On Wed, 22 Jul 2020 23:26:15 -0400, Paul wrote:
> You can look in the TEMP folder (there are a couple), but the
> stub can put stuff wherever it wants. It could even crap on
> your D: drive if it wants.
Hi Paul,
I appreciate your purposefully helpful informative posts, as we both seem
to strive to fully answer a question, where the result, whether intentional
(as in my case) or not, others can benefit from now, and in the future.
I was afraid of the fact that the stub could download into any folder it
wanted to, where I was hoping there was some kind of "standard" directory I
could monitor (or even a "leftover" directory, such as what Chrome-based
browsers seem to use).
<https://groups.google.com/d/msg/microsoft.public.windowsxp.general/hqKijRgHOC0/vB3pH-sZAgAJ>
Chrome-based browsers, for example, leave very useful remnants in:
o %LOCALAPPDATA%
For example, the Epic stub first downloads the full installer in:
o "%LOCALAPPDATA%\Epic Privacy Browser\Installer\"
And then that download will next install the Epic executable here:
o "%LOCALAPPDATA%\Epic Privacy Browser\Application\epic.exe"
The Brave browser, as noted here, also uses %LOCALAPPDATA% as shown here:
<https://groups.google.com/forum/#!topic/alt.comp.freeware/bog50yqc_As>
o "%LOCALAPPDATA%\BraveSoftware\Brave-Browser\User Data\"
But, as you noted, they can use "anything", where, I guess I need to look
up all the possible "TEMP" directories to see what goes into there.
Given the definition:
<https://groups.google.com/d/msg/microsoft.public.windowsxp.general/2HxabZ93Y3U/Rzdj4qPc4LIJ>
o TMP -> developer tools temporary files
o TEMP -> user apps temporary files
I can find (most of?) the temporary directories in the control panel:
<https://adamtheautomator.com/powershell-environment-variables/>
Win+R > control > {Category}: System and security > System > Advanced System Settings > System Properties > Advanced > Environment Variables
o {User} %TEMP%===%USERPROFILE%\AppData\Local\Temp
o {User} %TMP%===%USERPROFILE%\AppData\Local\Temp
o {System} %TEMP%===%SystemRoot%\TEMP (aka %windir%\temp)
o {System} %TMP%===%SystemRoot%\TMP (aka %windir%\tmp)
Where I think there are a few more not in the control panel:
<https://groups.google.com/d/msg/microsoft.public.windowsxp.general/R6UJkSBAe5U/jEixhqB0opIJ>
o %USERPROFILE%\Local Settings\Temp
(aka C:\Documents and Settings\{user}\Local Settings\Temp)
o C:\Windows\assembly\temp
o C:\Windows\assembly\tmp
Of course, there's also the "Downloads" directories...
<https://answers.microsoft.com/en-us/windows/forum/windows_10-files/temporary-downloads-folder/e686f397-57b9-4ac8-8ede-5d8e039cefb7>
o %UserProfile%\Downloads
Did I miss any of the default "temp/tmp" directories?
<https://www.askvg.com/where-does-windows-store-temporary-files-and-how-to-change-temp-folder-location/>
> I'd probably start by running that in WINE, have the operation
> fail for various reasons, and extract the file in question from
> the "wreckage". For that particular example, I would not start by loading
> that into the main OS.
I was thinking along similar lines, of having the operation fail, and then
run a before/after logging program, which could tell us what was different
between the before and after.
Best would be a before/after logger that could tell which files were not
only added, but which were deleted by the stub, but that might not exist.
> You can make a filelist before and after, and spot the new materials.
>
> You can also do that in the middle of the install, when the installer
> is prompting for something, then go scan and see what you got so far.
Do you have a good recommendation for a before/after logger?
o Normally I just use "dir /s/a/l/on/b C: > c:\tmp\20200723salonb.txt"
Googling, there seems to be a Windows system installer log mechanism:
o *How to enable Windows Installer logging*
<https://support.microsoft.com/en-us/help/223300/how-to-enable-windows-installer-logging>
o HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
o Type: Reg_SZ, Value: Logging, Data: voicewarmupx
There seem to be a few freeware utilities for installation logging:
o *7 Tools to Monitor Software Installs*
<https://www.raymond.cc/blog/monitor-software-installs-remove-leftovers-install-monitor/>
1. Advanced Uninstaller Pro <https://www.advanceduninstaller.com/>
2. Install Monitor (no longer free?) <https://www.mirekusoft.com/downloads/>
3. Primo <http://randy_hall.tripod.com/download.htm>
4. Total Uninstall <https://www.totaluninstaller.com/download.html>
(last freeware version) <>
5. Comodo Programs Manager <https://www.comodo.com/home/support-maintenance/programs-manager.php>
6. ZSoft Uninstaller <http://www.zsoft.dk/>
7. Ashampoo Magical UnInstall <https://www.ashampoo.com/en/usd/pin/2003/system-software/uninstaller-8>
There are lots of other hits so that's why I ask what folks like best:
o *How to log and compare Windows Registry data before and after any program installation?*
<https://stackoverflow.com/questions/1911689/how-to-log-and-compare-windows-registry-data-before-and-after-any-program-instal>
o Total Commander <https://www.ghisler.com/>
o RegShot <https://sourceforge.net/projects/regshot/>
o Process Monitor <https://docs.microsoft.com/en-us/sysinternals/downloads/procmon>
o Program Installation Monitor <https://sourceforge.net/projects/program-installation-monitor/>
o Revo Uninstaller <https://www.revouninstaller.com/revo-uninstaller-free-download/>
What uninstaller/logger do you recommend that can tell us what happened
between executing the stub and final installation (which might catch the
full network installer download location before it's auto deleted)?
> In the AV scan, BitDefender found something. But at this point I
> don't plan to burrow any deeper, because experience tells me
> it will be largely a waste of time. At one time, the AV companies
> used to write reports for some of these things, and in "one-hop"
> you could have your answer. If I enter some search terms
> today *nothing* shows up. Big vacuum.
Thanks and I don't want you to spend more time on this.
Just whatever you know off the top of your head is more than I know.
I don't use AV programs anymore, and I haven't gotten a virus in a decade
(AFAIK), even as I must install dozens of software packages a week, on
average.
Maybe I'm just lucky (or ignorant).
> I can only assume it's a PUPS, and maybe the "free" product was
> supported by cruft when first delivered. Some of these companies
> disable their OpenCandy delivery vehicle, maybe a year after the
> product comes out.
Thanks. I forgot what a PUPS was, so I googled to refresh my memory:
o *PUPs Explained: What is a Potentially Unwanted Program*
<https://www.howtogeek.com/232791/pups-explained-what-is-a-potentially-unwanted-program/>
I have a one-strike-you're-out policy on freeware.
o The instant it does something obnoxious, it's out.
> So for me, that product starts in WINE, and with a bit of luck,
> I get a carcass to add to my collection (from one of the TEMPs).
Understood. I gave up on WINE long ago for Windows emulation in Linux,
where I can use VMs, but I gave up on them long ago also as too much
trouble; but they worked great when I was getting frequent calls from the
Indians named "joe" pushing the Microsoft Support scam on me (hehheh).
Thanks for your help, where any advice on what uninstaller folks like will
help to log the activity of before, during, and after...
During is the hard part, of course, as we can presume they will delete the
full network installer if they don't want it lying around as a TMP file.
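As an added example (not Paul's or the poster's code), here is a Python before/after snapshot differ that does what the "dir /s" file-list comparison in the post does, but also reports deleted and changed files, which is what the poster said they wanted. The DEFAULT_ROOTS list assumes the %LOCALAPPDATA%, %TEMP%, %TMP% and Downloads folders named in this thread, and the files demo() creates in a scratch directory are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Folders the thread discusses; unset variables are skipped by snapshot().
DEFAULT_ROOTS = [os.environ.get("LOCALAPPDATA", ""), os.environ.get("TEMP", ""),
                 os.environ.get("TMP", ""),
                 os.path.join(os.environ.get("USERPROFILE", ""), "Downloads")]

def sha256_of(path, chunk=1 << 20):
    """Hash contents so a same-size overwrite still shows as modified."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(roots):
    """Map absolute file path -> (size, sha256) for every file under roots."""
    snap = {}
    for root in roots:
        if not root or not os.path.isdir(root):
            continue
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = os.path.join(dirpath, name)
                try:
                    snap[p] = (os.path.getsize(p), sha256_of(p))
                except OSError:  # vanished or locked mid-walk: record presence only
                    snap[p] = (None, None)
    return snap

def diff(before, after):
    """Lists of paths added, deleted, or changed between two snapshots."""
    return {"added": sorted(set(after) - set(before)),
            "deleted": sorted(set(before) - set(after)),
            "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p])}

def demo():
    """Constructed run in a scratch dir: keep one file, delete one, add one, edit one."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        for name, data in [("keep.txt", b"same"), ("gone.tmp", b"x"), ("edit.log", b"v1")]:
            write(name, data)
        before = snapshot([root])
        os.remove(os.path.join(root, "gone.tmp"))
        write("installer.exe", b"MZ")     # the "full network installer" appearing
        write("edit.log", b"v2")          # same file, same size, new contents
        return {k: [os.path.basename(p) for p in v] for k, v in diff(before, snapshot([root])).items()}
```

For a real run, take snapshot(DEFAULT_ROOTS) before launching the stub, again at each installer prompt (the "during" Paul mentions), and once more after it finishes, then diff the pairs; hashing all of %LOCALAPPDATA% can take a while, so narrow the roots if the first pass is slow.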