
Tracing modified registry values


skabour
Posts: 4
Joined: 03 Dec 2011, 23:27

Tracing modified registry values

Post by skabour »

I'm wondering if Uninstall Tool can trace modifications to registry values, in addition to detecting newly created keys. I'm asking this because keys are all I see in the traced data (in XML view). For example, if an uninstall program leaves behind modified file associations, will Uninstall Tool be able to restore the original ones?

I understand that most of the time, modified values don't "cost" anything, but when a program modifies system keys irresponsibly, uninstalling it can be tricky.
eil
Posts: 46
Joined: 09 May 2010, 22:49

Re: Tracing modified registry values

Post by eil »

In order to trace modifications (or even make a restore) snapshots must be used, which is not the way UT makes its trace.
Steven
CrystalIDEA Developer
Posts: 2294
Joined: 21 Dec 2009, 11:48
Location: CrystalIDEA headquarters

Re: Tracing modified registry values

Post by Steven »

eil is absolutely right!
skabour
Posts: 4
Joined: 03 Dec 2011, 23:27

Re: Tracing modified registry values

Post by skabour »

I'm not sure exactly how Uninstall Tool traces modifications; it obviously uses some sort of kernel driver. I guess you mean that you don't know the previous value of a registry key when you monitor a process modifying it. But can't you just enumerate all of the key's values when the process opens it?

I mean, a process has to open a key before it modifies its values. So I imagine you could do something like this:

1. The installation process opens a key --> Uninstall Tool enumerates and temporarily backs up all of the key's values
2. The installation process modifies a value --> Uninstall Tool detects the modification against the backup
3. The installation process closes the key --> Uninstall Tool discards the backup
Steven
CrystalIDEA Developer
Posts: 2294
Joined: 21 Dec 2009, 11:48
Location: CrystalIDEA headquarters

Re: Tracing modified registry values

Post by Steven »

skabour wrote:
1. The installation process opens a key --> Uninstall Tool enumerates and temporarily backs up all of the key's values
2. The installation process modifies a value --> Uninstall Tool detects the modification against the backup
3. The installation process closes the key --> Uninstall Tool discards the backup
Do you want Uninstall Tool to discard something during installation? :shock:
skabour
Posts: 4
Joined: 03 Dec 2011, 23:27

Re: Tracing modified registry values

Post by skabour »

Perhaps you didn't understand what I meant. Here's another way to put it.

How does a typical uninstaller work?
1. It takes a snapshot of the whole registry before installation (i.e. it backs up the registry temporarily)
2. It takes a snapshot of the whole registry after installation (i.e. it backs up the registry again)
3. It compares the two snapshots to detect changes (and then, typically, stores the changes and discards the backups, since they are no longer needed).

What could Uninstall Tool, tracing an installation process in real time, do?
1. The installation process opens a Registry Key (RegOpenKey) --> Uninstall Tool takes a snapshot of the key (RegEnumValue)
2. The installation process closes the Registry Key (RegCloseKey) --> Uninstall Tool takes a snapshot of the key again (RegEnumValue)
3. Uninstall Tool compares the two snapshots to detect changes. Afterwards, the snapshots are no longer needed
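Here is the per-key snapshot-and-diff step from that post as an added Python example (not Uninstall Tool's code and not from any poster). The registry data in it is constructed by hand, an installer taking over the .txt file association; on Windows the two snapshots would be filled from RegEnumValue (winreg) at RegOpenKey and RegCloseKey instead.

```python
# Added example, not Uninstall Tool code: snapshot one key at RegOpenKey and at
# RegCloseKey, diff the two, and derive what the uninstaller must restore.
# A snapshot is what RegEnumValue yields: {value_name: (REG_* type name, data)}.
# Both snapshots below are constructed so the logic runs without a registry.
from typing import Dict, List, Tuple

Snapshot = Dict[str, Tuple[str, object]]  # "" is the key's (Default) value

# Constructed: HKCR\.txt as seen at RegOpenKey ...
BEFORE: Snapshot = {
    "": ("REG_SZ", "txtfile"),
    "Content Type": ("REG_SZ", "text/plain"),
    "PerceivedType": ("REG_SZ", "text"),
}
# ... and at RegCloseKey, after the installer rewrote it.
AFTER: Snapshot = {
    "": ("REG_SZ", "ExampleEditor.txt"),         # existing value modified
    "Content Type": ("REG_SZ", "text/plain"),
    "InstalledBy": ("REG_SZ", "ExampleEditor"),  # value created
}                                                # PerceivedType deleted

def snapshot_diff(before: Snapshot, after: Snapshot) -> Dict[str, dict]:
    """Classify every value of one key as created, modified or deleted.
    A trace that records only new keys sees none of this: the key itself
    (HKCR\\.txt) already existed before the installer ran."""
    created = {n: after[n] for n in after.keys() - before.keys()}
    deleted = {n: before[n] for n in before.keys() - after.keys()}
    modified = {n: (before[n], after[n])
                for n in before.keys() & after.keys() if before[n] != after[n]}
    return {"created": created, "modified": modified, "deleted": deleted}

def restore_plan(diff: Dict[str, dict]) -> List[Tuple[str, str, object]]:
    """Actions needed to undo the change: (action, value name, data).
    The old data kept in the first snapshot is what makes 'modified' restorable."""
    plan: List[Tuple[str, str, object]] = []
    plan += [("delete", n, None) for n in diff["created"]]
    plan += [("set", n, old) for n, (old, _new) in diff["modified"].items()]
    plan += [("set", n, old) for n, old in diff["deleted"].items()]
    return plan

def apply_plan(snapshot: Snapshot, plan) -> Snapshot:
    """Apply a restore plan to a snapshot (stands in for RegSetValueEx/RegDeleteValue)."""
    result = dict(snapshot)
    for action, name, value in plan:
        if action == "delete":
            result.pop(name, None)
        else:
            result[name] = value
    return result
```

Applying restore_plan(snapshot_diff(BEFORE, AFTER)) to AFTER yields BEFORE again, i.e. the original file association comes back, which a created-keys-only trace cannot do.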
Steven
CrystalIDEA Developer
Posts: 2294
Joined: 21 Dec 2009, 11:48
Location: CrystalIDEA headquarters

Re: Tracing modified registry values

Post by Steven »

Making snapshots is not a "typical uninstaller" job ;) Snapshots mean not only the registry but also snapshots of the whole file system. Summarizing: it takes a long time.
That's why Install Tracker is Uninstall Tool's original real-time installation tracing approach. At the moment.
eil
Posts: 46
Joined: 09 May 2010, 22:49

Re: Tracing modified registry values

Post by eil »

I think skabour meant not a whole-system snapshot but a "tracing snapshot".
UT can't handle modified registry entries because it catches only newly created keys/branches, so it seems to me he proposed this:
- UT-tracer catches the installation
- while monitoring, UT traces what the installer is opening and what it is creating (by the way, are those actions distinguishable?)
- if the program opens a registry key (to further modify it), UT temporarily halts that and makes a backup of that very same key/branch
- if the program just creates a key, UT catches it as it does now
- at the end of the installation UT makes another snapshot of only those registry places that got backups while installing
- the differences found are added as "modified" to the overall trace
skabour
Posts: 4
Joined: 03 Dec 2011, 23:27

Re: Tracing modified registry values

Post by skabour »

eil wrote:
- while monitoring, UT traces what the installer is opening and what it is creating (by the way, are those actions distinguishable?)
Here are the relevant Windows API functions: Registry Functions

Uninstall Tool installs a kernel driver (CisUtMonitor.sys) to trace Windows API calls, I believe. So it can obviously trace all the "Registry Functions". I am suggesting that Uninstall Tool can use some of these functions to actually trace modified values.

This can be done in different ways, I've already suggested two. It's not straightforward, but it can be done, I believe.
Steven
CrystalIDEA Developer
Posts: 2294
Joined: 21 Dec 2009, 11:48
Location: CrystalIDEA headquarters

Re: Tracing modified registry values

Post by Steven »

skabour
Thank you. We'll definitely consider tracing registry value rename operations in the next versions.