Freeware Catalog

Freeware Analysis tools []

Screenshots
Selection of Security Analysis tools snapshots:
(Click to enlarge)
AutoRunsforWindows

AutoRuns for Windows

Autostartexplorer

AutoStart Explorer

A-squaredhijackfree

a-squared HiJackFree

Autostartviewer

DiamondCs Autostart Viewer

Runalyzer

RunAlyzer

Runscanner

RunScanner

Hijackthistrend

TrendMicro™ HijackThis™ (includes StartupList)

This is more of a general catch all category for security tools. Most of them are used as diagnostic tools by knowledgeable users to check the overall health of the system.


Autostart and other listers []

This class of software enumerates registry entries, startup folders,system files and other sensitive system areas that are often modified by malware -also sometimes called hijack points. Technically while autostart entries are by definition common hijack points for malware (malware needs to find some way to start), tools used for inspecting the machine for malware might look at other areas that do not really count as autostart entries (e.g. Host files).

You can see some of this distinction in some of the earlier and simpler autostart control utilities (see "basic") which monitor only well known and common registry areas and nothing else. They are more commonly used to remove safe but irritating entries added by legitimate programs that want to autostart with your computer rather than for malware inspection.


Basic []

  1. Application Paths 2000 - http://www.gregorybraun.com/AppPaths.html
  2. Autostart and Process Viewer (APV) - http://www.konradp.com/products/autostart-and-process-viewer/
  3. CodeStuff Starter - http://members.lycos.co. uk/codestuff/ (down July 07?) - alternative download align=center
  4. Cyberlion Startup Optimizer - http://cyberlion.info/index.htm
  5. Deskanker - http://www.clearidea.us/deskanker/
  6. DoWinStartup - http://www.freewarepages.com/download.php?aid=348 (down July 07)
  7. FreeFixer - http://www.freefixer.com/download.html
  8. MiTeC Startup Explorer 2.0 - http://www.mitec.cz/systools.htm (down July 07), alternative downlosad
  9. Msconfig - http://www.3feetunder.com/krick/startup/ align=center
  10. Quick Startup - http://www.glarysoft.com/quick-startup/
  11. SilentNight Startup Manager - http://www.silentnight2004.com/freeware.html
  12. StartDreck - http://www.niksoft.at/download/startdreck.htm
  13. Startup Control Panel - http://www.mlin.net/StartupCPL.shtml
  14. Startup Manager - http://www.pc-magazin.de/common/dtt/download.php?areaid=59&fileid=1487&PHPSESSID=8040f2ed3267eba3443210c88ce561d6
  15. StartupRun - http://www.nirsoft.net/utils/strun.html
  16. Startup Application Manager - http://homepages.paradise.net.nz/amorgan1/index.htm
  17. Startup Inspector - http://www.windowsstartup.com/startupinspector.php
  18. SIW System Information Windows - http://www.gtopala.com
    • with this tools you can track three important thread within your PC which are basicly like Software, Hardware and Network within attache onto your PC- System Information Windows

Advanced []

  1. Vista AutoRuns - http://www.microsoft.com/technet/sysinternals/utilities/Autoruns.mspx align=center
  2. Autostart Explorer - http://www.misec.net/products/autostartexplorer/
  3. Autostart Viewer - http://www.diamondcs.com.au/index.php?page=asviewer (down?), alternative download
  4. Vista a-squared HiJackFree - http://www.hijackfree.com/en/ align=center New
  5. Vista HijackThis! http://www.spywareinfo.com/~merijn/programs.php#hijackthis ,Trend Micro version align=center New
  6. Vista RunAlyzer (betaware) - http://spybot.safer-networking.de/en/runalyzer/index.html
  7. RegRun Light - http://www.greatis.com/regrun.htm
  8. Vista RunScanner - http://www.runscanner.net/ align=center RecommendedNew
  9. Vista Silent Runners - http://www.silentrunners.org/ align=center
  10. SpyHolesList - http://www.greatis.com/security/spyholeslist.htm
  11. StartupList v2 - http://www.spywareinfo.com/~merijn/programs.php#startuplist align=center
  12. StartupList v1 - http://www.castlecops.com/downloads-file-516-details-StartupList.html
  13. SystemScan - http://www.suspectfile.com/systemscan_guide.php New
  14. Download keylogger - https://descargar-keylogger.com/
  15. WinPFind - http://download.bleepingcomputer.com/oldtimer/winpfind.exe
  16. See also Process listers below and various Lists of freeware behavior blockers, Lists of freeware antirootkit and Lists of freeware antispyware that list registry entries.


