LouieB
Members
Posts: 10
Reputation: 0 Neutral
  1. ROTFL! Well, it didn't start out that way! While your summary is succinct (after the fact) I certainly had no idea where things would go. The result was "one" result, on "three" different Windows platforms. Are you asking me if I'm sure of my results? When you make an observation and take a screen-shot of the result, how many times do you need to redo the test? Judging from the participation in this discussion it generated some interest, perhaps of zero use to anybody but me. Thank God for the curious minds contributing here! The CC settings are just one facet that needed to be nailed down and I mean NAILED DOWN. While your summary is concise, and we routinely live with more than a little "undeterminism" in the Windows environment, I hope you're not trivializing the need for absolute accuracy to withstand harsh legal cross examination! I admit, it's not a path we often tread in the world of software. I'm still chuckling at the brevity of your summary, great observation!
  2. DennisD - Wow! Above and beyond the call of duty! Thank you! Except for the choice of uninstaller, we followed the same "uninstall, search the registry, & reinstall" process, with the same results up to that point. So now I'm confused - why did my reinstall pick up my previous settings? It looks like I did the same registry search you did looking for "piriform" or "ccleaner". What a puzzle. I'll have to do all that again just to make sure I wasn't hallucinating! It may be a couple of days - the calendar is stacked up - but I'll post my final results.
  3. Mr Don, I did not know about the old versions of CC using an INI file. I also overlooked the fact that a version newer than 2.29 had the "set to default" settings. Have the default settings always been the same for all versions of CC? Proving the default settings for 2.29 may be, uh, problematic. It may have gotten lost in the thread... my tests showed that changing the settings (with 2.29), uninstalling, and then reinstalling restores my settings, not the default settings. I'm still open and looking... Thanks for the input!
  4. Alan_B, Augeas, Thank you for your replies. Alan_B, your idea should work if the between-installation memory is in the registry. I think I have a Ghost image of a brand spanking new XP installation. I'll restore that and let you know what I find (just for grins).
Augeas, You're certainly correct about running CC not being inherently malicious, but this is not the only item the investigation hinges on; it's only my piece of the investigation. For instance, if the opposing side is using CC to paint a picture for the jury but it can be shown that CC was never run, perhaps in a certain time frame, and/or that the settings were benign, normal cleanup settings, well, you get the idea. In the legal realm it can be equally important to show positive proof that something did happen, or that it could not have happened, or is just plain hypothetical and unproven. Good lawyers just need to know what is real and what the jury might be taught. With regard to your logic, you're correct that the run date is as important as the settings in making the point - I hadn't overlooked that.
The part I've got trouble with comes from this scenario: the default setting for WFS is off. Ergo, if it was EVER set to true then there would be an entry in the registry. If you watch the registry, the first time you change from a default it creates a registry entry; subsequent toggles on/off change the entry between True & False. Uninstalling CC wipes out these registry entries and reinstalling picks the old entries up from somewhere - but they don't show in the registry until you make a change in the new installation. If WFS was set to True (entry made in the registry), CC was uninstalled (entries wiped from registry & stored somewhere), reinstalled (CC install picks up stored values from somewhere), then WFS could be set to True and not show in the registry. Direct evidence is easier to teach to a jury than logic, therefore I'm still looking for CC's secret between-install repository of settings...
I will give Alan_B's method a try - give me a few days to muck with it. Thanks to all!
  5. Alan_B, Recall the story about the lawyer that came to town and was starving until another lawyer moved into town and they both became rich. In every forensic exam there are (at least) two parties. One side will impugn the other's methodology to try to discredit them. You are correct, a pristine image of the original drive is made, slack space, free list, MFT, every bit of every sector, AND the read-only copy is maintained unaltered. You are also correct in that I could, in principle, reconstruct a bootable drive from the image (while preserving the read-only copy); however, that has its problems, compatible hardware and Windows Genuine Advantage notwithstanding. I have a copy of the bits; the opposing side pulled the hard drive and I don't know who has retained the physical computer. The most pernicious part of booting a reconstructed copy is that once the booted reconstructed system starts changing stuff I would then have to be able to prove that the stuff I'm claiming as evidence didn't change as a consequence of Windows doing some Kabuki dance on it. So while this may be the "hard way" there are legal and procedural reasons for it. Engineering forensics and digital forensics are a tricky legal field to work in. Paraben has a free download (http://www.paraben.com/p2-explorer.html) that allows an image to be mounted and browsed, but not booted. My method has been to use regedit (on a host system) to examine the mounted read-only image by loading selective hives from the image registry. I figured if I could find the CCleaner setting repository on my own system that would indicate where to look on the imaged system - alas, no joy [:-( but still looking...
  6. Thank you all for your insights and recommendations. I have not yet found the repository (registry or otherwise) for CCleaner settings from a previous installation. I would still find this information valuable if anybody finds out, or if you are able to get this information from the CCleaner developers. Best regards to all, I await further updates to this thread...
  7. I had trouble logging into the forum for the last 15 hours... Thank you all for your questions, comments, and directions. Isn't it amazing how we think we're being so precise in these posts yet all these questions come up? I've moved my "bottom line" to the top of this text lest the answers to your questions turn into red herrings.
New info: the target system was Win 7. The whole purpose of my inquiry(ies) has been that if I could find the place where a CCleaner re-installation was picking up the defaults then I could explicitly verify the settings that were in use on the target system the last time it was run. Allow me to add another question to the mix (it may help): how can I tell the date of the last time CCleaner was run? There was no prefetch file (C:/Windows/Prefetch/ccleaner.exe*.pf) on the target system.
Augeas: Let me answer your questions in sequence:
"You searched for CCleaner on your target image and had no hits?" I had no search hits in the registry and hard drive on my TEST systems after uninstalling. I verified this behavior under W2K, XP PRO, and XP Home versions. I did this to try and find ccleaner "residue" as a clue to where it might be picking up the defaults. That strategy obviously didn't work. (yet?)
"Is CC installed on the target image? Do you have a c:/program files/ccleaner folder?" Yes, the path exists: c:/program files/ccleaner/ccleaner.exe
"You imply that there's no registry entry for individual CC check boxes until the boxes are checked (something I didn't know)." No implication! It's really cool to sit there with the registry open, looking at the HKEY_CurrentUser\Software\Piriform\CCleaner path and watch the entries get created and then toggled between True and False! Try it! You can also watch these entries get created in the registry during the install process. Some of the registry stuff gets created at install-time and some the first time you run CC.
In addition, the registry path below also gets updated: HKEY_USERS\S-1-5-21-2436634489-3716022376-2615223600-1008\Software\Piriform\CCleaner
After uninstalling CCleaner on my test system I came up with no hits when searching the hard drive or the registry - the uninstall seems to do a very thorough job. HOWEVER, when I reinstalled version 2.29 for testing it pulled my previous settings from somewhere. I also searched file contents (after uninstalling from my test system) and came up with no hits for CCleaner or Piriform. I also searched the entire C drive for ccleaner.ini - no hits. As I said, CCleaner seems to do a really good job removing itself. The target system has multiple entries for CCleaner in the registry and the hard drive. The one that convinced me that it was installed was HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Uninstall\CCleaner. Entries under this key on the target system also report the version number.
DennisD, Andavari: Thank you for pointing me to the default settings, at least I can find out what the default settings were supposed to be! Update: version 2.29 doesn't seem to have a "restore default settings" button??
  8. Hi Andavari, After reading the Piriform documentation (well before I posted my question in this forum) I looked for C:\Program Files\CCleaner\ccleaner.ini, it does not exist on the target system or on the platform I was running tests on. I searched both drives in their entirety for "piriform" or "ccleaner" (hidden and system files too) - I came up with no hits. Please allow me to ask another question (which I have not found an answer to): what are the "out of the box" default settings on CCleaner? Thanks again!
  9. DennisD, thanks for the reply! Let me rephrase my question. When you open CCleaner some of the check boxes on the left panel are checked and some not. A single corresponding registry label only shows up in my registry after I've clicked and unclicked one of the boxes. Any further checking and unchecking the box toggles the value of the registry label between True and False. If I uninstall CCleaner, all the setting values in the registry path HKEY_CURRENT_USER\Software\Piriform\CCleaner are deleted. When I reinstall CCleaner it restores all of my settings, from before the uninstall, to the check boxes but not the registry. CCleaner must be storing and picking up my old settings from somewhere. I assume that the "remembered" settings are in a registry entry somewhere, but where? I only care about where these things are stored because I need to determine what the setting was on this read-only hard drive image that I have. I'm anxious for your thoughts!
  10. Kudos - this is a great product. Just one thing I need to know: Where is the CCleaner "wipe free space" setting stored? I have been all over the documentation and the other forum entries, maybe I missed it. On my Win2k system I can see the settings change in the registry under HKEY_Current_User/software/piriform/ccleaner. For example, once I make a change to the "wipe free space" check box I can see the "Wipe Free Space" key get created the first time and then show up as True or False thereafter. Under XP / Vista it doesn't show up under that registry path and I can't find any other path where it does. HKEY_Local_Machine/Software/Microsoft/Windows/CurrentVersion/Uninstall/CCleaner shows the system was running CCleaner Version 2.29. I know I can force it to be in a .INI file, but I am working on a read-only forensic image and I need to find the setting without booting the system or making any changes. I surely would be grateful for some registry paths that tell me (1) the location of the settings and (2) if the settings are still at the installation defaults. Best Regards,
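The procedure the posts above describe by hand (load hives from the mounted read-only image, read Software\Piriform\CCleaner and the Uninstall\CCleaner entry, check for ccleaner.ini and a prefetch file) scripted as an added example. This is not code from the thread, from Piriform, or from the Paraben tool. Assumptions to adjust for a real case: the image is mounted read-only as drive X:, the profile of interest is X:\Users\target (Windows 7 layout; XP keeps profiles under Documents and Settings), copies are staged under C:\case\hives, and the registry value name for the wipe option is not confirmed here, so it is matched loosely on "Wipe" and "Free".

```powershell
# Added example, not from this thread or from Piriform. Reads CCleaner traces
# from hive files copied out of a read-only forensic image, without booting it.
# Run from an elevated PowerShell (reg load needs backup/restore privileges);
# Get-FileHash and Get-ChildItem -File need PowerShell 3/4 or later.
$imageRoot  = 'X:'        # assumed mount point of the read-only image
$targetUser = 'target'    # assumed profile name on the target system
$stage      = 'C:\case\hives'
New-Item -ItemType Directory -Force -Path $stage | Out-Null

# 1. Work on copies. reg load opens a hive for writing, which fails on a
#    read-only mount and would alter the evidence on a writable one. Copy the
#    .LOG files too; Windows uses them if the hive was not cleanly flushed.
$srcUser = Join-Path $imageRoot "Users\$targetUser"
$srcCfg  = Join-Path $imageRoot 'Windows\System32\config'
Get-ChildItem $srcUser -Force -File -Filter 'NTUSER.DAT*' | Copy-Item -Destination $stage -Force
Get-ChildItem $srcCfg  -Force -File -Filter 'SOFTWARE*'   | Copy-Item -Destination $stage -Force
Get-ChildItem $stage -Force -File | Get-FileHash -Algorithm SHA256 |
    ForEach-Object { '{0}  {1}' -f $_.Hash, (Split-Path $_.Path -Leaf) }   # record in the case notes

# 2. Attach the copies under temporary names. HKCU and HKEY_USERS\<SID> are
#    the same per-user hive, so this is the NTUSER.DAT path the thread watched.
reg load HKU\ImgUser      (Join-Path $stage 'NTUSER.DAT') | Out-Null
if ($LASTEXITCODE) { throw 'reg load of NTUSER.DAT failed' }
reg load HKLM\ImgSoftware (Join-Path $stage 'SOFTWARE')   | Out-Null
if ($LASTEXITCODE) { reg unload HKU\ImgUser | Out-Null; throw 'reg load of SOFTWARE failed' }
$key = $null
try {
    # 3. Installed version from the uninstall entry (NSIS-style value names).
    $uninst = 'Registry::HKEY_LOCAL_MACHINE\ImgSoftware\Microsoft\Windows\CurrentVersion\Uninstall\CCleaner'
    if (Test-Path $uninst) {
        $u = Get-ItemProperty $uninst
        'Uninstall entry: {0} {1} ({2})' -f $u.DisplayName, $u.DisplayVersion, $u.InstallLocation
    } else { 'No CCleaner uninstall entry in the SOFTWARE hive' }

    # 4. Per-user options. A value appears only once its box has been toggled,
    #    so "absent" means never changed in this profile, not "off".
    $opts = 'Registry::HKEY_USERS\ImgUser\Software\Piriform\CCleaner'
    if (Test-Path $opts) {
        $key = Get-Item $opts
        foreach ($name in ($key.GetValueNames() | Sort-Object)) {
            '{0,-40} {1}' -f $name, $key.GetValue($name)
        }
        # Assumed: exact value name for the wipe option is not confirmed, match loosely.
        $wfs = $key.GetValueNames() | Where-Object { $_ -like '*Wipe*Free*' }
        if ($wfs) { foreach ($n in $wfs) { 'Wipe free space: {0} = {1}' -f $n, $key.GetValue($n) } }
        else      { 'No wipe-free-space value stored: box never toggled in this profile' }
    } else { 'No Software\Piriform\CCleaner key in this user hive' }

    # 5. File-system traces the thread checked by hand.
    foreach ($rel in 'Program Files\CCleaner\ccleaner.exe', 'Program Files\CCleaner\ccleaner.ini') {
        '{0,-45} present: {1}' -f $rel, (Test-Path (Join-Path $imageRoot $rel))
    }
    $pf = Get-ChildItem (Join-Path $imageRoot 'Windows\Prefetch') -Force -Filter 'CCLEANER*.pf' -ErrorAction SilentlyContinue
    if ($pf) { $pf | ForEach-Object { 'Prefetch: {0} last written {1}' -f $_.Name, $_.LastWriteTime } }
    else     { 'No CCleaner prefetch file (prefetch disabled, never run, or the file was removed)' }
}
finally {
    # 6. Release handles, then detach; an open handle makes reg unload fail.
    if ($key) { $key.Close() }
    [GC]::Collect()
    reg unload HKU\ImgUser      | Out-Null
    reg unload HKLM\ImgSoftware | Out-Null
}
```

The script only reports what is physically stored in the copied hives; it does not answer the thread's open question of where a reinstall recovers earlier settings from, and an absent value under Software\Piriform\CCleaner is evidence that the box was never toggled in that profile's hive, not proof of which setting a freshly reinstalled copy would show.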