The Heuristic Approach to Installer Detection
According to Raymond Chen, a long-time Microsoft engineer and historian of the Windows platform, Windows 95 employed a surprisingly simple method to identify setup programs. Rather than using sophisticated detection software, the operating system relied on a hard-coded list of keywords found in executable filenames.
If a file name contained terms such as “setup,” “install,” or “inst,” the OS would flag the program as an installer. This triggered a specific internal routine designed to monitor and repair system files that were frequently corrupted or overwritten during the installation process.
The List of Keywords
The system tracked a total of six primary terms to identify an installation routine:
- setup
- install
- inst
- imposta (Italian)
- ayarla (Turkish)
- felrak (Hungarian)
Chen noted that some entries were redundant, and he admitted that the non-English terms were his own additions, intended to provide broader coverage for international users. If a file's name did not trigger a match, Windows 95 performed a secondary check to see if the word “Setup” appeared anywhere within the file path.
Protecting Against Damaged System Files
This detection mechanism served as a crucial safety net. During the mid-90s, many installers were notorious for disregarding Microsoft’s guidelines, often overwriting newer Windows 95 system files with outdated versions from Windows 3.1. This practice frequently caused critical errors for other applications that depended on updated DLLs.
To combat this, Windows 95 maintained a hidden directory at C:\Windows\SYSBCKUP containing backup copies of essential files. The OS would monitor the installation process, and once finished, it would compare the state of the system against these backups. If it detected that an installer had downgraded a system file, it would automatically restore the correct, updated version.
Evolution of System File Protection
This rudimentary detection system faced limitations; it could be fooled by programs with non-standard names or triggered unnecessarily by apps with names like “instant.exe.” Furthermore, because some installers required a reboot to swap locked files, the OS often deferred these checks until the next time the computer started.
The reliance on filename guessing was eventually retired with the release of Windows 2000, which introduced a more robust Windows File Protection system. This newer architecture utilized file-change notifications and a dedicated system cache to ensure integrity. Today's modern Windows 11 utility, sfc /scannow, is a direct descendant of these early efforts to secure the operating system, though it has long since moved past the era of simply scanning for the word “setup.”
