went on. Several entries relating to Autorun have been erased from the registry, and a bunch of entries related to stream in Explorer (video streaming?) have been modified. And I want to precise that the machine was not connected to any network during this time.

So, it works, but you need to tailor your configuration to make sure you don"t get too many false alarms. You should scan your temp folders, but try to keep them clean.

5. The pros...

Well, the pros are pretty obvious. You spare 595$ US (700$ with one year premium support) per copy of Tripwire for NT you would have needed, since InstallWatch Pro is provided free of charge. But it could sell for 30$-40$ and it would still be a good purchase, even if you were to limit it"s use to it"s original design. With very little effort, a good file integrity checker will protect your servers. What could you ask more?

6. And the cons

Well, not much, but still a few things. First, the CRC check algorithm used by InstallWatch is not as strong as the one implemented in Tripwire. If you require the best of the best in your security choices, then go for the absolute best, there is no trade off for that. But I still consider that the CRC check is still good enough for the vast majority of us (but don"t let your CD carelessly on your desk). Another point, Tripwire supports networks, meaning that several servers running Tripwire report to a management console, providing a single point of access. Since InstallWatch was not designed as a security suite, it would be unfair to blame it on Epsilon Squared. But InstallWatch can export its data in HTML, and you could save it on an intranet page to view all your results. What would be a nice add-on is the ability to have an auto-export feature that export to files according to your specifications after every audit. That"s about it. If you have some imagination, you could have your audits to run as scheduled tasks (which would involve leaving the CD in the machine, it"s OK if your server is in a safe location).

7. In conclusion

I wanted to have an integrity checker that works in the same fashion than Tripwire on the Windows platform, but as I was to attempt to do this with batch files, I laid my hands on InstallWatch Pro, a good piece of software that could very well do the trick. With some quick experimenting, I came to the conclusion that this setup provides efficient system integrity checking, even uncovering some unexpected file activity. I leave to the reader to figure out the best configuration, common sense should rule. I hope this will help many people at securing their systems for the best price in the world.

Appendice A. A little bit more about Installwatch

Shortly after I first released this paper, I was contacted by Gavin Stark, author of InstallWatch Pro and President of Epsilon Squared. I actually sent him an e-mail that didn"t get through, apparently because of ISP problems. But my paper generated quite ebough traffic to his site to get his attention, and that"s how he found out about this paper. We have exchanged a few e-mails, mainly for answering questions araised in the first version and thinking of ideas for a future release of InstallWatch. Some questions that proved to be irrelevant from InstallWatch Pro were simply dropped, others have been annotated in the text. Here is some more info that we exchanged on this project that might be if interest to the reader.

From:Gavin Stark
Floydman, As the author of InstallWatch, I read with interests your discussion of InstallWatch Pro. You were very accurate and reasonable in your review and I am intrigued with the idea of using InstallWatch as a security application. We did not, as you accurately ascertained, originally design the application for such but I am always looking for ways to improve
the software. I"d like to respond to several things in your document and perhaps solicit some input from you on ways to improve the software.


The CRC algorithm is CRC-32 compatible with the version used by WinZip, etc. Perhaps not as strong as MD5 or something, but sufficient for the current use which is to find files that are content-different but have the same date/time, etc. Some sneaky install programs do this to you) I would like to get feedback from you, and the community, on how to make InstallWatch more useful in the scenario you are documenting. For example, we have the following command line options available in InstallWatch:
-snapshot (perform a snapshot)
"-analyze=Name of Install" (perform an analyze - quotes are required if you want a space in the install name)
-configure (configure)
-wizard (go through an install in wizard mode)
- I have added a "-quiet" option to the command line switches which will prevent InstallWatch from displaying any UI during the various batch processes the other command line switches offer.


Here is a list of the default files we skip:
Anything in the \RECYCLED directory (The directory named RECYCLED in the ROOT directory)
Anything in the EPSILON SQUARED directory (This is any directory named EPSILON SQUARED - not very secure for an intrusion detection system as the
hacker could put his tools there...)
Anything in the "TEMPORARY INTERNET FILES" directory

As an intrusion detection system I would recommend removing the file "skipit.dll" from the installation directory and we will not skip any files by default. SkipIt.DLL is a plugin where we can update the list of skipped files dynamically. If you don"t want us to skip any of the default files, just zap skipit.dll.


