[lesson1] Howto have fun with regsvr32.exe


Camarade_Tux

Hey guys :hello:

I thought I could share some things I found in the last few months.

Today is regsvr32 fun. And more especially, regsvr32 /s fun.

You probably know dlls can be registered with a command like that one:

regsvr32.exe file.dll

And you probably know the /s switch makes this operation silent.

Now, you certainly know not all dlls can be registered. And the vast majority will fail with this error:

missing_reginst_section.png

So what's the difference between dlls that can be registered and others ?

I don't know the whole thing. However, I know that dlls that can be registered have a REGINST section in ResHacker.

reginst_reshacker.png

But, wait, it's strange. The content of this section reminds me of something. :whistle:

Registry ! :w00t:

Next, something I noticed thanks to nlite. I had no time to make a setup billboard for XP and those "ads" do nothing but get on my nerves so I used nlite's "classic setup screen".

One nice thing is this gives you much more information on what windows installation is doing. One stage that struck me had to do with registering some things. At first, I thought it registered COM objects. However, newer WinUBCD show a similar stage with GuiRunOnce and afaik COM is removed from these installs.

Meanwhile, I also played with Resource Hacker and shell extensions that need to be registered to work.

I don't know how, one day I understood what was happening : during installation, windows calls regsvr32 /s and registers a number of dlls. As far as I saw, this is a pretty heavy operation and explains why this stage is so long to complete.

And ...?

What it implies:

  • A number of settings are set and this explains why some parameters can't be found in hives but are present at the end of the installation.
  • It overwrites already present keys afaik. That's probably why you
  • Removing dlls from installation CD will result in smaller registry even if hives stay untouched.
  • Since nlite doesn't modify these files (really hard to do) you will be getting strange entries in your registry. For example, when you remove CD Burning, you still get corresponding entries such as
    HKCR,"Drive\shellex\ContextMenuHandlers\%CLSID_CDBurn%",,,""


    Same applies to WMP.

I'm certainly not the first to understand that but I never found such a post and thought it would not be a bad idea to write it. Moreover...

Edited by Camarade_Tux
Link to comment
Share on other sites


Quickly, what can be done in shell32.dll :

-get rid of remnant WMP, CDBurn, Time Service entries.

-remove search from My Computer and My Documents (each takes 5 lines in the dll)

-modify the webservice Windows uses when trying to open a file with an unknown extension (takes 3 lines)

-play with context menus, labels and titles

And now, what I found in a few minutes:

Format is :

Component{
.dllname.[sectionname]{
data1
data2
}
}

CDBurn:

Burn{
.Shell32.[RegShellNamespace]{
HKCR,"CLSID\%CLSID_CDBurn%\%EXTVIEW%\%VID_WebView%"
HKLM,"%PATH_EXPLORER%\CD Burning\Handlers"
HKCR,"CLSID\%CLSID_CDBurnFolder%",,,"%DESC_CDBurnFolder%"
HKCR,"CLSID\%CLSID_CDBurnFolder%\%IPS%",,%REGEXSZ%,"%_SYS_MOD_PATH%"
HKCR,"CLSID\%CLSID_CDBurnFolder%\%IPS%",ThreadingModel,,Apartment
}
.Shell32.[RegShellObjects]{
HKCR,"CLSID\%CLSID_CDBurn%",,,"%DESC_CDBurn%"
HKCR,"CLSID\%CLSID_CDBurn%\%IPS%",,%REGEXSZ%,"%_SYS_MOD_PATH%"
HKCR,"CLSID\%CLSID_CDBurn%\%IPS%",ThreadingModel,,Apartment
HKLM,"%SHLSVC_DELAY%","CDBurn",,"%CLSID_CDBurn%"
HKCR,"CLSID\%CLSID_CDBurn%\MergedFolder","Attributes",,"0x0"
HKCR,"CLSID\%CLSID_CDBurn%\MergedFolder","AttributeMask",,"0xffffffff"
HKCR,"CLSID\%CLSID_CDBurn%\MergedFolder","Location",,"@shell32.dll,-12589"
HKCR,"CLSID\%CLSID_CDBurn%\MergedFolder","ConflictOverlayIcon",%REGEXSZ%,"%_SYS_MOD_PATH%,-232"
HKCR,"Drive\shellex\ContextMenuHandlers\%CLSID_CDBurn%",,,""
HKCR,"Drive\shellex\PropertySheetHandlers\%CLSID_CDBurn%",,,""
HKCR,"Drive\shellex\FolderExtensions\%CLSID_CDBurn%",,,""
HKCR,"Drive\shellex\FolderExtensions\%CLSID_CDBurn%","DriveMask",%REGDW%,0x20
HKCR,"CLSID\%CLSID_CDStagingFolder%",,,"%DESC_CDStagingFolder%"
HKLM,"%PATH_EXPLORER%\CD Burning\ExcludedFS","UDF",,
HKLM,"%PATH_EXPLORER%\CD Burning\ExcludedFS","CDUDF",,
HKLM,"%PATH_EXPLORER%\CD Burning\ExcludedFS","CDUDFRW",,
HKLM,"%PATH_EXPLORER%\CD Burning\ExcludedFS","UDFREADR",,
HKLM,"%PATH_EXPLORER%\CD Burning\ExcludedFS","UDF1.50",,
HKCR,"CLSID\%CLSID_CDStagingFolder%\MergedFolder","Location",,"@shell32.dll,-12590"
HKCR,"CLSID\%CLSID_CDStagingFolder%\MergedFolder","Attributes",,"0x8000"
HKCR,"CLSID\%CLSID_CDStagingFolder%\MergedFolder","AttributeMask",,"0xffffffff"
HKCR,"CLSID\%CLSID_CDStagingFolder%\MergedFolder","DropEffect",,"0x2"
HKCR,"CLSID\%CLSID_CDStagingFolder%\MergedFolder","DefaultOverlayIcon",%REGEXSZ%,"%_SYS_MOD_PATH%,-231"
}
}

WMP:

WMP{
.Shell32.[RegShellObjects]{
HKLM,"%PATH_EXPLORER%\WMPInfo","verb",,"WMPBurnAsAudioCD"
HKLM,"%PATH_EXPLORER%\WMPInfo","CLSID",,"{8dd448e6-c188-4aed-af92-44956194eb1f}"
HKLM,"%PATH_EXPLORER%\WMPInfo\FileExts","MP3",,
HKLM,"%PATH_EXPLORER%\WMPInfo\FileExts","WAV",,
HKLM,"%PATH_EXPLORER%\WMPInfo\FileExts","WMA",,
HKCR,"CLSID\%CLSID_WMPExtension%",,,"%DESC_WMPExtension%"
HKCR,"CLSID\%CLSID_WMPExtension%\%IPS%",,%REGEXSZ%,"%_SYS_MOD_PATH%"
HKCR,"CLSID\%CLSID_WMPExtension%\%IPS%",ThreadingModel,,Apartment
}
}

Time:

Time{
.Shell32.[RegShellNamespace]{
HKLM,"Software\Microsoft\Windows\CurrentVersion\DateTime\Servers",,,"1"
HKLM,"Software\Microsoft\Windows\CurrentVersion\DateTime\Servers","1",,"time.windows.com"
HKLM,"Software\Microsoft\Windows\CurrentVersion\DateTime\Servers","2",,"time.nist.gov"
}
}

Now, you have to know all needed CLSIDs are also written in the same dll.

Parts of Mine:

CLSID_CDBurn = "{fbeb8a05-beee-4442-804e-409d6c4515e9}"
CLSID_CDBurnFolder = "{00eebf57-477d-4084-9921-7ab3c2c9459d}"
CLSID_CDStagingFolder = "{00da2f99-f2a6-40c2-b770-a920f8e44abc}"

CLSID_WMPExtension = "{f83cbf45-1c37-4ca1-a78a-28bcb91642ec}"

PATH_EXPLORER = "Software\Microsoft\Windows\CurrentVersion\Explorer"

(of course, it's not the format that can be found in the dll, but it's easier for me to maintain something like that)

This is a quick list of reg keys that are present on your computer though you removed the corresponding components with nlite. Now, why not delete them? (make a registry backup first, I'm not responsible for any damage. :P )

I hope you now want to get rid of this. This list is far from being complete but I'll work on it. :)

Edited by Camarade_Tux
Link to comment
Share on other sites
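
As an added example (not part of the original posts, and not code from nlite or Resource Hacker), this Python snippet parses entries in the format listed above, expands the %NAME% tokens for which the post gives values, and flags tokens such as %IPS% whose values are not on the page, so you can see exactly which registry paths a REGINST section would write. The function names and the SAMPLE subset are constructed for illustration.

```python
import csv
import re

# Values given in the post ("Parts of Mine"); other tokens are not on the page.
STRINGS = {
    "CLSID_CDBurn": "{fbeb8a05-beee-4442-804e-409d6c4515e9}",
    "CLSID_WMPExtension": "{f83cbf45-1c37-4ca1-a78a-28bcb91642ec}",
    "PATH_EXPLORER": r"Software\Microsoft\Windows\CurrentVersion\Explorer",
}

# Constructed sample: a handful of entries copied from the listing in the post.
SAMPLE = r'''
HKCR,"CLSID\%CLSID_CDBurn%",,,"%DESC_CDBurn%"
HKCR,"CLSID\%CLSID_CDBurn%\%IPS%",ThreadingModel,,Apartment
HKCR,"Drive\shellex\ContextMenuHandlers\%CLSID_CDBurn%",,,""
HKLM,"%PATH_EXPLORER%\CD Burning\ExcludedFS","UDF",,
HKLM,"%PATH_EXPLORER%\WMPInfo","CLSID",,"{8dd448e6-c188-4aed-af92-44956194eb1f}"
'''

TOKEN = re.compile(r"%(\w+)%")

def expand(text, strings):
    """Replace known %NAME% tokens; return (expanded text, unresolved names)."""
    missing = []
    def sub(match):
        name = match.group(1)
        if name in strings:
            return strings[name]
        missing.append(name)          # keep the token visible in the output
        return match.group(0)
    return TOKEN.sub(sub, text), missing

def parse_entries(listing, strings):
    """Parse 'root,"subkey",value,flags,data' lines into dicts."""
    entries = []
    for fields in csv.reader(listing.strip().splitlines()):
        if not fields or fields[0].startswith(";"):
            continue                  # skip blank lines and INF comments
        fields += [""] * (5 - len(fields))
        key, missing = expand(fields[1], strings)
        entries.append({"root": fields[0], "key": key, "value": fields[2],
                        "flags": fields[3], "data": ",".join(fields[4:]),
                        "unresolved": missing})
    return entries

def resolved_paths(entries):
    """Full registry paths for entries whose key has no unresolved token."""
    return [e["root"] + "\\" + e["key"] for e in entries if not e["unresolved"]]
```

Entries that still carry an unresolved token need the matching value from the dll's own strings list before their path can be checked against a live registry.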

Thanks. :)

I was starting to wonder if anybody could find this interesting. :D

Reading so many lines is pretty hard but it lets you learn new things, such as how to change which info is displayed in dialogs such as this one:

prop.png

Also, I've just found more Autoplay things (the dialog that pops up when you insert a CD in your drive).

:)

Link to comment
Share on other sites

I just finished a first pass for shell32.dll.

Best seen in Notepad++, with C as a language :

apercu.png

This can be used in 2 ways :

-editing shell32.dll's REGINST section with Reshacker

-editing the registry after installation (in fact starting at T-13 afaik)

Also, this shows which settings cannot be set before T-13 because they will be overwritten.

Everything mustn't be deleted. I fully realized there were a lot of things that were needed. I also understood it would be interesting to have them listed (visual tweaks especially).

Also, important : the shell32.dll I used is the latest available for XP SP1a. Some things may have been added or removed (1).

I think I've sorted 40% of the REGINST section at this moment.

(1) I guess that when installing a service pack, the installer first calls "regsvr32 /u *.dll" to clean the registry, and then it uses "regsvr32.dll *.dll".

regsrv32.7z

Link to comment
Share on other sites

Honestly, the simplest method for users is to drop in a reg file and wipe out the entries.

However, how much do you think it affects the install process to put in all those registry entries in the first place?

Removing the data from all the dll files in the first place will make the install that much faster.

Here's the kicker.

Let's say that you do all this work. Then you drop in RyanVM's Update pack addon which overwrites many of the system .dll files (or XPize for that matter), and your work is lost.

After you slipstream in your addons, you'll have to extract these files, edit them, and repack the cabs.

Why not post a guide and allow both options for users? Attach a reg file to remove the registry entries after the fact, but also post instructions for what can be removed from each .dll

This can be a MAJOR undertaking, but at the same time, it will help drop the size of the registry which is getting ridiculously large.

Link to comment
Share on other sites

It's hard and long... :P

However, reshacker accepts directives files (or so). Once the file is written, you just run reshacker with the switch telling it to use a directives file. It will do everything that is needed (CPU consuming but not too long)

XPize works just the same way, but not in the same sections. This is not an overwrite (visual mods used to but all use reshacker now).

Btw, I'm using Xpize right now. ;)

> However, how much do you think it affects the install process to put in all those registry entries in the first place?
Not that much I think.

Lots of things still have to be put in the registry.

But I think visual tweaks could probably be applied by modding shell32.dll. And maybe many others.

> Why not post a guide and allow both options for users? Attach a reg file to remove the registry entries after the fact, but also post instructions for what can be removed from each .dll

It's too beta right now and the posts here are probably enough if you want to experiment (if not, tell me).

Once it is proven stable, doable and usable, I can post a few files for reshacker that will do all the work (WMP, CDBurning, Time, AutoPlay, file associations and open with menu).

And, btw, once extracted from the registry, the AutoPlay thing takes 48KB on its own.

It's a lot and not much at the same time.

Not much compared to the size of the registry (approx. 0.25%).

But a lot because it is a stupid, simple thing that is repeated many times.

Link to comment
Share on other sites

i don't think some people can fully comprehend what you discovered, but it's very interesting.

one thing i have to note about your observations: (regsrv32 /i) != (regsvr32 /s)

found a reginst in shdocvw.dll, shgina.dll, not finding them anywhere else so far...i think i've opened like 50

some strange bitmaps in windows DLLs, did you see the banners for codename Whistler in msgina?

and stringtable 126 in xpsp3res.dll says:

STRINGTABLE
LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
{
2000, "Microsoft Windows"
2001, "Version 2006"
2002, "Version 1.0"
}

122.bmp

Edited by i'm not ophiel
Link to comment
Share on other sites

Whistler and Windows 2k6, excellent! :lol:

I did not really discover that. I'm just trying to highlight it. ;)

I know there's a reginst section in browseui.dll.

And depending on the results of some benchmarks I'll start tomorrow, I'll see how I can automate the finding of [REGINST].

(possibly: make reshacker retrieve REGINST section for each dll and then parse the log to see if something was really retrieved.)

PS: I'm using some "shell extensions" and I never had to use /i with regsvr32.

Link to comment
Share on other sites

Some news. :)

It seems this saves some memory. Not that much but it does. I'll have to do other more precise tests to have usable stats. I will have to wait the same amount of time before running ProcessExplorer and I'll have to wait the same amount of time in all configs before taking a screenshot with VMWare (two processes [wmi*] start then stop).

Then, I created a small bug : a "folder" without name appeared on the desktop. :?

I don't think this will be a problem later on because I modified my shell32.dll in a few minutes.

And, last but not least : I successfully used this to have unattended visual settings!

No shadow under my pointer, no fade, no scroll... :):w00t:

This one is very easy to do and does not create any bug (the "folder" bug was present on another hacked shell32.dll). ;)

:w00t:^100

Link to comment
Share on other sites

Very nicely done, parts of this should of course be taken care of with nlite.

Lots of things can be done at "reshacker level" :)

There is a BIG chunk of size to be cut down there, pretty lame that it hasn't been implemented before actually.

Loads of unused bitmaps, entries and so on....well, now you are getting there. ;)

Edited by Clint
Link to comment
Share on other sites

After an initial lookover it looks like you have messed up a few entries.

these are in shell32.dll already located under [DelRegShell]:

HKCR,"CLSID\%CLSID_CDBurn%\%EXTVIEW%\%VID_WebView%"

HKLM,"%PATH_EXPLORER%\CD Burning\Handlers"

..not [RegShellNamespace] as in your regsrv32.txt

That would make those obsolete then.

Look it over, maybe there are more...

Link to comment
Share on other sites

> After an initial lookover it looks like you have messed up a few entries.
>
> these are in shell32.dll already located under [DelRegShell]:
>
> HKCR,"CLSID\%CLSID_CDBurn%\%EXTVIEW%\%VID_WebView%"
>
> HKLM,"%PATH_EXPLORER%\CD Burning\Handlers"
>
> ..not [RegShellNamespace] as in your regsrv32.txt
>
> That would make those obsolete then.
>
> Look it over, maybe there are more...

Indeed. ;)

I noticed it yesterday while I was reshacking my dll but forgot to change it. I'll probably make a new version, maybe with other dlls. I'm trying to make the reshacking automatic and I don't really know how reshacker behaves. I think I will retrieve the content of the section, modify it with an autohotkey script and then let the user copy it to reshacker so he can click on 'compile script' (don't forget that one otherwise you will get corrupted things at the very beginning of the graphical mode install)

PS: I think this was one of the only mistakes, one of the first entries I copied. ;)

Link to comment
Share on other sites
