We observe such behavior after installing the 7-Zip and WinRAR utilities, for example. When a new application is installed on the system, if this new application matches an entry in the configuration file, the application is automatically added to the GUI.

The file currently contains 15 entries and uses the same type of special variable reference as the Winsys.ini file. The Winreg.ini file contains a set of references to the registry, including applications, installer, MUI cache, Windows services, application paths, run at startup and many others which can be deleted. Here is an example of an entry in this file with Edge Chromium Session:

We noticed the use of SpecialDetect and SpecialKeyX, which seem to correspond to a set of variables directly embedded into the binary and not available in the exported configuration file. The Winsys.ini file contains system references to recently typed URLs, RunMRU, network usage and several other items related to built-in applications and system metadata.

Then CCleaner scans the disk and removes the corresponding log files:

```ini
Detect=HKLM\SOFTWARE\Microsoft\Windows Defender
DetectFile=%ProgramFiles%\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
FileKey1=%CommonAppData%\Microsoft\Windows Defender\Scans\History\Results\Quick|*.*
FileKey2=%CommonAppData%\Microsoft\Windows Defender\Scans\History\Results\Resource|*.*
FileKey3=%CommonAppData%\Microsoft\Windows Defender\Support|*.log
FileKey4=%ProgramFiles%\Microsoft AntiSpyware|errors.log tracksEraser.log cleaner.log
```

An example of one of these entries, with Windows Defender, where both the executable and the corresponding key are checked (note: this gives a good reference set for DFIR people :). Currently, 476 entries are listed in this configuration file. The utility detects the presence of the software either with the executable file or a specific configuration file or a registry key.
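The Windows Defender entry quoted above can be turned into a list of artifact locations to collect before a cleaner runs. This is an added example, not code from the original post or from CCleaner; the function names, the `VARS` mapping values, and the splitting of multiple file patterns on whitespace or `;` are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Entry as quoted on the page (Windows Defender rule).
ENTRY = r"""
Detect=HKLM\SOFTWARE\Microsoft\Windows Defender
DetectFile=%ProgramFiles%\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
FileKey1=%CommonAppData%\Microsoft\Windows Defender\Scans\History\Results\Quick|*.*
FileKey2=%CommonAppData%\Microsoft\Windows Defender\Scans\History\Results\Resource|*.*
FileKey3=%CommonAppData%\Microsoft\Windows Defender\Support|*.log
FileKey4=%ProgramFiles%\Microsoft AntiSpyware|errors.log tracksEraser.log cleaner.log
"""

# Constructed mapping for the %Name% references (assumed values for one host).
VARS = {"ProgramFiles": r"C:\Program Files", "CommonAppData": r"C:\ProgramData"}

def parse_entry(text: str) -> Dict[str, str]:
    """Parse the key=value lines of one entry, skipping blanks and ';' comments."""
    entry = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entry[key.strip()] = value.strip()
    return entry

def expand(path: str, variables: Dict[str, str]) -> str:
    """Replace %Name% references; unknown names are left untouched."""
    return re.sub(r"%([^%]+)%", lambda m: variables.get(m.group(1), m.group(0)), path)

def artifact_targets(entry: Dict[str, str], variables: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (directory, pattern) pairs named by FileKeyN, in numeric order."""
    keys = sorted((k for k in entry if re.fullmatch(r"FileKey\d+", k)),
                  key=lambda k: int(k[7:]))
    targets = []
    for key in keys:
        directory, _, patterns = entry[key].partition("|")
        # Assumption: several patterns are separated by whitespace or ';'.
        for pattern in re.split(r"[;\s]+", patterns.strip()):
            targets.append((expand(directory, variables), pattern or "*.*"))
    return targets

def detection_points(entry: Dict[str, str], variables: Dict[str, str]) -> List[str]:
    """Registry keys and files the rule checks to decide the software is present."""
    return [expand(v, variables) for k, v in entry.items() if k.startswith("Detect")]
```

Running `artifact_targets(parse_entry(ENTRY), VARS)` yields six directory and pattern pairs, which can feed a triage collection list or a file-deletion monitoring rule.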