Windows 95 identified installer programs by guessing from filenames and paths, using simple heuristics to protect critical system files.
We have covered Windows 95 a lot in the recent past. This includes details about how Microsoft managed to bundle all the "fun" stuff on its CD, the methods that the operating system employed to block installers from downgrading critical system components, a mechanism that allowed a Windows 95 PC to restart a lot faster, and more. Now, we have another historical tidbit to share regarding the OS.
According to Microsoft veteran Raymond Chen, while Windows 95 already had the ability to block buggy external installers from downgrading system components, an associated challenge was figuring out how to detect that an installer or a setup file was running.
To work around this problem, Microsoft leveraged a rather basic heuristics-based mechanism, which involved "guessing" that the name of a file belongs to an installer. The idea was that if the words "setup", "installer", and "inst" appear in the program that is currently executing, it is likely an installer file. There were other variations of this word for other languages too, such as "imposta", "ayarla", and "felrak".
If the program didn't have the aforementioned words in its name, Windows 95 would rely on a fallback mechanism where it would check if the word "setup" is present in the path leading to the executable. The rationale was the same: a setup file likely has an explicit identifier to indicate that it's an identifier.
Chen further stated that:
In the above two cases, the file check is delayed until the next start, because some setup programs will realize that the file is in use and cannot be replaced, so they use ExitWindowsExec to exit Windows back to MS-DOS, run a batch file, and then start Windows back up. We have to wait until the restart of Windows to catch any files that were improperly modified by the batch file.
However, Windows 95 did perform a live file check in case of multimedia driver installs through INF files, as the team managing that likely received a special pass.
It's rather interesting that Windows 95 leveraged such basic tricks and mechanisms to detect setup files. You can bet that modern operating systems like Windows 11 employ more advanced methodologies given how much more sophisticated and evolved the threat landscape has become in the past years.
Hope you enjoyed this news post. Feedback welcome.
Posted Wednesday 8 July 2026 at 6:24 pm AEST (my time).
News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of June) 2,475
- Mutton, EnglishLionheart and phen0men4
-
3
Recommended Comments
There are no comments to display.
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.