Among the more advanced utilties, HijackThis! is by far the most popular and used throughout the net on forums as a diagnosis aid to remove malware. There are however 2 major versions in use, the original 1.99.1 version and versions after 2.0 after it was sold to Trend Micro. Both are freeware.


Another tool is Silent Runners which is just a simple script to check various hijack points. Other utilities that are still in development includes a-squared HiJackFree, RunAlyzer by Spybot, RunScanner and Sysinternals autoruns .

These tools have many advanced features and typically check not just common autostart entries but also obscure seldom used areas which are exploited almost solely by malware only. Decision making analysis is made easier by filtering out signed entries (microsoft or not), automated checks with online/offline database of safe/dangerous entries, as well as allowing unusual entries to be easily googled. Some like RunScanner go beyond merely listing autostart entries but also provide process enumeration, and multiple process termination methods even though strictly speaking this is not really the province of such tools. However such features are usually handy to have.

Note :There are however a very large number of "hijack points" , see for example Tony Klein's autostart list and Grime's Where malware hides

Lists of autostart locations []

  1. Roger Grimes's Where Malware hides - http://weblog.infoworld.com/securityadviser/archives/2006/05/updated_where_w.html
  2. Silent Runner's Launch point - http://www.silentrunners.org/sr_launchpoints.html
  3. Tony Klein's list at Gladiator forum - http://gladiator-antivirus.com/forum/index.php?showtopic=24610
  4. Greatis's Startup order list - http://www.greatis.com/security/startuporder.htm#9X
  5. Comparison of autostart locations of registry monitors - http://www.wilderssecurity.com/showthread.php?t=32823 - outdated
  6. R2 comparison - http://www.dslreports.com/forum/remark,6721512~days=9999~start=80 plus origin discussion http://www.dslreports.com/forum/remark,6686853~root=security,1~mode=flat


Process Listers []

  1. Vista Process Revealer - http://www.logixoft.com/process-revealer-free-edition.html align=center
  2. Another Task Manager - http://www.betasoluzioni.com/users/atm/higheng.html
  3. Advanced Process Manipulation - http://www.diamondcs.com.au/index.php?page=apm (down July 07), Alternative download
  4. CurrProcess - http://www.nirsoft.net/utils/cprocess.html
  5. Prcview - http://www.teamcti.com/pview/prcview.htm
  6. Vista Process Explorer - http://www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx align=center
  7. Process Patrol - http://www.majorgeeks.com/Process_Patrol_d4409.html
  8. Process Scanner - http://www.processlibrary.com/processscan/
  9. myProcMan - http://www.trsecurity.net/myprocman/
  10. ProcX - http://www.ghostsecurity.com/procx/ align=center
  11. Security Process Explorer - http://www.glarysoft.com/spe.html New
  12. Vista Sysinternals Process Monitor - http://www.microsoft.com/technet/sysinternals/FileAndDisk/processmonitor.mspx
  13. TaskMan+ - http://www.diamondcs.com.au/index.php?page=taskman (down July 07), alternative download
  14. What's Running - http://www.whatsrunning.net/whatsrunning/main.aspx
  15. Window Watcher - http://www.karenware.com/powertools/ptwinwatch.asp
  16. See also Lists of freeware antirootkit like Icesword and GMER


The built-in task manager in Windows is largely acknowledged to be inadequate for everyday use, much less for power users using it for analysis purposes. Fortunately, there are many capable replacements that can take the place of task manager. They typically provide more information, particularly a column including full paths of the processes. Some like ProcX are light weight enough to replace task manager. Perhaps the big brother of them all is formerly sysinternal's Process Explorer which provides pretty much every information and feature you might desire. However it might not be suitable for everyday use because of information overload. The ultimate real time analysis tool would probably be provided by combining it with Process Monitor by the same company, it combines Filemon and Regmon that shows real-time file system, Registry and process/thread activity.


