How to Check If a Portable Application is Clean/Stealthy or Not
We need an uninstaller utility with a before/after snapshot log feature for this. In this article we will use the free and open source ZSoft Uninstaller/ZSU, specifically its PortableApps.com/PA.c edition.
There are other alternatives like ChemTable Software's Soft Organizer/SOrg, Ashampoo Uninstaller/AUinst, Regshot (for Windows older than 10), or others. On Windows 10, SOrg is better than ZSU but takes more time.
We also need a text editor such as NPP/Notepad++, Sublime Text, or any other you like.
In essence, what we'll do consists of these general steps:
- Create a snapshot of Windows system before running the portable application.
- Run and try out all features of the portable application. It's better to run it more than once to make sure it really saves its settings.
- Create the after run/test snapshot.
- Compare the after and before snapshots to see whether there are any changes to the Windows registry and/or the Windows standard data folders.
We'll use GeoGebra Classic portable as an example, installed in the C:\0TEST\GeoGebraClassicforDesktopPortable folder.
- Run ZSoft Uninstaller/ZSU and click Analyze. First we have to configure which drives/folders ZSU should ignore: click Edit Ignore List, then add any drive/folder you don't want to monitor (the list in the picture is just an example), and after that close the window,
- Click Analyze → tick Analyze an installation option → click Next → click Before Installation—to create the "before test system snapshot",
- When the After Installation button becomes active, the "before snapshot" is finished. Close the window and minimize ZSU,
- Run the portable application and test any of its features, then close it. Run it twice or more while changing its settings to make sure it can save them. Usually, the easiest setting to notice in any application is its window size and position. But in our example, GeoGebra Classic doesn't save this setting, so just open GeoGebraPEsettings.conf in the C:\0TEST\GeoGebraClassicforDesktopPortable\Data folder with NPP to make sure it's not empty,
- Open the C:\0TEST\GeoGebraClassicforDesktopPortable\Data folder to make sure there's no PortableApps.comLauncherRuntimeData-GeoGebraClassicforDesktopPortable.ini file. This is to make sure that it has completely exited,
- Bring up ZSU, click Analyze → tick Finish an analysis that has already been started → click Next → click After Installation—to create the "after test system snapshot",
- Enter any name in the Enter Application Name window then click OK—to save the after snapshot log, as for example: "zzz",
- When the snapshot comparison is finished, click OK → right-click on the "zzz" log entry → select Show Recorded Info → click the top-left blue square to save the log. Save it on the Desktop as "zzz.txt". We can then delete the "zzz" entry from the Analyzed Programs tab,
- Open the "zzz.txt" log with NPP/Notepad++. See whether the portable application left any traces anywhere other than its own folder, C:\0TEST\GeoGebraClassicforDesktopPortable,
Especially watch for any changes that might be related to our application in the Windows data folders:
- %APPDATA%, in our example C:\Users\thumbapps\AppData\Roaming,
- %LOCALAPPDATA%, in our example C:\Users\thumbapps\AppData\Local,
- %USERPROFILE%, in our example C:\Users\thumbapps. This one includes the Documents, Music, Video folders, etc.,
- %ALLUSERSPROFILE%, in our example C:\ProgramData,
and also in the Windows registry. Since our application does not require administrator privilege, we can ignore the HKLM entries and just inspect the HKCU entries,
especially these registry branches where Windows usually stores settings such as start-up run entries:
- HKU\S-1-5-21-2501081379-2069658986-3569691162-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\...
- HKU\S-1-5-21-2501081379-2069658986-3569691162-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\...
HKU\S-1-5-21-2501081379-2069658986-3569691162-1001 is the current user's branch under HKEY_USERS, which is what HKCU points to.
You can ignore "file deleted", "reg deleted", and ...Windows\Shell\Bags\... entries.
Those are the places where most applications leave their settings, but some applications might even leave traces of:
- a DLL, for example HKLM\SOFTWARE\Classes\CLSID\{5B69A6B4-393B-459C-8EBB-214237A9E7AC}\InprocServer32,
- a TypeLib, for example HKLM\SOFTWARE\Classes\TypeLib\{04219238-440D-4FED-A5D6-EFD15158CA77}\1.0\0\win32,
- a COM server, for example HKLM\SOFTWARE\Classes\CLSID\{318B6012-AF38-4AFC-807E-169248B941E2}\LocalServer32,
- a service, for example HKLM\SYSTEM\CurrentControlSet\services\ambakdrv,
- a scheduled task, usually stored in %WINDIR%\System32\Tasks,
- file associations, for example HKU\S-1-5-21-317371406-773968330-1681716359-1000\Software\Classes\.arw or others.
Our conclusion for the GeoGebra Classic example: it only stored settings in its configuration file in the Data folder. No traces in the registry, the Windows data folders, or any other places. So we can say that it's 100% clean/stealthy.
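The before/after comparison that ZSU performs can also be scripted, which helps when you want to repeat the check for many portable apps. The following is an added example written for this article and is not part of ZSoft Uninstaller or PortableApps.com; the app folder, the data-folder roots passed to snapshot(), and the watch lists of persistence locations are assumptions based on the places listed above, and registry keys are represented as plain "HKCU\..." strings merged into the same dictionary as file paths.

```python
import hashlib
from pathlib import Path

# Locations the article singles out, as substrings of snapshot keys (registry keys are plain strings).
PERSISTENCE_HINTS = ("\\CurrentVersion\\Run", "\\System32\\Tasks", "\\services\\",
                     "\\InprocServer32", "\\LocalServer32", "\\TypeLib\\", "\\Classes\\.")
NOISE_HINTS = ("\\Windows\\Shell\\Bags\\",)  # Explorer view-state churn; ignorable per the article

def fingerprint(path: Path) -> str:
    """Content hash, so a modified file is caught even if size and mtime were preserved."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(roots) -> dict:
    """Map every file under the given folders (e.g. expanded %APPDATA%, %LOCALAPPDATA%)
    to its content hash; the caller may merge registry entries into the same dict."""
    snap = {}
    for root in roots:
        for p in Path(root).rglob("*"):
            try:
                if p.is_file():
                    snap[str(p)] = fingerprint(p)
            except OSError:
                pass  # vanished or locked while walking; skip rather than abort
    return snap

def compare(before: dict, after: dict, app_root: str) -> dict:
    """Diff two snapshots and bucket each change: the app's own folder, ignorable
    noise (deletions, Shell\\Bags), known persistence locations, or anything else."""
    report = {"app_folder": [], "ignored": [], "persistence": [], "other": []}
    changed = {k: "added" for k in after.keys() - before.keys()}
    changed.update({k: "deleted" for k in before.keys() - after.keys()})
    changed.update({k: "modified" for k in before.keys() & after.keys() if before[k] != after[k]})
    for key, kind in sorted(changed.items()):
        norm = key.lower()
        if norm.startswith(app_root.lower()):
            report["app_folder"].append((kind, key))
        elif kind == "deleted" or any(n.lower() in norm for n in NOISE_HINTS):
            report["ignored"].append((kind, key))
        elif any(h.lower() in norm for h in PERSISTENCE_HINTS):
            report["persistence"].append((kind, key))
        else:
            report["other"].append((kind, key))
    return report

def is_stealthy(report: dict) -> bool:
    """Clean/stealthy: nothing outside the app's own folder except ignorable entries."""
    return not report["persistence"] and not report["other"]
```

Take one snapshot of the data folders before running the app and one after, then pass both to compare() together with the app's own folder; anything in the "persistence" or "other" buckets is what you would otherwise hunt for by hand in "zzz.txt".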