Thankfully the subject has already been widely covered. In this article, the author investigates the capabilities of a similar tool, CleanAfterMe. As CCleaner is more widespread, our research led us to another article where the author used Process Monitor to develop a RegRipper plugin to retrieve CCleaner installation and settings information.

## CCleaner working

As mentioned in this SANS blog post, CCleaner used to store the configuration of cleaned items inside the registry hive, but it is now stored in INI files embedded inside the binary instead.

After digging into the documentation on the vendor's (Piriform) website, we found a command to retrieve the configuration files from the command line: `CCleaner.exe /EXPORT`. This command generates three configuration files under `C:\Program Files\CCleaner`: Winapp.ini, Winreg.ini and Winsys.ini.

All these files have entries with the following structure:

- the section name, which is the name of the reference or the application;
- LangSecRef, a four-digit number that indicates the item's category (Applications, Utilities, Windows, etc.);
- Detect, a registry key that detects the existence of the program on the system;
- DetectFile, a path or a file which detects the existence of the program on the system;
- Default, a boolean value which seems to indicate whether the item is selected by default (True) or cleared (False);
- FileKeyX, a folder followed by the file specifications to delete (see the example below);
- RegKeyX, a registry key to delete.

In the last two items, the X represents a number in case of multiple files and/or keys to delete.

Each configuration file corresponds to an item type. The Winapp.ini file contains a list of desktop applications (web browsers, data compression software, etc.) with elements that could be deleted. The utility detects the presence of the software either with the executable file, a specific configuration file or a registry key. Currently, 476 entries are listed in this configuration file.

An example of one of these entries, for Windows Defender, where both the executable and the corresponding registry key are checked (note: this gives a good reference set for DFIR people :)

```ini
Detect=HKLM\SOFTWARE\Microsoft\Windows Defender
DetectFile=%ProgramFiles%\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
FileKey1=%CommonAppData%\Microsoft\Windows Defender\Scans\History\Results\Quick|*.*
FileKey2=%CommonAppData%\Microsoft\Windows Defender\Scans\History\Results\Resource|*.*
FileKey3=%CommonAppData%\Microsoft\Windows Defender\Support|*.log
FileKey4=%ProgramFiles%\Microsoft AntiSpyware|errors.log tracksEraser.log cleaner.log
```

Then CCleaner scans the disk and removes the corresponding log files.
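As an added example (not code from the original post or from Piriform), here is a small Python parser for the Winapp.ini entry structure described above: it expands the `%ProgramFiles%` and `%CommonAppData%` variables with assumed default Windows locations and turns the FileKey entries into the list of path patterns CCleaner would delete, i.e. the artefact locations a DFIR analyst should expect to find emptied. The `[Windows Defender]` section header and the `Default=True` line in the sample are assumptions following the structure described, not values quoted from the exported file.

```python
import configparser
# Default Windows locations for the CCleaner path variables seen in the quoted
# entry (assumed defaults; in a real case take them from the examined image).
CCLEANER_VARS = {"%ProgramFiles%": r"C:\Program Files",
                 "%CommonAppData%": r"C:\ProgramData"}

# Constructed sample: the Windows Defender entry quoted above. The [section]
# header and the Default line are assumptions following the described structure.
SAMPLE_WINAPP = r"""[Windows Defender]
Detect=HKLM\SOFTWARE\Microsoft\Windows Defender
DetectFile=%ProgramFiles%\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
Default=True
FileKey1=%CommonAppData%\Microsoft\Windows Defender\Scans\History\Results\Quick|*.*
FileKey2=%CommonAppData%\Microsoft\Windows Defender\Scans\History\Results\Resource|*.*
FileKey3=%CommonAppData%\Microsoft\Windows Defender\Support|*.log
FileKey4=%ProgramFiles%\Microsoft AntiSpyware|errors.log tracksEraser.log cleaner.log
"""

def expand(path):
    """Replace CCleaner's %Var% placeholders with concrete folders."""
    for var, value in CCLEANER_VARS.items():
        path = path.replace(var, value)
    return path

def parse_winapp(text):
    """Parse Winapp.ini text into {name: {detect, detect_file, default, file_keys}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str                          # keep Detect / FileKey1 case as written
    cp.read_string(text)
    entries = {}
    for name in cp.sections():
        e = {"detect": [], "detect_file": [], "default": False, "file_keys": []}
        for key, value in cp.items(name):
            if key.startswith("DetectFile"):          # file-based presence check
                e["detect_file"].append(expand(value))
            elif key.startswith("Detect"):            # registry-based presence check
                e["detect"].append(value)
            elif key == "Default":
                e["default"] = value.strip().lower() == "true"
            elif key.startswith("FileKey"):           # folder|spec1 spec2 ...[|flags]
                directory, specs, *flags = value.split("|")
                e["file_keys"].append((expand(directory), specs.split(), flags))
        entries[name] = e
    return entries

def artifact_paths(entries):
    """Every path pattern CCleaner would delete: the reference set to check in DFIR."""
    return [d + "\\" + spec for e in entries.values()
            for d, specs, _ in e["file_keys"] for spec in specs]
```

Running `artifact_paths(parse_winapp(SAMPLE_WINAPP))` yields six full path patterns; feeding the exported Winapp.ini (476 entries) through the same functions gives the complete reference set of locations to compare against a disk image.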