Jump to content

Sky Slate Blueberry Blackcurrant Watermelon Strawberry Orange Banana Apple Emerald Chocolate
Photo

Anyone here use RegShot?


  • Please log in to reply
23 replies to this topic
pajenn
  • Members
  • 391 posts
  • Last active: Feb 06 2015 07:57 AM
  • Joined: 07 Feb 2009
It's a great little open-source app for taking snapshots of your registry and selected folders.

link: <!-- m -->http://sourceforge.n...ojects/regshot/<!-- m -->

I plan to start using it on a regular basis for taking snapshots of my registry and selected folders (A_WinDir\system32, A_AppData, A_AppDataCommon, ...) before and after new installs, and saving the comparison text files for potential post-uninstall clean up.

But going over the comparison logs manually is too much trouble, that's where AHK would come in. Please post here if you have any scripts for use with RegShot, or script that could be modified to analyze RegShot log files.

RegShot comparison logs include entries that were added, modified, and deleted between the two snapshots. The basic idea would be to write a script (for use following regular uninstall) that would take the info in the regshot log, get the corresponding current values (if remaining) for the added/modified entries, show you a comparison in tree form with options to Delete, 'Open Containing Folder' or 'Open in RegEdit' etc. How does that sound?

-----------------------------------------------------------------------

Edit: Here's my script so far (with support for regedit). Replace OpenWithRegEdit instances with OpenWithRegWksp if you have Registry Workshop.

I call this RegshotCleaner_RE.ahk. Highlight a regshot log file (txt-format) in Windows Explorer and press CTRL+R.

Update: The script now includes a third gui windows; a listview to display times (from log if available) when new folders or keys were created. Files and reg values created within x seconds of those times are shown in bold. you can adjust the time window and check/uncheck folder/keys used for filtering.

the InCtrl5_Laucher appends the creation times section automatically to the report, but to add it manually use the following format. Example:

----------------------------------
Folder/key creation times:
----------------------------------
8/5/2009 01:02:17 PM (20090805130217), c:\Program Files\Foxit Software\Foxit Reader\plugins
8/5/2009 01:02:18 PM (20090805130218), c:\Documents and Settings\SK\Application Data\Foxit\images
8/5/2009 01:02:26 PM (20090805130226), HKCR\TypeLib\{4B1C1E16-6B34-430E-B074-5928ECA4C150}
8/5/2009 01:02:27 PM (20090805130227), HKCR\CLSID\{571715D7-3395-4DF0-B43C-784836209E60}\TypeLib


The idea is to add the main folder and with the creation times of a newly installed program. That way you can use those times help decide what is noise and what was added by the program.

Also, both 'probably harmless' and entries outside the time window are shown in regular as opposed to bold font. I wanted to use colors, but don't know how to modify treeview entries the way you can bold/unbold them with TV_Modify...

/*
-This script cleans up RegShot output by removing "background noise" 
 defined by the included list of entries (user should customize the list.)
-RegShot log file needs to be in the same directory as the script.
-only tested on winXP/SP3 AutoHotkey v1.0.48.03 and RegShot v1.8.2
*/
#NoEnv
#SingleInstance, Force
SetBatchLines, -1
SetWorkingDir, %A_ScriptDir%

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;                                                               ;;;
;;;   Below specify options                                       ;;;
;;;   (generally, on = 1 and off = 0)                             ;;;
;;;                                                               ;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

denoise_On = 0   ;option to save regshot after initial denoising
saveFileList = 0 ;option to save list of denoised files remaining on system
saveRegList = 0  ;option to save list of denoised reg entries remaining on system

;default time proximity used to highlight entries
threshold:= 10

GroupAdd, Explore, ahk_class CabinetWClass
GroupAdd, Explore, ahk_class ExploreWClass

#IfWinActive ahk_group Explore
^r::
ControlGetText, Dir, Edit1, A
ControlGet, file, List, Focused Col1, SysListView321, A
filepath:= StrLen(Dir)=3 ? dir . file : dir . "\" . file
StringTrimRight, filename, file, 4

shotClean=
If (denoise_On == 1)
  FileDelete, %filename%_denoised.txt ;if exists

Loop, HKEY_CURRENT_USER,Software\Microsoft\Protected Storage System Provider,2
  UserSID:= A_LoopRegName

