
What is really left behind with portable apps?

Anthony A
Joined: 2007-11-28 16:33
What is really left behind with portable apps?

I have been using the portable apps suite from a thumb drive on a machine for the last couple of weeks. I was curious to see what is left behind when using these portable apps. I ran Nirsoft Regscanner 1.60. I punched in "portableapps" and ran a scan of the whole Registry. This is what I found. 78 items. Please explain.

http://www.screenshots.cc/view_image/8b6a1640/2007-12-13_001509.jpg

John T. Haller
Admin, Developer, Moderator, Translator
Joined: 2005-11-28 22:21
Well

Well, from the list I can see a few entries due to Firefox auto-updating. This is due to a bug introduced in later versions of Mozilla Firefox itself... somewhere within 2.0.0.x versions. Details are here. The workaround is listed in that bug.

The other thing I see in the list is 7-Zip entries, which are cleaned up when you properly shut down 7-Zip Portable.

Sometimes, the impossible can become possible, if you're awesome!

Anthony A
Joined: 2007-11-28 16:33
What do you mean properly

What do you mean properly shut down 7 Zip Portable?

What about the rest of the entries?

John T. Haller
Admin, Developer, Moderator, Translator
Joined: 2005-11-28 22:21
Close It

Properly shut down = close it without yanking the drive out. (The next version of 7-Zip Portable will even clean up when you yank the drive out.)

The other entries I see appear to be the Firefox auto-update (it improperly changes a couple dozen keys at least). Thunderbird does, too (it uses the same updater with the same bug).

Sometimes, the impossible can become possible, if you're awesome!

Ryan McCue
Joined: 2006-01-06 21:27
How?

How does it do that? Loads itself into memory?

"If you're not part of the solution, you're part of the precipitate."

Simeon
Developer, Translator
Joined: 2006-09-25 15:15
You're not the

only one who wants to know that ;)

"What about Love?" - "Overrated. Biochemically no different than eating large quantities of chocolate." - Al Pacino in The Devils Advocate

digitxp
Joined: 2007-11-03 18:33
I think it does that by

I think it does that by 1) closing and deleting all marks of itself on the computer and 2) getting a hidden program that loads itself into physical memory (the whole thing) and, when it detects ejection of the drive, closes all programs running off of it. Like U3...
P.S. Is it going to be on the other Portable apps?

Insert original signature here with Greasemonkey Script.

Simeon
Developer, Translator
Joined: 2006-09-25 15:15
not like u3

cause U3 leaves an exe on the host.
It has to be in the memory.

"P.S. Is it going to be on the other Portable apps?"
What do you mean?

"What about Love?" - "Overrated. Biochemically no different than eating large quantities of chocolate." - Al Pacino in The Devils Advocate

Anthony A
Joined: 2007-11-28 16:33
I did not shut down 7 Zip

I did not shut down 7 Zip improperly. I always close Portable Apps by closing the individual app, then clicking the close button on the Portable Apps Start Menu, and then once it's closed I select the Safely Remove Hardware icon in the System Tray, and then when it indicates it's safe to remove the device I do.

There are many more entries in the log than Firefox and Thunderbird. There are ClamWin and Miranda entries as well. Bottom line is that there is a lot being left behind. I have yet to find a truly portable app anywhere. Everything leaves something behind.

Simeon
Developer, Translator
Joined: 2006-09-25 15:15
yep

You can't avoid all entries because Microsoft does some and you can't remove them. That's how the Miranda and ClamWin entries got there. It's the same with the entries in your prefetch folder...

"What about Love?" - "Overrated. Biochemically no different than eating large quantities of chocolate." - Al Pacino in The Devils Advocate

John T. Haller
Admin, Developer, Moderator, Translator
Joined: 2005-11-28 22:21
Yeah

Windows itself will keep track of certain things and, if you're not logged in as an admin, you can't delete them. So, there's no such thing as leaving nothing at all behind. The commercially available portable platforms all lie in their advertisements and on their websites and say things like "no trace", etc., even though they actually leave the usual registry entries, MUI Cache, prefetch files, etc. Heck, some of the commercial platforms make the "no trace" claim and actually leave their own EXE files behind.

The portable apps from here leave as little as possible... and the platform itself will have some improved options to ensure that some of the Windows bits are cleaned up when possible... but there's a reason it's listed as "no personal information left behind" instead of "no trace". Anyone claiming "no trace" is trying to sell you something and lying in the process.

Sometimes, the impossible can become possible, if you're awesome!

digitxp
Joined: 2007-11-03 18:33
Umm...

You're saying that's why SanDisk teamed up with Microsoft so they can make a workaround for the reg entries. That sounds a little too much for Microsoft.

Insert original signature here with Greasemonkey Script.

ZachHudock
Developer
Joined: 2006-12-06 18:07
Umm...

Where did he say that SanDisk teamed up with Microsoft in that statement?

The developer formerly known as ZGitRDun8705

Ed_P
Joined: 2007-02-19 09:09
He didn't.

But SanDisk has indeed teamed up with MS for a new device in 2008. However, it's unlikely that either company is looking to create a stealth device. Trying to circumvent the rules, policies and regulations of companies, schools and libraries is not a corporate goal for either.

Ed

peter_g
Joined: 2006-09-09 05:54
That was not clear to me!

Oops!
That was not clear to me!

It was in fact not clear to me that portable apps are not "traceless", but secure in the sense that no personal information is left behind... which is a great feature!

Even though I am a little bit disappointed about that (;-)), I am clearly happy about having understood that (I think important) difference!

And to be clear: I will keep using portable apps, because portable apps are very useful for my daily digital life :)

ZachHudock
Developer
Joined: 2006-12-06 18:07
Did you have your portable

Did you have your portable apps running while you ran the reg scan? These apps will move data into the registry while they are running (they back up any data that may already be there, move the new data in place, remove the new data when the app is closed, and restore the original).

The developer formerly known as ZGitRDun8705

Anthony A
Joined: 2007-11-28 16:33
No I did not have the

No, I did not have the Portable Apps running. It would have defeated the purpose of the test, which was to see what is left behind AFTER running the Portable Apps. I also rebooted before doing the scan. I would recommend others try it. I used Nirsoft Regscanner. It is a tiny little standalone app that has a lot of handy scanning variables and lists all the results in a window. Much better than Windows' built-in Reg Scanner. It doesn't clean anything, so it's perfectly safe. Once the results are listed you can double-click an entry and it brings you right to it in Regedit.
http://www.nirsoft.net/utils/regscanner.html

ZachHudock
Developer
Joined: 2006-12-06 18:07
I did a scan with it, after

I did a scan with it, after running FFP, ClamWinPortable and Notepad++Portable...the only keys it detected were MRU and MUI, which will always retain some data....as John said above, PortableApps claims it leaves no personal data behind, not that it leaves no data at all behind.

The developer formerly known as ZGitRDun8705

Anthony A
Joined: 2007-11-28 16:33
What were your scanning

What were your scanning options? Here are mine.
http://www.screenshots.cc/view_image/bed441907/2007-12-13_132944.jpg

ZachHudock
Developer
Joined: 2006-12-06 18:07
I just redid the scan with

I just redid the scan with my settings identical to yours, it found more, but still just MRU or MUI....nothing more than that.

The developer formerly known as ZGitRDun8705

Anthony A
Joined: 2007-11-28 16:33
Could you post a screen shot

Could you post a screen shot of the results so I can compare to mine?

ZachHudock
Developer
Joined: 2006-12-06 18:07
Here is my

Here is my screenshot.

http://www.screenshots.cc/view_image/6802b1555/regscreenshot.jpg

If you expand your Registry Key column in RegScanner as I have, you will see that all of the entries are in one of two locations:

HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

The "HKU\[series of numbers]\anything" is identical to "HKCU\anything"

Edit: I just looked at the screenshot of your registry keys again. The entries in HKLM most likely came from allowing FirefoxPortable to automatically update the internal Firefox (allowing FFP to auto-upgrade the internal Firefox can break a locally installed copy). This is a known bug, just recently discovered, and I believe John is working on a fix for this.

The developer formerly known as ZGitRDun8705

Anthony A
Joined: 2007-11-28 16:33
OK but that is a lot left

OK, but that is a lot left behind. What is the significance of the entries being in
HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

I will not be updating any of the apps internally any more. I will wait for the portable version to be released and update from this site.

John T. Haller
Admin, Developer, Moderator, Translator
Joined: 2005-11-28 22:21
MRU and MUI

These are auto-generated by Windows for every EXE run. You cannot prevent this. And, if you're not logged in as an admin, you can't clean this afterward. As has been stated a couple times in this thread, Windows itself keeps track of everything you run and, as a non-admin, you CAN NOT prevent this.

Sometimes, the impossible can become possible, if you're awesome!

rab040ma
Joined: 2007-08-27 13:35
I think it is good for

I think it is good for people to keep checking. It's clear that Windows does notice when you run something. And some of the portable launchers miss things from time to time (though bugs like that do get addressed).

It's probably also good to note that, besides the registry entries, there might be some temporary files that could be undeleted, and some indexes or caches in the file system itself might have entries. So don't be surprised if a forensic examination of the computer shows at least some information about your usage.

PA's pretty good about cleaning up, but not perfect. It's designed for use at a public computer, or at your friend's house. Don't rely on it for hiding your usage from your employer.

MC

Devo
Joined: 2007-09-04 14:55
Firefox/Thunderbird

I've been using Firefox and Thunderbird and I've found that they both leave folders in the Application Data folder. I've uninstalled and reinstalled both programs and still get the same problem. I let the programs shut down properly but the folders are still there. I've been using Portidy to clean up after them. Is there an option or something that I'm missing?

Simeon
Developer, Translator
Joined: 2006-09-25 15:15
those folders

should be deleted by the launcher after you close the program.
Are they still there after you deleted them and re-run the programs?

"What about Love?" - "Overrated. Biochemically no different than eating large quantities of chocolate." - Al Pacino in The Devils Advocate

John T. Haller
Admin, Developer, Moderator, Translator
Joined: 2005-11-28 22:21
Multiple Instances?

Any chance you're using multiple instances? If so, all bets are off as the launchers won't properly clean up. That's why this option has always been recommended against.

By default Firefox, Thunderbird and Sunbird will create a single folder in APPDATA while running. FF and TB will place a pluginreg.dat there. On exit, the launcher will remove that file and the empty directories. There may be some non-portable plugins or extensions that somehow change this behavior, though.

Sometimes, the impossible can become possible, if you're awesome!

Devo
Joined: 2007-09-04 14:55
Firefox Portable

The pluginreg.dat file gets cleaned up, but the folder Mozilla/Firefox/Profiles does not get cleaned up. I have noticed that when I open Firefox, only firefox.exe is running, and PortableFirefox.exe is not. I don't know if this is intentional or not. The ThunderbirdPortable.exe runs but for some reason fails to clean up the Thunderbird folder. I'll check to see if it's one of my extensions by running a clean install.

John T. Haller
Admin, Developer, Moderator, Translator
Joined: 2005-11-28 22:21
Local Copy

If Firefox Portable (or TB or SB) finds an existing local copy, it won't attempt a cleanup of the directories as they would already be there.

Try manually deleting the APPDATA\Mozilla\Firefox folder before running Firefox Portable. Whether that folder exists determines whether FFP will stick around and do the cleanup.

Sometimes, the impossible can become possible, if you're awesome!

Devo
Joined: 2007-09-04 14:55
After wasting time...

After wasting time I found the culprit. I had an extension installed, MR Tech Local Install, that for some reason would keep FirefoxPortable.exe from cleaning up the folder. I uninstalled the extension and now everything works perfectly.

Anthony A
Joined: 2007-11-28 16:33
If they create a folder

If they create a folder there, what about the folder that would already exist there if there is a local copy of FF or TB installed? Won't they be affected?

John T. Haller
Admin, Developer, Moderator, Translator
Joined: 2005-11-28 22:21
No

They create blank folders. Creating a blank folder that's already there doesn't do anything.

Sometimes, the impossible can become possible, if you're awesome!

Devo
Joined: 2007-09-04 14:55
Mozilla Registry Entries

I understand that the Portable launchers clean up everything from Firefox and Thunderbird when the programs are closed. Even after the programs are finished cleaning there is one key left for both FirefoxPortable and ThunderbirdPortable at
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla and HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla Thunderbird respectively. Is there a reason these registry entries aren't cleaned up?

ZachHudock
Developer
Joined: 2006-12-06 18:07
Do you have Firefox and

Do you have Firefox and Thunderbird installed on the PC? If so, those keys will be left, because the launchers back up local settings, put the portable ones in place, then restore local settings. If local settings exist, those keys will always exist.

The developer formerly known as ZGitRDun8705

Devo
Joined: 2007-09-04 14:55
Registry

I don't have either one installed. I messed around with Thunderbird and it now deletes the registry entry, but I can't figure out why Firefox won't delete the registry entry. It could be one of the extensions I have installed.

ZachHudock
Developer
Joined: 2006-12-06 18:07
It's possible that it is an

It's possible that it is an extension. I've never had registry entries left behind other than MRU, which can't be handled anyway.

The developer formerly known as ZGitRDun8705

morganfrmn
Joined: 2008-02-01 14:11
thank you

Thank you,
being as invisible as possible is the most important thing to me and
it's the reason to have a thumb drive. Any more comments on invisibility?

Fortunately they let me log in as admin, so tell me how to clean up after myself.

rab040ma
Joined: 2007-08-27 13:35
You might find something

You might find something like MruBlaster to help; it removes all of those "most recently used" records.

There are several strategies around for cleaning up index.dat files if you want to go that far.

regshot can give you a pretty good report on what registry entries and files on the computer are changed by a particular program; you can then write a script or something to remove anything that is a problem.

MC
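
The before/after comparison suggested in the last post, combined with ZachHudock's earlier point that `HKU\[SID]\...` and `HKCU\...` are the same location, can be sketched as follows. This is an added example, not part of the thread and not code from regshot or PortableApps.com: it diffs two registry snapshots in the text layout written by `reg export`, and the snapshot contents, SID and function names are constructed for illustration.

```python
import re

# Constructed snapshots in the text layout written by "reg export" (real exports
# are UTF-16; decode them first). Paths, SID and values are made up.
BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\notepad.exe"="Notepad"
'''
AFTER = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1111-2222-3333-1004\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\notepad.exe"="Notepad"
"E:\\PortableApps\\7-ZipPortable\\7-ZipPortable.exe"="7-Zip Portable"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla]
"ExampleValue"="constructed"
'''

# Locations the thread identifies as written by Windows for every EXE run.
WINDOWS_TRACKING = (r"\shellnoroam\muicache", r"\explorer\streammru")
# Assumption: the snapshot was taken by the user whose SID appears under HKEY_USERS.
SID_ROOT = re.compile(r"^HKEY_USERS\\S-1-5-21-[\d-]+(?=\\|$)", re.I)
VALUE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')

def parse_reg(text):
    """Return {(key, value_name): data}, folding HKEY_USERS\\<SID> into HKCU."""
    entries, key = {}, None
    # Hex values wrap over several lines with a trailing backslash; rejoin them.
    text = re.sub(r"\\\r?\n\s+", "", text)
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = SID_ROOT.sub("HKEY_CURRENT_USER", line[1:-1])
            entries[(key, None)] = None  # record the key itself, even if empty
        elif key and (m := VALUE.match(line)):
            entries[(key, m.group(1)[1:-1] or "@")] = m.group(2)
    return entries

def leftovers(before, after):
    """Keys and values that are new or changed in the second snapshot."""
    old, new = parse_reg(before), parse_reg(after)
    report = {"windows_tracking": [], "needs_review": []}
    for entry in sorted(new, key=lambda e: (e[0], e[1] or "")):
        if entry in old and old[entry] == new[entry]:
            continue
        tracked = any(t in entry[0].lower() for t in WINDOWS_TRACKING)
        report["windows_tracking" if tracked else "needs_review"].append(entry)
    return report

if __name__ == "__main__":
    for bucket, items in leftovers(BEFORE, AFTER).items():
        for key, name in items:
            print(f"{bucket:17} {key}" + (f" -> {name}" if name else ""))
```

Entries in the `windows_tracking` bucket are the MUICache and StreamMRU records discussed above; anything in `needs_review` is a candidate for a launcher bug report or manual cleanup.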
