The two critical tools I demonstrate here are freeware written by those smart Winternals guys, Mark Russinovich and Bryce Cogswell, who you may know from in-depth magazine articles about the guts of Windows operating systems. The programs are called FileMon and RegMon and are available for download anytime at the Sysinternals website at www.sysinternals.com. (While you’re there, check out some of the other handy tools they give away, including Process Explorer, with all of the capabilities that Task Manager should have had.)
You will also need to use a “switch user”-type tool such as SUDO.EXE from the NT 4.0 Resource Kit Support Tools or RUNAS.EXE from the Win2k or XP operating systems (click the link of the target OS to open a how-to article).
I also use Microsoft Excel (version 97 or higher) for the data-munging, in part because it’s fast and flexible, and because it’s a tool that nearly every business user has on hand.
There are also several other tools which may be useful for finding permissions blocks and written changes. I wouldn’t recommend them as much for this kind of work, but you may find them easier or useful for other tasks, so I will mention them here. A company once called SomarSoft offers a free program called DumpReg which can report on the contents of the Windows registry in more detail than any other app I know, including filtering by the “last modified” date; it should be freely available here. Also, PC Magazine has released a freeware utility called InCtrl5 (“In Control” version 5.0) which uses a snapshot-comparison method to discover OS changes after software installations and such; you can read about it here or download it here.