another registry viewer

Posted: Thu Aug 20, 2009 7:05 pm
by Alucard
It shows registry / files changes in a notepad. It's easy to use and fast (unless you install NET Framework sandboxed :twisted: ).
Download: http://www.datafilehost.com/download-8c99fe2d.html

Posted: Fri Aug 21, 2009 4:26 am
by Buster
Could you explain how to use it?

Some instructions will not harm anyone. :wink:

Posted: Fri Aug 21, 2009 6:38 am
by Alucard
Sure. Run a program you want to trace in an empty sandbox.
Exit that program, wait for sandboxed processes to end, and then run this viewer, select the sandbox and press OK. It will also work on active sandboxes, but in most cases you want to end it (the program can modify things on exit).

Registry types I don't have to explain. For modified files:
If a real file has a sandboxed copy and "filecompare" is set then
content - crc32 doesn't match
moddate - crc32 match but modification date doesn't
attribs - changed attributes
other - none of the above are true, most of the time it's just a duplicated file

Ini settings:
Sbiedir - automatically set
Filter - registry filter switch
Ignore* - copy from notepad the keys and values you do not want to be shown.
Format is key,key2,key3 for keys, for values it is: key;value1=data;value2=data,key2,key3
I added the ones that are always created when a sandboxed program starts.
You can verify this by starting "run any program" in an empty sandbox
and then running the viewer with filter=0.
Partial match is supported so HKEY_LOCAL_MACHINE\software will ignore changes in all the subkeys.

By the way, this program is tested on XP only, so the files part may give weird results
(like a non-translated path) on newer systems. This is due to changed (messed up is the right word) user folder locations.
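As an added illustration (not code from the thread or from Alucard's tool), here is a Python sketch of the two rules described above: the content/moddate/attribs/other file classification and the Ignore* filter format with prefix matching. Using permission bits in place of Windows file attributes, and treating a value entry as hiding only the listed value=data pairs under that key, are assumptions.

```python
import os, stat, tempfile, zlib

def crc32_of(path):
    """CRC32 of a file's whole content."""
    with open(path, "rb") as f:
        return zlib.crc32(f.read())

def classify_change(real, sandboxed):
    """Label a real file vs. its sandboxed copy with the post's four categories."""
    if crc32_of(real) != crc32_of(sandboxed):
        return "content"
    r, s = os.stat(real), os.stat(sandboxed)
    if int(r.st_mtime) != int(s.st_mtime):
        return "moddate"
    # Assumption: permission bits stand in for Windows file attributes here.
    if stat.S_IMODE(r.st_mode) != stat.S_IMODE(s.st_mode):
        return "attribs"
    return "other"

def parse_ignore(spec):
    """'key,key2' or 'key;v1=d1;v2=d2,key3' -> {key: {"value=data", ...}};
    an empty set means the whole key and, by prefix match, its subkeys."""
    rules = {}
    for entry in (e.strip() for e in spec.split(",") if e.strip()):
        key, *values = entry.split(";")
        rules.setdefault(key.lower(), set()).update(v.lower() for v in values if v)
    return rules

def is_ignored(rules, key, value=None, data=None):
    """Prefix match on the key; value rules hide only the listed value=data pairs."""
    k = key.lower()
    for prefix, values in rules.items():
        if k.startswith(prefix) and (not values or f"{value}={data}".lower() in values):
            return True
    return False

def demo():
    """Constructed sample files exercising the three comparison outcomes."""
    d = tempfile.mkdtemp()
    def w(name, content, mtime):
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(content)
        os.utime(p, (mtime, mtime))
        return p
    return (classify_change(w("r1", b"abc", 1000), w("s1", b"abd", 1000)),
            classify_change(w("r2", b"abc", 1000), w("s2", b"abc", 2000)),
            classify_change(w("r3", b"abc", 1000), w("s3", b"abc", 1000)))
```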

Posted: Sun Aug 23, 2009 8:32 am
by Guest
Problem using viewer to show registry changes, causes CPU too high :(

Posted: Sun Aug 23, 2009 9:36 pm
by Alucard
It hangs or works but hogs CPU? If the second, try the threaded version:
http://www.datafilehost.com/download-3b7071bd.html

Posted: Mon Aug 24, 2009 3:59 am
by Guest
Still the same :cry:

Posted: Mon Aug 24, 2009 8:48 am
by Alucard
I think I found some weird bug(s) in the registry procedure; I will rewrite it later. I deleted the download links.

Posted: Mon Aug 24, 2009 7:31 pm
by Alucard
*deleted link*
Added a lot of error checking and some fixes. Works?

Posted: Mon Aug 24, 2009 8:51 pm
by Guest
Thanks Alucard for the reply!
I'll give it a try and let you know the results :D

Posted: Mon Aug 24, 2009 8:58 pm
by Guest
Still no luck
I'm using XP Home, does it make a difference between XP Pro and XP Home :?:

Posted: Mon Aug 24, 2009 9:45 pm
by Alucard
This is bad news. :? Looking at the numbers it seems random.
After you abort are there any errors in the log? XP Home has all the registry functions Pro has.
I will look tomorrow at the code and maybe figure something out. Did you try Sandboxdiff ?

Posted: Mon Aug 24, 2009 11:16 pm
by Guest
After abort there are no errors in the log.
Sandboxdiff works fine for me.
This problem shows only when I run IE7. I've tried running some programs using this viewer to trace the registry, and it works fine.

Posted: Mon Aug 24, 2009 11:49 pm
by Brummelchen
nice piece of work - but not really usable. why?
sandboxie needs to be running - I don't need keys and files when the box is ON.
anything important is AFTER sandboxie processes have ended.
Files I can see directly - and the registry changes in your way are not usable for further action.

and last but not least - you should use the forum search - dumping the hive is not new.
read please: http://sandboxie.com/phpbb/viewtopic.php?t=1549
page 3
SnDPhoenix wrote: You could try using this program instead:
http://www.mitec.cz/wrr.html

And just use that program to save the registry keys out of the hive and into a .reg file. :roll:
Another nice way is/was "dumphive" from "Markus Stephany"
unfortunately I cannot find any official source - it disappeared somehow.
google told me that it was sorted as malware due to its primal function and some similarity to
a malware of the same name :roll:

after dump any text processing is possible (like after WRR).

Posted: Tue Aug 25, 2009 12:00 am
by Alucard
Error code will show after the "seems like hang..." message.
It will point me to a bug location.
*deleted link*

Posted: Tue Aug 25, 2009 12:25 am
by Guest
Thanks Alucard, here is the error code.