Many software companies don't design programs with high security in mind, and if you ask around, you'll probably find that programmers aren't necessarily security-minded individuals. For most programmers, security is an after-the-fact consideration that occurs only after attackers compromise programs or after the programs have allowed the compromise of an entire system or network.
Various software products have security vulnerabilities of this kind. One example is Oracle's database software, which leaves sensitive information readily available on the system in clear text: during an Oracle install on Windows NT, Oracle's spoolman.log file records the database passwords in clear text, so anyone who can read that file can recover them. If you find such a file on your system, delete it or restrict its permissions as soon as the installation completes.
The moral is to protect yourself by examining your system carefully before, during, and after installing new software products, especially if those products aren't mainstream commercial items. A good way to keep a close eye on the Registry is to use Sysdiff from the Microsoft Windows NT Workstation 4.0 Resource Kit. With Sysdiff, you take a snapshot of the Registry before you install a new product, then compare that snapshot with the working Registry after the installation; Sysdiff reports every key and value that changed between the two. As an alternative, you can use the Regmon tool (available at the Sysinternals Web site, http://www.sysinternals.com), which lets you watch Registry access in real time and so shows you which keys an installer reads and writes as it runs.
For file system changes, you can make a before-and-after comparison to help locate all files that a new product installation added or changed. To perform such a comparison, you can use the resource kit's Windiff tool. Here's how.
Before you install a new product, open a command prompt window and change to the root directory of the drive you want to watch (e.g., C:\). Issue the following command to write your entire directory and file structure to a text file:
dir /S > directory1.txt
This command creates directory1.txt, which lists every directory and file on the drive you were on when you issued the command, together with each file's size and last-write date and time. Two points to keep in mind: by default dir omits hidden and system files, so add the /A switch (dir /S /A) if you want them in the listing, because an installer can drop files with those attributes; and the listing file itself, plus the "bytes free" total at the end, will always differ between snapshots, so expect those lines to show up in every comparison. Create such a file for each drive on your system, using a different name for each drive. When the installation has finished, create another set of files in the same way, using different filenames. Next, use Windiff to compare each pair of matching listing files. Any directories and files that the installation routine removed, added, or modified stand out in the Windiff display. Be sure to read the Windiff Help file for complete instructions on using the tool.
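Windiff compares the two listings as raw text, so lines that legitimately change between runs (the listing file growing while dir writes it, the free-space total) appear alongside the real changes, and a renamed or resized file shows up as two unrelated text lines. As an added example that is not part of the original article, the following Python script parses two dir /S listings into path, size and timestamp entries and reports only the files and directories that were added, removed or modified, skipping any paths you tell it to ignore (the listing files themselves). It goes slightly beyond the NT 4.0 case in the text: the entry pattern accepts both the NT 4.0 date format (08/21/97  03:19p) and the later 08/21/1997  03:19 PM format. The two listings, the product name Acme and the file names in them are constructed for this example, not captured from a real system.

```python
import re
from collections import namedtuple

# One "dir /S" entry line. NT 4.0 prints "08/21/97  03:19p"; later Windows
# prints "08/21/1997  03:19 PM". The size column is <DIR> or a comma-grouped
# byte count, followed by the name (which may contain spaces).
ENTRY_RE = re.compile(r"^(?P<date>\d{2}/\d{2}/\d{2,4})\s+"
                      r"(?P<time>\d{1,2}:\d{2}\s?[AaPp][Mm]?)\s+"
                      r"(?P<size><DIR>|[\d,]+)\s+(?P<name>.+?)\s*$")
DIR_HEADER_RE = re.compile(r"^\s*Directory of (?P<path>.+?)\s*$")

Entry = namedtuple("Entry", "is_dir size stamp")


def parse_dir_listing(text):
    """Parse 'dir /S' output into {lower-cased full path: Entry}.
    Volume headers, File(s) totals and the 'bytes free' line never match
    ENTRY_RE, so they cannot later appear as spurious changes."""
    entries, current_dir = {}, None
    for line in text.splitlines():
        header = DIR_HEADER_RE.match(line)
        if header:
            current_dir = header.group("path").rstrip("\\")
            continue
        m = ENTRY_RE.match(line)
        if m is None or current_dir is None:
            continue
        name = m.group("name")
        if name in (".", ".."):  # dir lists these in every subdirectory
            continue
        is_dir = m.group("size") == "<DIR>"
        size = None if is_dir else int(m.group("size").replace(",", ""))
        entries[(current_dir + "\\" + name).lower()] = Entry(
            is_dir, size, m.group("date") + " " + m.group("time"))
    return entries


def compare_snapshots(before, after, ignore=()):
    """Return sorted (added, removed, modified) path lists. 'modified' means
    the size or timestamp changed; a directory with a new timestamp tells
    you something was written inside it. 'ignore' is for the listing files
    themselves, which are still being written while dir runs."""
    skip = {p.lower() for p in ignore}
    added = sorted(p for p in after if p not in before and p not in skip)
    removed = sorted(p for p in before if p not in after and p not in skip)
    modified = sorted(p for p in before if p in after and p not in skip
                      and before[p] != after[p])
    return added, removed, modified


def report(before_text, after_text, ignore=()):
    return compare_snapshots(parse_dir_listing(before_text),
                             parse_dir_listing(after_text), ignore)


# Constructed, abbreviated sample listings (not real output): a snapshot taken
# before installing a hypothetical product "Acme" and one taken afterwards.
BEFORE = r"""
 Directory of C:\

08/21/97  03:19p        <DIR>          WINNT
08/21/97  03:19p        <DIR>          Program Files
08/21/97  03:19p                   94 boot.ini
03/02/98  10:58a                    0 directory1.txt
               4 File(s)             94 bytes

 Directory of C:\WINNT

08/21/97  03:19p        <DIR>          .
08/21/97  03:19p        <DIR>          ..
08/21/97  03:19p                1,024 win.ini
08/21/97  03:19p                  512 readme.txt
               4 File(s)          1,536 bytes
                           1,234,567,168 bytes free
"""
AFTER = r"""
 Directory of C:\

03/02/98  11:05a        <DIR>          WINNT
03/02/98  11:05a        <DIR>          Program Files
08/21/97  03:19p                   94 boot.ini
03/02/98  10:58a                2,311 directory1.txt
03/02/98  11:12a                    0 directory2.txt
               5 File(s)          2,405 bytes

 Directory of C:\WINNT

03/02/98  11:05a                1,040 win.ini
               1 File(s)          1,040 bytes

 Directory of C:\Program Files\Acme

03/02/98  11:05a              204,800 acme.exe
03/02/98  11:06a                  880 install.log
               2 File(s)        205,680 bytes
                           1,234,350,000 bytes free
"""
IGNORE = (r"C:\directory1.txt", r"C:\directory2.txt")  # the listing files

if __name__ == "__main__":
    added, removed, modified = report(BEFORE, AFTER, IGNORE)
    for label, paths in (("added", added), ("removed", removed),
                         ("modified", modified)):
        print(label + ": " + ", ".join(paths))
```

To use it on real snapshots, read directory1.txt and directory2.txt into strings, pass them to report() and list both file names in the ignore argument. A directory reported as modified is worth a look even when no file under it is listed, since that is how a hidden or system file dropped into it shows up when the listing was taken without /A.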
You can also use Filemon (available at the Sysinternals Web site) to watch all file system activity in real time, including which process opened which file and whether it read or wrote it. Using Filemon alongside Windiff is a good idea because the before-and-after comparison shows only what changed on disk, while Filemon also catches third-party applications that merely read sensitive system information without your knowledge.