Regshot for Linux

Introduction
There are two primary tools for Windows which make analyzing the file system and registry easy for Windows installed programs. Regshot and Registry Key Remover are compliments of each other designed to take snapshots of a Windows system before and after and then generate an NSIS script which can be compiled to undo the changes.

This small guide was written to replicate the functionality of those programs but use Linux native commands which are already designed to do that.

Regshot for Linux
Unix provides multiple tools for easily recreating the functionality of the Windows utility Regshot. The first method I show only allows one to view which files have been added or removed. The second method only reveals which files have been changed or removed. It is recommended to use both methods to figure out what files have been added, removed, or changed.

If you're using this functionality because you have a problem with your system then you may want to check my blog for how to effectively search your system logs for keywords.

Compare for files added/removed
This method uses the find command to list out the file system before and after an install. Then by comparing the two listings one could figure out what files have specifically been added/removed. This method does not work, however, for files which have been changed. Skip to the next section for finding files which have been changed.

Run the following commands as root. This will replicate the functionality of regshot which takes two snapshots and then compares the differences. find / | grep -v '^/proc' > snapshot1 find / | grep -v '^/proc' > snapshot2 diff -crB snapshot1 snapshot2 > changes
 * 1) Install software on to your system. After you install the software continue.

Now you can view the changes that were made by your system in a pager (less) or the editor vim (use :q to quit). less changes vim changes

Compare for files changed/removed
This method uses the find command to list out the filesystem and then run an md5 checksum on every file. This method allows the user to figure out which files have been changed by an install by checking all files against their md5 checksums. If any checksums fail then it means the file has either been changed or deleted. One could use grep to further filter out failed checksums for deleted files to list just files which have been changed.

Run the following commands as root and be sure to be mindful of your working directory when working with the output files. find / -type f -wholename '/proc' -prune -print0 | xargs -0 md5sum | tee md5sum.txt

Now install your software and check your whole filesystem against the previously generated md5 checksums. md5sum -c md5sum.txt 2> /dev/null | grep -i 'FAIL' > failed.txt

Now you can view the changes that were made by your system in a pager (less) or the editor vim (use :q to quit). less failed.txt vim failed.txt

Things to notice
You may have already noticed this but then again you may not if you're new to Linux. In all of the above commands I have excluded the /proc directory because it is associated with the PIDs of currently running processes. Basically you don't need to list these our or checksum it because you can't. It is best to leave it alone in this instance.