Discussion Thread Uninstalr: Or how I tested all the Windows uninstallers and ended up making a new one

simmerskool

Level 28
Verified
Top Poster
Well-known
Apr 16, 2017
1,739
Well it has to be that way, or it won't be able to monitor installations.
ok... but doesn't Revo monitor an installation in full when you use Revo to install an app, or is it that Revo takes a before and after system snapshot. I've always had the sense that Revo (& perhaps others) monitor exactly what the app being installed is adding / changing on the system. Then when the installation is complete, you close Revo and it saves the process as a file for when you want to uninstall. (maybe I forgot some of the posts in this thread?)
 

jackuars

Level 27
Verified
Top Poster
Well-known
Jul 2, 2014
1,683
I haven't tested the software yet, but it looks like
I haven't tested the monitoring. But if an uninstaller is doing a before and after scan, it is using snapshots, which is different to monitoring. Almost all uninstallers use snapshots. When an uninstaller monitors installations, it actually monitors the installer and sees what files and registry keys are being created. Install Monitor, IObit Uninstaller and Comodo Programs Manager are the only other uninstallers I'm aware of that use monitoring.

The problem with using snapshots, is that all changes to the system get recorded, even ones not made by the installer. So for example, if Edge gets updated in the background when installing another app, then the changes made when updating Edge will get included in the record of files and registry keys that were created when installing the other app. This provides a good reason to actually verify what an uninstaller wants to delete, before letting it remove anything. There are also issues with uninstallers that you monitoring. They may fail to monitor the installation of some apps and depending on how well the monitoring works, they may miss some changes that an installer makes.
I haven't tested it yet, but I don't think Uninstalr is using monitoring or snapshots to find related files and folders even before uninstalling a program. I wonder if it's indexing them, but the developer can clear this.
 

jv16

From Macecraft Software
Thread author
Verified
Developer
Jan 2, 2023
70
I haven't tested the software yet, but it looks like

I haven't tested it yet, but I don't think Uninstalr is using monitoring or snapshots to find related files and folders even before uninstalling a program. I wonder if it's indexing them, but the developer can clear this.

The monitoring feature works by snapshots: When you start the monitoring feature, it creates a snapshot and then compares the current state of the system against that in-memory snapshot in order to detect new data.
 

jv16

From Macecraft Software
Thread author
Verified
Developer
Jan 2, 2023
70
Result being same as previous, a successful uninstall of O&O that also removes the Win defrag tool in the process.

Thank you for reporting! This indeed seems like a bug in regards of the data analysis accuracy of Uninstalr. I have been working on this a lot these past weeks and the next version will improve this greatly.
 

Charismagic

New Member
Aug 21, 2014
4
@ Jouni Flemming, Macecraft
@jv16

Sorry to be a bit of a wet blanket here, but you need to really, really take a look at your software and run extensive tests before opening it to public access.

I ran Uninstalr 1.1 portable on a Win10 Pro machine with all current updates and patches, in a simulated environment. FYI, the VM environment just has the Win10 Pro image, completely updated, and the links from my normal environment with all the softwares installed.

It showed me two leftover programs apart from the normal installs. When I uninstalled the leftovers and rebooted, Windows wouldn't boot. Turns out they were critical Windows files.

I tried software install monitoring to install a new software and it crashed. Wonder if it has something to do with any registry snapshots/indexing done...couldnt find any trace of it though. I installed a software normally, and Uninstalr detected it during the scan. When I uninstalled it using Uninstalr, it deleted the exe used to install the software but left the installed exe and the program file in the program directory intact apart from associated registry entries.

Search function seems extensive, but choice of what is to be removed is limited.

3 VT vendors flag the executable and a basic sandbox analysis also throws up interesting results. Maybe the dev can clarify this?



Just to clarify, I am not a noob really on computer security....to all users, would advise caution.
 
