[Tfug] OT: Windows "Tracking Software"

Bexley Hall bexley401 at yahoo.com
Wed Mar 4 06:58:26 MST 2009


Hi, Andy,

> >> Run Spybot Search and Destroy?
> > 
> > I think that only deals with "traditional" spyware (i.e.,
> > things that monitor internet activity and potentially
> > report it to some (remote) third party (site)
> 
> Is that an assumption? You will want to eliminate all
> assumptions...

From what I read on the web site, it is intended to
deal with spyware that has surreptitiously installed
itself on your machine over the web, etc.

> What about other spyware tools? Does the same assumption
> apply to them as well? That is something you might want to
> check.

Note that spyware tools are designed, for the most part,
to look for malicious/malware stuff.  The software that
I am talking about is a legitimate application typically
installed by employers to monitor the usage of their
*own* machines (i.e., it works even if you don't EVER
have an internet connection).

It would be like trying to detect if Acrobat Distiller
is installed on your machine -- you can look under Add/Remove
Programs (though Distiller is usually installed as part
of something *else*).  You could look for the executable
residing somewhere on a mounted filesystem.  You could
look for the process that watches for "distillable files"
(though that process might not be running, at the time).
Etc.
 
> >> Remove it using Add/Remove programs?
> > 
> > I'll have to check to see if it is listed there.
> > Note that you can design an application to install
> > itself and *not* create an entry in the "Remove Programs"
> > registry.
> >  
> >> I don't think you've provided enough information
> >> for the answer you are really looking for...
> > 
> > You can install software to track a user's *computer*
> > activity (i.e., not just "internet" activity).  I
> > want to know how to detect, disable and/or remove
> > such tools (presumably, anything that does this
> > and is designed intelligently will leave a very
> > small fingerprint!)
> 
> If I suspected my PC had something like that then I would
> get the free Process Explorer and examine all the processes.
> Kill any I didn't want running.

And what do you do if you aren't running as Administrator
(i.e., because the machine is maintained/provided by your
*employer*)?

> Also I would investigate safe mode to see if that stopped
> the tracking behaviour.

But, you don't even know (yet) that "tracking" is taking
place!  <grin>  I.e., that is the first part of my
question:  "detect and defeat"

> I would run msconfig and stop any services and processes
> from running at startup that I didn't recognize.

Again, that only works if you have root privileges.

> Worst case I would reinstall windows.

Your boss would undoubtedly have something to say if you
had done this.  Also, many newer machines can be configured
so that booting off a CD/DVD is disallowed.

You're assuming this is *your* machine and that someone has
slipped something onto it surreptitiously.  What if it is
*my* machine that *you* use 8 hours a day (on my behalf)?

<grin>  It's a lot harder problem to solve than it
would appear...

--don


      



