-
Posts
15 -
Joined
-
Last visited
Posts posted by codon
-
-
Statement
I write in my native language, because then I know exactly what I'm saying and I don't want to be misunderstood. Maybe someone can translate it. I think Google cannot do it alone. All the bad mood, all the ignorance - a pity.
CCleaner ist ein sehr gutes, mächtiges (auch kostenloses) Programm, das so seinesgleichen sucht. Meine Hochachtung den Entwicklern, die so etwas zustande gebracht haben.
Windows ist ein Datensammler, doch ich glaube nicht primär um Benutzer auszuspionieren, sondern um es ihnen einfach zu machen (man denke an die Unix-Zeiten, an die Eingabeaufforderung,etc.). Dieses „Einfach Machen“ birgt allerdings viele Gefahren in sich und viele Programme hinterlassen Spuren und sind nicht so entwickelt, dass sie den Computer so verlassen wie sie ihn vorgefunden haben, wenn man sie deinstalliert.
Ich war erstaunt wie viele Rückstände bzw. Reste zu finden waren, nachdem ich CCleaner angewendet hatte. Das kleine Programm von Nir Sofer zeigte allerdings Spuren, von denen ich meinte, sie dürften eigentlich nicht da sein, hatte ich doch die Optionen im Startmenü / Datenschutz abgewählt. Nun sie waren aber da - und sogar von nichtangeschlossenen Wechselmedien! Dies war der Grund mich in diesem Fachforum anzumelden - ich wollte Hilfe und Unterstützung - und natürlich bemühte ich mich auch eine Lösung zu finden.
So suchte ich den Ort wo diese Informationen gespeichert waren - zunächst jedoch erfolglos. Ich führte Telefonate mit Softwareentwicklern, fand so einiges im Netz und lernte im Laufe der Suche dazu. Hier eine Vermutung, dort ein Verweis oder ein neuer Begriff. Ich hörte nicht auf, war allerdings zunächst auf der falschen Fährte, nämlich der Forensik. Ich suchte nun ein Program, das in Lage war File-Slack (Ram-Slack & Drive-Slack) und MTF-Slack zu löschen, bzw. zu überschreiben. Auf der Suche danach fand ich nebenbei das Programm von Jürgen Haage - und die Einträge waren mit einem Klick verschwunden.
Nir Sofer hat nicht auf die Anfrage geantwortet (er wird zu sehr beschäftigt sein) von wo sein Programm die angezeigten Informationen hat und so galt es über Umwege dahinter zu kommen. Die Informationen waren da und auch in der Registry, doch eben nicht in Klartext. Ich suchte ein Programm, das Veränderungen in der Registry an- und aufzeigen konnte. So kam ich auf diese und deren Unterschlüssel, die gelöscht wurden.
HKU\S-1-5-21-/ ̴ ̴ ̴/--1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1
Modifiziert wurden diese
HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos… HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos…
Wenn nun alle Informationen in HKEY_USERS bei der Anmeldung eines Benutzers in HKEY_CURRENT_USER geschrieben werden, nutzt das Leeren der BagMRUs dort (HKCU) nichts, da sie bei jedem Systemstart wieder neu eingelesen werden.
Aber auch ohne das Programm von Jürgen Haage geht es. Eine Momentaufnahme bevor man einen oder mehrere neue(n) Ordner anlegt (in diesem Beispiel nur einer), dann eine danach. Beim Vergleich sieht man dann die neuen Einträge in der Registry.
