M$ User
Hello, I posted the following problem about registry pollution, but
haven't gotten much response. Hoping someone here can comment. In
addition to the questions at the end, I think I recall seeing a
method of modifying exported registry files to delete and/or create
keys, to be carried out when the file is imported. I can't seem to
find anything about this on the Microsoft website. Thanks for any
comments.
-------- Original Message --------
Subject: Cleaning up Burn4free droppings
Date: Wed, 07 Feb 2007 00:26:59 -0500
From: M$ User <[email protected]>
Newsgroups: microsoft.public.win2000.registry
I'm using a VPN that scans my computer for risky things before
connecting. It found my computer to be clean if run from an
administrator account. But when run as a nonadmin user, it prevents
connection because it found:
HKEY_CURRENT_USER\Software\Burn4Free
According to
http://www.siteadvisor.com/sites/mrgratis.com/downloads/1848445/
Burn4free adds many things related to NavHelper/NavExcel, which many
people don't like. Apparently, neither does my VPN client. However,
Burn4free has been removed long ago, so many of the things in the
above website don't appear on my computer. I have no
NavHelper/NavExcel on my Add/Remove_Programs (launched as
administrator). Neither of the 2 strings show up in the registry,
explored as administrator. And there are no file names or directories
on my hard drive containing the string "burn4free".
I have always been warned to leave registry mucking to the wizards.
But I could at least search for occurrences of the string "burn4free",
which I did using regedit from an administrator account:
HKEY_CLASSES_ROOT\.b4f
HKEY_CLASSES_ROOT\Applications\Burn4Free.exe
HKEY_CLASSES_ROOT\Applications\Burn4Free.exe\shell
HKEY_CLASSES_ROOT\Burn4Free project
HKEY_CLASSES_ROOT\Burn4Free project\DefaultIcon
HKEY_CLASSES_ROOT\Burn4Free project\shell\open\command
HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Burn4Free CD and DVD
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Burn4Free Toolbar
1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.b4f
2 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\Burn4Free.exe
3 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\Burn4Free.exe\shell
4 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Burn4Free project
5 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Burn4Free project\DefaultIcon
6
7
8 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Burn4Free project\shell\open\command
9 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Burn4Free Toolbar
10 HKEY_USERS\S-1-5-21-527237240-920026266-1343024091-1000\Software\Burn4Free
11 HKEY_USERS\S-1-5-21-527237240-920026266-1343024091-1000\Software\Microsoft\Direct3D
12 HKEY_USERS\S-1-5-21-527237240-920026266-1343024091-1000\Software\Microsoft\Direct3D\MostRecentApplication
13 HKEY_USERS\S-1-5-21-527237240-920026266-1343024091-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU
14 HKEY_USERS\S-1-5-21-527237240-920026266-1343024091-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Burn4Free CD and DVD
15 HKEY_USERS\S-1-5-21-527237240-920026266-1343024091-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Burn4Free Toolbar
16 HKEY_USERS\S-1-5-21-527237240-920026266-1343024091-500\Software\Microsoft\Direct3D\MostRecentApplication
17 HKEY_USERS\S-1-5-21-527237240-920026266-1343024091-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Burn4Free CD and DVD
18 HKEY_USERS\S-1-5-21-527237240-920026266-1343024091-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Burn4Free Toolbar
I also exported the entire registry as a text file (REGEDIT4 file) to
double-check the keys containing "burn4free". The key names found
are:
1 [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.b4f]
2 [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\Burn4Free.exe]
3 [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\Burn4Free.exe\shell]
4 [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Burn4Free project]
5 [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Burn4Free project\DefaultIcon]
6 [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Burn4Free project\shell]
7 [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Burn4Free project\shell\open]
8 [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Burn4Free project\shell\open\command]
9 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Burn4Free Toolbar]
10 [HKEY_USERS\S-1-5-21-527237240-920026266-1343024091-1000\Software\Burn4Free]
11
12 [HKEY_USERS\S-1-5-21-527237240-920026266-1343024091-1000\Software\Microsoft\Direct3D\MostRecentApplication]
13 [HKEY_USERS\S-1-5-21-527237240-920026266-1343024091-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU]
14 [HKEY_USERS\S-1-5-21-527237240-920026266-1343024091-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Burn4Free CD and DVD]
15 [HKEY_USERS\S-1-5-21-527237240-920026266-1343024091-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Burn4Free Toolbar]
16 [HKEY_USERS\S-1-5-21-527237240-920026266-1343024091-500\Software\Microsoft\Direct3D\MostRecentApplication]
17 [HKEY_USERS\S-1-5-21-527237240-920026266-1343024091-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Burn4Free CD and DVD]
18 [HKEY_USERS\S-1-5-21-527237240-920026266-1343024091-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Burn4Free Toolbar]
These do corroborate with those found within regedit, and
corresponding keys between the 2 lists are given the same number
above. Some features to note are:
* The exported file only contains the keys rooted in
HKEY_LOCAL_MACHINE and HKEY_USERS. They do not contain the keys
rooted in HKEY_CLASSES_ROOT and HKEY_CURRENT_USER.
* Keys 6 & 7 do not have corresponding hits in the search from
within regedit because the search facility only matches the
search string to the /last/ component of the "path" (or to a key
containing a value which contains "burn4free").
* Key 11 doesn't have an entry in the exported REGEDIT4 file
presumably because the export only considers keys that contain
values. There really is no point in exporting a key that
contains just another key, since the 2nd key will have its own
entry in the exported file (if it contains values).
* I presume that the offending HKEY_CURRENT_USER\Software\Burn4Free
shows up as item 10, and that the strange code representing the user
is the account for which the problem is experienced.
I would like to erase all the keys in the (first) longer list, and
fear causes me to want to back up the registry before doing so, which
yields a 21MB REGEDIT4 file when done as administrator.
1. Is it safe to go and remove the keys?
2. What is the most efficient (maybe scripted) way to remove the keys?
I'm more familiar with Solaris (at a user level) and handier
with a text file than clicking at a GUI.
3. Is this the most advisable solution?
4. It seems more thorough to remove the keys as administrator. Is
this better than doing so as the user experiencing the problem?
Should I remove the keys as both administrator and the nonadmin
user?
5. Is saving a REGEDIT4 file an adequate safety net, or is it
better to save it in its default binary format?
6. Should I take a snapshot of the registry from both accounts?
That would create about 42MB of safety net.
7. Is there an efficient way to specify the exact keys to export
in one shot? This would be preferable to saving 21MB of
registry per export.
8. What are some of the barriers to recovery if things go wrong?
Thanks for any thoughts on this.
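
Added example, not part of the original post: a Python sketch of the text-file workflow the post describes, separating keys whose path contains the search string from keys that only hold a matching value, then writing `[-key]` deletion headers (the .reg syntax for removing a key and its subkeys on import) for the top-most matching keys only. The function names and the sample export, including its SID, are constructed for illustration.

```python
import re

# Constructed sample in REGEDIT4 export format (not the poster's real data).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Burn4Free project\shell\open\command]
@="\"C:\\Example\\Burn4Free.exe\" \"%1\""

[HKEY_USERS\S-1-5-21-0-0-0-1000\Software\Burn4Free]
"Installed"="1"

[HKEY_USERS\S-1-5-21-0-0-0-1000\Software\Microsoft\Direct3D\MostRecentApplication]
"Name"="Burn4Free.exe"
'''

def parse_export(text):
    """Map each [key] section header to the value lines beneath it."""
    keys, current = {}, None
    for line in text.splitlines():
        m = re.match(r'^\[(HKEY_.+)\]\s*$', line)
        if m:
            current = m.group(1)
            keys[current] = []
        elif current and line.strip():
            keys[current].append(line)
    return keys

def classify(keys, needle):
    """Split hits: key path matches vs. only a value under the key matches."""
    by_name, by_value = [], []
    for path, values in keys.items():
        if needle.lower() in path.lower():
            by_name.append(path)
        elif any(needle.lower() in v.lower() for v in values):
            by_value.append(path)  # shared key: review the value, keep the key
    return by_name, by_value

def topmost(paths, needle):
    """Cut each path at its first matching component (needle has no backslash)."""
    roots = set()
    for p in paths:
        parts = p.split('\\')
        hit = next(i for i, c in enumerate(parts) if needle.lower() in c.lower())
        roots.add('\\'.join(parts[:hit + 1]))
    return sorted(roots)

def deletion_reg(roots):
    """Build .reg text; a leading '-' in the header deletes that key on import."""
    return 'REGEDIT4\n\n' + ''.join(f'[-{r}]\n\n' for r in roots)
```

Keys returned in `by_value` (such as `MostRecentApplication`) belong to other software and are left out of the deletion file on purpose; only the matching value under them is stale.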