What exactly is "stealth?"

Discuss anything related to portable freeware here.
tedkord
Posts: 1
Joined: Fri May 02, 2008 1:37 pm

#1 Post by tedkord »

I've put several useful portable apps on my 8gb pen drive, and made sure each was classified as stealth on this website. Next, to test them out, I took them to work and launched each, using PStart.

Every one of them left some info in the registry. PStart included. SMPlayer, Eraser portable, CCleaner portable, and so on. At the very least, each one left its path in the registry. In the case of SMPlayer, MPlayer left even more. I checked at home, and they were there, too.
Here's an example from home:

"HKEY_USERS\S-1-5-21-...-1957994488-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache" has the string value " L:\Portable Apps\smplayer-0.6.0rc4\smplayer.exe" in it.

Am I doing something wrong? I installed each according to the directions.
Any help appreciated! :D

MiDoJo
Posts: 282
Joined: Thu Apr 17, 2008 2:36 pm

#2 Post by MiDoJo »

MUI Cache is not something that is considered leaving a reg entry (as far as I'm aware). This is just the cache of most recent programs and stuff. If you really wanna get rid of these listings too, use CCleaner or another similar program.

Queue
Posts: 197
Joined: Mon Oct 08, 2007 2:41 am

#3 Post by Queue »

If someone wants to take the time to list any (and if possible all) standard locations in the registry (or file system too, I guess) where Windows automatically saves path names, I could prepare a simple automatic cleanup utility that you could run off a Flash Drive before ejecting to remove any traces relating to that particular drive. Essentially, it'd just compare the drive letter assigned to the drive and remove any recent file listings that were from that drive letter.

Queue

m^(2)
Posts: 890
Joined: Sat Mar 31, 2007 2:38 am
Location: Kce,PL

#4 Post by m^(2) »

Queue wrote: If someone wants to take the time to list any (and if possible all) standard locations in the registry (or file system too, I guess) where Windows automatically saves path names, I could prepare a simple automatic cleanup utility that you could run off a Flash Drive before ejecting to remove any traces relating to that particular drive. Essentially, it'd just compare the drive letter assigned to the drive and remove any recent file listings that were from that drive letter.

Queue
As it's written here, even "stealth" apps are not really stealth. Such a tool would make detection of their work harder, but still possible. I think it would make the misunderstanding of pseudo-stealthiness even worse. Such a tool could be useful for some. You could also write a good explanation of what it does and what it does not. But as many people don't read readmes anyway, I think you shouldn't write this tool at all.

Queue
Posts: 197
Joined: Mon Oct 08, 2007 2:41 am

#5 Post by Queue »

Well, Nir Sofer's release of CleanAfterMe lit a fire under my butt to pursue this idea further with my EjectUSB utility. Man, I love NirSoft's stuff.

Anyhow, right now EjectUSB only cleans up:

HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache

but by digging around the registry a little more and taking CleanAfterMe as an example, I think I need to also cover the following places (those marked with an X have been implemented in EjectUSB7):

X HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
X HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
X HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
X HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
X HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams
X HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

and Vista locations I need to add:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU

and I'm not sure about the following locations:

HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify
(These two are big and seem to be a mess to parse. I think cleaning them would be required for extreme stealthiness but I'm not touching them until I'm positive of their structure.)

While CleanAfterMe clears all entries, my objective is to only remove entries directly related to the drive or folder passed to EjectUSB.

Any thoughts? Are there other places I've missed? I should probably also check the recent documents .lnk files as well.

Queue

Edit: Updating the listings as I work on EjectUSB revision 7.

Also, I honestly like Microsoft, but I'm frustrated how practically every one of the above locations in the registry adheres to a slightly different format.

Second Edit: I've updated EjectUSB with the more comprehensive registry cleanup that I listed in this post. It's here.

Queue
Posts: 197
Joined: Mon Oct 08, 2007 2:41 am

#6 Post by Queue »

I could use some help from someone running Vista. If willing, could someone upload registry exports for:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
and
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU

They shouldn't contain any super-sensitive information; just file names. The format for at least one of these is a fair bit different than it is on XP and I don't have consistent access to a Vista machine to get the information from (it'll be many days before I'm back at one).

---

I've implemented Recent Documents cleanup into my 8th revision of EjectUSB and will upload it once I get these two Vista-specific cleanup sections added.

Queue

MiDoJo
Posts: 282
Joined: Thu Apr 17, 2008 2:36 pm

#7 Post by MiDoJo »

Queue, glad yer workin' on Eject some more; I think it's a great idea from a progie.

Can we maybe start a new thread (just copy-paste whatever peeps have already said)?

Here is my Vista last visited

Code:

Key Name:          HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
Class Name:        <NO CLASS>
Last Write Time:   5/29/2008 - 6:40 PM
Value 0
  Name:            MRUListEx
  Type:            REG_BINARY
  Data:            
00000000   01 00 00 00 00 00 00 00 - ff ff ff ff              ........ÿÿÿÿ

Value 1
  Name:            0
  Type:            REG_BINARY
  Data:            
00000000   77 00 6d 00 70 00 6c 00 - 61 00 79 00 65 00 72 00  w.m.p.l.a.y.e.r.
00000010   2e 00 65 00 78 00 65 00 - 00 00 14 00 1f 44 47 1a  ..e.x.e......DG.
00000020   03 59 72 3f a7 44 89 c5 - 55 95 fe 6b 30 ee 20 00  .Yr?§D.ÅU.þk0î .
00000030   00 00 1a 00 ee bb fe 23 - 00 00 10 00 71 d5 d8 4b  ....î»þ#....qÕØK
00000040   19 6d d3 48 be 97 42 22 - 20 08 0e 43 00 00 6c 00  .mÓH¾.B" ..C..l.
00000050   31 00 00 00 00 00 00 00 - 00 00 10 00 46 72 69 67  1...........Frig
00000060   68 74 65 6e 65 64 20 52 - 61 62 62 69 74 00 4c 00  htened Rabbit.L.
00000070   07 00 04 00 ef be 00 00 - 00 00 00 00 00 00 26 00  ....ï¾........&.
00000080   00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
00000090   00 00 00 00 46 00 72 00 - 69 00 67 00 68 00 74 00  ....F.r.i.g.h.t.
000000a0   65 00 6e 00 65 00 64 00 - 20 00 52 00 61 00 62 00  e.n.e.d. .R.a.b.
000000b0   62 00 69 00 74 00 00 00 - 20 00 6a 00 31 00 00 00  b.i.t... .j.1...
000000c0   00 00 be 38 dd 02 10 00 - 4d 49 44 4e 49 47 7e 31  ..¾8Ý...MIDNIG~1
000000d0   00 00 52 00 07 00 04 00 - ef be be 38 2b 02 be 38  ..R.....ï¾¾8+.¾8
000000e0   5b 02 26 00 00 00 71 d0 - 01 00 00 00 2d 01 00 00  [.&...qÐ....-...
000000f0   00 00 00 00 00 00 00 00 - 4d 00 69 00 64 00 6e 00  ........M.i.d.n.
00000100   69 00 67 00 68 00 74 00 - 20 00 4f 00 72 00 67 00  i.g.h.t. .O.r.g.
00000110   61 00 6e 00 20 00 46 00 - 69 00 67 00 68 00 74 00  a.n. .F.i.g.h.t.
00000120   00 00 18 00 00 00                                  ......

Value 2
  Name:            1
  Type:            REG_BINARY
  Data:            
00000000   72 00 65 00 67 00 65 00 - 64 00 69 00 74 00 2e 00  r.e.g.e.d.i.t...
00000010   65 00 78 00 65 00 00 00 - 00 00                    e.x.e.....


and here is my Opensave (which was made when I opened the txt file containing the above information)

Code:

Key Name:          HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
Class Name:        <NO CLASS>
Last Write Time:   5/29/2008 - 6:40 PM

Key Name:          HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\*
Class Name:        <NO CLASS>
Last Write Time:   5/29/2008 - 6:45 PM
Value 0
  Name:            0
  Type:            REG_BINARY
  Data:            
00000000   78 00 32 00 00 00 00 00 - 00 00 00 00 80 00 6c 61  x.2...........la
00000010   73 74 76 69 73 69 74 65 - 64 70 69 64 6d 72 75 2e  stvisitedpidmru.
00000020   74 78 74 00 54 00 07 00 - 04 00 ef be 00 00 00 00  txt.T.....ï¾....
00000030   00 00 00 00 26 00 00 00 - 00 00 00 00 00 00 00 00  ....&...........
00000040   00 00 00 00 00 00 00 00 - 00 00 6c 00 61 00 73 00  ..........l.a.s.
00000050   74 00 76 00 69 00 73 00 - 69 00 74 00 65 00 64 00  t.v.i.s.i.t.e.d.
00000060   70 00 69 00 64 00 6d 00 - 72 00 75 00 2e 00 74 00  p.i.d.m.r.u...t.
00000070   78 00 74 00 00 00 24 00 - 00 00                    x.t...$...

Value 1
  Name:            MRUListEx
  Type:            REG_BINARY
  Data:            
00000000   01 00 00 00 00 00 00 00 - ff ff ff ff              ........ÿÿÿÿ

Value 2
  Name:            1
  Type:            REG_BINARY
  Data:            
00000000   60 00 32 00 00 00 00 00 - 00 00 00 00 80 00 6f 70  `.2...........op
00000010   65 6e 73 61 76 65 31 2e - 74 78 74 00 44 00 07 00  ensave1.txt.D...
00000020   04 00 ef be 00 00 00 00 - 00 00 00 00 26 00 00 00  ..ï¾........&...
00000030   00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
00000040   00 00 6f 00 70 00 65 00 - 6e 00 73 00 61 00 76 00  ..o.p.e.n.s.a.v.
00000050   65 00 31 00 2e 00 74 00 - 78 00 74 00 00 00 1c 00  e.1...t.x.t.....
00000060   00 00                                              ..


Key Name:          HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\txt
Class Name:        <NO CLASS>
Last Write Time:   5/29/2008 - 6:45 PM
Value 0
  Name:            0
  Type:            REG_BINARY
  Data:            
00000000   78 00 32 00 00 00 00 00 - 00 00 00 00 80 00 6c 61  x.2...........la
00000010   73 74 76 69 73 69 74 65 - 64 70 69 64 6d 72 75 2e  stvisitedpidmru.
00000020   74 78 74 00 54 00 07 00 - 04 00 ef be 00 00 00 00  txt.T.....ï¾....
00000030   00 00 00 00 26 00 00 00 - 00 00 00 00 00 00 00 00  ....&...........
00000040   00 00 00 00 00 00 00 00 - 00 00 6c 00 61 00 73 00  ..........l.a.s.
00000050   74 00 76 00 69 00 73 00 - 69 00 74 00 65 00 64 00  t.v.i.s.i.t.e.d.
00000060   70 00 69 00 64 00 6d 00 - 72 00 75 00 2e 00 74 00  p.i.d.m.r.u...t.
00000070   78 00 74 00 00 00 24 00 - 00 00                    x.t...$...

Value 1
  Name:            MRUListEx
  Type:            REG_BINARY
  Data:            
00000000   01 00 00 00 00 00 00 00 - ff ff ff ff              ........ÿÿÿÿ

Value 2
  Name:            1
  Type:            REG_BINARY
  Data:            
00000000   60 00 32 00 00 00 00 00 - 00 00 00 00 80 00 6f 70  `.2...........op
00000010   65 6e 73 61 76 65 31 2e - 74 78 74 00 44 00 07 00  ensave1.txt.D...
00000020   04 00 ef be 00 00 00 00 - 00 00 00 00 26 00 00 00  ..ï¾........&...
00000030   00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
00000040   00 00 6f 00 70 00 65 00 - 6e 00 73 00 61 00 76 00  ..o.p.e.n.s.a.v.
00000050   65 00 31 00 2e 00 74 00 - 78 00 74 00 00 00 1c 00  e.1...t.x.t.....
00000060   00 00                                              ..

PM me if you need me to actually upload the reg export file; I exported it to TXT.
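For anyone wanting to read these dumps as a forensic artifact rather than just clear them: a small parser for the two binary formats MiDoJo posted (MRUListEx and a LastVisitedPidlMRU value). This is an added example written for this thread, not Queue's EjectUSB code; the extension-block offsets it relies on are marked in comments where they are assumptions rather than checked against the dump above.

```python
"""Decode Vista ComDlg32 LastVisitedPidlMRU data (added example, not EjectUSB code).
A value is '<exe>' + NUL in UTF-16LE, then a PIDL: SHITEMIDs (WORD cb + cb-2 bytes) ended
by cb == 0; folder names sit in 0xBEEF0004 extension blocks. Bytes re-typed from MiDoJo's dump."""
import struct

def parse_mrulistex(data: bytes) -> list[int]:
    """MRUListEx: DWORD value names, most recent first, terminated by 0xFFFFFFFF."""
    idxs = [i for (i,) in struct.iter_unpack("<I", data[: len(data) // 4 * 4])]
    return idxs[: idxs.index(0xFFFFFFFF)] if 0xFFFFFFFF in idxs else idxs

def _utf16z(buf: bytes, off: int = 0) -> tuple[str, int]:
    """NUL-terminated UTF-16LE string at off -> (text, offset just past the NUL)."""
    end = next((i for i in range(off, len(buf) - 1, 2) if buf[i:i + 2] == b"\0\0"), len(buf))
    return buf[off:end].decode("utf-16-le", "replace"), end + 2

def _folder_name(item: bytes) -> str:
    """Long name of a file-system SHITEMID (type 0x31/0x32), else its 8.3 short name."""
    ext = item[struct.unpack_from("<H", item, len(item) - 2)[0]:]  # last WORD = ext offset
    if len(ext) >= 8 and ext[4:8] == b"\x04\x00\xef\xbe":           # 0xBEEF0004 signature
        version = struct.unpack_from("<H", ext, 2)[0]
        # Name at 38 for version 7 (Vista, matches the dump); 20 for version 3 is the XP
        # layout and an assumption not checked against data on this page.
        return _utf16z(ext, 38 if version >= 7 else 20)[0]
    return item[14:].split(b"\0")[0].decode("ascii", "replace")

def parse_lastvisited_value(data: bytes) -> dict:
    """Return the dialog's owning executable and the folder path it last visited."""
    exe, pos = _utf16z(data)
    folder = []
    while pos + 2 <= len(data):
        cb = struct.unpack_from("<H", data, pos)[0]
        if cb < 2:                                        # zero-length SHITEMID ends the PIDL
            break
        item, pos = data[pos:pos + cb], pos + cb
        if len(item) > 14 and (item[2] & 0x70) == 0x30:   # skip root and known-folder items
            folder.append(_folder_name(item))
    return {"exe": exe, "folder": folder}

# Constructed input, re-typed from MiDoJo's LastVisitedPidlMRU export (MRUListEx, value "0").
MRULISTEX = bytes.fromhex("01000000 00000000 ffffffff")
VALUE_0 = bytes.fromhex(
    "77006d00 70006c00 61007900 65007200 2e006500 78006500 00001400 1f44471a"
    "0359723f a74489c5 5595fe6b 30ee2000 00001a00 eebbfe23 00001000 71d5d84b"
    "196dd348 be974222 20080e43 00006c00 31000000 00000000 00001000 46726967"
    "6874656e 65642052 61626269 74004c00 07000400 efbe0000 00000000 00002600"
    "00000000 00000000 00000000 00000000 00000000 46007200 69006700 68007400"
    "65006e00 65006400 20005200 61006200 62006900 74000000 20006a00 31000000"
    "0000be38 dd021000 4d49444e 49477e31 00005200 07000400 efbebe38 2b02be38"
    "5b022600 000071d0 01000000 2d010000 00000000 00000000 4d006900 64006e00"
    "69006700 68007400 20004f00 72006700 61006e00 20004600 69006700 68007400"
    "00001800 0000")
```

Running `parse_lastvisited_value(VALUE_0)` on the dump gives wmplayer.exe with the folder chain Frightened Rabbit / Midnight Organ Fight, and `parse_mrulistex(MRULISTEX)` shows value "1" (regedit.exe) as the most recent entry; a drive letter never appears in this artifact because the PIDL walks from the shell namespace root, which is why filtering it by drive letter alone would miss it.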

ashghost
Posts: 384
Joined: Wed Feb 06, 2008 2:55 pm
Location: South Carolina

reg files

#8 Post by ashghost »

I uploaded exported reg files to senduit.com for you:

last visited:
http://senduit.com/c0feab

open save
http://senduit.com/6459a0

Cheers

Queue
Posts: 197
Joined: Mon Oct 08, 2007 2:41 am

#9 Post by Queue »

Thanks a ton both of you, that should be plenty of raw data to figure out the formatting for those registry entries.

I have a thread going in the Portable Freeware Development subforum, but it seems tough to get much in the way of feedback there. I've been piggy-backing on this thread since the newest parts of EjectUSB have been directly related to the original post.

Queue

Edit: Thanks again you two. EjectUSB revision 8 is here.
