Credits to Sirmabus
HS hidden tracking stuff I've located:
This is not 100% thorough, mind you (what is a good sandbox, or system-wide delta compare software?); could be missing something someplace.
Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\HsUser_?????
I.e. "HsUser_PPk4Jp3IzgJ". The key is actually the value, rather than the reg value itself. Obviously some kind of hash/encoding (humm, 88 bits?).
Code:
C:\WINDOWS\system32\HsInfo.dat
Your "system" directory may vary; they use "GetSystemDirectory()" instead of a hard-coded path. Some small encrypted data (appears to be AES), set with the "hidden" file attribute. Do you really care what's in it? Maybe interesting, but I will just delete it.
It appears the registry entry and file are created once as part of their "CreateNewUser" stuff. I suppose the concept is similar to a GUID.
For your own handler/bypass on initialize it should probably delete these every time, along with the log files (enumerate the target directory tree for "Hs*.log").
This is of concern obviously. I'm not 100% certain about HS, but with GameGuard for sure, they have tracking where they will store flags if hacks are detected. These might end up in log files that are sent back via FTP.
AhnLab has an FTP log file dump server:
Shouldn't be too much of a surprise, GameGuard does too, as well as a lot of games and other software (via FTP, HTTP, or POP3/email) internally, separately.
Although it looks like HS is nice enough to ask you for permission first to send logs (specifically, to a server in Korea), they could as easily send them hidden in the background.
Look for "FtpOpenFileA" and "InternetOpenA" imports, should be obvious what to do here.
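
A read-only inventory of the artifacts listed in the post above, added here as an example; it is not from the original post or from any vendor tool. The `$LogRoot` parameter, the `Add-Finding` helper, and the extra SysWOW64 check are assumptions made for illustration.

```powershell
# Read-only inventory of the artifacts named in the post; nothing is modified.
param(
    # Assumption: tree to search for Hs*.log (the post names no directory).
    [string]$LogRoot = (Get-Location).Path
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Type, $Location, $Detail) {   # hypothetical helper
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
}

# 1. "HsUser_*" entries under SpecialAccounts\UserList.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
if (Test-Path -LiteralPath $keyPath) {
    $key = Get-Item -LiteralPath $keyPath
    # The identifier is carried in the name, so check value names and subkey names.
    foreach ($name in @($key.GetValueNames()) + @($key.GetSubKeyNames())) {
        if ($name -like 'HsUser_*') {
            Add-Finding 'Registry' "$keyPath\$name" "suffix: $($name.Length - 7) chars"
        }
    }
}

# 2. HsInfo.dat in the system directory.
# Assumption: SysWOW64 is also checked, because file-system redirection sends a
# 32-bit process's system32 writes there on 64-bit Windows.
$sysDirs = @([Environment]::SystemDirectory, (Join-Path $env:windir 'SysWOW64')) |
    Select-Object -Unique
foreach ($dir in $sysDirs) {
    $path = Join-Path $dir 'HsInfo.dat'
    if (Test-Path -LiteralPath $path) {
        $file = Get-Item -LiteralPath $path -Force   # -Force is needed for hidden files
        $hidden = [bool]($file.Attributes -band [IO.FileAttributes]::Hidden)
        Add-Finding 'File' $file.FullName "$($file.Length) bytes, hidden=$hidden"
    }
}

# 3. Hs*.log files anywhere under the chosen directory tree.
Get-ChildItem -LiteralPath $LogRoot -Filter 'Hs*.log' -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Log' $_.FullName "$($_.Length) bytes, modified $($_.LastWriteTime)" }

$findings | Format-Table -AutoSize -Wrap
```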