Unfortunately, many rootkits are able to evade from even such advanced tools (though a keen eyed analyst might spot discrepancies that give the game away). This is where many anti-rootkits such as IceSword , DarkSpy, GMER, Rootkit Unhooker (see Lists of freeware antirootkit) come in. They also provide a task manager like function, but have a better chance of getting past rootkit shielded defenses to display even hidden processes. Some will even indicate which processes are being hidden by rootkits. Similarly many provide autostart listings, port mapping functions etc.

File analyzer/ API Monitors []

  1. Vista FileAlyzer - http://www.safer-networking.org/en/filealyzer/index.html
  2. MANDIANT Red Curtain - http://www.mandiant.com/mrc
  3. Spy Studio - http://www.nektra.com/products/spystudio/


Allows advanced users to study files. MANDIANT Red Curtain looks at six categories of information to calculate a threat score including entropy , digital signatures , existence of specific packers. In addition, the tool identifies executable files that appear to have been modified, files with an excessive amount of imports and those with various combinations of permissions that indicate whether they can be read, written or contain executable code.


File/registry logging []

  1. FileMon (legacy support for Win98) - http://www.microsoft.com/technet/sysinternals/utilities/filemon.mspx
  2. RegMon (legacy support for Win98) - http://www.microsoft.com/technet/sysinternals/utilities/regmon.mspx
  3. Vista Sysinternals Process Monitor - http://www.microsoft.com/technet/sysinternals/FileAndDisk/processmonitor.mspx


Use these tools to monitor in real time file and registry changes made by processes.

Port Mappers []

  1. Active Ports - http://www.protect-me.com/freeware.html
  2. Vista CurrPorts - http://www.nirsoft.net/utils/cports.html
  3. OpenPorts (DiamondCS) - http://www.diamondcs.com.au/openports/ align=center (down July 07) alternative download
  4. Open Ports - http://www.jasons-toolbox.com/programs.asp?Program=Open%20Ports
  5. Vista TCPView - http://www.microsoft.com/technet/sysinternals/Networking/TcpView.mspx align=center
  6. See also Lists of freeware antirootkit like Icesword.


There are tools that improve on the build-in Net-Stat function by providing real time monitoring of ports on your system. They also map processes to ports so you can see what processes are sending packets on what ports. Many but not all firewalls also provide similar functions for information purposes.

Port scanners []

  1. Blue's Port Scanner - http://www.bluebitter.de/portscn2.htm
  2. Fport - http://www.foundstone.com/us/resources/proddesc/fport.htm
  3. Nessus - http://www.nessus.org/
  4. Nmap - http://insecure.org/nmap/index.html align=center
  5. SuperScan v4.0 - http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/freetools.htm (down July 07)
  6. YAPS - http://www.steelbytes.com/?mid=19
  7. Windows UDP Port Scanner - http://ntsecurity.nu/toolbox/wups/


It is a mistake to assume that automated port scans like ShieldsUp! is all you need to do to test your defenses. Ideally a manual port scan using a tool like Nmap provides better security.

ARP watch []

  1. AdapterWatch - http://www.nirsoft.net/utils/awatch.html
  2. Winarpwatch - http://sid.rstack.org/arp-sk/
  3. XArp - http://www.chrismc.de/#


Defenses against ARPspoofing.


Packet Sniffer []

  1. PacketMon - http://www.analogx.com/contents/download/network/pmon.htm
  2. Vista Wireshark - http://www.wireshark.org/ align=center
  3. Vista WinDump - http://www.winpcap.org/windump/

NTFS Ads scanner []

  1. Ads Spy - http://www.merijn.org/programs.php#adsspy
  2. Crucial ADS - http://crucialsecurity.com/products/index.html (only available via email request)
  3. Vista LADS - http://www.heysoft.de/nt/ep-lads.htm
  4. NTFS Streams Eraser - http://www.excessive-software.eu.tt/
  5. Streams v1.53 - http://www.microsoft.com/technet/sysinternals/utilities/Streams.mspx


Search your computer for Alternative Data Streams (ADS). Some antivirus and antispyware already do this, but not all.

