View Full Version : Time Trial + Registry

June 28th, 2007, 07:01
Was just wondering if anyone has tried monitoring the registry during an INSTALL to see what has been added (in the form of a time trial key). Would this not be easier than trying to unpack/debug the .exe/.dll's after the install? Could anyone who has tried, please share their ideas. Thanks a bunch.

June 28th, 2007, 07:24
Yes and No.
The registry is not the only place where a program can and will peg the time of install: It can be placed in a irrelevant looking file somewhere in windows system folders, written to an existing file, written to a specific sector in the boot drive, and often in more than one place, for tamper detection. Also, programs may mark not only time of install but also time of first run as the beginning of the trial.

So simply monitoring the registry will not work but in the simplest protections.

there are 2 other avenues to explore: Install monitors: will give you a catalog of all the reg-keys, files and modifications to existing files that a installation did, and even some allow you to "wipe" or Total Un-install" your app, by erasing all traces left behind by the installation. works in some but not all the cases.

Simpler and lazier, if you don't want to unpack, trace and reverse secured applications, is the use of virtual machines, available from M$ and VM ware:

Install an OS in a virtual machine, tweak it to your taste, save a copy as an archive. Now clone it, and install your time limited application in the clone.
Every time it expires, dump the clone, make a fresh one from the archived OS master, reinstall the time trial, go for another 30 days (The closest a computer will get to a box of Kleenex ).

The simplest and laziest is to buy the damn application.

June 28th, 2007, 07:25
and what are you going to do once you find it? A lot of programs stop working if you just delete the key, so you still need more knowledge.

edit: Naides has a much better explanation than me. Serves me right for sticking all the topics onto tabs and reading them later!

For me, I like to know how the protection works, rather than just defeating it by using VM's, but VM is the idle persons way

June 28th, 2007, 07:36
I didn't know you could clone them - I thought you had to install each vm from scratch. Is there anywhere I can get more info on cloning vm's? Thanks for your fedback.

June 28th, 2007, 07:41
Actually, VM machines are invaluable for exploring how a protection works
Tracing the expired and un-expired versions of an app in parallel, inside two VM is a very illuminating experience

@ Malikón: Read the VMware site, white papers, and manuals. Cloning is a standard feature of VMware (I don't do the M$ VM).

In any case, a VM is nothing else than a folder with some files in it, that can be copied at will.

June 28th, 2007, 07:49
If you were in this room I'd shake your hand... 2 vm's is how I'll be doing things from now on. Thank You!

June 28th, 2007, 08:14
I usually get a smacker on the lips for my help services. See:

So I will not bargain for anything less than that this time around, Malikón.

June 28th, 2007, 14:38
And malikah you do not need to always "quote" all or part of the message to post a response. Choose the button on the bottom far right (that looks like a page with a down arrow on it) to do a quick reply without quoting the post you are answering. It saves room in the database that way.


June 28th, 2007, 14:46
Like this... Ahh I C.. Cheers

June 29th, 2007, 03:43
[Originally Posted by naides;66739]Actually, VM machines are invaluable for exploring how a protection works
Tracing the expired and un-expired versions of an app in parallel, inside two VM is a very illuminating experience
And pinpointing the critical jump/function is also often as easy as running the two versions through Olly once, with the Conditional Branch Logger plugin (see OllyStuph for download).

June 29th, 2007, 15:24
[Originally Posted by malikah;66735]Could anyone who has tried, please share their ideas.
regmon + filemon, thread over.

June 29th, 2007, 15:42
Oh Damn! You just gave away another "deep, dark, closely held secret"!

Who'd a thunk there were actually "tools" to keep track of such things.


June 29th, 2007, 17:32
Yea - I tried both regmon and filemon - very bland tools in the way of user options. All they did was spit out about 3000 lines per second of internet explorer and some other file. I need a program with better filters - for example: "Show only written keys".. And yes I saved it to a text file - but If I knew what to search for in the text file then I would not have needed the reg/filemon in the first place. Or am I missing something? I don't think so.

June 29th, 2007, 17:40
If memory serves, I believe if you do a search for regmon you will find a "filter" created by Kayaker for me when I was tracing a program and was complaining about having to look through 20,000+ thousand log entries in the output.

Hint: In the Search Button, go to "Advanced Search" and put "regmon" (without the quote marks) in the left and Kayaker in right and hit enter.

It's from 2002 and I have just confirmed it is still there.

I believe it works for WinXP and Win2K! If it doesn't work in WinXP, maybe we can get Kayaker to "update" it for us. It is a wonderful utility.


June 30th, 2007, 01:13
I've never had a problem with either mon, primarily because I only run the program I'm trying to log, and I filter to include only the name of the interested file.

June 30th, 2007, 09:54
[Originally Posted by malikah;66800]I need a program with better filters - for example: "Show only written keys".
Err, did you try the checkbox saying something like "Writes" in the "Filter" dialog of Regmon?

July 26th, 2007, 12:18
I personally find a program called "RegShot" to be the 100% best tool to weed out registry time trials. Regmon and Filemon suck because they are live and even with filtering they get too much data that is irrelevant.

RegShot can also look at the entire C:\ drive (or whatever drive you point it to).

All you do is:

1. Start RegShot. If you want to monitor C:\ put that in too. PRess "1st snapshot button"

2. Set your date and or /time on the machine a few days forward to force the trial program to update it's trial data.

3. Run the trial program that you want to defeat

4. Kill the program and the in RegShot press the "2nd Snapshot" button.

5. When done use the "Compare" button.

Wallah you now will see everything that has changed, and only the things that have changed, on the system since last time. It will be a piece of cake then to track down the reg and / or file information that was used.

I always use this tool now for time trials and it is the best tool for time trials, a nice static snapshot of before / after. However, time trials can also go into sector 32 on the hard drive too, and that's where a good hex editor with raw disk access comes in. But only Installshield FlexNet , etc, and SecureROM use the sector 32 tricks.