UnClean 2 Controls Uninstalls

Where Is It Stored?

The Add/Remove Programs applet (ARP) in Windows 2000 and XP provides usage information for some programs in its list, including the program's installed size, the date it was last used, and the frequency of use. But where is this information stored? I examined all the values found in standard Uninstall entries and determined that none of them stored this tracking data. Still, finding the data somewhere in the Registry seemed likely.

I loaded up the free RegMon tool from www.sysinternals.com and used it to log everything that took place while ARP loaded. As expected, a vast number of the events involved the standard Uninstall key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and the corresponding key under HKCU. But there were nearly as many requests for subkeys of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache. The subkeys of the ARPCache key all seemed to match subkeys of the standard Uninstall key. Perhaps this was the source?

Most of the data requests involved a 552-byte binary value named SlowInfoCache. An Internet search turned up nothing useful on the structure of this data, so I dug into it myself. I wrote a simple program to dump all the SlowInfoCache values into a text document. I quickly determined that the last 524 bytes were a filename in Unicode (262 WideChars, NUL-terminated) and the first four bytes were a DWORD containing the structure's size. What about the remaining 24 bytes?

I refined my decoding program to list the display name of the corresponding Uninstall entry along with the unknown data expressed as six DWORD values. The Uninstall name allowed me to locate the corresponding item in ARP. I noticed that the first of the unknowns is always 0 if the program name is blank and always 1 otherwise. By comparing the list with data from ARP, I determined that the next eight bytes are an Int64 representing the installed size.

I couldn't figure out the next two DWORDs right away, but the last of the mystery DWORDs contained small integers, mostly under 30, and these proved to be the frequency data. By observation, ARP reports "rarely" for values from 0 to 2, "occasionally" for values from 3 to 10, and "frequently" for values greater than 10.

The last-used date was still not accounted for, with two unknown DWORDs remaining. I experimented with treating them as various date-related Windows data types. The correct type turned out to be TFileTime, the 8-byte structure Windows uses for file date/time stamps (100-nanosecond intervals since January 1, 1601, UTC). Putting all these observations together, I was able to create the following type declaration, which let me read and use the tracking data:

type
  { 552 bytes in all. Every field falls on its natural alignment,
    so the compiler inserts no padding and the record maps directly
    onto the REG_BINARY value. }
  TSlowInfoCache = record
    cbSize      : DWORD;                  { offset 0: size of the structure, 552 }
    HasName     : LongBool;               { offset 4: 0 if Name is blank, 1 otherwise }
    InstallSize : Int64;                  { offset 8: installed size shown by ARP }
    LastUsed    : TFileTime;              { offset 16: last-used date/time }
    Frequency   : Integer;                { offset 24: use count; see thresholds above }
    Name        : ARRAY[0..261] OF WideChar; { offset 28: NUL-terminated Unicode name, 524 bytes }
  end;
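The same layout as a stand-alone decoder, which is an added example and not code from the original article. It takes the field offsets from the TSlowInfoCache record above and the frequency thresholds from the observations in the text; the FILETIME epoch, the winreg calls for reading a live value on Windows, and the sample entry ("Example Utility 1.0") are the example's own assumptions and constructed data, not anything taken from a real machine. Beyond the article's Delphi reader, it also encodes values, which is what you need to build fixtures when testing a forensic parser.

```python
"""Decoder for the undocumented SlowInfoCache value described above.

Layout, taken from the TSlowInfoCache record on this page (little-endian):
  offset  0  DWORD      cbSize       structure size, always 552
  offset  4  LongBool   HasName      0 when the program name is blank, 1 otherwise
  offset  8  Int64      InstallSize  installed size as shown by ARP
  offset 16  FILETIME   LastUsed     100-ns ticks since 1601-01-01 00:00 UTC
  offset 24  Integer    Frequency    use count; ARP maps it to rarely/occasionally/frequently
  offset 28  WCHAR[262] Name         UTF-16LE, NUL-terminated (524 bytes)
"""
import struct
from datetime import datetime, timedelta, timezone

SLOWINFOCACHE_SIZE = 552
NAME_CHARS = 262
# cbSize, HasName, InstallSize, LastUsed (FILETIME packed as one uint64), Frequency
HEADER = struct.Struct("<LlqQi")
assert HEADER.size == 28 and HEADER.size + NAME_CHARS * 2 == SLOWINFOCACHE_SIZE

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ARPCACHE_PATH = r"SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache"


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100-ns ticks since 1601) to an aware datetime; 0 means 'never'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, in integer arithmetic so no float rounding creeps in."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def frequency_label(freq):
    """Thresholds observed in the text: 0-2 rarely, 3-10 occasionally, above 10 frequently."""
    if freq <= 2:
        return "rarely"
    if freq <= 10:
        return "occasionally"
    return "frequently"


def parse_slowinfocache(blob):
    """Decode one SlowInfoCache value; rejects anything that is not the 552-byte layout."""
    if len(blob) != SLOWINFOCACHE_SIZE:
        raise ValueError(f"expected {SLOWINFOCACHE_SIZE} bytes, got {len(blob)}")
    cb_size, has_name, install_size, last_used, frequency = HEADER.unpack_from(blob, 0)
    if cb_size != SLOWINFOCACHE_SIZE:
        raise ValueError(f"cbSize is {cb_size}; the layout may have changed")
    raw_name = blob[HEADER.size:HEADER.size + NAME_CHARS * 2]
    name = raw_name.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "has_name": bool(has_name),
        "install_size": install_size,
        "last_used": filetime_to_datetime(last_used),
        "frequency": frequency,
        "usage": frequency_label(frequency),
        "name": name,
    }


def build_slowinfocache(install_size, last_used, frequency, name):
    """Encode a value in the same layout; used here to construct sample data and test fixtures."""
    if len(name) >= NAME_CHARS:
        raise ValueError("name does not fit in WCHAR[262] with its terminator")
    header = HEADER.pack(SLOWINFOCACHE_SIZE, 1 if name else 0, install_size,
                         datetime_to_filetime(last_used) if last_used else 0, frequency)
    return header + name.encode("utf-16-le").ljust(NAME_CHARS * 2, b"\x00")


def read_slowinfocache(uninstall_key):
    """Windows only: fetch the live value for one ARPCache subkey through winreg and decode it."""
    import winreg  # imported lazily so the parser itself runs on any platform
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, ARPCACHE_PATH + "\\" + uninstall_key) as key:
        value, value_type = winreg.QueryValueEx(key, "SlowInfoCache")
    if value_type != winreg.REG_BINARY:
        raise ValueError("SlowInfoCache is not REG_BINARY")
    return parse_slowinfocache(value)


# Constructed sample entry (assumed name and values, not data from any real machine).
SAMPLE = build_slowinfocache(
    install_size=12_345_678,
    last_used=datetime(2004, 2, 29, 12, 0, tzinfo=timezone.utc),
    frequency=7,
    name="Example Utility 1.0",
)

if __name__ == "__main__":
    for field, value in parse_slowinfocache(SAMPLE).items():
        print(f"{field:>12}: {value}")
```

The cbSize check is the practical safeguard the closing paragraph hints at: if a later Windows release changes the structure, the size field is the cheapest way to notice before misreading a date as a size. When carving these values from an offline hive rather than the live registry, feed the raw REG_BINARY bytes straight to parse_slowinfocache; the layout does not depend on the key name.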

As you can see, just because a data type isn't documented doesn't mean you can't use it. If you have a good set of sample data and a way to verify when you've made a correct deduction, you can often decipher the structure. Of course, the reason Microsoft doesn't document a particular structure may be to leave it open for change. Your cleverly divined definition may last only until the next operating system upgrade. That's just the chance you have to take.
