Regshot for Linux

From LQWiki
Author: Sag47 (talk, contrib)


Introduction

There are two primary tools for Windows that make it easy to analyze the changes an installed program makes to the file system and registry. Regshot and Registry Key Remover complement each other: they take snapshots of a Windows system before and after an installation and then generate an NSIS script which can be compiled to undo the changes.

This short guide replicates the functionality of those programs using native Linux commands that are already designed for the job.

Regshot for Linux

Unix provides several tools that easily recreate the functionality of the Windows utility Regshot. The first method shown here only reveals which files have been added or removed. The second method only reveals which files have been changed or removed. Use both methods to get the complete picture of what was added, removed, or changed.

If you're using this because you have a problem with your system, you may also want to check my blog for how to effectively search your system logs for keywords.

Compare for files added/removed

This method uses the find command to list the file system before and after an install. Comparing the two listings shows which files were added or removed. It does not, however, detect files that were changed; skip to the next section for that.

Run the following commands as root. This replicates Regshot, which takes two snapshots and then compares them.

find / | grep -v '^/proc' > snapshot1

#Install software on to your system. After you install the software continue.

find / | grep -v '^/proc' > snapshot2
diff -crB snapshot1 snapshot2 > changes

Now you can view the changes made to your system in a pager (less) or in the editor vim (use :q to quit).

less changes
vim changes

Compare for files changed/removed

This method uses the find command to list the filesystem and then runs an md5 checksum on every file. After the install, checking all files against the recorded md5 checksums shows which files were changed. Any checksum that fails means the file was either changed or deleted; grep can further filter out the failures for deleted files so that only changed files are listed.

Run the following commands as root, and be mindful of your working directory when working with the output files.

find / -path /proc -prune -o -type f -print0 | xargs -0 md5sum | tee md5sum.txt

Now install your software and check your whole filesystem against the previously generated md5 checksums.

md5sum -c md5sum.txt 2> /dev/null | grep -i 'FAIL' > failed.txt

Now you can view the changes made to your system in a pager (less) or in the editor vim (use :q to quit).

less failed.txt
vim failed.txt

Things to notice

You may already have noticed this, but perhaps not if you're new to Linux. In all of the above commands I have excluded the /proc directory because it holds the state of currently running processes, keyed by PID. You don't need to list it or checksum it, and in fact you can't do so reliably, so it is best left alone here.