CCleaner Use of the Windows Registry


LouieB

Kudos - this is a great product. Just one thing I need to know: Where is the CCleaner "wipe free space" setting stored? I have been all over the documentation and the other forum entries, maybe I missed it. On my Win2k system I can see the settings change in the registry under HKEY_Current_User/software/piriform/ccleaner. For example, once I make a change to the "wipe free space" check box I can see the "Wipe Free Space" key get created the first time and then show up as True or False thereafter.

 

Under XP / Vista it doesn't show up under that registry path and I can't find any other path where it does.

 

The HKEY_Local_Machine/Software/Microsoft/Windows/currentversion/uninstall/ccleaner shows the system was running CCleaner Version 2.29.

 

I know I can force it to be in a .INI file, but I am working on a read-only forensic image and I need to find the setting without booting the system or making any changes.

 

I surely would be grateful for some registry paths that tell me (1) the location of the settings and (2) if the settings are still at the installation defaults.

 

Best Regards,


DennisD, thanks for the reply! Let me rephrase my question.

 

When you open CCleaner some of the check boxes on the left panel are checked and some not. A single corresponding registry label only shows up in my registry after I've clicked and unclicked one of the boxes. Any further checking and unchecking the box toggles the value of the registry label between True and False.

 

If I uninstall CCleaner, all the setting values in the registry path HKEY_CURRENT_USER\Software\Piriform\CCleaner are deleted. When I reinstall CCleaner it restores all of my settings, from before the uninstall, to the check boxes but not the registry. CCleaner must be storing and picking up my old settings from somewhere. I assume that the "remembered" settings are in a registry entry somewhere, but where?

 

I only care about where these things are stored because I need to determine what the setting was on this read-only hard drive image that I have.

 

I'm anxious for your thoughts!


  • Moderators

When I reinstall CCleaner it restores all of my settings, from before the uninstall, to the check boxes but not the registry. CCleaner must be storing and picking up my old settings from somewhere.

 

Also look here for the settings:

C:\Program Files\CCleaner\ccleaner.ini


Hi Andavari, After reading the Piriform documentation (well before I posted my question in this forum) I looked for C:\Program Files\CCleaner\ccleaner.ini, it does not exist on the target system or on the platform I was running tests on. I searched both drives in their entirety for "piriform" or "ccleaner" (hidden and system files too) - I came up with no hits.

 

Please allow me to ask another question (which I have not found an answer to): what are the "out of the box" default settings on CCleaner?

 

Thanks again!


  • Moderators

There's quite a lot we don't know here.

 

You searched for CCleaner on your target image and had no hits? Is CC installed on the target image? Do you have a c:/program files/ccleaner folder?

 

You imply that there's no registry entry for individual CC check boxes until the boxes are checked (something I didn't know). Is there any registry entry at all for CC or Piriform? If CC is installed and if the user did run it, then maybe he or she used the default settings.

 

What makes you think that the user ran CC? (Computer evidence, we don't want to know about the user.) Without the above info we don't know if CC is installed on the target image. As an aside, even if it were not installed, the user could have run the portable version from a flash drive.

 

You can look at the default settings on your W2k box by right-clicking on the group headings (Internet Explorer, Windows Explorer etc) and selecting Restore Default State (after making a note of your choices so you can put them back again). The options shown will reflect the particular system build, what appears on your w2k box would not necessarily appear on other boxes.


  • Moderators

The default settings I literally haven't used in 6 years, so I don't know exactly what they are.

 

The easiest way to reset CCleaner would be to delete any registry settings for it since you can't find the CCleaner.ini file although if I were you I'd use Windows search/find box to search for CCleaner.ini just in case you've previously installed it elsewhere other than the default location.

 

Other than that the only other settings possible would be in the registry. You can open RegEdit and search for CCleaner, and Piriform in "HKEY_CURRENT_USER\Software" and in "HKEY_LOCAL_MACHINE\Software" and manually delete the CCleaner or Piriform keys, this will allow CCleaner to be back at default settings.

 

This of course wouldn't be a bit of a chore if the settings tab allowed to set CCleaner back to default settings without uninstalling.


  • Moderators

DennisD, thanks for the reply! Let me rephrase my question.

 

 

 

Well, let me rephrase my answer then.

 

That's a different question. :lol:

 

Louie, I don't pretend to understand how you are examining that Image, or whether this information will be of any use to you, but another location where the same settings reside is in ...

 

HKEY_USERS\S-1-5-21-2436634489-3716022376-2615223600-1008\Software\Piriform\CCleaner

 

That may in fact be the same location as I'm no expert on Windows registry, but I do understand exactly what you are saying regarding CCleaner restoring all settings although the settings in the registry address named above are gone when CCleaner goes.

 

A test just then shows that the CCleaner settings in this other (by name) location disappear when CCleaner is uninstalled, but I don't know if the same rules would apply in your situation with an Image.

 

Hope that might be of some use.

 

EDIT: To place CCleaner into its default settings, go into "Options\Advanced" and hit the "Restore Default Settings" button. This restores all checkboxes in all sections of CCleaner to "out of the box" state.


I had trouble logging into the forum for the last 15 hours...

 

Thank you all for your questions, comments, and directions. Isn't it amazing how we think we're being so precise in these posts yet all these questions come up? I've moved my "bottom line" to the top of this text lest the answers to your questions turn into red herrings. New info: the target system was Win 7.

 

The whole purpose to my inquiry(ies) has been that if I could find the place where a CCleaner re-installation was picking up the defaults then I could explicitly verify the settings that were in use on the target system the last time it was run.

 

Allow me to add another question to the mix (it may help): how can I tell the date of the last time CCleaner was run? There was no prefetch file (C:/Windows/Prefetch/ccleaner.exe*.pf) on the target system.

 

Augeas: Let me answer your questions in sequence:

 

"You searched for CCleaner on your target image and had no hits?"

I had no search hits in the registry and hard drive on my TEST systems after uninstalling. I verified this behavior under W2K, XP PRO, and XP Home versions. I did this to try and find ccleaner "residue" as a clue to where it might be picking up the defaults. That strategy obviously didn't work. (yet?)

 

"Is CC installed on the target image? Do you have a c:/program files/ccleaner folder?"

Yes, the path exists: c:/program files/ccleaner/ccleaner.exe

 

"You imply that there's no registry entry for individual CC check boxes until the boxes are checked (something I didn't know)."

No implication! It's really cool to sit there with the registry open, looking at the HKEY_CurrentUser\Software\Piriform\CCleaner path and watch the entries get created and then toggled between True and False! Try it! You can also watch these entries get created in the registry during the install process. Some of the registry stuff gets created at install-time and some the first time you run CC. In addition, the registry path below also gets updated:

 

HKEY_USERS\S-1-5-21-2436634489-3716022376-2615223600-1008\Software\Piriform\CCleaner

 

After uninstalling CCleaner on my test system I came up with no hits when searching the hard drive or the registry - the uninstall seems to do a very thorough job. HOWEVER, when I reinstalled version 2.29 for testing it pulled my previous settings from somewhere. I also searched file contents (after uninstalling from my test system) and came up with no hits for CCleaner or Piriform. I also searched the entire C drive for ccleaner.ini - no hits. As I said, CCleaner seems to do a really good job removing itself.

 

The target system has multiple entries for CCleaner in the registry and the hard drive. The one that convinced me that it was installed was the HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Uninstall\CCleaner. Entries under this key on the target system entry also report the version number.

 

DennisD, Andavari: Thank you for pointing me to the default settings, at least I can find out what the default settings were supposed to be!

 

Update: version 2.29 doesn't seem to have a "restore default settings button" ??


I tried to replicate your issue on 3 different machines that had ccleaner installed on. I checked WFS before I uninstalled. I then uninstalled ccleaner on each then reinstalled.

 

CCleaner each time opened with WFS not checked.

 

CCleaner's built-in uninstaller cleans up well after itself.

No fate but what we make


I suggest you download the old 2.29 PORTABLE version from filehippo.

 

It uses the CCleaner.INI file instead of the registry,

but apart from that you may initially have a default configuration

You will not have default registry keys,

but you should see what cleaning options are checked and what are unchecked.

 

If you install the NON-portable v 2.29 it should be pure default on a P.C. that has never had the pleasure of CC.

If you install on a P.C. that has already had the pleasure it may become NON-default,

but after manually altering all the checkbox options to match the Portable configuration,

you should then be close to having a default registry as well.

 

Alan


Thank you all for your insights and recommendations. I have not yet found the repository (registry or otherwise) for CCleaner settings from a previous installation. I would still find this information valuable if anybody finds out, or if you are able to get this information from the CCleaner developers.

 

Best regards to all, I await further updates to this thread...


I know I can force it to be in a .INI file, but I am working on a read-only forensic image and I need to find the setting without booting the system or making any changes.

 

I cannot restrain my curiosity any longer.

I believe a "normal" forensic investigation of a disc starts by duplicating the original drive and holding the original in quarantine for safe keeping, and then scrutinizing the duplicate.

 

If the duplicate is booted that will alter file date stamps and the O.S. will tweak some system files,

but you should still be able to accurately detect with RegShot etc what changes in the registry when you tweak WFS.

 

Why do you need to do it the hard way ?

 

Alan


Alan_B, Recall the story about the lawyer that came to town and was starving until another lawyer moved into town and they both became rich. In every forensic exam there are (at least) two parties. One side will impugn the other's methodology to try to discredit them.

 

You are correct, a pristine image of the original drive is made, slack space, free list, MFT, every bit of every sector AND the read-only copy is maintained unaltered. You are also correct in that I could, in principle, reconstruct a bootable drive from the image (while preserving the read-only copy) however that has its problems, compatible hardware and Windows Genuine Advantage notwithstanding. I have a copy of the bits, the opposing side pulled the hard drive and I don't know who has retained the physical computer.

 

The most pernicious part of booting a reconstructed copy is that once the booted reconstructed system starts changing stuff I would then have to be able to prove that the stuff I'm claiming as evidence didn't change as a consequence of Windows doing some Kabuki dance on it. So while this may be the "hard way" there are legal and procedural reasons for it. Engineering forensics and digital forensics is a tricky legal field to work in.

 

Paraben has a free download (http://www.paraben.com/p2-explorer.html) that allows an image to be mounted and browsed, but not booted. My method has been to use regedit (on a host system) to examine the mounted read-only image by loading selective hives from the image registry. I figured if I could find the CCleaner setting repository on my own system that would indicate where to look on the imaged system - alas, no joy [:-( but still looking...


I suggest you download V2.29 from FileHippo and install on a bog-standard P.C.

 

Download RegShot.

 

Optionally you may disconnect the Internet and disable all A.V. / Firewall / Behavior blocking protection.

 

Launch CCleaner v2.29

Launch Regshot and take first shot of the system

toggle the WFS checkbox to the opposite state;

take second shot of the system;

then compare the two shots.

That will give you a report showing all folder/file/registry changes.

Then you can focus attention upon the registry key(s) that is(are) significant.

 

This should tell you where to look in your read only image.

 

I always disconnect the Internet and fully disable my Comodo protection,

otherwise the change I want to see may be buried in an avalanche of changes that Comodo makes to its registry keys.

 

Just to be sure you could first identify whether the read-only image used the "slim" version or the full,

and if the full then whether any toolbars etc were installed,

but I doubt that would influence the registry key that holds WFS.

 

If required you can reproducibly demonstrate that you have found the correct key,

and this should carry far more weight in a court than a statement that Alan_B on some forum says it is so.

 

Alternatively perhaps you could make a direct approach to the developers.

 

If things turn nasty perhaps a CCleaner developer could accept a fee as an expert witness.

 

Alan
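
The before/after comparison described in the post above can also be run on two text exports of the registry, filtered to the Piriform key so that unrelated churn (such as the security-software noise mentioned) drops out. This is an added example, not part of the original thread and not RegShot's own logic; the sample exports, the `ExampleAV` key and the function names are constructed, and the value name "Wipe Free Space" is taken from the first post.

```python
import re

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg_export(text):
    """Return {(key_path, value_name): raw_data} for the text of a .reg export.

    regedit writes version 5.00 exports as UTF-16, so read real files with
    open(path, encoding="utf-16") before passing the text in.
    """
    values, key, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:            # continuation line of a hex value
            name, data = pending
            data += line.rstrip('\\')
            if line.endswith('\\'):
                pending = (name, data)
            else:
                values[(key, name)] = data
                pending = None
            continue
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = m.group(1)
            # "@" is the key's default value; otherwise unquote and unescape.
            name = '(Default)' if name == '@' else re.sub(r'\\(.)', r'\1', name[1:-1])
            data = m.group(2)
            if data.endswith('\\'):
                pending = (name, data.rstrip('\\'))
            else:
                values[(key, name)] = data
    return values

def diff_snapshots(before, after, key_filter='\\piriform\\'):
    """Compare two parsed snapshots; keep only keys whose path contains key_filter."""
    def want(k):
        return key_filter.lower() in k[0].lower()
    added = {k: v for k, v in after.items() if k not in before and want(k)}
    removed = {k: v for k, v in before.items() if k not in after and want(k)}
    changed = {k: (before[k], v) for k, v in after.items()
               if k in before and before[k] != v and want(k)}
    return added, removed, changed

CC_KEY = r'HKEY_CURRENT_USER\Software\Piriform\CCleaner'

# Constructed sample exports (not taken from any real system).
SHOT_1 = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Piriform\CCleaner]
"Language"="1033"
"WINDOW_MAX"="0"
"Blob"=hex:01,02,\
  03,04

[HKEY_CURRENT_USER\Software\ExampleAV\Stats]
"Counter"=dword:00000001
'''
# Second shot: the checkbox was toggled for the first time, so the value appears.
SHOT_2 = SHOT_1.replace('"WINDOW_MAX"="0"',
                        '"WINDOW_MAX"="0"\n"Wipe Free Space"="True"'
                        ).replace('00000001', '00000002')
# Third shot: toggled again, so the existing value flips.
SHOT_3 = SHOT_2.replace('"True"', '"False"').replace('00000002', '00000003')

if __name__ == '__main__':
    shots = [parse_reg_export(s) for s in (SHOT_1, SHOT_2, SHOT_3)]
    for label, (a, b) in (('1 -> 2', shots[:2]), ('2 -> 3', shots[1:])):
        added, removed, changed = diff_snapshots(a, b)
        print(label, 'added:', added, 'removed:', removed, 'changed:', changed)
```

The same two functions work on exports taken from hives loaded from a mounted read-only image, since they only read text and never touch a live registry.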


  • Moderators

Even if you could find the registry entries, it's very easy to show that changing the settings in CC changes the registry without running CC, so that WFS=True doesn't mean that WFS has been run. You can also show that you can have WFS (for instance) unchecked and then right click on it and select Clean, which will run WFS without changing the registry. So CC registry entries do not necessarily reflect the last run of CC.

 

Perhaps Alan's expert witness could also show that downloading and running CC is no indication of any impropriety whatsoever.


Alan_B, Augeas, Thank you for your replies. Alan_B, your idea should work if the between-installation memory is in the registry. I think I have a Ghost image of a brand spanking new XP installation. I'll restore that and let you know what I find (just for grins).

 

Augeas, You're certainly correct about running CC not being inherently malicious but this is not the only item the investigation hinges on, it's only my piece of the investigation. For instance, if the opposing side is using CC to paint a picture for the jury but it can be shown that CC was never run, perhaps in a certain time frame, and/or that the settings were benign, normal cleanup settings, well, you get the idea. In the legal realm it can be equally important to show positive proof that something did happen or that it could not have happened, or is just plain hypothetical and unproven. Good lawyers just need to know what is real and what the jury might be taught.

 

With regard to your logic, you're correct the run date is as important as the settings in making the point - I hadn't overlooked that. The part I've got trouble with comes from this scenario: the default setting for WFS is off. Ergo if it was EVER set to true then there would be an entry in the registry. If you watch the registry, the first time you change from a default it creates a registry entry, subsequent toggles on/off change the entry between True & False. Uninstalling CC wipes out these registry entries and reinstalling picks the old entries up from somewhere - but they don't show in the registry until you make a change in the new installation. If WFS was set to True (entry made in the registry), CC was uninstalled (entries wiped from registry & stored somewhere), reinstalled (CC install picks up stored values from somewhere), then WFS could be set to True and not show in the registry.

 

Direct evidence is easier to teach to a jury than logic, therefore I'm still looking for CC's secret between-install repository of settings... I will give Alan_B's method a try - give me a few days to muck with it. Thanks to all!


  • Moderators

The point I'm perhaps labouring is that the WFS entry in the registry, whatever its setting, does not mean that CC has run WFS, or has been run at all.

 

In the most simple and likely case, user installs CC, clicks a few settings on and off until a desired setup is reached, and then runs (or doesn't run) CC. The WFS entry in the registry indicates nothing except perhaps curiosity. I have the WFS entry in my registry yet I have never run WFS.

 

The registry entry is also of no value unless you have the associated Disk-I'm-going-to-wipe setting. WFS could have been run on another partition, another fixed or temporarily attached HD, or a flash drive.



--> "(CC install picks up stored values from somewhere)"...

 

Direct evidence is easier to teach to a jury than logic, therefore I'm still looking for CC's secret between-install repository of settings... I will give Alan_B's method a try - give me a few days to muck with it. Thanks to all!

 

Louie, I am going to suggest something that may have been overlooked in all the excitement here. You were asking earlier what CCleaner default settings are. I recommend downloading & installing CCleaner 2.36 & reverting to default on a test system. It is also suggestible to try the oldest version you can find on FileHippo.com

 

The oldest versions of CCleaner DID use .ini files to store settings in. Later, for the default programs, the .ini file was built into the CCleaner .EXE file. Could this possibly be what you are referring to about it "picking up the old settings?"

 

Could it be that you have been referring to the default settings built into CCleaner all along? I know that earlier versions stored these in the same folder as CCleaner, but newer ones integrated the main ini into CCleaner while leaving an additional settings.ini, etc that can be stored optionally depending on user selection.

 

Let me know if this helps.


Mr Don, I did not know about the old versions of CC using an INI file. I also overlooked the fact that a version newer than 2.29 had the "set to default" settings. Have the default settings always been the same for all versions of CC? Proving the default settings for 2.29 may be, uh, problematic.

 

It may have gotten lost in the thread... my tests showed that changing the settings (with 2.29), uninstalling, and then reinstalling restores my settings, not the default settings.

 

I'm still open and looking... Thanks for the input!


  • Moderators

Hi Louie.

 

Thought I'd have a mess around with this, so I "Revo Uninstalled" CCleaner, and then did a manual trawl through the registry for anything Piriform or CCleaner related, and there was absolutely nothing remaining. Just the entries for Piriform's other software.

 

I then installed Version 2.29.1111 and none of my old settings were picked up.

 

The content of the ccleaner.ini file confirmed this, as after installation, the following are the only entries in the ini file when the "Save settings to INI file" option is chosen.

 

[Options]
Language=1033
UpdateKey=10/15/2010 08:30:30 PM
WINDOW_HEIGHT=450
WINDOW_LEFT=202
WINDOW_MAX=0
WINDOW_TOP=144
WINDOW_WIDTH=620

 

The following screenshots show the default settings of version 2.29.1111, and I'll repeat, none of these settings appear in the ccleaner.ini file, which confirms that they are the default settings. Any deviation from these settings would immediately appear in the ccleaner.ini file.

 

Windows Tab: [screenshot: caabc3712611.jpg]

Applications Tab: [screenshot: 43c44ee56d6e.jpg]

Options - Advanced: [screenshot: fac0c0764555.jpg]

Options - Settings: [screenshot: 336585b0f766.jpg]

Registry Integrity - Settings: [screenshot: 2b3bd75b6c08.jpg]

 

There are no user customisation options as above for the "Include" and "Exclude" windows, and these are obviously blank. I also unchecked the "Save to INI file" box after using it, as unchecked is the default setting.

 

Hope that helps.


DennisD - Wow! Above and beyond the call of duty! Thank you! Except for the choice of uninstaller, we followed the same "uninstall, search the registry, & reinstall" process, with the same results up to that point. So now I'm confused - why did my reinstall pick up my previous settings? It looks like I did the same registry search you did looking for "piriform" or "ccleaner". What a puzzle. I'll have to do all that again just to make sure I wasn't hallucinating! It may be a couple of days - the calendar is stacked up - but I'll post my final results.


May I just ask: is this thread still continuing because this "one" time you uninstalled CCleaner, reinstalled, and rather than default it used your custom settings?

No fate but what we make


ROTFL! Well, it didn't start out that way! While your summary is succinct (after the fact) I certainly had no idea where things would go. The result was "one" result, on "three" different Windows platforms. Are you asking me if I'm sure of my results? When you make an observation and take a screen-shot of the result, how many times do you need to redo the test?

 

Judging from the participation in this discussion it generated some interest, perhaps of zero use to anybody but me. Thank God for the curious minds contributing here! The CC settings are just one facet that needed to be nailed down and I mean NAILED DOWN. While your summary is concise, and we routinely live with more than a little "undeterminism" in the Windows environment, I hope you're not trivializing the need for absolute accuracy to withstand harsh legal cross examination! I admit, it's not a path we often tread in the world of software.

 

I'm still chuckling at the brevity of your summary, great observation!