FileRead, shot, %filepath%

;following loop changes long reg root key names to short form, if necessary
Loop, Parse, shot, `n,`r
{
  ;change long root key names to abbreviations (if necessary)
  StringReplace,thisline,A_LoopField,HKEY_CLASSES_ROOT\,HKCR\
  StringReplace,thisline,thisline,HKEY_CURRENT_USER\,HKCU\
  StringReplace,thisline,thisline,HKEY_LOCAL_MACHINE\,HKLM\
  StringReplace,thisline,thisline,HKEY_USERS\,HKU\
  StringReplace,thisline,thisline,HKEY_CURRENT_CONFIG\,HKCC\
  
  If thisline Contains \ntuser.dat,\Cookies\index.dat,\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG,\Local Settings\desktop.ini
    ,C:\Documents and Settings\Administrator.%A_ComputerName%\Local Settings\Application Data\AnVir\
    ,%A_AppDataCommon%\Application Data\Rising\common\
    ,%A_AppDataCommon%\ABBYY\Retail.ScreenshotReader\9.00\Licenses\ProductLicensing.log
    ,C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
    ,C:\Documents and Settings\LocalService\Local Settings\desktop.ini
    ,C:\Documents and Settings\%A_UserName%\ntuser.ini
    ,%A_AppData%\Microsoft\CryptnetUrlCache\Content
    ,%A_AppData%\Microsoft\CryptnetUrlCache\MetaData    
    ,%A_AppData%\Microsoft\HTML Help\hh.dat
    ,%A_AppData%\Mozilla\Firefox\Profiles\k2qzu7cz.default
    ,%A_AppData%\Scooter Software\Beyond Compare 3
    ,C:\Documents and Settings\%A_UserName%\IETldCache\index.dat
    ,C:\Documents and Settings\%A_UserName%\Local Settings\Application Data\Bill2's Process Manager\
    ,C:\Documents and Settings\%A_UserName%\Local Settings\Application Data\Bill2_Software
    ,C:\Documents and Settings\%A_UserName%\Local Settings\Application Data\IconCache.db
    ,C:\Documents and Settings\%A_UserName%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
    ,C:\Documents and Settings\%A_UserName%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
    ,C:\Documents and Settings\%A_UserName%\Local Settings\Application Data\Microsoft\Windows Media\11.0\WMSDKNSD.XML
    ,C:\Documents and Settings\%A_UserName%\Local Settings\Application Data\Mozilla\Firefox\Profiles\k2qzu7cz.default
    ,C:\Documents and Settings\%A_UserName%\Local Settings\desktop.ini
    ,C:\Documents and Settings\%A_UserName%\Local Settings\History\desktop.ini    
    ,C:\Documents and Settings\%A_UserName%\Local Settings\History\History.IE5
    ,C:\Documents and Settings\%A_UserName%\Local Settings\Temp\
    ,C:\Documents and Settings\%A_UserName%\Local Settings\Temporary Internet Files\Content.IE5
    ,C:\Documents and Settings\%A_UserName%\Local Settings\Temporary Internet Files\desktop.ini
    ,C:\Documents and Settings\%A_UserName%\SendTo\Bluetooth File Transfer Wizard.LNK
    ,C:\Documents and Settings\%A_UserName%\SendTo\desktop.ini
    ,%A_ProgramFiles%\Everything\Everything.db,%A_ProgramFiles%\Everything\Everything.ini
    ,%A_WinDir%\0.log,%A_WinDir%\bootstat.dat,%A_WinDir%\bthservsdp.dat
    ,%A_WinDir%\Rav.inf,%A_WinDir%\Rav.ini,%A_WinDir%\Sandboxie.ini,%A_WinDir%\Debug\PASSWD.LOG
    ,%A_WinDir%\erdnt,%A_WinDir%\Prefetch,%A_WinDir%\Security\edb.chk,%A_WinDir%\Security\edb.log
    ,%A_WinDir%\SoftwareDistribution\DataStore\DataStore.edb
    ,%A_WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk
    ,%A_WinDir%\SoftwareDistribution\DataStore\Logs\edb.log
    ,%A_WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb  
    ,%A_WinDir%\system32\BsMain.ini
    ,%A_WinDir%\system32\CatRoot2
    ,%A_WinDir%\system32\config\AppEvent.Evt
    ,%A_WinDir%\system32\config\default
    ,%A_WinDir%\system32\config\SecEvent.Evt
    ,%A_WinDir%\system32\config\sam