The "All Files" / "All Registry" listing will now (when 2.5d is released) show as the first column the action that happened to the item (added, deleted, modified) (note: this will improve output clarity in text or html files)
Although the -quiet switch could help improve stealth of InstallWatch or be useful to regular users, it is still not ideal for an IDS file integrity checker. Even if no visual output is shown, an intruder could still notice decrease in performance as InstallWatch works. To solve this, I suggested an -ids switch that could do the following:
- implement correct configuration for IDS purpose (i.e.: does not launch on startup, does not detect "setup procedures")
- that means that Install Watch Pro can only be launched manually
- a time-out could then close InstallWatch if left open and unnantended for 5 minutes (removing it form memory until it is manually started again)

This may come in a future release, but nothing is confirmed yet.

Comments and questions about InstallWatch and InstallRite should be directed to Epsilon Squared inc. (, unless it also relates to it"s use as a Tripwire-like system, then I"d like to know about it too (

Appendice B. A lot of Perls

I was also contacted by Harlan Carvey, who told me about his own implementation of a Tripwire-like system in Perl. Harlan"s motives are the same as mine, improving the security of Windows boxes out there. I try to help by writing these text files, he does so by having a rather complete security suite for NT all written in Perl and available on the web at Make sure also to read his paper "System Security Administration for NT" presented recently at the Usenix LISA-NT "00 conference, in Seattle, WA. On his pages, you will find numerous links to Perl resources for the NT platform, along with the tools he designed. These tools let you do things like extracting info from the event viewer, collect information through the network, parse log files, and... perform integrity checking just like Tripwire. Notice that these Perl scripts use MD5 encryption for the hash, same as the original Tripwire, which is a stronger algorithm than the CRC-32 used by InstallWatch Pro.

I still didn"t have a chance to learn Perl yet, but I plan to do so soon. In the meanwhile, I am unable to comment the scripts, but I will put the code here anyway. I think it is short enough to be self explanatory (2 scripts, and Be sure to go to for the other goodies.

#! c:\perl\bin\perl.exe
# Generate MD5 checksums on files in the md5_conf file
# (example at end of script)
# Use with system files, web pages, etc. Can also use files
# on mapped drives, but must use complete path.
# copyright 1999 H. Carvey
use Digest::MD5;
use File::stat; usage();
# config file
$config = "md5_conf"; # log file for checksums...this is the file that will
# be verified by
$log = "md5_log"; open (CONF, "$config") || die "Could not open config file: $!\n";
open (LOG,"> $log") || die "Could not open log file: $!\n"; while () {
$file = $_;
chomp $file;
if (-d $file) {
print "$file is a directory. Skipping...\n";
else {
if (-e $file) {
$base = baseline($file);
$size = stat($file)->size;
$atime = stat($file)->atime;
$mtime = stat($file)->mtime;
$ctime = stat($file)->ctime;

print "$file $base $size $atime $mtime $ctime\n";
print LOG "$file $base $size $atime $mtime $ctime\n";
else {
print "$file does not exist.\n";
} close(CONF);
close(LOG); sub baseline {
my ($file) = @_;
open (FILE, $file) or die "Can"t open $file: $!\n";
$digest = Digest::MD5->new->addfile(*FILE)->b64digest;
return $digest;
} sub usage {
print "FileSeNTry, by H. Carvey\ncopyright 1999 H. Carvey\n\n"
} # Example md5_conf file...remove comment delimiters (#)
# File must contain only the filenames and paths
# No spaces
# c:\io.sys
# c:\config.sys
# c:\autoexec.bat
# c:\winnt\system32\fpnwclnt.dll
#! c:\perl\bin\perl.exe
# Verify MD5 checksums on files in the md5_logf file
# (generated by
# Use with system files, web pages, etc. Can also use files
# on mapped drives, but must use complete path.
# copyright 1999 H. Carvey
use Digest::MD5; usage(); $log = "md5_log"; print "Verifying data...\n";
open (LOG,"$log") || die "Could not open log file: $!\n"; while () {
($f,$md) = split();
if (verify($f,$md)) {
print "$f verified.\n";
else {
print "$f not verified.\n";
} sub baseline {
my ($file) = @_;
open (FILE, $file) or die "Can"t open "$file": $!\n";
$digest = Digest::MD5->new->addfile(*FILE)->b64digest;
return $digest;
} sub verify {
my ($file,$md5) = @_;
if (baseline($file) eq $md5) { return 1;}
else { return 0;}
} sub usage {
print "FileSeNTry -> verify, by H. Carvey\ncopyright 1998 H. Carvey\n"

Rate this article

All images, content & text (unless other ownership applies) are © copyrighted 2000 -  , All rights reserved. Comments are property of the respective posters.