From: John Corliss on 8 Apr 2010 06:18

I want to be able to see hidden (and if necessary, delete) entries in the Registry. These entries can be:

1. anything over 256 characters in length
2. anything with a "/0" (a "null" character) in its name.

RegEdit and RegEdit32 use the Windows API to view the Registry and because of this, won't show such portions. So I've been using the free version of TrashReg AKA "Registry Trash Keys Finder", which *does* use the Native API:

http://www.databack4u.com/snc/rtkf_eng.html

to show such hidden keys:

http://en.wikipedia.org/wiki/Native_API

For each entry that it finds, TrashReg provides the last modification date of the key and information about it:

Location in the registry
DisplayName
Publisher
InstallLocation
DisplayVersion

The program won't allow you to delete or show you information about certain keys which it detects unless you pay for the "Full Version" though, and IMO this renders the program crippled in many instances. You can still use what little info it gives about the entry to chase it down in most instances.

I've also been pointed to a command line program named "RegDump":

http://www.codeproject.com/KB/recipes/RegistryDumper.aspx

The author says, "It's perfect to just dump the hives before and after software installation and just compare changes with text diff (for example commandline version from UnixUtils is great)."

However I tried the program and, forgive my density, I couldn't figure out a way to print the output to text files so that I could run that comparison. I even posted something on the site by the way (scroll down to the "Message Board" portion of the page) asking how to do this. Maybe one of you knows the answer?

Then there's this discussion about removing hidden Registry entries:

http://forum.sysinternals.com/removing-hidden-registry-entries_topic399.html

In the very last post to that discussion, Registry Explorer is mentioned:

http://www.regxplor.com

The program download links at that website give an "Ooooops - We didn't find what you are looking for" message. You can, however, download the .dll only version.

I found a download link for the full program at Major Geeks though:

http://majorgeeks.com/Registry_Explorer_d1909.html

Not absolutely sure that Registry Explorer uses the Native API to view the Registry, but it's worth a look I guess.

Note that Virustotal says that Symantec rates it a "Suspicious.Insight" detection:

http://www.symantec.com/security_response/writeup.jsp?docid=2010-021223-0550-99

Who cares.

--
John Corliss BS206. I block all Google Groups posts due to Googlespam, and as many posts from anonymous remailers (like x-privat.org for eg.) as possible due to forgeries posted through them. No ad, CD, commercial, cripple, demo, nag, share, spy, time-limited, trial or web wares OR warez for me, please. Adobe Flash sucks, DivX rules.
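The "dump the hives before and after installation, then diff" workflow RegDump's author describes can be done without a text dump at all. The script below is an added example written for this thread, not RegDump's code or any other tool mentioned here: it snapshots a registry subtree with Python's winreg module (which goes through the Win32 API, so it will not see the hidden names the thread is about), takes a second snapshot after the install, and compares the two in memory. The default subtree under HKEY_LOCAL_MACHINE and the change-report format are this example's own choices.

```python
"""Before/after registry snapshot and comparison.

Added example for this thread; not RegDump's code.  snapshot() needs Windows
(winreg), but diff_snapshots() and report() are pure Python and work on the
dict shape documented below, so the comparison logic can be tested anywhere.
"""
import sys

try:
    import winreg                      # Windows only; absent elsewhere
except ImportError:
    winreg = None


def snapshot(root, subkey):
    """Return {key_path: {value_name: (reg_type, data)}} for root\\subkey and
    every key beneath it.  Keys that cannot be opened (access denied, or
    removed while we walk) are skipped rather than aborting the snapshot."""
    if winreg is None:
        raise OSError("snapshot() needs the winreg module, i.e. Windows")
    result = {}

    def walk(path):
        try:
            key = winreg.OpenKey(root, path)
        except OSError:
            return
        with key:
            num_subkeys, num_values, _last_write = winreg.QueryInfoKey(key)
            values = {}
            for i in range(num_values):
                name, data, reg_type = winreg.EnumValue(key, i)
                values[name] = (reg_type, data)
            result[path] = values
            for i in range(num_subkeys):
                walk(path + "\\" + winreg.EnumKey(key, i))

    walk(subkey)
    return result


def diff_snapshots(before, after):
    """Compare two snapshot dicts.  value_changes holds
    (key_path, value_name, old, new) with None meaning 'absent'."""
    added_keys = sorted(set(after) - set(before))
    removed_keys = sorted(set(before) - set(after))
    value_changes = []
    for path in sorted(set(before) & set(after)):
        old, new = before[path], after[path]
        for name in sorted(set(old) | set(new)):
            if old.get(name) != new.get(name):
                value_changes.append((path, name, old.get(name), new.get(name)))
    return {"added_keys": added_keys,
            "removed_keys": removed_keys,
            "value_changes": value_changes}


def report(changes):
    """Render a diff as lines: '+' added key, '-' removed key, '~' changed value."""
    lines = [f"+ {k}" for k in changes["added_keys"]]
    lines += [f"- {k}" for k in changes["removed_keys"]]
    for path, name, old, new in changes["value_changes"]:
        lines.append(f"~ {path} [{name}]: {old} -> {new}")
    return lines


if __name__ == "__main__":
    # Example subtree; pass another HKLM-relative path as the first argument.
    path = sys.argv[1] if len(sys.argv) > 1 else r"Software\Microsoft\Windows\CurrentVersion"
    before = snapshot(winreg.HKEY_LOCAL_MACHINE, path)
    input("Snapshot taken. Run the installer, then press Enter to compare... ")
    after = snapshot(winreg.HKEY_LOCAL_MACHINE, path)
    for line in report(diff_snapshots(before, after)):
        print(line)
```

Run it once before the installer and it prompts for the second snapshot; the output lists keys that appeared or vanished and every value whose type or data changed, which is the same information a text diff of two dumps gives, minus the file handling.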
From: John Corliss on 8 Apr 2010 07:52

John Corliss wrote:
> I want to be able to see hidden (and if necessary, delete) entries in
> the Registry. These entries can be:
>
> 1. anything over 256 characters in length
> 2. anything with a "/0" (a "null" character) in its name.
>
> RegEdit and RegEdit32 use the Windows API to view the Registry and
> because of this, won't show such portions.

(clipped)

>
> http://www.regxplor.com
>
> The program download links at that website give an "Ooooops - We didn't
> find what you are looking for" message. You can, however, download the
> .dll only version.
>
> I found a download link for the full program at Major Geeks though:
>
> http://majorgeeks.com/Registry_Explorer_d1909.html
>
> Not absolutely sure that Registry Explorer uses the Native API to view
> the Registry, but it's worth a look I guess.

Okay, I looked. I installed the ".dll only" version following the directions given at the site. Although an icon appeared on my desktop as described, double-clicking on it made the desktop shortcuts and taskbar disappear briefly and then reappear. Other than that, nothing occurred. I unregistered the .dll file and rebooted.

Next I tried the full install version of Registry Explorer 1.4.4. It works as described, but searching for something (in this case I was looking for all instances of the word "Armadillo") in the registry takes forever. I stopped the search, it was taking so long. This caused Windows Explorer to crash and restart. I still have the program installed because I can still look at the Registry as long as I don't do a search, but I'm giving serious consideration to uninstalling the program at this point.

Guess I'll keep looking for a program that does what I need.

--
John Corliss BS206. I block all Google Groups posts due to Googlespam, and as many posts from anonymous remailers (like x-privat.org for eg.) as possible due to forgeries posted through them. No ad, CD, commercial, cripple, demo, nag, share, spy, time-limited, trial or web wares OR warez for me, please. Adobe Flash sucks, DivX rules.
From: charles on 8 Apr 2010 13:09

On Thu, 08 Apr 2010 03:18:28 -0700, John Corliss <q34wsk20(a)yahoo.com> wrote:

>I want to be able to see hidden (and if necessary, delete) entries in
>the Registry. These entries can be:
>
>1. anything over 256 characters in length
>2. anything with a "/0" (a "null" character) in its name.
>

1 - Nirsoft's regscanner.exe has an option to display data with a length range in bytes.

2 - Sysinternal's RegDelNull.exe program deletes registry keys per your above spec.

That should do it without a lot of complication.
From: za kAT on 8 Apr 2010 13:32

On Thu, 08 Apr 2010 03:18:28 -0700, John Corliss wrote:

<snip>

I just tried with regscanner

http://www.nirsoft.net/utils/regscanner.html

You can set byte size. I set 256 to 65535, and find any item. 10,000 finds later... Default max which can be changed. Really quick actually.

Seems on Vista anyhow > 256 bytes is quite common. Good luck looking through that lot :)

--
zakAT(a)pooh.the.cat - www.zakATsKopterChat.com
From: VanguardLH on 8 Apr 2010 14:01

charles wrote:

> On Thu, 08 Apr 2010 03:18:28 -0700, John Corliss <q34wsk20(a)yahoo.com>
> wrote:
>
>>I want to be able to see hidden (and if necessary, delete) entries in
>>the Registry. These entries can be:
>>
>>1. anything over 256 characters in length
>>2. anything with a "/0" (a "null" character) in its name.
>>
>
> 1 - Nirsoft's regscanner.exe has an option to display data with a length
> range in bytes.
>
> 2 - Sysinternal's RegDelNull.exe program deletes registry keys per your
> above spec.
>
> That should do it without a lot of complication.

I already had Nirsoft RegScanner installed but never bothered to use the size range. I did a test where I specified a range of 250 to 999999999 bytes (I didn't know what else to specify for an undefined upper range so I used a value that far exceeded the total size of my registry). It found 3112 items in that size range.

Corliss claimed that regedit.exe would not display such overly long items (these are registry keys with data items whose values are usually binary and very long). In the normal left/right pane view (registry keys in left pane, data items and their values in the right pane), expanding the data value field (by dragging its rightside handle repeatedly to the right) resulted in seeing a "<somelonglistofbytes>...". That is, eventually the increase in the value field's size would not show more of the value but the display of it got truncated with "..." to show there was more. However, that is simply a limit in how much the *preview* pane will show you. You can double-click on the overly long data item to load it in its own hex/text viewer window.

Here are some registry keys under which the data items exceeded 256 characters in length but which were still completely visible if you viewed the data item in its own hex/text view window:

HKEY_CURRENT_USER\Control Panel\Appearance\Schemes
(712 bytes long for each data item under this key)

HKEY_CURRENT_USER\Software\Canon\CanoScan Toolbox\4.9\Data
For a Canon scanner's cached data (ranged from 348 to 2048 bytes long)

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\AntiPhishing
IE8's antiphishing filter data (WU updates this every month)
(a "UserFile" data item was 79,044 bytes long ... uffda)
(NOTE: Only 4944 bytes could be viewed in the hex/text view window)

I sorted Nirsoft's hit list by size (reverse order so biggest was at the top). The largest data item was:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify
Data item: PastIconsStream at a whopping 1 megabyte in size!

This is the cached list of icon handling data for the Windows taskbar's system notification area (aka systray). I suspect it is this size because applications are expected to update their icon graphics based on the state of the application. To clean the tray icon cache, I used CCleaner and restarted explorer.exe (which is used by the desktop: use Task Manager to kill explorer.exe and its File -> New Task menu to restart it). That not only reduced the size of this registry key but actually deleted the PastIconsStream data item (which will get rebuilt later as the tray icons change).

I'm not sure how to use RegScanner to find embedded nulls within just the registry key or data items names. I had to leave while doing this testing.
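The thread's two criteria (a key name with an embedded null, a name over 256 characters) and the question of how to find the null-named keys at all come down to the point made in the first post: Win32-based tools work with null-terminated strings, so a name with a NUL in it cannot even be expressed to them, while the Native API (NtEnumerateKey) returns names as counted buffers. The script below is an added example written for this thread, not code from RegDelNull, RegScanner or TrashReg: it opens a key by its Object Manager path (for example \Registry\Machine\Software), enumerates its subkeys through ntdll, and reports each name that meets either criterion. The 256-character threshold is the thread's own number; the NTSTATUS values, the KEY_BASIC_INFORMATION layout and the structure definitions are the documented Windows ones. The classification helpers are plain Python and run anywhere; only the enumeration needs Windows.

```python
"""Report subkey names that Win32-based viewers (RegEdit) cannot show.

Added example for this thread; not the code of any tool mentioned in it.
hiding_reasons()/find_hidden() are portable; enumerate_subkeys_native() calls
ntdll and therefore needs Windows.
"""
import ctypes
import struct
import sys

NAME_LIMIT = 256                     # the thread's "over 256 characters" criterion
OBJ_CASE_INSENSITIVE = 0x00000040
KEY_READ = 0x00020019
KEY_BASIC_INFORMATION = 0            # KEY_INFORMATION_CLASS value KeyBasicInformation
STATUS_SUCCESS = 0x00000000
STATUS_BUFFER_OVERFLOW = 0x80000005
STATUS_NO_MORE_ENTRIES = 0x8000001A
STATUS_BUFFER_TOO_SMALL = 0xC0000023


class UNICODE_STRING(ctypes.Structure):
    _fields_ = [("Length", ctypes.c_ushort),          # in bytes, no terminator counted
                ("MaximumLength", ctypes.c_ushort),
                ("Buffer", ctypes.c_wchar_p)]


class OBJECT_ATTRIBUTES(ctypes.Structure):
    _fields_ = [("Length", ctypes.c_ulong),
                ("RootDirectory", ctypes.c_void_p),
                ("ObjectName", ctypes.POINTER(UNICODE_STRING)),
                ("Attributes", ctypes.c_ulong),
                ("SecurityDescriptor", ctypes.c_void_p),
                ("SecurityQualityOfService", ctypes.c_void_p)]


def hiding_reasons(name):
    """Why a Win32 viewer would not display this key name; [] if it is ordinary."""
    reasons = []
    if "\x00" in name:
        reasons.append("embedded NUL: Win32 string handling stops at the NUL")
    if len(name) > NAME_LIMIT:
        reasons.append(f"{len(name)} characters, over the {NAME_LIMIT}-character limit")
    return reasons


def find_hidden(names):
    """Return [(name, reasons)] for every name with at least one reason."""
    hits = []
    for name in names:
        why = hiding_reasons(name)
        if why:
            hits.append((name, why))
    return hits


def enumerate_subkeys_native(native_path):
    """Yield (subkey_name, last_write_filetime) via ntdll (Windows only).
    native_path is an Object Manager path such as r"\\Registry\\Machine\\Software"."""
    if sys.platform != "win32":
        raise OSError("Native API enumeration requires Windows (ntdll.dll)")
    ntdll = ctypes.WinDLL("ntdll")
    for fn in (ntdll.NtOpenKey, ntdll.NtEnumerateKey, ntdll.NtClose):
        fn.restype = ctypes.c_ulong                    # NTSTATUS, compared unsigned

    path_buf = ctypes.create_unicode_buffer(native_path)   # must outlive the call
    ustr = UNICODE_STRING(len(native_path) * 2, (len(native_path) + 1) * 2,
                          ctypes.cast(path_buf, ctypes.c_wchar_p))
    attrs = OBJECT_ATTRIBUTES(ctypes.sizeof(OBJECT_ATTRIBUTES), None,
                              ctypes.pointer(ustr), OBJ_CASE_INSENSITIVE, None, None)
    handle = ctypes.c_void_p()
    status = ntdll.NtOpenKey(ctypes.byref(handle), ctypes.c_ulong(KEY_READ), ctypes.byref(attrs))
    if status != STATUS_SUCCESS:
        raise OSError(f"NtOpenKey({native_path!r}) failed, NTSTATUS 0x{status:08X}")
    try:
        index, size = 0, 512
        while True:
            info = ctypes.create_string_buffer(size)
            needed = ctypes.c_ulong(0)
            status = ntdll.NtEnumerateKey(handle, ctypes.c_ulong(index),
                                          ctypes.c_int(KEY_BASIC_INFORMATION),
                                          info, ctypes.c_ulong(size), ctypes.byref(needed))
            if status in (STATUS_BUFFER_OVERFLOW, STATUS_BUFFER_TOO_SMALL):
                size = max(needed.value, size * 2)     # grow, retry the same index
                continue
            if status == STATUS_NO_MORE_ENTRIES:
                return
            if status != STATUS_SUCCESS:
                raise OSError(f"NtEnumerateKey index {index} failed, NTSTATUS 0x{status:08X}")
            # KEY_BASIC_INFORMATION: LastWriteTime (int64), TitleIndex, NameLength, Name[]
            last_write, _title, name_len = struct.unpack_from("<qII", info.raw, 0)
            yield info.raw[16:16 + name_len].decode("utf-16-le"), last_write
            index += 1
    finally:
        ntdll.NtClose(handle)


def scan_native(native_path):
    """Subkeys directly under native_path that meet either hiding criterion."""
    return find_hidden(name for name, _ in enumerate_subkeys_native(native_path))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else r"\Registry\Machine\Software"
    for name, why in scan_native(target):
        print(repr(name), "->", "; ".join(why))
```

Names are printed with repr() so an embedded NUL shows up as \x00 instead of silently cutting the line short. The script only reports; whether a flagged key is a legitimate long name or something to remove is still a judgement call, which is the same place RegDelNull leaves you before it asks for confirmation.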