Keys added:12
HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590\Shell HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590\Shell HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Values added:40
HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot: 0x00000A1E HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx: FF FF FF FF HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0: 50 00 31 00 00 00 00 00 1B 41 65 00 10 00 00 61 72 00 69 00 00 00 3A 00 08 00 04 00 00 BE 1B 41 FA 5E 1B 41 65 00 2A 00 00 00 17 24 01 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 00 72 00 00 00 69 00 00 00 00 00 16 00 00 00 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx: 00 00 00 00 FF FF FF FF HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx: 00 00 00 00 FF FF FF FF HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0: 19 00 2F 43 3A 5C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev: 0x00000004 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags: 0x41200001 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid: "{137E7700-3573-11CF-AE69-08002B2E1262}" HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode: 0x00000004 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode: 0x00000001 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize: 0x00000010 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 18 00 00 00 30 00 25 00 00 00 00 10 00 00 02 60 00 00 00 00 00 00 00 00 10 01 00 00 30 00 25 00 00 00 00 10 00 00 02 60 00 00 00 00 0E 00 00 00 00 00 00 00 30 00 25 00 00 00 00 10 00 00 02 60 00 00 00 00 04 00 00 00 00 00 00 00 30 00 25 00 00 00 00 10 00 00 02 60 00 00 00 00 0C 00 00 00 50 00 00 00 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 30 00 25 00 00 00 00 10 00 00 02 60 00 00 00 00 00 00 00 00 01 00 00 00 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView: 0x00000000 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID: "{00000000-0000-0000-0000-000000000000}" HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID: 0x00000000 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection: 0x00000001 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590\Shell\KnownFolderDerivedFolderType: "{50000098-004F-4462-BB63-71042380B109}" HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590\Shell\SniffedFolderType: "Generic" HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot: 0x00000A1E HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx: FF FF FF FF HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0: 50 00 31 00 00 00 00 00 1B 41 65 00 10 00 00 61 72 00 69 00 00 00 3A 00 08 00 04 00 00 BE 1B 41 FA 5E 1B 41 65 00 2A 00 00 00 17 24 01 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 00 72 00 00 00 69 00 00 00 00 00 16 00 00 00 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx: 00 00 00 00 FF FF FF FF HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx: 00 00 00 00 FF FF FF FF HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0: 19 00 2F 43 3A 5C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev: 0x00000004 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags: 0x41200001 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid: "{137E7700-3573-11CF-AE69-08002B2E1262}" HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode: 0x00000004 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode: 0x00000001 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize: 0x00000010 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 18 00 00 00 30 00 25 00 00 00 00 10 00 00 02 60 00 00 00 00 00 00 00 00 10 01 00 00 30 00 25 00 00 00 00 10 00 00 02 60 00 00 00 00 0E 00 00 00 00 00 00 00 30 00 25 00 00 00 00 10 00 00 02 60 00 00 00 00 04 00 00 00 00 00 00 00 30 00 25 00 00 00 00 10 00 00 02 60 00 00 00 00 0C 00 00 00 50 00 00 00 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 30 00 25 00 00 00 00 10 00 00 02 60 00 00 00 00 00 00 00 00 01 00 00 00 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView: 0x00000000 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID: "{00000000-0000-0000-0000-000000000000}" HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID: 0x00000000 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection: 0x00000001 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590\Shell\KnownFolderDerivedFolderType: "{50000098-004F-4462-BB63-71042380B109}" HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590\Shell\SniffedFolderType: "Generic"
Nach der Reinigung mit dem Programm von Jürgen Haage sah es dann so aus [
Keys deleted:6
HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0
Values deleted:12
HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot: 0x00000A1E HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx: FF FF FF FF HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0: 50 00 31 00 00 00 00 00 1B 41 65 00 10 00 00 61 72 00 69 00 00 00 3A 00 08 00 04 00 00 BE 1B 41 FA 5E 1B 41 65 00 2A 00 00 00 17 24 01 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 00 72 00 00 00 69 00 00 00 00 00 16 00 00 00 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx: 00 00 00 00 FF FF FF FF HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx: 00 00 00 00 FF FF FF FF HKU\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0: 19 00 2F 43 3A 5C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot: 0x00000A1E HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx: FF FF FF FF HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0: 50 00 31 00 00 00 00 00 1B 41 65 00 10 00 00 61 72 00 69 00 00 00 3A 00 08 00 04 00 00 BE 1B 41 FA 5E 1B 41 65 00 2A 00 00 00 17 24 01 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 00 72 00 00 00 69 00 00 00 00 00 16 00 00 00 HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx: 00 00 00 00 FF FF FF FF HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx: 00 00 00 00 FF FF FF FF HKU\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0: 19 00 2F 43 3A 5C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ACHTUNG - Ich habe einige Zahlenpaare wie A5, F1, usw. durch 00 ersetzt!