Processkiller & file unlocker []

  1. Advanced Process Termination - http://www.diamondcs.com.au/index.php?page=apt (down July 07) alternative download
  2. Vista FileASSASSIN - http://www.malwarebytes.org/fileassassin.php
  3. KillBox - http://www.bleepingcomputer.com/files/killbox.php
  4. Simple process termination - http://www.syssafety.com/leaktests.html
  5. Vista Unlocker - http://ccollomb.free.fr/unlocker/ align=center


Many malware process are extremely difficult to kill , the tools in this category, use various different methods to terminate processes, and/or delete locked files. Many anti-rootkits such as IceSword (see Lists of freeware antirootkit), are also capable of killing normally unkillable processes due to access to kernel.

ActiveX/BHO/Toolbar/LSP listers (obsolete with XP SP 2) []

  1. ActiveXHelper - http://www.nirsoft.net/utils/axhelper.html
  2. Active XCavator v2.0 - http://www.cognitronix.com/index.html#A1
  3. BHOCaptor - http://www.snapfiles.com/get/bho.html
  4. BHODemon - http://www.definitivesolutions.com/bhodemon.htm
  5. BHOlist - http://www.spywareinfo.com/~merijn/programs.php#bholist
  6. ToolbarCop - http://windowsxp.mvps.org/toolbarcop.htm


These group of tools are used to manage toolbars, BHOS, ActiveX controls in internet explorer. Somewhat obsolete today, since Internet Explorer provides built in methods to do the same. Moreover, many startup listers, antispyware tools list or monitor these entries as well.


URL discomboulator []

  1. Vista URL Discombobulator v1.9 - http://www.karenware.com/powertools/ptlookup.asp

Driver and dll related []

  1. ListDrivers - http://ntsecurity.nu/toolbox/listdrivers/
  2. Loadorder - http://ccollomb.free.fr/unlocker/
  3. ServiWin Services/Drivers Manager - http://www.nirsoft.net/utils/serviwin.html
  4. See also Lists of freeware antirootkit like Icesword and GMER


Listing of files shares []

  1. ShareEnum v1.6 - http://www.microsoft.com/technet/sysinternals/Networking/ShareEnum.mspx
  2. SHAREMON - http://members.fortunecity.com/sektorsecurity/projects/sharemon.html


End user license agreements (EULAs)Analyzer []

  1. EULAlyzer - http://www.javacoolsoftware.com/eulalyzer.html
  2. EULA Analyzer (browser based service/beta) - http://www.spywareguide.com/analyze/index.php


Cut and paste EULAs into the program and it will highlight suspicious phrases.

Listing of dangerous sites []

  1. Badware.org - http://stopbadware.org/ (no plugin just listing)
  2. VistaFinjan SecureBrowsing - http://securebrowsing.finjan.com/index.html
  3. Vista Haute Secure (betaware)- http://www.hautesecure.com/howitworks.aspx (Includes elements of HIPS with sandboxing and behavior analysis).
  4. VistaLinkscanner (free software available also for Internet explorer and firefox) - http://linkscanner.explabs.com/linkscanner/default.asp
  5. Robot Genius RGguard - http://www.robotgenius.net/technology/rgguard.jsp New
  6. VistaScandoo - http://www.scandoo.com/config.do
  7. VistaSiteadvisor (available via firefox extension) - http://www.siteadvisor.com/
  8. VistaSitehound - http://www.firetrust.com/firetrustsitehound.html
  9. TrendProtect™ Beta Overview - TrendProtect™ Beta Overview - http://www.trendsecure.com/portal/en-US/free_security_tools/trendprotect.php
  10. Vista Web Security Guard - http://www.websecurityguard.com/
  11. See also Lists_of_freeware_antiphishing


Tools in these categories are typically browser addons (for both Internet explorer and Firefox).Somewhat related to anti-phishing tools, they typically overlay searches results from common search engines (e.g google, yahoo)with information about how trustworthy or dangerous the site is, allowing the user to be forewarned before clicking the link. In addition, most will also prompt a warning if you enter a url that the tool considers dangerous (not available for the freeware versions for some).

