another registry viewer

[Alucard]

It shows registry / files changes in a notepad. It's easy to use and fast (unless you install NET Framework sandboxed ).
Download: http://www.datafilehost.com/download-8c99fe2d.html

[Buster]

Could you explain how to use it?

Some instructions will not harm anyone.

[Alucard]

Sure. Run a program you want to trace in an empty sandbox.
Exit that program, wait for sandboxed processess to end, and then run this viewer, select the sandbox and press ok. It will also work on active sandboxes, but in most cases you want to end it (the program can modify things on exit).

Registry types i don't have to explain. For modified files:
If a real file have a sandboxed copy and "filecompare" is set then
content - crc32 doesn't match
moddate - crc32 match but modification date doesn't
attribs - changed attributes
other - none of the above are true, most of the time it's just a duplicated file

Ini settings:
Sbiedir - automatically set
Filter - registry filter switch
Ignore* - copy from notepad the keys and values you do not want to be shown.
Format is key,key2,key3 for keys, for values it is: key;value1=data;value2=data,key2,key3
I added the ones that are always created when a sandboxed program starts.
You can verify this by starting "run any program" in an empty sandbox
and then running the viewer with filter=0.
Partial match is supported so HKEY_LOCAL_MACHINE\software will ignore changes in all the subkeys.

By the way this program is tested on XP only so files part may give weird results
(like non translated path) on newer systems. This is due to changed (messed up is the right word) user folders locations.

[Guest]

Problem using viewer to shows registry changes,cause cpu too hight

[Alucard]

It hangs or works but hogs cpu? If second try threaded version:
http://www.datafilehost.com/download-3b7071bd.html

[Guest]

Still the same

[Alucard]

I think i found some weird bug(s) in registry procedure, i will later rewrite it. I deleted the download links.

[Alucard]

*deleted link*
Added a lot of error checking and some fixes. Works?

[Guest]

Thanks Alucard for the reply!
I'll give it a try and let you know the results

[Guest]

Still no luck
I'm using xp home ,does it makes difference between xp pro and xp home

[Alucard]

This is bad news. Looking at the numbers it seems random.
After you abort are there any errors in the log? XP Home has all the registry functions Pro has.
I will look tomorrow at the code and maybe figure something out. Did you try Sandboxdiff ?

[Guest]

After abort theres no errors in the log.
Sandboxdiff works fine for me.
This problem shows only when i run IE7,I've try runing some program usng this viewer to trace registry ,it works fine.

[Brummelchen]

nice piece of work - but not really usable. why?
sandboxie needs to be running - i dont need keys and files when the box is ON.
anything important is AFTER sandboxie processes have ended.
Files i can see directly - and the registry changes in you war are not usable for further action.

and last but not least - you should use the forum search - dumping the hive is not new.
read please: http://sandboxie.com/phpbb/viewtopic.php?t=1549
page 3

You could try using this program instead:
http://www.mitec.cz/wrr.html

And just use that program to save the registry keys out of the hive and into a .reg file.

Another nice way is/was "dumphive" from "Markus Stephany"
unfortuantely i cannot find any official source - it disappeared somehow.
google told me that it was sorted als malware due its primal function and some similarity to
a malware same name

after dump any text processing is possible (like after WRR).

[Alucard]

Error code will show after the "seems like hang..." message.
It will point me to a bug location.
*deleted link*

[Guest]

Thanks Alucard ,here is the error code.