Tracing modified registry values

Posted: 03 Dec 2011, 23:46
by skabour
I'm wondering if Uninstall Tool can trace modifications to registry values, in addition to detecting newly created keys. I'm asking this because keys are all I see in the traced data (in XML view). For example, if an uninstall program leaves behind modified file associations, will Uninstall Tool be able to restore the original ones?

I understand that most of the time, modified values don't "cost" anything, but when a program modifies system keys irresponsibly, uninstalling it can be tricky.

Re: Tracing modified registry values

Posted: 04 Dec 2011, 10:11
by eil
In order to trace modifications (or even restore them), snapshots must be used, which is not the way UT makes its trace.

Re: Tracing modified registry values

Posted: 04 Dec 2011, 11:41
by Steven
eil is absolutely right!

Re: Tracing modified registry values

Posted: 05 Dec 2011, 06:06
by skabour
I'm not sure exactly how Uninstall Tool traces modifications; it obviously uses some sort of kernel driver. I guess you mean that you don't know the previous value of a registry key when you monitor a process modifying it. But can't you just enumerate all of the key's values when the process opens it?

I mean, a process has to open a key before it modifies its values. So I imagine you could do something like this:

1. The installation process opens a key --> Uninstall Tool enumerates and temporarily backs up all of the key's values
2. The installation process modifies a value --> Uninstall Tool detects the modification against the backup
3. The installation process closes the key --> Uninstall Tool discards the backup

Re: Tracing modified registry values

Posted: 06 Dec 2011, 01:45
by Steven
1. The installation process opens a key --> Uninstall Tool enumerates and temporarily backs up all of the key's values
2. The installation process modifies a value --> Uninstall Tool detects the modification against the backup
3. The installation process closes the key --> Uninstall Tool discards the backup
Do you want Uninstall Tool to discard something during installation? :shock:

Re: Tracing modified registry values

Posted: 06 Dec 2011, 07:39
by skabour
Perhaps you didn't understand what I meant. Here's another way to put it.

How does a typical uninstaller work?
1. It takes a snapshot of the whole registry before installation (i.e. it backs up the registry temporarily)
2. It takes a snapshot of the whole registry after installation (i.e. it backs up the registry again)
3. It compares the two snapshots to detect changes (and then, typically, stores the changes and discards the backups, since they are no longer needed).

What could Uninstall Tool, tracing an installation process in realtime, do?
1. The installation process opens a Registry Key (RegOpenKey) --> Uninstall Tool takes a snapshot of the key (RegEnumValue)
2. The installation process closes the Registry Key (RegCloseKey) --> Uninstall tool takes a snapshot of the key again (RegEnumValue)
3. Uninstall Tool compares the two snapshots to detect changes. Afterwards, the snapshots are no longer needed

Re: Tracing modified registry values

Posted: 06 Dec 2011, 17:59
by Steven
Making snapshots is not a "typical uninstaller" job ;) Snapshots mean not only the registry but snapshots of the whole file system. Summarizing: it takes a long time.
That's why Install Tracker is Uninstall Tool's original real-time installation tracing approach, at the moment.

Re: Tracing modified registry values

Posted: 06 Dec 2011, 18:15
by eil
I think skabour meant not a whole-system snapshot but a "tracing snapshot"..
UT can't handle modified registry values 'cause it catches only newly created keys/branches, so it seems to me he proposed this:
- UT tracer catches the installation
- while monitoring, UT traces what the installer is opening and what it is creating (by the way, are those actions distinguishable?)
- if the program opens the registry (to further modify it), UT temporarily halts that and makes a backup of the very same key/branch
- if the program just creates a key, UT catches it as it does now
- at the end of the installation, UT takes another snapshot of only those registry places that got backups while installing
- the differences found are added as "modified" to the overall trace
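The scheme skabour proposes above (snapshot the key's values on RegOpenKey, snapshot again on RegCloseKey, keep only the diff) and eil's restatement of it are both illustrated by the following example. It is added here and is not Uninstall Tool code, nor does it know anything about how the CisUtMonitor.sys driver works: the open/close hooks are modelled as plain method calls, the value reader is injectable so the diff logic runs anywhere, and `snapshot_key` is the Windows-only reader that loops over `winreg.EnumValue` (the RegEnumValue call from the thread). The `.txt` file-association scenario, the `ExampleApp` name and the in-memory fake registry are constructed for the demonstration.

```python
"""Snapshot-and-diff tracing of registry values (added example, not Uninstall Tool code).

Backup a key's values when the installer opens it, enumerate again when it closes
it, record only the differences and throw the backup away.  The reader is injectable,
so the diff logic runs offline; snapshot_key is the Windows-only reader.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# value name -> (REG_* type code, data); "" is the (Default) value of the key
ValueSnapshot = Dict[str, Tuple[int, object]]

REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD = 1, 2, 3, 4
REG_TYPE_NAMES = {REG_SZ: "REG_SZ", REG_EXPAND_SZ: "REG_EXPAND_SZ",
                  REG_BINARY: "REG_BINARY", REG_DWORD: "REG_DWORD"}

try:
    import winreg  # only present on Windows
except ImportError:
    winreg = None


def snapshot_key(key_path: str) -> ValueSnapshot:
    """Enumerate every value of an HKLM/HKCU/HKCR key (winreg.EnumValue loop). Windows only."""
    if winreg is None:
        raise OSError("winreg is only available on Windows")
    hive_name, _, subkey = key_path.partition("\\")
    hive = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER,
            "HKCR": winreg.HKEY_CLASSES_ROOT}[hive_name]
    snap: ValueSnapshot = {}
    with winreg.OpenKey(hive, subkey, 0, winreg.KEY_READ) as key:
        index = 0
        while True:
            try:
                name, data, vtype = winreg.EnumValue(key, index)
            except OSError:  # ERROR_NO_MORE_ITEMS ends the enumeration
                break
            snap[name] = (vtype, data)
            index += 1
    return snap


@dataclass
class KeyDiff:
    added: Dict[str, Tuple[int, object]] = field(default_factory=dict)
    modified: Dict[str, Tuple[Tuple[int, object], Tuple[int, object]]] = field(default_factory=dict)
    deleted: Dict[str, Tuple[int, object]] = field(default_factory=dict)

    def __bool__(self) -> bool:
        return bool(self.added or self.modified or self.deleted)


def diff_snapshots(before: ValueSnapshot, after: ValueSnapshot) -> KeyDiff:
    """Compare two snapshots of one key; a changed type or data counts as a modification."""
    diff = KeyDiff()
    for name, new in after.items():
        old = before.get(name)
        if old is None:
            diff.added[name] = new
        elif old != new:
            diff.modified[name] = (old, new)
    for name, old in before.items():
        if name not in after:
            diff.deleted[name] = old
    return diff


class KeyTracer:
    """Hooks modelled on RegOpenKey/RegCloseKey: back up on open, diff and discard on close."""

    def __init__(self, reader: Callable[[str], ValueSnapshot] = snapshot_key) -> None:
        self._reader = reader
        self._backups: Dict[str, ValueSnapshot] = {}
        self.trace: Dict[str, KeyDiff] = {}  # only keys whose values actually changed

    def on_open(self, key_path: str) -> None:
        self._backups[key_path] = dict(self._reader(key_path))  # copy = the temporary backup

    def on_close(self, key_path: str) -> KeyDiff:
        before = self._backups.pop(key_path)  # backup is discarded here, only the diff survives
        diff = diff_snapshots(before, self._reader(key_path))
        if diff:
            self.trace[key_path] = diff
        return diff


def _reg_add(key_path: str, name: str, vtype: int, data: object) -> str:
    target = "/ve" if name == "" else f'/v "{name}"'
    return f'reg add "{key_path}" {target} /t {REG_TYPE_NAMES[vtype]} /d "{data}" /f'


def restore_commands(key_path: str, diff: KeyDiff) -> List[str]:
    """reg.exe commands that undo the traced changes, i.e. put the original values back."""
    cmds = [_reg_add(key_path, name, *old) for name, (old, _new) in diff.modified.items()]
    cmds += [_reg_add(key_path, name, *old) for name, old in diff.deleted.items()]
    for name in diff.added:
        target = "/ve" if name == "" else f'/v "{name}"'
        cmds.append(f'reg delete "{key_path}" {target} /f')
    return cmds


def simulate_install() -> Tuple[Dict[str, KeyDiff], List[str]]:
    """Constructed scenario: an installer takes over the .txt association (made-up data)."""
    fake_registry: Dict[str, ValueSnapshot] = {
        r"HKCR\.txt": {"": (REG_SZ, "txtfile"), "Content Type": (REG_SZ, "text/plain")},
        r"HKCU\Software\ExampleApp": {},
    }
    tracer = KeyTracer(reader=lambda path: fake_registry[path])
    tracer.on_open(r"HKCR\.txt")  # installer: RegOpenKey, two RegSetValue calls, RegCloseKey
    fake_registry[r"HKCR\.txt"][""] = (REG_SZ, "ExampleApp.txt")
    fake_registry[r"HKCR\.txt"]["PerceivedType"] = (REG_SZ, "text")
    tracer.on_close(r"HKCR\.txt")
    tracer.on_open(r"HKCU\Software\ExampleApp")  # opened but untouched: no trace entry
    tracer.on_close(r"HKCU\Software\ExampleApp")
    return tracer.trace, restore_commands(r"HKCR\.txt", tracer.trace[r"HKCR\.txt"])
```

The diff, not the backup, is what gets stored, so the per-key snapshots cost only as much memory as the key is large and live only between the open and the close. The `reg.exe` lines produced by `restore_commands` are what an uninstall would run to put the original file association back.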

Re: Tracing modified registry values

Posted: 06 Dec 2011, 21:41
by skabour
eil wrote:- while monitoring UT traces what installer is opening and what is creating(by the way are those actions distinguishable?)
Here are the relevant Windows API functions: Registry Functions

Uninstall Tool installs a kernel driver (CisUtMonitor.sys) to trace Windows API calls, I believe. So it can obviously trace all the "Registry Functions". I am suggesting that Uninstall Tool can use some of these functions to actually trace modified values.

This can be done in different ways, I've already suggested two. It's not straightforward, but it can be done, I believe.

Re: Tracing modified registry values

Posted: 08 Dec 2011, 13:39
by Steven
skabour
Thank you. We'll definitely consider tracing registry values rename operations in next versions.