another registry viewer

Utilities designed for use with Sandboxie
Alucard

another registry viewer

Post by Alucard » Thu Aug 20, 2009 7:05 pm

It shows registry / files changes in a notepad. It's easy to use and fast (unless you install NET Framework sandboxed :twisted: ).
Download: http://www.datafilehost.com/download-8c99fe2d.html

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Fri Aug 21, 2009 4:26 am

Could you explain how to use it?

Some instructions will not harm anyone. :wink:

Alucard

Post by Alucard » Fri Aug 21, 2009 6:38 am

Sure. Run a program you want to trace in an empty sandbox.
Exit that program, wait for sandboxed processess to end, and then run this viewer, select the sandbox and press ok. It will also work on active sandboxes, but in most cases you want to end it (the program can modify things on exit).

Registry types i don't have to explain. For modified files:
If a real file have a sandboxed copy and "filecompare" is set then
content - crc32 doesn't match
moddate - crc32 match but modification date doesn't
attribs - changed attributes
other - none of the above are true, most of the time it's just a duplicated file

Ini settings:
Sbiedir - automatically set
Filter - registry filter switch
Ignore* - copy from notepad the keys and values you do not want to be shown.
Format is key,key2,key3 for keys, for values it is: key;value1=data;value2=data,key2,key3
I added the ones that are always created when a sandboxed program starts.
You can verify this by starting "run any program" in an empty sandbox
and then running the viewer with filter=0.
Partial match is supported so HKEY_LOCAL_MACHINE\software will ignore changes in all the subkeys.

By the way this program is tested on XP only so files part may give weird results
(like non translated path) on newer systems. This is due to changed (messed up is the right word) user folders locations.

Guest

Post by Guest » Sun Aug 23, 2009 8:32 am

Problem using viewer to shows registry changes,cause cpu too hight :(

Alucard

Post by Alucard » Sun Aug 23, 2009 9:36 pm

It hangs or works but hogs cpu? If second try threaded version:
http://www.datafilehost.com/download-3b7071bd.html

Guest

Post by Guest » Mon Aug 24, 2009 3:59 am

Image

Still the same :cry:

Alucard

Post by Alucard » Mon Aug 24, 2009 8:48 am

I think i found some weird bug(s) in registry procedure, i will later rewrite it. I deleted the download links.

Alucard
Posts: 7
Joined: Mon Aug 24, 2009 7:17 pm

Post by Alucard » Mon Aug 24, 2009 7:31 pm

*deleted link*
Added a lot of error checking and some fixes. Works?
Last edited by Alucard on Wed Aug 26, 2009 9:48 am, edited 1 time in total.

Guest

Post by Guest » Mon Aug 24, 2009 8:51 pm

Thanks Alucard for the reply!
I'll give it a try and let you know the results :D

Guest

Post by Guest » Mon Aug 24, 2009 8:58 pm

Image

Still no luck
I'm using xp home ,does it makes difference between xp pro and xp home :?:

Alucard
Posts: 7
Joined: Mon Aug 24, 2009 7:17 pm

Post by Alucard » Mon Aug 24, 2009 9:45 pm

This is bad news. :? Looking at the numbers it seems random.
After you abort are there any errors in the log? XP Home has all the registry functions Pro has.
I will look tomorrow at the code and maybe figure something out. Did you try Sandboxdiff ?

Guest

Post by Guest » Mon Aug 24, 2009 11:16 pm

After abort theres no errors in the log.
Sandboxdiff works fine for me.
This problem shows only when i run IE7,I've try runing some program usng this viewer to trace registry ,it works fine.

Brummelchen
Posts: 388
Joined: Sun Oct 12, 2008 9:13 pm

Post by Brummelchen » Mon Aug 24, 2009 11:49 pm

nice piece of work - but not really usable. why?
sandboxie needs to be running - i dont need keys and files when the box is ON.
anything important is AFTER sandboxie processes have ended.
Files i can see directly - and the registry changes in you war are not usable for further action.

and last but not least - you should use the forum search - dumping the hive is not new.
read please: http://sandboxie.com/phpbb/viewtopic.php?t=1549
page 3
SnDPhoenix wrote:You could try using this program instead:
http://www.mitec.cz/wrr.html

And just use that program to save the registry keys out of the hive and into a .reg file. :roll:
Another nice way is/was "dumphive" from "Markus Stephany"
unfortuantely i cannot find any official source - it disappeared somehow.
google told me that it was sorted als malware due its primal function and some similarity to
a malware same name :roll:

after dump any text processing is possible (like after WRR).

Alucard
Posts: 7
Joined: Mon Aug 24, 2009 7:17 pm

Post by Alucard » Tue Aug 25, 2009 12:00 am

Error code will show after the "seems like hang..." message.
It will point me to a bug location.
*deleted link*
Last edited by Alucard on Wed Aug 26, 2009 9:49 am, edited 1 time in total.

Guest

Post by Guest » Tue Aug 25, 2009 12:25 am

Image


Thanks Alucard ,here is the error code.

Post Reply

Who is online

Users browsing this forum: No registered users and 0 guests