Ein anderes Programm von Nir Sofer „ShellBagsView“ half mir dann weiter diese Bags-Orte für diesen einen Ordner (2590) zu finden
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590 HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590 HKEY_USERS\S-1-5-21-/ ̴ ̴ ̴/-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590 HKEY_USERS\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590 HKEY_USERS\S-1-5-21-/ ̴ ̴ ̴/-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2590
- erstaunlich ist hierbei, dass die Eintragungen in den Bags beim Löschen aber anscheinend keine Rolle spielen und weiterhin in der Registry zu finden sind.
Zu guter Letzt - ich mache CCleaner keinen Vorwurf, das er (noch) nicht in der Lage ist diese Spuren zu beseitigen - und habe es niemals getan! Kommunikationsschwierigkeiten gibt es auch in meiner Muttersprache - sie potenzieren sich allerdings, wenn man in der jeweiligen Fremdsprache nicht fit ist und sich mühselig auf ein Wörterbuch und das Gelernte aus längst vergangenen Tagen zurückgreifen muss.
Aber eines bleibt - es gibt ein Gespür, ein Gefühl für das, was sich Menschen einander antun - und das ist hier kein gutes gewesen.
-
Many Shell bags, including all five you show in are recreated by windows during startup because shellbags are created as things are accessed by the computer
why do you write this to me???
didn't you read this!?
-
HKEY_USERS http://de.wikipedia....ssel_HKEY_USERS
This master key contains the user-specific configuration information of all users who are currently logged on to the system. Only when the user logs in - the configuration data will copied from HKEY_USERS in the user-specific key HKEY_CURRENT_USER
in #31 you see all the deleted keys and values - tested on my mashine - and it works! You wrote CCleaner only cleans for the current user. I wrote all changes happen in HKEY_Users - read the lines above again.
We can meet us in "The Red Lion" - may be you mean the one in London and I the one in Würzburg. There is no matchThe second two are a user of that machine (and if it's the current user then entry one and two are the exact same entryHave you understand what I wrote - never! All the things in the screenshots happened. The only nebulous things here are your - sorry - stupid thoughts!
Wake up!
You should do what do you ask me for - my system works - I’m not interested in any winapp2.ini or CCleaner. I was astonished that CCleaner can’t do what I and many friends have had expected.
First I've had only a question, then I found answers and then a greenhorn like you wants ready answers and tested solutions that are themselves not yet found by the developers - what a joke!
-
HKEY_USERS http://de.wikipedia....ssel_HKEY_USERS
-
- grmml developer nrrgh cleaner bla bla bla privacy
- Words are flowing out like endless rain into a paper cup
they slither while they pass, they slip away across the universe…
no direct contact to developers - mmmh
Jai guru deva om - #42
- grmml developer nrrgh cleaner bla bla bla privacy
-
- The Nir Sofer-utility ShellBagsView http://www.nirsoft.n..._bags_view.html shows me for example number 2531(folder etc)
- In the registry I found this number 2531 (folder etc) four times
- HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\2531\Shell…
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2531\Shell…
HKEY_USERS\S-1-5-21-//-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2531\Shell…
HKEY_USERS\S-1-5-21-//-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2531\Shell… - all changes when going into the folders (screenshot #42) or cleaning it (screenshot #31) were in HKEY_USERS-//-
- @radonflex - If you have deleted everything on your way, it stays that way when you restart the Computer?
- The Nir Sofer-utility ShellBagsView http://www.nirsoft.n..._bags_view.html shows me for example number 2531(folder etc)
-
-
HKEY_USERS http://de.wikipedia....ssel_HKEY_USERS
This master key contains the user-specific configuration information of all users who are currently logged on to the system. Only when the user logs in - the configuration data will copied from HKEY_USERS in the user-specific key HKEY_CURRENT_USER -
reverse
- I cleaned the registry
- made a “regshot”
- opend this path c:\windows\system32\drivers\etc
- second “regshot” and compared
- (my) windows 7 x64bit made no changes in HKEY_CURRENT_USER but in HKEY_USERS
-
HKEY_USERS http://de.wikipedia....ssel_HKEY_USERS
-
I have tried the third party plugins (Winapp2.ini) with all options checked and still it fails to remove this history.
After downloading the latest WinApp2.ini file into my 3.24 version of CCleaner on my 32 Bit 7, I found that even after checking all extra items & running CCleaner, it still showed things that had run in the past.
HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
...compare this entries in Winapp2.ini and the screenshot above - look and see!
We can meet us in "The Red Lion" - may be you mean the one in London and I the one in Würzburg. There is no match
Do you tried LastActivityView. Does your Winapp2.ini work?
