Remove any trace of a program
September 2, 2007 6:34 PM

How can you remove from your computer any trace of using a program?

Windows XP, IE and Firefox.
posted by JayRwv to Computers & Internet (9 answers total) 2 users marked this as a favorite

Format the hard drive and reinstall your OS.

Seriously: you'll need to give way more information than this, and unless you've been monitoring all the file changes since the program was installed, I doubt it's even possible to do this with any confidence, short of the aforementioned format.
posted by pompomtom at 6:45 PM on September 2, 2007

Response by poster: Sorry that I was not more forthcoming. Example: I have Quicken installed. I have uninstalled it. How do I remove any trace that Quicken was ever on my computer? I do understand about format and reinstall the OS. I was hoping for a simpler operation.
posted by JayRwv at 7:16 PM on September 2, 2007

Something like Regcleaner should probably tidy up any loose registry entries. Delete any folders left behind under 'Program Files' and 'Application Data'. Delete any document files you've saved, of course... That would go a fair way, but I still don't think you'll be able to be confident that all trace has been removed.
posted by pompomtom at 7:22 PM on September 2, 2007

Response by poster: Thank you pompomtom. That is my problem. I don't have confidence that all traces are gone. Kind of weird that it works that way. It does not cause me a problem but I wanted to know if I could do that. Thanks again.
posted by JayRwv at 7:32 PM on September 2, 2007

Best answer: How much is any trace?

Theoretically, I hear you (if you're the CIA) can take a non-optical microscope to a hard drive and recover quite a bit of what was on it even if it's been overwritten since. Everything on hard disk is 0s and 1s, but if they look at it magnetically they can see that some of the 1s used to be 0s and so on. I don't know how far these skills extend, but I believe the capability exists. At this level, you're supposed to kill the platters with fire.

Even a person with normal resources and some knowledge will probably be able, for some time after file deletion, to go in and recover a file that was simply deleted unless you use certain tools to actually overwrite the data rather than just mark it for possible future overwriting.

If you're not worried about that sort of absurdity, you should go through the program install directory and any files you created, obviously, your registry, C:\Documents and Settings\, and your Windows directory for anything that may be related to that program. If the program does a clean uninstall it should actually remove all this crap, but if it doesn't, good luck cleaning out the registry without installing on another machine and seeing exactly what it did. If it was for some reason important to me to REALLY remove any trace that a skilled person could find of a program like Quicken, Firefox, or Word, that can really put its hooks into various places, I'd just reformat.
posted by TheOnlyCoolTim at 7:48 PM on September 2, 2007

Cleaning the registry is not enough if subsequent activity caused Windows to create a restore point. You'd also have to "scrub" all of the previous system backups.

And, for an application like Quicken, if you registered the software, the "evidence" of your installation is out of your hands and in the software vendor's database.
posted by SPrintF at 8:43 PM on September 2, 2007

Best answer: I do computer forensic examinations professionally. To be certain there is no trace left, you will need to reinstall from scratch. But really it depends on who you think will be looking and what they are looking for.

Any investigation is normally conducted to prove or disprove a hypothesis. If the question is "Was this program ever on the computer?" you are more likely to be discovered than if the question is "What programs are on the computer now?". In the first case, there are so many artifacts left that it is probable that some evidence will be left, either in the registry, in unallocated space on the disk, or in a variety of log files. In the latter case, it would be easier to just pull out what is there and not look at all the other things.

Against the government, who has lots of time, money, and trained people, you will need to reformat if they are looking for that program.

Against someone like me, who is trained and has access to tools and time to conduct experiments to determine what artifacts a particular program might leave, it depends on both how specific the examination is and how much the person paying for it can afford. If I am asked to determine if you ever had a particular program, I would make a clean system, note what was there, install the program and run it for a while, and see what changed. There are so many possible changes that I can't imagine any one program erasing them all - seriously, I am continually surprised at how much evidence is left. For example, there are even encrypted registry entries that show everything that was run, how many times, and the date and time of the last execution. But to do that takes time, and examinations are expensive (the going rate is on the order of $250/hour), so someone would have to really want to know if that program was there.

If you are just hiding it from casual observers who aren't expecting a particular program to be there, deleting it and running some registry cleaner would probably be ok.
posted by procrastination at 8:48 PM on September 2, 2007 [2 favorites]
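
The baseline-and-compare method described in the answer above, sketched as an added example that is not part of the original thread: it hashes every file under a directory before and after an install, then lists what changed. The program name ExampleApp, the paths and the file contents are constructed for the demonstration, and only the file system is covered, not the registry.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file path (relative to root) to its SHA-256, or None if unreadable."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                digest = hashlib.sha256()
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        digest.update(chunk)
                state[rel] = digest.hexdigest()
            except OSError:
                state[rel] = None  # locked/unreadable: still listed, never skipped
    return state


def diff(before, after):
    """Return sorted (added, removed, modified) path lists between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return added, removed, modified


def demo():
    """Constructed scenario: baseline, simulated install and use, partial uninstall."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)
        write("Windows/system.log", "boot\n")
        baseline = snapshot(root)
        # "ExampleApp" is a hypothetical program; these files are constructed.
        write("Program Files/ExampleApp/app.exe", "binary")
        write("Documents and Settings/user/Application Data/ExampleApp/prefs.ini", "x=1")
        write("Windows/system.log", "boot\nExampleApp started\n")
        # Simulated uninstall removes only the program folder.
        os.remove(os.path.join(root, "Program Files/ExampleApp/app.exe"))
        os.rmdir(os.path.join(root, "Program Files/ExampleApp"))
        return diff(baseline, snapshot(root))
```

In the constructed run the uninstall leaves the per-user settings file behind and the log file altered, which is the kind of leftover the comparison is meant to surface.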

You could try Total Uninstall.
posted by blahtsk at 11:36 PM on September 2, 2007

also depends if the software in question is actively trying to leave traces (as limited-trial shareware sometimes does, to avoid the uninstall/reinstall trial-period-reset manoeuvre.)

In that case, they can do some extremely dubious and tenacious things to leave their mark, and without reverse engineering the program to establish exactly what it does, your only really guaranteed option is the rebuild.
posted by Luddite at 9:12 AM on September 3, 2007