Last edited:

jv16

From Macecraft Software
Thread author
Verified
Developer
Jan 2, 2023
70
@ Jouni Flemming, Macecraft
@jv16

Sorry to be a bit of a wet blanket here, but you need to really, really take a look at your software and run extensive tests before opening it to public access.

I ran Uninstalr 1.1 portable on a Win10 Pro machine with all current updates and patches, in a simulated environment. FYI, the VM environment just has the Win10 Pro image, completely updated, and the links from my normal environment with all the softwares installed.

The program went through multiple rounds of both public and private beta testing before release. I'm currently working on an update that addresses the accuracy issue a few people have reported. What software did you try to uninstall with it, and did the list of paths Uninstalr showed it would remove contain system related paths?

3 VT vendors flag the executable and a basic sandbox analysis also throws up interesting results. Maybe the dev can clarify this?

These are false positives that some lesser known anti-virus products show. It's typically always the same anti-virus products which use low effort AI based detection which basically detect any well optimized Windows executable file as malicious or suspicious. We have been sending these companies messages about these false positives many times but they don't react. It's a very unfortunate situation, really, but I cannot see much I can do about it.
 

Charismagic

New Member
Aug 21, 2014
4
What software did you try to uninstall with it, and did the list of paths Uninstalr showed it would remove contain system related paths?

These are false positives that some lesser known anti-virus products show.
The only software used to uninstall was Uninstalr, which showed these leftovers. And no, the paths did not point to system entries.

Do understand the issue of false positives and it can mar a products reputation, which is unfair. You have used UPX packers in the application but entry point UPX 01 has a very high entropy - 7.92 plus (according to Shannon's entropy scale between 0 and 8 typically used by malware, since it is a measure of randomness for the purpose of obfuscation)

It is also hooking into wsock.dll and network comms, specially using a raw socket API?? I can understand your need to gather data to figure out how the software is performing, and I hope it's nothing more, but that being the case, maybe you should specify what your program collects as information and its usage at your end, in the interests of transparency for a free software and credibility. Just a suggestion.
 
Last edited:

Charismagic

New Member
Aug 21, 2014
4
The only software used to uninstall was Uninstalr, which showed these leftovers. And no, the paths did not point to system entries.

Do understand the issue of false positives and it can mar a products reputation, which is unfair. You have used UPX packers in the application but entry point UPX 01 has a very high entropy - 7.92 plus (according to Shannon's entropy scale between 0 and 8 typically used by malware, since it is a measure of randomness for the purpose of obfuscation)

It is also hooking into wsock.dll and network comms, specially using a raw socket API?? I can understand your need to gather data to figure out how the software is performing, and I hope it's nothing more, but that being the case, maybe you should specify what your program collects as information and its usage at your end, in the interests of transparency for a free software and credibility. Just a suggestion

To be fair and just to add on to the post....I know that a good compression removes redundant data making the exe appear more random than if it was uncompressed and in this case the entropy will usually be 7.7 or above, so that might account for a score of 7.92 plus, but then, I do not have the data at my end.
 

jv16

From Macecraft Software
Thread author
Verified
Developer
Jan 2, 2023
70
Do understand the issue of false positives and it can mar a products reputation, which is unfair. You have used UPX packers in the application but entry point UPX 01 has a very high entropy - 7.92 plus (according to Shannon's entropy scale between 0 and 8 typically used by malware, since it is a measure of randomness for the purpose of obfuscation)

I use UPX packer, because I don't think it makes any sense to waste bandwidth and user resources by not compressing one's data. It's a matter of providing optimized binary file. I don't know what could cause high entropy, as I don't use any methods of obfuscation in the code. Here is the executable file without the UPX compression: https://uninstalr.com/Uninstalr_v11_raw.exe

It is also hooking into wsock.dll and network comms, specially using a raw socket API?? I can understand your need to gather data to figure out how the software is performing, and I hope it's nothing more, but that being the case, maybe you should specify what your program collects as information and its usage at your end, in the interests of transparency for a free software and credibility. Just a suggestion.