Note, each tool has slightly different definitions of what counts as dangerous or untrustworthy and targets slightly different class of threats. They include


(1) Websites that offer spyware and other malware exeutables for download - most common (Siteadvisor, RGguard) (2) Websites that use exploits (Linkscanner) (3) Websites that are phishing (Most in this list don't, see anti-phishing tools) (4) Websites that provide fraudulent services (Sitehound claims to warn about "Misleading or False Advertising")

There are several ways used to determine whether a site is bad, some scan the code on the page dynamically -real time analysis (Finjan SecureBrowsing) , others rely on prescanned results (Siteadvisor), others rely on other measures of trustworthiness -so called reputation systems (TrendProtect), yet others supplement all this with community analysis, where human users provide feedback and comments on the ratings provided.

Listing of file hashes/names/processes/startups/CSLIDS []

  1. Castlecops list - http://hashes.castlecops.com/ Note: Castlecops has other CastleCops#Research_Databases align=center
  2. FileAdvisor -http://fileadvisor.bit9.com/services/search.aspx - FileAdvisor client utility available
  3. Hijackthis.de - http://filedb.hijackthis.eu/
  4. Prevx1 - http://fileinfo.prevx.com/filesearch.asp
  5. ProcessLibrary - http://www.processlibrary.com/about/
  6. Runscanner list - http://www.runscanner.net/listMD5.aspx
  7. Spyandseek - http://www.spyandseek.com/
  8. NSRL list - http://www.nsrl.nist.gov/Downloads.htm
  9. Sysinfo.org - http://sysinfo.org/


Installation monitors []

  1. FileMap by BB (file only) - http://www.dogkennels.net/filemap/
  2. InCtrl5 - http://www.devhood.com/tools/tool_details.aspx?tool_id=432align=center
  3. Installspy - http://www.2brightsparks.com/freeware/
  4. Installwatch - http://www.epsilonsquared.com/
  5. Look@win - http://digilander.libero.it/zancart/lookwin.html
  6. Total uninstaller - http://www.aplusfreeware.com/categories/util/uninst.htmlalign=center
  7. ZSoft Uninstaller - http://www.zsoft.dk/ alternative download align=center
  8. See also Lists of freeware virtualization


Tools that monitor software installs, by comparing the differences between a pre-install and post install states of the folders and registry. The idea here is that many uninstallers don't do a good job of removing every trace, hence the use of these installation monitors.


Scriptdecoder []

  1. VBScript Decoder - http://shockley.net/apps.asp


Patch checker []

  1. Secunia Software Inspector - http://secunia.com/software_inspector align=center
  2. Secunia Personal Software Inspector (betaware) - https://psi.secunia.com/ align=center
  3. Microsoft Baseline Security Analyzer (MBSA) - http://www.microsoft.com/technet/security/tools/mbsahome.mspx


Microsoft Baseline Security Analyzer (MBSA) only checks for Microsoft related patches. Secunia Software Inspector is an online service that checks not just Microsoft related software for security patches but also many other common applications like Firefox, Opera, Java, Flash and media players, IM clients, see list. etc. Secunia Personal Software Inspector runs locally on your computer like MBSA, but checks a much larger list of applications than the other two.


Other mass software updater checker []

  1. Appsnap - http://appsnap.genotrance.com/
  2. Vista File Hippo Update Checker - http://www.filehippo.com/updatechecker/ align=center


Scans your hard-disk for applications and checks them with an online database. Informs you which ones has newer updates available. These updates don't always contain security updates but might add features , fix other bugs etc.



This article is part of the Lists of Freeware Security Software: Malware Control series.

Freeware Anti-Viruses | Freeware Anti-Spyware | Freeware Anti-Trojans | Freeware Anti-Keyloggers | Freeware Anti-Rootkits | Freeware Firewalls | Freeware Behavior blockers | Freeware Sandboxes | Freeware Virtualization | Freeware Security analysis tools | Freeware Hardening tools | Freeware Blocklists | Freeware security services (excluding virus scanners) | Freeware Anti-Phishing | List of portable tools | List of unclassified tools

Related : Lists of online scanners