Tutorial: Registry tracing & Software behaviour

[n2casey]

Friends, this is my first tutorial. I was not able to post it before coz I was using a dialup connection.
Tutorial is completely based on Tracing Registry Changes & Software Behaviour. Softwares needed r System Mechanic 3.7g (v3.7h can also be used) & Regsnap v5.8 (build 1920). Both softwares r fully functional 30 Days use trial versions. If anythng in this tutorial is illegal, mods can delete that & PM me.

First take a look to registry legend to understand a brief about registry.




Install both the softwares & for better results be careful for:

• both softwares shud b installed on a drive where u will not install any other software for tracing.
• both softwares shud not b installed on the drive where u have installed windows.

Now run System Mechanic, & click on SYSTEM tab. Here we will use two tools:

• One for cleaning registry (Clean system Registry) - Using it clean all the obsolete registry.
• & other for managing startup items (Windows Startup manager) - Using it disable all the startup items.

Now restart ur system.

We r going to trace software and here I m taking CDEject 1.6 as example so that we can know how Vishal Gupta added a right click context menu for ejecting CD-ROM. (Sorry Vishal but don't take it otherwise.)

Again run System Mechanic & on SYSTEM tab click on fifth tool (Safe Installer) to start the tracing procedure.



[list][*]A child window will pop-up. Enter a report description (i.e. name of report e.g. cdeject) & path of Install program (simply browse the software to be installed). Click Next.


[*]Here select the drives to b traced. Obviously one will b Windows drive & other will b for installing CDEject. Click Next.


[*]Here u can add files to be traced for changes. By default SYSTEM.INI & WIN.INI are added. As I think no need to add more files so click Next.


[*]Here browse Report file location (i.e. path for saving report). By default the report will b saved in My Documents folder. Click Next.


[*]Click on Start button to take a snapshot. When snapshot will b taken, installation of CDEject will b started. Just install it.


[*]After finishing installation Done: Report button will appear.


[*]Click on it & a report will b generated (which has been already saved in My Documents folder).



Exit System Mechanic & open the report. Report will be some what like

Code:

System Changes Report: cdeject
==========================================
generated by System Mechanic SafeInstaller
Wednesday, November 29, 2006  09:44 PM
System modifcations tracked via: Disk contents comparison
Drives Tracked: 
    D:\
    E:\

FILES AND DIRECTORIES ADDED: (15)
D:\Documents and Settings\N2CASEY\Local Settings\Temp\Perflib_Perfdata_c44.dat
D:\Documents and Settings\N2CASEY\Start Menu\Programs\CDEject
D:\Documents and Settings\N2CASEY\Start Menu\Programs\CDEject\CDeject.lnk
D:\Documents and Settings\N2CASEY\Start Menu\Programs\CDEject\Help.lnk
D:\Documents and Settings\N2CASEY\Start Menu\Programs\CDEject\Uninstall CDEject 1.6 Demo.lnk
D:\Documents and Settings\N2CASEY\Start Menu\Programs\Startup\CDEject.lnk
E:\Projector\CD Eject
E:\Projector\CD Eject\cdeject.cnt
E:\Projector\CD Eject\cdeject.dll
E:\Projector\CD Eject\cdeject.exe
E:\Projector\CD Eject\cdeject.hlp
E:\Projector\CD Eject\file_id.diz
E:\Projector\CD Eject\INSTALL.LOG
E:\Projector\CD Eject\README.TXT
E:\Projector\CD Eject\UnGins.exe

FILES CHANGED: (2)
D:\Documents and Settings\N2CASEY\ntuser.dat.LOG
D:\WINDOWS\system32\config\software.LOG

NO CHANGES MADE TO D:\WINDOWS\SYSTEM.INI...

NO CHANGES MADE TO D:\WINDOWS\WIN.INI...

REGISTRY KEYS ADDED: (8)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02a07e80-efa2-11d4-8306-a7ebd4c50c7c}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02a07e80-efa2-11d4-8306-a7ebd4c50c7c}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\{02a07e80-efa2-11d4-8306-a7ebd4c50c7c}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CDEject 1.6 Demo
HKEY_LOCAL_MACHINE\SYSTEM\.............