I specify in the Privacy Policy what information the program collects from users: None. (You can find the Privacy Policy at the bottom of the website Uninstalr)

The only internet related thing that the program does is it checks for latest version if you click the "click here to check what is latest version" link at the bottom part of the UI, OR if you click the logo that opens the app's website. If you don't click either of those parts of the UI, the program doesn't connect to the internet at all and when it does connect, the only data it sends out is the app's name and version number as a part of the http agent string.

The method I use to fetch the latest program version is to use Windows API call InternetOpen(), InternetConnect() and HttpOpenRequest() to perform a http GET call to read the latest version number from the web server. That's all. If any of those function calls are somehow suspect, please let me know which Windows API calls should rather be used.

Not even the website uses any kind of Google or Facebook spyware. It doesn't even use any kind of tracking cookies. I would say my software including the website are among the most privacy friendly things you can find online.

And what it is worth: I have been publishing software since 1998. The number of malware that has ever been included in any file that I have ever published since that time is zero. I have not even include any gray area things, such as bundled software. Believe me, I get contacted on regular basis by some shady people asking whether I would be interested to include some VPN or browser extension to my software as a bundled software to be paid per install. I have said no to every single such offer since day one.
 

Charismagic

New Member
Aug 21, 2014
4
I use UPX packer, because I don't think it makes any sense to waste bandwidth and user resources by not compressing one's data. It's a matter of providing optimized binary file. I don't know what could cause high entropy, as I don't use any methods of obfuscation in the code. Here is the executable file without the UPX compression: https://uninstalr.com/Uninstalr_v11_raw.exe



I specify in the Privacy Policy what information the program collects from users: None. (You can find the Privacy Policy at the bottom of the website Uninstalr)

The only internet related thing that the program does is it checks for latest version if you click the "click here to check what is latest version" link at the bottom part of the UI, OR if you click the logo that opens the app's website. If you don't click either of those parts of the UI, the program doesn't connect to the internet at all and when it does connect, the only data it sends out is the app's name and version number as a part of the http agent string.

The method I use to fetch the latest program version is to use Windows API call InternetOpen(), InternetConnect() and HttpOpenRequest() to perform a http GET call to read the latest version number from the web server. That's all. If any of those function calls are somehow suspect, please let me know which Windows API calls should rather be used.

Not even the website uses any kind of Google or Facebook spyware. It doesn't even use any kind of tracking cookies. I would say my software including the website are among the most privacy friendly things you can find online.

And what it is worth: I have been publishing software since 1998. The number of malware that has ever been included in any file that I have ever published since that time is zero. I have not even include any gray area things, such as bundled software. Believe me, I get contacted on regular basis by some shady people asking whether I would be interested to include some VPN or browser extension to my software as a bundled software to be paid per install. I have said no to every single such offer since day one.

Thanks for the update Jouni.

I think the AV false flags are due to the high file entropy and access to raw sockets also raises suspicion.

However, the fact that it wrongly classified some files and did not remove others, stands. Also registry snapshots for a before and after and a display of what gets removed with a wider choice for users may be something that you might want to consider. Do understand that the target audience may not be bothered by such details or couldn't care less and that is a balance that you will have to decide on. Continuous testing on these use cases would be helpful for further development.
 

jv16

From Macecraft Software
Thread author
Verified
Developer
Jan 2, 2023
70
Thanks for the update Jouni.

I think the AV false flags are due to the high file entropy and access to raw sockets also raises suspicion.

However, the fact that it wrongly classified some files and did not remove others, stands. Also registry snapshots for a before and after and a display of what gets removed with a wider choice for users may be something that you might want to consider. Do understand that the target audience may not be bothered by such details or couldn't care less and that is a balance that you will have to decide on. Continuous testing on these use cases would be helpful for further development.

