 Post subject: Tracing modified registry values
PostPosted: 03 Dec 2011, 23:46 

Joined: 03 Dec 2011, 23:27
Posts: 4
I'm wondering if Uninstall Tool can trace modifications to registry values, in addition to detecting newly created keys. I'm asking this because keys are all I see in the traced data (in XML view). For example, if an uninstall program leaves behind modified file associations, will Uninstall Tool be able to restore the original ones?

I understand that most of the time, modified values don't "cost" anything, but when a program modifies system keys irresponsibly, uninstalling it can be tricky.


 Post subject: Re: Tracing modified registry values
PostPosted: 04 Dec 2011, 10:11 

Joined: 09 May 2010, 22:49
Posts: 46
In order to trace modifications (or even make a restore) there must be snapshots used, which is not the way UT makes its trace.


 Post subject: Re: Tracing modified registry values
PostPosted: 04 Dec 2011, 11:41 
CrystalIDEA Developer

Joined: 21 Dec 2009, 11:48
Posts: 1217
Location: CrystalIDEA headquarters
eil is absolutely right!

_________________
Kind Regards,
CrystalIDEA Staff


 Post subject: Re: Tracing modified registry values
PostPosted: 05 Dec 2011, 06:06 

Joined: 03 Dec 2011, 23:27
Posts: 4
I'm not sure exactly how Uninstall Tool traces modifications; it obviously uses some sort of kernel driver. I guess that you mean you don't know the previous value of a registry key when you monitor a process modifying it. But can't you just enumerate all of the key's values when the process opens it?

I mean, a process has to open a key before it modifies its values. So I imagine you could do something like this:

1. The installation process opens a key --> Uninstall Tool enumerates and temporarily backs up all of the key's values
2. The installation process modifies a value --> Uninstall Tool detects the modification against the backup
3. The installation process closes the key --> Uninstall Tool discards the backup


 Post subject: Re: Tracing modified registry values
PostPosted: 06 Dec 2011, 01:45 
CrystalIDEA Developer

Joined: 21 Dec 2009, 11:48
Posts: 1217
Location: CrystalIDEA headquarters
Quote:
1. The installation process opens a key --> Uninstall Tool enumerates and temporarily backs up all of the key's values
2. The installation process modifies a value --> Uninstall Tool detects the modification against the backup
3. The installation process closes the key --> Uninstall Tool discards the backup


Do you want Uninstall Tool to discard something during installation? :shock:

_________________
Kind Regards,
CrystalIDEA Staff


 Post subject: Re: Tracing modified registry values
PostPosted: 06 Dec 2011, 07:39 

Joined: 03 Dec 2011, 23:27
Posts: 4
Perhaps you didn't understand what I meant. Here's another way to put it.

How does a typical uninstaller work?
1. It takes a snapshot of the whole registry before installation (i.e. it backs up the registry temporarily)
2. It takes a snapshot of the whole registry after installation (i.e. it backs up the registry again)
3. It compares the two snapshots to detect changes (and then, typically, stores the changes and discards the backups, since they are no longer needed).

What could Uninstall Tool, tracing an installation process in realtime, do?
1. The installation process opens a Registry Key (RegOpenKey) --> Uninstall Tool takes a snapshot of the key (RegEnumValue)
2. The installation process closes the Registry Key (RegCloseKey) --> Uninstall tool takes a snapshot of the key again (RegEnumValue)
3. Uninstall Tool compares the two snapshots to detect changes. Afterwards, the snapshots are no longer needed


 Post subject: Re: Tracing modified registry values
PostPosted: 06 Dec 2011, 17:59 
CrystalIDEA Developer

Joined: 21 Dec 2009, 11:48
Posts: 1217
Location: CrystalIDEA headquarters
Making snapshots is not a "typical uninstaller" job ;) Snapshots mean not only the registry but snapshots of the whole file system. Summarizing: it takes a long time.
That's why Install Tracker is the original Uninstall Tool real-time installation tracing approach, at the moment.

_________________
Kind Regards,
CrystalIDEA Staff


 Post subject: Re: Tracing modified registry values
PostPosted: 06 Dec 2011, 18:15 

Joined: 09 May 2010, 22:49
Posts: 46
I think skabour meant not a whole-system snapshot but a "tracing snapshot".
UT can't handle modified registry data because it catches only newly created keys/branches, so it seems to me he proposed this:
- UT-tracer catches the installation
- while monitoring, UT traces what the installer is opening and what it is creating (by the way, are those actions distinguishable?)
- if the program opens the registry (to further modify it), UT temporarily halts that and makes a backup of that very same key/branch
- if the program just creates a key, UT catches it as it does now
- at the end of installation UT makes another snapshot of only those registry places that got backups while installing
- found differences are added as "modified" to the overall trace
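The open/close snapshot scheme sketched in skabour's and eil's posts above, modelled in Python as an added example (it is not Uninstall Tool's code, and nothing here is known about how its driver actually works): the registry is a plain dict, `KeyTrace` stands in for the tracer, and the `HKCR\.txt` values are constructed sample data.

```python
from copy import deepcopy
from dataclasses import dataclass, field


@dataclass
class KeyTrace:
    """Snapshot a key on open, diff on close. Registry model: {key_path: {name: (type, data)}}."""
    open_snapshots: dict = field(default_factory=dict)  # key_path -> values seen at open
    created: dict = field(default_factory=dict)         # key_path -> {name: new}
    deleted: dict = field(default_factory=dict)         # key_path -> {name: old}
    modified: dict = field(default_factory=dict)        # key_path -> {name: (old, new)}

    def on_open(self, key_path, live_key):
        # RegOpenKey seen: enumerate the key (RegEnumValue) and keep a private copy.
        self.open_snapshots[key_path] = deepcopy(live_key)

    def on_close(self, key_path, live_key):
        # RegCloseKey seen: enumerate again, keep only the differences, drop both snapshots.
        before = self.open_snapshots.pop(key_path)
        after = deepcopy(live_key)
        for name in after.keys() - before.keys():
            self.created.setdefault(key_path, {})[name] = after[name]
        for name in before.keys() - after.keys():
            self.deleted.setdefault(key_path, {})[name] = before[name]
        for name in before.keys() & after.keys():
            if before[name] != after[name]:
                self.modified.setdefault(key_path, {})[name] = (before[name], after[name])

    def restore(self, registry):
        """Uninstall step: put back old data, drop created values, recreate deleted ones."""
        for key_path, names in self.created.items():
            for name in names:
                registry[key_path].pop(name, None)
        for key_path, names in self.deleted.items():
            registry.setdefault(key_path, {}).update(names)
        for key_path, names in self.modified.items():
            for name, (old, _new) in names.items():
                registry[key_path][name] = old


def run_demo():
    # Constructed sample: an installer that hijacks the .txt file association ("" = Default).
    key = r"HKCR\.txt"
    registry = {key: {"": ("REG_SZ", "txtfile"), "PerceivedType": ("REG_SZ", "text")}}
    trace = KeyTrace()
    trace.on_open(key, registry[key])                          # RegOpenKey
    registry[key][""] = ("REG_SZ", "ExampleApp.Document")      # RegSetValueEx on (Default)
    registry[key]["Content Type"] = ("REG_SZ", "text/plain")   # RegSetValueEx, new value
    del registry[key]["PerceivedType"]                         # RegDeleteValue
    trace.on_close(key, registry[key])                         # RegCloseKey
    return trace, registry
```

The model keys snapshots on path alone; a real tracer would also have to cope with the same key being held open through several handles at once, and with values written through a different handle between the two enumerations.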


 Post subject: Re: Tracing modified registry values
PostPosted: 06 Dec 2011, 21:41 

Joined: 03 Dec 2011, 23:27
Posts: 4
eil wrote:
- while monitoring, UT traces what the installer is opening and what it is creating (by the way, are those actions distinguishable?)


Here are the relevant Windows API functions: Registry Functions

Uninstall Tool installs a kernel driver (CisUtMonitor.sys) to trace Windows API calls, I believe. So it can obviously trace all the "Registry Functions". I am suggesting that Uninstall Tool can use some of these functions to actually trace modified values.

This can be done in different ways, I've already suggested two. It's not straightforward, but it can be done, I believe.


 Post subject: Re: Tracing modified registry values
PostPosted: 08 Dec 2011, 13:39 
CrystalIDEA Developer

Joined: 21 Dec 2009, 11:48
Posts: 1217
Location: CrystalIDEA headquarters
skabour
Thank you. We'll definitely consider tracing registry value rename operations in the next versions.

_________________
Kind Regards,
CrystalIDEA Staff

