
Results of moving Documents and Settings with backup image?


Devinco

Hello,

I have 2 hard drives, 1 main drive and an external hard drive for backup images.

The main hard drive has 2 partitions C: for the OS and D: for Data.

Let's say you move the "Documents and Settings" folder to D: with nLite and everything works well.

Then you make a clean backup image of C: to the external backup drive.

Now you install a program.

The program gets installed to C:\Program Files\program folder.

The program's settings are stored in D:\Documents and Settings\[CURRENT USER]\Application Data\program folder.

The program is working normally and appears in the Control Panel Add/Remove Programs.

Suddenly you discover that the program is MALWARE!

You decide you no longer want the program and you don't trust the uninstall to completely remove the program.

So you restore the clean backup image that you previously made.

The program folder will be gone.

Any changes to OS files and any extra components added to the windows folders will be gone.

The program's settings will still be stored in D:\Documents and Settings\[CURRENT USER]\Application Data\program folder. You can manually delete the folder so that is not a major problem.

Will the program still appear in the Control Panel Add/Remove Programs?

Edited by Devinco


Nope, the installed programs list is stored in the registry, which in turn is stored in %windir%\System32\config.

Hi tijuana,

The registry is composed of several files, see here (scroll down to the bottom under Windows NT platform).

All of these registry hives are stored in %windir%\System32\config except NTUSER.DAT which corresponds to HKEY_CURRENT_USER.

NTUSER.DAT is stored in Documents and Settings and will not be restored because it was not backed up.

It is stored in the D: partition Documents and Settings where it was moved to.

HKEY_CURRENT_USER may contain subkeys that control whether the program is still listed in Add/Remove Programs.

For example...

Control Panel

This subkey contains subkeys for Control Panel settings, including information stored in the Win.ini and Control.ini files in Microsoft Windows 3.x.

and
Software

This subkey contains subkeys describing the current user's software settings and contains program-specific information previously stored in the Win.ini or private initialization files in Windows 3.x.

Is the installed programs list stored in NTUSER.DAT (HKEY_CURRENT_USER)?

If not, where is it stored?

Edited by Devinco

The original reason for starting this thread has been resolved.

The reason was to determine if the benefits of moving the Documents and Settings folder are greater than the risks and problems.

I've learned that there are Operating System files within this folder (not just documents and settings) that malware can exploit to great advantage.

So much so that with the folder moved to a different partition, a restore of a backup image will not wipe out a malware infection, and the malware will in fact become active automatically again after the restore.

Moving the Documents and Settings folder with nLite (or any other means) is not worth the security risk.

It removes the security benefit of making backup images.

Much better to move the My Documents folder, Favorites, Program Files folder (if necessary), selected program profiles and data, and rename the Windows folder.

Thanks for having this forum.

Keep up the nLitenment!


he, every day you learn something new :)

Well, in that case, if the app was installed for "this user only", then it would appear in the user's ntuser.dat. If it was installed for all users, then it would appear in the folder I mentioned before.

What I do is put windows on c:, program files on d:, and docs and settings on e:; and then another disk/partition for all my stuff. Then I simply ghost c:, d:, and e: together, and would restore them together. The benefit of this is that if my system hasn't been formatted for a year, I can simply restore drives c and d without losing my settings (after checking to be sure there are no viruses or junk anywhere). It's just nice to have that option, at least for me.


Well, in that case, if the app was installed for "this user only", then it would appear in the user's ntuser.dat. If it was installed for all users, then it would appear in the folder I mentioned before.

Then if the programs were installed for "this user only", it would also appear in the Add/Remove Programs after the restore.

What I do is put windows on c:, program files on d:, and docs and settings on e:; and then another disk/partition for all my stuff. Then I simply ghost c:, d:, and e: together, and would restore them together. The benefit of this is that if my system hasn't been formatted for a year, I can simply restore drives c and d without losing my settings (after checking to be sure there are no viruses or junk anywhere). It's just nice to have that option, at least for me.

That's what is nice about nLite, you can have as many different installations as there are users.

Thank you.

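The thread's conclusion, as an added example that is not part of any post: restoring C: brings back the machine-wide registry hives in %windir%\System32\config, but each NTUSER.DAT on D: keeps its per-user Add/Remove Programs entries and anything set to start at that user's logon. The PowerShell below lists those leftovers for every profile so they can be reviewed after a restore; the mount name `AuditHive`, the function names, and the choice of the `Run`/`RunOnce` keys and the Windows XP Startup folder path are assumptions of this example, not locations named in the thread.

```powershell
# Added example, not code from the thread. Run elevated, and not while logged
# on as a user being checked (a hive that is in use cannot be loaded).
$ProfileRoot = 'D:\Documents and Settings'   # location used in the thread
$Mount       = 'HKU\AuditHive'               # arbitrary temporary mount name
$CurVer      = 'Software\Microsoft\Windows\CurrentVersion'

function Get-RegText([string]$Key) {
    # reg.exe leaves no handles open, so the hive can be unloaded cleanly
    $out = & reg.exe query $Key /s 2>$null
    if ($LASTEXITCODE -eq 0) { ($out | Where-Object { $_ }) -join "`n" }
}

function Get-ProfileLeftovers([string]$ProfilePath) {
    $found = @()
    $hive  = Join-Path $ProfilePath 'NTUSER.DAT'
    if (Test-Path -LiteralPath $hive) {
        & reg.exe load $Mount $hive 2>$null | Out-Null
        if ($LASTEXITCODE -eq 0) {
            try {
                # Uninstall   = "this user only" Add/Remove Programs entries
                # Run/RunOnce = commands started at this user's logon
                foreach ($sub in 'Uninstall', 'Run', 'RunOnce') {
                    $text = Get-RegText "$Mount\$CurVer\$sub"
                    if ($text) {
                        $found += New-Object PSObject -Property @{
                            Profile = $ProfilePath; Location = "HKCU\$CurVer\$sub"; Detail = $text }
                    }
                }
            } finally { & reg.exe unload $Mount | Out-Null }
        } else { Write-Warning "Could not load $hive (in use or access denied)" }
    }
    # The per-user Startup folder also lives inside the profile (XP layout)
    $startup = Join-Path $ProfilePath 'Start Menu\Programs\Startup'
    foreach ($f in @(Get-ChildItem -LiteralPath $startup -Force -ErrorAction SilentlyContinue)) {
        if ($f.Name -ne 'desktop.ini') {
            $found += New-Object PSObject -Property @{
                Profile = $ProfilePath; Location = $startup; Detail = $f.Name }
        }
    }
    $found
}

Get-ChildItem -LiteralPath $ProfileRoot -Force |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object { Get-ProfileLeftovers $_.FullName } |
    Format-List Profile, Location, Detail
```

Anything listed that points at a file no longer present on the restored C: is a stale entry; anything that points into the profile on D: deserves a closer look before that user logs on.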