As said, I don't really know how I could affect the entropy of the binary file. I'm a programmer, I write code. What kind of binary file the compiler produces from my code, I can affect but not that much. Besides, I think it shouldn't be my job to dance around compiling my software in a way that a few lesser known antivirus products do not produce false positives. It should be the antivirus product developers who should work on preventing false positives. Or the very least, these antivirus companies should provide an easy to use "report false positive" functionality, which they would then actually monitor.

I use normal Windows API calls to perform a http get request. None of my code touches raw sockets in any ways. I suspect the socket code is relating to some shared library that I use, which might also contain such functionality. I will see if I can remove those libraries from the program.

The software already displays every single path it would remove during the uninstallation, before the uninstallation starts and instructs the user to verify the list before proceeding and user can freely edit the list of paths as well. The software doesn't remove anything without first showing it to the user. The mentioned issue about incorrect analysis by Uninstalr is indeed a known issue in the current version and will be addressed with the next version. The development of the next version has taken some time, because I want to address this issue properly, with multiple new safeguards.

The incorrect analysis issues were not detected in the testing that happened before the initial version release. This testing included both private and public beta testing.
 
Last edited:

jv16

From Macecraft Software
Thread author
Verified
Developer
Jan 2, 2023
70
The only software used to uninstall was Uninstalr, which showed these leftovers. And no, the paths did not point to system entries.

I just noticed this part and I'm rather confused by this comment. Can you please specify exactly what software you uninstalled with Uninstalr before the problem occurred? I can then test this and see whether the problem reproduces. If I can reproduce the problem, I can fix it.
 
Last edited:

Prokopi

New Member
Aug 15, 2023
2
The Uninstalr is a dangerous program. I recommend everyone not to use it as it is a harmful program. Developer say something about monitoring, but this is a pseudo featuring. The program just grab everything by searching the words. The developer constantly asks you to give him the names of the programs that went wrong so that he can manually fix his failures via exceptions. This program is fake. He never described when the snapshots are taken and when ended, before and after install. The only featuring is scanning for installed programs. There is no any progressbar about snapshots. Scanning changes are actually scan for installed programs. As I said before, during the monitoring I installed third part software and his program never detected the changes from this additional software.
 

jv16

From Macecraft Software
Thread author
Verified
Developer
Jan 2, 2023
70
The Uninstalr is a dangerous program. I recommend everyone not to use it as it is a harmful program.

While it is true there are some accuracy related issues in the current official version, I think it's also important to point out that there has not been a single confirmed case as far as I know, where the program deleted something incorrectly without first confirming that with the user. Users are recommended to verify what they are about to remove before proceeding with the uninstallation. That is the very reason why the program lists everything it is about to remove, before anything is removed.

Developer say something about monitoring, but this is a pseudo featuring.

The only thing I have said about monitoring is that Uninstalr contains a software installation monitor feature, that one can use but using that feature is not required for the program to work. The only reason I added the feature because some people seem to like that kind of thing.


The developer constantly asks you to give him the names of the programs that went wrong so that he can manually fix his failures via exceptions.

I have asked people to let me know if they have noticed any software's data to be analyzed or detected incorrectly by Uninstalr. I have asked this, so I can test the program with these software to ensure this type of issues will not happen with next versions.


This program is fake. He never described when the snapshots are taken and when ended, before and after install. The only featuring is scanning for installed programs. There is no any progressbar about snapshots. Scanning changes are actually scan for installed programs. As I said before, during the monitoring I installed third part software and his program never detected the changes from this additional software.

I don't understand what you are trying say. I have described when snapshots are taken: When you start the new software installation monitor feature. That is when the program takes a snapshot and then continues to compare the current system state against the snapshot.
 
Last edited:

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,432
I would personal use/test this software in a heartbeat, if I had the time and extra since it got more than a good enough basic zero problem assessment from a genuine professional malware analyst here:

 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top