
Looking for Windows registry editor that would allow empty strings in REG_MULTI_SZ values...


UCyborg


...without having to drop to binary editing mode to do it. Windows' own Registry Editor removes empty strings. Same story with RegCool and Registry Workshop. Is there a tool out there that would preserve whatever I type in the editing field when working with REG_MULTI_SZ values?



1 hour ago, UCyborg said:

...without having to drop to binary editing mode to do it. Windows' own Registry Editor removes empty strings. Same story with RegCool and Registry Workshop. Is there a tool out there that would preserve whatever I type in the editing field when working with REG_MULTI_SZ values?

Can you explain better? :unsure:

I mean if you type something, then it is not an empty string.

jaclaz


I see now :).

The empty string reference is misleading.

Registrar Lite (old 2.00) produces a "better" error "Values of type REG_MULTI_SZ are not allowed to contain empty lines. Remove them?"

Technically "empty string" is appropriate, as the value in binary is an actual string, 00 terminated, and a double 00 00 means "end of value", but in default view the Registry editor renders the 00 as "newline", so "empty line" is more descriptive of what you see.

Newer Registrar Lite (6.50) removes the "newline" without warning :w00t:

Try this one ;):
http://aezay.dk/aezay/regcmd/

jaclaz

Right, I wrote the post assuming one knows what goes on in the background.

Registry Commander handles multi-string values correctly. :thumbup

I found another two editors that handle those values correctly: O&O RegEditor and Advanced Regedit. The latter doesn't show 64-bit specific parts of the registry and is a non-Unicode application, so some parts of the registry are inaccessible on 64-bit Windows and there might be trouble reading/setting certain values. Its editing window for REG_MULTI_SZ values is more interesting though; it allows you to easily reorder strings.


  • 2 weeks later...

So this piece of crap anti-virus AVG (or its updater) spammed PendingFileRenameOperations with thousands of entries on my work computer; many of them look like duplicates. I somehow ended up with two exported text files of the said registry setting with slightly different content. One is the current state of the entry and the other is the previous. I remember making a backup of the content the last time (actually in May) and it apparently changed until the current date. I notice both have some unique entries that are still to be taken care of, not just at the end. There was no reboot since February.

So Registry Commander has the most convenient UI for this particular case, I'd just like to merge the two files' content and just let Windows do its thing on reboot. Not concerned about the anti-virus as much, I could probably just completely purge it via alternative means, rendering its entries in PendingFileRenameOperations irrelevant. It's just that it would be preferable to let the stuff in between that's not related to the anti-virus be taken care of, so I figured it'd be the easiest to just paste the content of both files in, one after another. But Registry Commander has a problem handling that giant multi-string, which consists of about 15000 entries. Can't paste or type anything new, I can use the backspace key on existing entries, but that's about it.

O&O RegEditor, which also has suitable editing window, just crashes opening PendingFileRenameOperations setting.

I wouldn't have started poking around in registry, but that stupid anti-virus started occasionally showing popup that its GUI is having a bad day (literally). I really hate anti-viruses and other such software, all they ever did was get in my way.


I thought about that, but it's such a mess that it doesn't seem really helpful. The files are below, the first's from May, the second one's from today. Straight copy-paste from Registry Editor's text field:

https://drive.google.com/file/d/1vxSRrFPMQQsyjCSOk2EDVN1I621CB0co/view?usp=sharing

https://drive.google.com/file/d/1_rba7dofD88Ny8qpGsLcK2H7Y-ay5x9z/view?usp=sharing


You mean that each of the two files is a copy/paste from Regedit of a single “PendingFileRenameOperations” REG_MULTI_SZ value? :unsure:

It isn't however IMHO that bad.

The copy paste seemingly creates:

1) an empty line (line feed+carriage return) in case of deletion
2) a line starting with "!" in case of rename

This allows importing to (say) Excel and re-order/deduplicate lines.

The "queer" thing seems that AVG for whatever stupid reason creates a "delete line" for directories just before the delete line for a file (which accounts for a lot of entries and that cannot possibly work).

A quick test seems to me like producing some 2000 lines (as opposed to the more than 32000 given by appending the second file to the first), that could still be "too much" to import via reg.exe or regedit (let alone Copy/paste).

Since the DEL command only deletes files (and not directories) it is safe to use it in a batch; it will throw an error but won't do damage, and the batch comes out as 634 lines.

If I were you I would make a batch and run it, possibly from a PE/Another booted OS.

Attached is what I came out with.

jaclaz

Edited by jaclaz
Attachment removed

1 hour ago, jaclaz said:

You mean that each of the two files is a copy/paste from Regedit of a single “PendingFileRenameOperations” REG_MULTI_SZ value? :unsure:

Yes.

And thanks, that looks less depressing, so I can just get rid of the PendingFileRenameOperations registry value and run the BAT in WinPE. Among other things, I noticed entries that are supposed to delete the Program Files and System32 directories. I tested the functionality behind the registry setting some time back myself and indeed the folder has to be emptied first in order for it to be removed anyway.

BTW, you left those two...

DEL "C:\Program Files\AVG\Antivirus"
DEL "C:\Program Files\AVG"

...in there. That doesn't really make sense, right, deleting all files (and only files) in those folders? Probably just another glitch in AVG I suppose. Like with original entries in the files I uploaded dealing with System32 and Program Files folders, which would be a no-operation since those folders wouldn't be empty.

That's some messed up auto-update...who knows if AVG will magically work again after this.


I don't know, it was just a quick check/test, I removed duplicates (there are hundreds of them), but left the "first" occurrence.

Needs to be redone with some time and attention.

Procedure I used (basically).

Copy to a new Excel sheet the two files (copied from notepad) one after the other in Column C.

Add in column A a progressive line number (then copy / paste values).

Put in column B a formula *like* (this is for B1):
=IF(C2="";"DEL";if(left(C2;1)="!";"REN";""))

Put in column D (D1 and paste down):
=IF(B1="REN";RIGHT(C2;LEN(C2)-1);"")

Copy the whole stuff and paste values.

Then use data sorting to:
1) remove all lines with B empty (sort by B)
2) order by C and by B

Put in E (starting from E2) a formula *like*:
=IF(C2=C1;"Duplicate";"")

Copy paste values, reorder by E, remove duplicates
Remove Column E
Reorder by column A.

This is the base, then removed the \??\, added "" quotes, etc.

Then (on second thought) I made a mistake in the further processing, the lines with DEL and the lines with REN needs to be modified, something *like* the following:

Line with DEL (OK):

IF EXIST <file to be deleted> DEL <file to be deleted>

Line with REN (needs to be changed as REN won't work if the <target file> already exists):
IF EXIST <file to be renamed> ((IF EXIST <target file> DEL <target file>) & REN <file to be renamed> <target file>)

About the AVG (and possibly) others, it is perplexing to say the least.

These two make sense:

55	DEL	\??\C:\Program Files\Basilisk\tobedeleted\moz1BA7.tmp
56
57	DEL	\??\C:\Program Files\Basilisk\tobedeleted
58

i.e. probably Basilisk first deletes the (only) file in C:\Program Files\Basilisk\tobedeleted and then removes the directory.

These do not:

133	DEL	\??\C:\Program Files\AVG\Antivirus	
134			
135	DEL	\??\C:\Program Files\AVG\Antivirus\aswData.dll.sum	
136			
137	DEL	\??\C:\Program Files\AVG\Antivirus	
138			
139	DEL	\??\C:\Program Files\AVG\Antivirus\health.dll.sum	
140			
141	DEL	\??\C:\Program Files\AVG\Antivirus	
142			
143	DEL	\??\C:\Program Files\AVG\Antivirus\AVGUI.exe.sum	

In the case of the Basilisk entry the "risk" is that of leaving behind an empty directory; it would of course be possible to check if any entry is a directory in batch, but is it worth the hassle?

jaclaz
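
The pairing and first-occurrence de-duplication described in the post above, together with the NUL-terminated layout of REG_MULTI_SZ discussed earlier in the thread, as an added Python example (not code from any poster). The function names and the `C:\Example` entries are assumptions made for illustration; the AVG paths are the ones quoted in the thread.

```python
# Added example (not from the thread): pair, de-duplicate and re-encode a
# PendingFileRenameOperations value pasted from Registry Editor's text field.

def parse_pairs(pasted):
    """Return (source, destination) pairs; an empty destination means delete."""
    lines = pasted.replace("\r\n", "\n").split("\n")
    if len(lines) % 2 and lines[-1] == "":
        lines.pop()  # trailing newline of the text file, not an empty string
    if len(lines) % 2:
        raise ValueError("source string without a destination string")
    return [(s, d) for s, d in zip(lines[0::2], lines[1::2]) if s]

def dedupe(pairs):
    """Drop repeated operations, keeping the first occurrence and the order."""
    seen, kept = set(), []
    for src, dst in pairs:
        key = (src.lower(), dst.lower())  # Windows paths are case-insensitive
        if key not in seen:
            seen.add(key)
            kept.append((src, dst))
    return kept

def encode_multi_sz(pairs):
    """UTF-16LE, one NUL after every string (empty ones too), one final NUL."""
    body = "".join(s + "\0" + d + "\0" for s, d in pairs)
    return (body + "\0").encode("utf-16-le")

def decode_multi_sz(raw):
    """Inverse of encode_multi_sz; empty strings inside the value survive."""
    text = raw.decode("utf-16-le")
    if text in ("", "\0"):
        return []
    if not text.endswith("\0\0"):
        raise ValueError("missing REG_MULTI_SZ terminator")
    return text[:-2].split("\0")

# Constructed sample: AVG paths as quoted in the thread, C:\Example is made up.
SAMPLE = "\n".join([
    r"\??\C:\Program Files\AVG\Antivirus", "",
    r"\??\C:\Program Files\AVG\Antivirus\aswData.dll.sum", "",
    r"\??\C:\Program Files\AVG\Antivirus", "",
    r"\??\C:\Program Files\AVG\Antivirus\health.dll.sum", "",
    r"\??\C:\Example\new.tmp", r"!\??\C:\Example\app.dll",
    r"\??\C:\Example\new.tmp", r"!\??\C:\Example\app.dll",
]) + "\n"

if __name__ == "__main__":
    for src, dst in dedupe(parse_pairs(SAMPLE)):
        print("REN" if dst else "DEL", src, dst)
```

Keeping the first occurrence follows the procedure in the post; a directory delete that has to run after the deletes of its files would need its last occurrence kept instead.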


  • 2 weeks later...

At this point, I wonder if AVG leaves files anywhere else besides the obvious AVG folders in Program Files and Common Files and the drivers folder. I know there's also the temp folder, but this one is an obvious target anyway.

I'm thinking of running AVG Clear at some point and manually removing leftovers, if any, then taking care of the remaining things that were written to PendingFileRenameOperations, which should be manageable. Maybe re-install AVG then or just enable Windows Defender, though I suppose the latter should be automatically enabled in the absence of any other anti-virus software.

Basilisk entries - there must be a bug in the updater as the referenced entries are already taken care of when it's finished. I've never seen a leftover tobedeleted folder in its installation folder.


  • 2 months later...

AVG managed to revive itself after reboot, though it started crapping in that registry setting again. The most important thing, I wanted to make sure temp files from other installations were cleaned up.

Ended up uninstalling AVG. Until I use that machine, viruses are the least of concerns.
