Microsoft XP Change Analysis Diagnostic Tool
Earlier today I came across a new tool that might be useful to InfoSec professionals. Though it is not a "security" tool, it can be used by support people to better understand the modifications that have been made to a particular system. Once installed, the tool scans the computer for specific types of changes, including:

  • Software programs listed in the Add/Remove Programs control panel
  • Operating system components, including hotfixes and updates from Microsoft Update
  • Browser Helper Objects and other COM components loaded in Internet Explorer
  • Drivers
  • ActiveX controls
  • Other auto-start extensibility points
It creates a nice little XML file that you can use for a variety of purposes.

However, in my testing on my laptop, I have found that some software packages make changes in more places than I knew about. For example, Symantec Antivirus Corporate Edition changes the path to certain driver files with each virus definition update. These are reported as:
Changed from "\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070326.020\navex15.sys" to "\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070327.019\navex15.sys"
Adobe Acrobat apparently also makes regular modifications to the startup folder for its Speed Launcher program.
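The noise described above is predictable: Symantec's definition updates only change the date-stamped YYYYMMDD.NNN directory in the driver path, so a report line in the "Changed from ... to ..." format can be classified automatically. The following Python script is an added example, not part of the original diary or of Microsoft's tool; the sample report lines are constructed (the first copies the line quoted above, the others are invented for illustration), and the "suspicious-location" rule, which flags a driver path that moves into a user-writable Temp directory, is an assumed triage heuristic rather than anything the tool itself reports.

```python
import re
from typing import Dict, List

# Constructed sample in the "Changed from ... to ..." format quoted in the
# diary. Line 1 is the Symantec example from the post; lines 2 and 3 are
# invented to exercise the other verdicts (not real tool output).
SAMPLE_REPORT = r'''
Changed from "\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070326.020\navex15.sys" to "\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070327.019\navex15.sys"
Changed from "\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070326.020\naveng.sys" to "\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070327.019\naveng.sys"
Changed from "\??\C:\WINDOWS\system32\drivers\ipsec.sys" to "\??\C:\DOCUME~1\user\LOCALS~1\Temp\ipsec.sys"
'''

# One report line: Changed from "<old>" to "<new>"
CHANGE_RE = re.compile(r'^Changed from "(?P<old>[^"]*)" to "(?P<new>[^"]*)"\s*$')

# Symantec definition directories are named YYYYMMDD.NNN under VIRUSD~1.
# Replacing the version with a placeholder lets the rest of the path be compared.
DEF_VERSION_RE = re.compile(r'(\\VIRUSD~1\\)\d{8}\.\d{3}(\\)', re.IGNORECASE)

# Assumed heuristic: a driver relocated under a user-writable temp folder
# deserves a closer look than an ordinary definition update.
TEMP_LOCATION_RE = re.compile(r'\\(temp|locals~1\\temp)\\', re.IGNORECASE)


def normalize(path: str) -> str:
    """Mask the definition version and fold case so benign updates compare equal."""
    return DEF_VERSION_RE.sub(r'\1<DEFVER>\2', path).lower()


def classify(old: str, new: str) -> str:
    """Return a triage verdict for a single old -> new path change."""
    if DEF_VERSION_RE.search(old) and normalize(old) == normalize(new):
        return "definition-update"      # only the YYYYMMDD.NNN directory changed
    if TEMP_LOCATION_RE.search(new):
        return "suspicious-location"    # new path lives under a temp directory
    return "review"                     # anything else gets a human look


def triage(report: str) -> List[Dict[str, str]]:
    """Parse every 'Changed from ... to ...' line and attach a verdict."""
    results = []
    for line in report.splitlines():
        m = CHANGE_RE.match(line.strip())
        if not m:
            continue    # skip blank lines and lines in other formats
        old, new = m.group("old"), m.group("new")
        results.append({"old": old, "new": new, "verdict": classify(old, new)})
    return results


def needs_review(report: str) -> List[Dict[str, str]]:
    """Everything except known-benign definition updates."""
    return [r for r in triage(report) if r["verdict"] != "definition-update"]


if __name__ == "__main__":
    for entry in triage(SAMPLE_REPORT):
        print(f'{entry["verdict"]:20} {entry["old"]} -> {entry["new"]}')
```

Running the script on the constructed sample prints the two Symantec lines as definition-update and the Temp-directory relocation as suspicious-location; `needs_review()` is the list you would actually hand to the person working the support case. Extend `classify()` with further masks (for example, the Adobe Speed Launcher startup entry) as you learn which changes are routine on your own build.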

Even with these items, which may need to be ignored depending on the support issue at hand, the tool can be very useful for determining what end users have done to their computers. It removes the need for the user to accurately articulate the changes to you, assuming they admit to changing anything at all. For more information on the tool, please see Microsoft KB Article 924732.

ISC Handler
Mar 28th 2007