-
- @ CCman
Something of our own: I don’t understand ironic comments or idioms, because it's the
meaning that is meant - not the direct translation of words. A german example: "Da brat mir
einer ‘nen Storch* " -> "Fry me a stork" <- does it make sence to you?
-
*It’s an expression of great astonishment.
What is meant is that there is something so amazing, unusual, such as frying a stork would be.
You'll may say it if anybody tells you the world is a cube.
- @ CCman
-
-
A backup is still required!
- Perhaps it is a little help to study the comments of the VBS script from http://www.jhouseconsulting.com.
However, it is for XP. Look here: SetExplorerViews.vbs (link in #31)
-
A backup is still required!
-
- “There must be some kind of way out of here, there's too much confusion, I can't get no relief - but may be now!” - modified text of Jimi Hendrixs all along the watchtower
- Most of the NirSoft utilities were developed in C++
- I tried to decompile LastActivitiesView - no success
- I've been thinking hard about everything again to find a solution - and...
- I watched the registry activities before and after running the tool of Jürgen Haag - success
- <sarcasm>aim is not to compare {edit}, but find a solution </sarcasm>
-
- my system - win7 64bit
- may be the following link is helpfully for the developers
-
http://www.jhouseconsulting.com/2009/05/09/mastering-the-default-explorer-views-for-windows-xp-and-2003-280
- “There must be some kind of way out of here, there's too much confusion, I can't get no relief - but may be now!” - modified text of Jimi Hendrixs all along the watchtower
-
facts - I tell / told you - for a better CCleaner
- Nir Sofer developes a tool that shows entries made by windows (works on any version of Windows, starting from Windows 2000 and up to Windows 8 - 32bit & 64bit systems are supported).
- the tool from Jürgen Haage deletes this entries
- it seems that there exactly two people*#35 know in this world, where these information’s are stored - Nir Sofer and Jürgen Haage
- I wish CCleaner may remove these things also
- I have a solution for the symptoms, and you should find the cause
-
whose interface looked cribbed from ccleaner - what an ugly and wrong information
- we can change the world, when we love our enemies
- recognize help when it is given
-
In Germany there are bulbs that can burn 5000 hours, but no normal person can buy it. They are only for traffic lights so they do not often need to be serviced. Ordinary consumers must change every 1000 hours - isn’t it a pity? Think about it!
-
-
do it
- Nir Sofer developes a tool that shows entries made by windows (works on any version of Windows, starting from Windows 2000 and up to Windows 8 - 32bit & 64bit systems are supported).
-
Hi
{HEAVILY EDITTED BY NERGAL}While the user was able to learn what it was that needed cleaning through a second cleaning software, they did not report what extra needed cleaning. Regrettably I had to change this post as it did not follow forum rules and standards{END EDIT}
Hi
- my list from LastActivityView is clean - wow
- There is no answer from Nir Sofer (I didn't know that this is his name )
- I've learned many about File-Slacks http://de.wikipedia....wiki/File-Slack - they are not the cause of the entries
- no forensic-cleaner is needed
- I tried a 15 days testversion from Jürgen Haage (there is an english version too).
- just one short click there (Gespeicherte Explorer-Ansicht-Einstellungen) - and aaaahh nodocodon
- never long lists again
- my list from LastActivityView is clean - wow
-
Thank you all - thank you hazelnut
The informations are not from the registry, any (prefetch-)cache or (event-)logs.
Tools like CCleaner-Enhancer, TuneUp, Glary, Tweakme and Seven Clean 2013 have no effect.
Please - is here anybody who can talk/write with the NirSoft-developer to ask where the informations come from?
I’m sitting here with my „Langenscheidt - Großes Schulwörterbuch Deutsch - Englisch | Englisch - Deutsch“ and I have problems to find the suitable words and sentence constructions - it’s so hard.
Feedback-Nirsoft
If you have any problem, suggestion, comment, or you found a bug in my utility, you can send a message to nirsofer@yahoo.com
-
Thank you for your answer Alan_B
I found out, that NirSoft detects only the first time you open a folder. I renamed one and I got a new entry - then I renamed it again (back to the old name).