REGISTRY KEYS DELETED: (4)
HKEY_USERS\S-1-5-21-329068152-1343024091-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\ShellNew
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\PCI\VEN_8086&DEV_24C2&SUBSYS_24C08086&REV_01\3&13c0b0c5&0&E8\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\PCI\VEN_8086&DEV_24C4&SUBSYS_24C08086&REV_01\3&13c0b0c5&0&E9\DeviceDe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ACPI\51Typ

REGISTRY KEY VALUES CHANGED: (1)
HKEY_USERS\S-1-5-21-329068152-1343024091-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum
Value "Implementing": binary data changed

REGISTRY KEY VALUES ADDED: (7)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02a07e80-efa2-11d4-8306-a7ebd4c50c7c}\@="CDEject Context Menu Shell Extension"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02a07e80-efa2-11d4-8306-a7ebd4c50c7c}\InProcServer32\@="E:\Projector\CD Eject\cdeject.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02a07e80-efa2-11d4-8306-a7ebd4c50c7c}\InProcServer32\ThreadingModel="Apartment"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\{02a07e80-efa2-11d4-8306-a7ebd4c50c7c}\@="E:\Projector\CD Eject\cdeject.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PSCDEJECT="E:\Projector\CD Eject\cdeject.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CDEject 1.6 Demo\DisplayName="CDEject 1.6 Demo"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CDEject 1.6 Demo\UninstallString="E:\Projector\CD Eject\UnGins.exe "E:\Projector\CD Eject\install.log""

REGISTRY KEY VALUES DELETED: (2)
HKEY_USERS\S-1-5-21-329068152-13430.......

From this report we can find the changes made to the system but we have to look for the important/required changes. So from the report,
first we get the list of files and directories added. Leave the files added to Local Settings & Start Menu. Next there's list of files added to CD Eject directory. Since only cdeject.dll has a context menu handler registry entry (see the registry addition/changes in report) so the cdeject.dll is the only file of interest.

Next is the list of files changed, & it shows that no changes were made to the WIN.INI & SYSTEM.INI so leave that.

Next is list of REGISTRY KEYS ADDED.Only three keys seems to b of our interest.

Code:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02a07e80-efa2-11d4-8306-a7ebd4c50c7c}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02a07e80-efa2-11d4-8306-a7ebd4c50c7c}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\{02a07e80-efa2-11d4-8306-a7ebd4c50c7c}

Next is list of REGISTRY KEYS DELETED, which is of no use (in most cases).

Next is list of REGISTRY KEY VALUES CHANGED. In this any of keys isn't of our interest but many times they r important.

Again there is list of REGISTRY KEY VALUES ADDED & only four seems to b of our interest.

Code:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02a07e80-efa2-11d4-8306-a7ebd4c50c7c}\@="CDEject Context Menu Shell Extension"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02a07e80-efa2-11d4-8306-a7ebd4c50c7c}\InProcServer32\@="E:\Projector\CD Eject\cdeject.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02a07e80-efa2-11d4-8306-a7ebd4c50c7c}\InProcServer32\ThreadingModel="Apartment"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\{02a07e80-efa2-11d4-8306-a7ebd4c50c7c}\@="E:\Projector\CD Eject\cdeject.dll"

& next is REGISTRY KEY VALUES DELETED, again they r of no use.


Now take a look at Registry Keys in section 3 & section 6 and observe the difference. In section 3, Keys r created & in section 6, values (e.g. String, DWORD etc.) r added to them. So we nedd only Registry Key Values fron section 6 only.

================================================== =======

OK. Now copy cdeject.dll to another directory (e.g. %Windows/System32/) & uninstall the CD Eject 1.6.
Now open Notepad, type Windows Registry Editor Version 5.00 & copy the Registry Values from section 6. It shud b like

Code:

Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02a07e80-efa2-11d4-8306-a7ebd4c50c7c}]
@="CDEject Context Menu Shell Extension"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02a07e80-efa2-11d4-8306-a7ebd4c50c7c}\InProcServer32\]
@="D:\\Windows\\System32\\cdeject.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02a07e80-efa2-11d4-8306-a7ebd4c50c7c}\InProcServer32\]ThreadingModel="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\{02a07e80-efa2-11d4-8306-a7ebd4c50c7c}]
@="D:\\Windows\\System32\\cdeject.dll"

Now save the file as xyz.reg.