==================================================
Handlungszeitpunkt: 28.10.2012 13:05:10
Beschreibung : Ordner im Explorer betrachtet
Dateiname : +CCleaner test
Pfad : D:\+CCleaner test
Zusatzinformationen:
================================================this folder didn’t exist anymore but I have the information in NirSoft - LastActivityView
==================================================
Handlungszeitpunkt: 28.10.2012 13:04:16
Beschreibung : Ordner im Explorer betrachtet
Dateiname : CCleaner test
Pfad : D:\CCleaner test
Zusatzinformationen:
==================================================I opend this folder after renaming again ->no other timestamp
NirSoft - LastActivityView detects the folders and pathes from extern HDDs and USB-Sticks as well. So where is the memory of all these not existing files and folders?
-
Hello
I thought CCleaner can delete all traces of activity - that seems not true.
I found a long list of all visited files and folders after! running CCleaner since I bought my PC in june up today.
A sample:
==================================================
Handlungszeitpunkt: 04.06.2012 06:29:20
Beschreibung : Ordner im Explorer betrachtet
Dateiname : +Java+
Pfad : V:\TWEAKs\+Java+
Zusatzinformationen:
==================================================
I used this new tool from NirSoft - LastActivityView
http://www.nirsoft.n...ivity_view.html
to display all those entries.
- Open file or folder: The user opened the specified filename from Windows Explorer or from another software.
- View Folder in Explorer: The user viewed the specified folder in Windows Explorer.
How can I delete all this traces - please help - I have no idea where the informations came from - oh and it’s not Rot13-coded
P.S. sorry - my English is not the best
- Open file or folder: The user opened the specified filename from Windows Explorer or from another software.
CCleaner can't delete all traces ?
in CCleaner
Posted · Edited by Nergal
added code tags for easier reading and formatted as per untranslated version
Google Translater #63 - some things are strange for me in this translation - hope you'll understand - so please don't laugh.
CCleaner is a very good, powerful (and free) program that will detect as his equal. My compliments to the developers who have accomplished something.
Windows is a data collector, but I do not primarily to spy on users, but it is easy to make them (think of the Unix times, at the command prompt, etc.). This "Just Do" poses many dangers, however, and many programs leave traces and are not designed to the computer so they leave as they found him when they are uninstalled.
I was amazed how many residues or residues were found after I had used CCleaner. The small program by Nir Sofer, however, showed traces of which I thought they should not really be there, I had the options in the start menu / deselected Policy. Now, however, they were there - and even by non-affiliated removable media! This was the reason to sign me in this professional forum - I wanted to help and support - and of course I tried to find a solution.
So I looked for the place where the information was stored - initially unsuccessful. I conducted telephone calls with software developers, found so few in the net and learned over the course of this search. Here is a guess, there is a reference or a new concept. I did not stop, however, was initially on the wrong track, namely forensics. I now sought a program that was able to delete file-Slack (Slack & Ram Drive Slack) and MTF-Slack, or to overwrite. Looking for it, I found the way the program by Juergen Haage - and the entries were gone with one click.
Nir Sofer has not responded to the request (he is too busy to be) where the program has the information displayed and it was coming to a roundabout way behind. The information was there, and also in the registry, it's not made in plain text. I was looking for a program that was able to show changes in the registry and on. So I came up with this and their sub keys that have been deleted.
These were modified
If all informations are written to HKEY_CURRENT_USER from HKEY_USERS when a user logs in, emptying the HKCU-BagMRUs uses nothing at, because they are on every systemstart again re-read.
But even without the program by Juergen Haage it goes. A snapshot before you one or more new folder (s) applies (in this example, only one), then after. When comparing you see the new entries in the registry.
Keys added: 12
Values added: 40
After cleaning with the program by Juergen Haage it looked like this
Keys deleted: 6
Values deleted: 12
WARNING - I have replaced some pairs of numbers such as A5, F1, etc. by 00!
Another program by Nir Sofer "ShellBagsView" helped me then these bags-locations for this folder to find (2590)
- Amazing here is that the entries in the bags when deleting but apparently play no role and continue to be found in the registry.
Finally - I do not blame you CCleaner - he (still) not being able to eliminate these signs - and have never done! Communication difficulties, there are in my native language - they multiply, however, when you are in the foreign language is not fit to resort to cumbersome and a dictionary and what they have learned from days gone by have.
But one thing remains - there is a feeling, a feeling for what people are doing to each other - and this is not been a good one.