Note that I have changed the path for cdeject.dll (which is shown in bold letters) since cdeject.dll is now in %Windows\System 32\
and note the [ & ] (every Key).

--------------------------------------------------------------------------------------------------------------
OK. Just click on xyz.reg & u will b asked to add the registry, select Yes so that registry values get added to Windows Registry. Check that do u get the option for Insert at the CD-ROM right click context menu or not. Boooooooooooommmmm..... We have got the Insert in right click context menu. So xyz.reg is the registry entry for such option & we don't need to install CDEject 1.6 any more...

=====================X========================X=== ========


Now, next I m going to find out the changes made to registery when a software is registered (for full version etc.). This is useful coz many times, I found it very irritating to register every software separately when a fresh installation of windows is done. So what I did is, I have traced all s/w during registering procedure & made a single registry file for all s/w & when I install a fresh copy of windows, just install all s/w & register all s/w using registry file & so no need to register a s/w individually.

Here I m using WinZip as an example. Install WinZIp. Now run System Mechanic & on SYSTEM tab click on fifth tool (Safe Installer) to start the tracing procedure.
Enter report description & in the path of Install program browse the WINZIP32.exe. Move furthur & just take a snapshot (no need of any other option).
Now WinZip will b executed & it will ask u for registration, just enter ur registration details & close WinZip.
Now click on Done & report will b generated. Only four Key Values r added for registration details:

[code]
HKEY_USERS\S-1-5-21-329068152-1343024091-854245398-1003\Software\Nico Mak Computing\WinZip\WinIni\Name1="Your Name"
HKEY_USERS\S-1-5-21-329068152-1343024091-854245398-1003\Software\Nico Mak Computing\WinZip\WinIni\SN1="xxxxx-xxxxx-xxxxx-xxxxx-xxxxx"
HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\WinZip\WinIni\Name1="Your Name"
HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\WinZip\WinIni\SN1="xxxxx-xxxxx-xxxxx-xxxxx-xxxxx"
[code]

Here Name1 is for ur name & SN1 is for ur serial number. So just made a registry file like:

[code]
Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-329068152-1343024091-854245398-1003\Software\Nico Mak Computing\WinZip\WinIni\]
"Name1"="Your Name"
[HKEY_USERS\S-1-5-21-329068152-1343024091-854245398-1003\Software\Nico Mak Computing\WinZip\WinIni\]
"SN1"="xxxxx-xxxxx-xxxxx-xxxxx-xxxxx"
[HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\WinZip\WinIni\]
"Name1"="Your Name"
[HKEY_LOCAL_MACHINE\SOFTWARE\Nico Mak Computing\WinZip\WinIni\]
"SN1"="xxxxx-xxxxx-xxxxx-xxxxx-xxxxx"
[code]

Follow the same steps for other s/w & u can prepare a single registry file for all.

===================X=======================X====== =======


OK. Now based on above procedure, another tracing can b done for Windows Media Player. In a previous thread, someone has asked to change the crossfading time of WMP & so I writing this tute.

Just follow the same steps & in the installation path, browse wmplayer.exe. After taking snapshot when WMP will b launched, just make some changes like change crossfading time, volume etc. Now close WMP, generate a report & u will find that registry values r changed for such effects. Key Values r changed in hexadecimal. (Only bad thing is that, if u will increase crossfading time more than 10 sec it will cause no effect).

================X====================X============ =======


OK. Now we will trace System Mechanic itself for registry changes.

• Run RegSnap, click File> Startup Wizard. Now click [color=red]New Snapshot[color].
  
  
  
• It will ask to enter a remark for ur snapshot (i.e. name of ur snapshot). Enter any remark, select Registry snapshot only & press OK. It will take a snapshot of ur system registry (trial version doesn't allow u to save snapshot).
  
  
  
• After finishing (don't close RegSnap), start System Mechanic, click on third tool Customize Windows settings. Now made some changes in settings (e.g. Start Menu reaction speed, Use Explorer when..... from Windows Explorer tab etc.) & close System Maechanic.
• Now take another snapshot using RegSnap (remark shud b different from previous one).
• After finishing, again click File> Startup Wizard. Now click compare button.
  
  
  
• It will show u both snapshots (current & previous one) for compariison. Choose the options as I have mentioned in following pic.
  
  
  
• After comparision, it will generate a report (u can save it ).

Since I have changed only two options, Start Menu reaction speed & Use Explorer when opening "My Computer", so registry value change which I got were:

[code]
HKEY_CURRENT_USER\Control Panel\Desktop\MenuShowDelay
New: String: "282"
Old: String: "300"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\@
New: String: "explore"
Old: String: ""
[code]

So just made a registry file & customize ur system.

================================================== =======

Sorry for any mistake, since my english is not so good. I have tried to write this tute for beginners & so it becomes somewhat lengthy. I m sorry for that.

[Vishal Gupta]

Quote:

Originally Posted by n2casey

so that we can know how Vishal Gupta added a right click context menu for ejecting CD-ROM. (Sorry Vishal but don't take it otherwise.)

And how did u know that I used this BIG method to find the exact changes?
I just did some R&D, like looking for files in this software's folder and then searching for them and also for "Insert" option into the registry, and thats it May be I did some more R&D which I can't recall atm...

[n2casey]

Quote:

Originally Posted by Vishal Gupta

And how did u know that I used this....

I just guess that. I m sorry but don't take it otherwise.

Quote:

Originally Posted by Vishal Gupta

BIG method to find the exact changes?

Well, I was not expecting such a discouraging reply for my tute.
Method seems big coz I have mentioned all steps in detail, while applying this method is very quick & easy task.

[Vishal Gupta]

Hehe, cheer-up buddy My intention was not to hurt u
Its a good tutorial, And I really appreciate ur efforts
I said it BIG for me coz I didnt use such method for finding the "Insert" Menu trick

Hey n2casey, its great tute man
Though the example you gave (VG's) was a too simple considering what can be done when you know which keys got changed after an installation.
You can remove the garbage that many programs leave etc

[Vishal Gupta]

^^
Eggzactly, thats what I meant.
I knew about the key, so I just searched for it in Registry

ne way buddy I hv repped u for this nice tut

[n2casey]

@ SE><IE

Thx friend.
The example is so simple 4 u, me, VG & some other members but not 4 all. That's why I have posted that.


@ Vishal Gupta

Thx friend 4 ur support. Again saying that, plz don't take it otherwise, I don't have any intention 2 criticize any one. I just used ur tute as an example coz that's very popular.

[Vishal Gupta]

No problem buddy
keep it up the good work

[subhajitmaji]

Good tute dude...repped

[n2casey]

@ kenshin1988 & subhajitmaji

Thx friends for ur support.

[Kiran.dks]

Good effort! Reps for you!

[n2casey]

Thx Kiran.

[mayneu]

whats the use of this ??? i am a noob here. pls dont mind explaining it....ok???
@n2casey: what exactly is its use? who asked for this tutorial???

[n2casey]

Quote:

Originally Posted by mayneu

whats the use of this ??? i am a noob here. pls dont mind explaining it....ok???
@n2casey: what exactly is its use? who asked for this tutorial???

What do u think, We shud share knowledge only when some asked for that?
No one has asked for that tute, I have just posted it for sharing my knowledge.

Well, if u will read tute carefully, u can know the use of the tute.

[subhajitmaji]

Quote:

Originally Posted by n2casey

What do u think, We shud share knowledge only when some asked for that?
No one has asked for that tute, I have just posted it for sharing my knowledge.

Well, if u will read tute carefully, u can know the use of the tute.

Well said....

[n2casey]

^^
Nice to see friends that u agree with me.

[mayneu]

Quote:

Originally Posted by subhajitmaji

Well said....

oh..... really?? he...he....he... u made a joke ha?

[shantanu]

Nice Tutorial Dude

[n2casey]

^^

Thx friend.

Well, someone has reported that images links r not working (sorry for that) so I have uploaded images again & now links r working.
Three days have been passed & no one told me that links r not working. Why?

[ax3]

fantastic effort & thanx a lot ..........


now v can try removing those trialware registry entries ..........

[n2casey]

^^
Thx friend.
It depends on u whether u use it for legal or illegal.
No one is going to ask u.

[forever]

i just gave it a test drive, nice job

[n2casey]

Thx friend.