    ,%A_WinDir%\system32\config\security
    ,%A_WinDir%\system32\config\software
    ,%A_WinDir%\system32\config\SysEvent.Evt
    ,%A_WinDir%\system32\config\system
    ,%A_WinDir%\system32\LogFiles\WUDF\WUDFTrace.etl
    ,%A_WinDir%\system32\perf
    ,%A_WinDir%\system32\wbem
    ,%A_WinDir%\system32\wpa.dbl
    ,%A_WinDir%\Tasks\Clean System Memory.job,%A_WinDir%\Tasks\SA.DAT,%A_WinDir%\Tasks\SCHEDLGU.TXT
    ,%A_WinDir%\Temp\Perflib_Perfdata,%A_WinDir%\Temp\RavTemp,%A_WinDir%\Temp\WGAErrLog.txt
    ,%A_WinDir%\wiadebug.log,%A_WinDir%\wiaservc.log
    ,%A_WinDir%\WindowsUpdate.log
    ,HKLM\HARDWARE\DESCRIPTION\System
    ,HKLM\HARDWARE\DEVICEMAP\Scsi
    ,HKLM\HARDWARE\RESOURCEMAP
    ,HKLM\SOFTWARE\Broadcom\802.11
    ,HKLM\SOFTWARE\Microsoft\Cryptography\RNG
    ,HKLM\SOFTWARE\Microsoft\EventSystem
    ,HKLM\SOFTWARE\Microsoft\Rpc\UuidSequenceNumber
    ,HKLM\SOFTWARE\Microsoft\Rpc\WBEM\CIMON
    ,HKLM\SOFTWARE\Microsoft\Rpc\WBEM\Transports\Decoupled\Server
    ,HKLM\SOFTWARE\Microsoft\SchedulingAgent
    ,HKLM\SOFTWARE\Microsoft\UPnP Device Host
    ,HKLM\SOFTWARE\Microsoft\WBEM\CIMOM\ProcessID
    ,HKLM\SOFTWARE\Microsoft\WBEM\PROVIDERS\Performance\Performance Refreshed
    ,HKLM\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\CreationTime
    ,HKLM\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\MarshaledProxy
    ,HKLM\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\ProcessIdentifier
    ,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State
    ,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData
    ,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RecentDocs
    ,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Rav\DisplayVersion
    ,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LicenseInfo
    ,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher
    ,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
    ,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\WgaLogon\Settings
    ,HKLM\SOFTWARE\Microsoft\WZCSVC
    ,HKLM\SOFTWARE\rising\Rav\Version
    ,HKLM\SYSTEM\ControlSet001\Control\Session Manager
    ,HKLM\SYSTEM\ControlSet001\Enum
    ,HKLM\SYSTEM\ControlSet002\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0005\GlobalSettings\Cmplx\Node000
    ,HKLM\SYSTEM\ControlSet002\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#    
    ,HKLM\SYSTEM\ControlSet002\Control\Lsa\LsaPid
    ,HKLM\SYSTEM\ControlSet002\Control\Print\Providers\LogonTime
    ,HKLM\SYSTEM\ControlSet002\Control\Session Manager
    ,HKLM\SYSTEM\ControlSet002\Control\Watchdog\Display\ShutdownCount
    ,HKLM\SYSTEM\ControlSet002\Control\Windows\ShutdownTime
    ,HKLM\SYSTEM\ControlSet002\Enum
    ,HKLM\SYSTEM\ControlSet002\Services\Dhcp\Parameters\{CB5197AD-D73A-4647-A7B9-21959A0AC4DF}
    ,HKLM\SYSTEM\ControlSet002\Services\Dhcp\Parameters\{9B5BD65E-7AB9-4A8B-BD34-FC9647252CFC}
    ,HKLM\SYSTEM\ControlSet002\Services\ialm\Device0\HardwareInformation.Crc32
    ,HKLM\SYSTEM\ControlSet002\Services\lanmanserver\parameters\Guid
    ,HKLM\SYSTEM\ControlSet002\Services\SharedAccess\Epoch\Epoch: 0x0000B0F3
    ,HKLM\SYSTEM\ControlSet002\Services\SynTP\Parameters\DetectTimeMS
    ,HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{9209A459-27B0-4707-9470-6297A52C59C4}\NTEContextList
    ,HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{9B5BD65E-7AB9-4A8B-BD34-FC9647252CFC}
    ,HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{CB5197AD-D73A-4647-A7B9-21959A0AC4DF}
    ,HKLM\SYSTEM\ControlSet002\Services\{9B5BD65E-7AB9-4A8B-BD34-FC9647252CFC}\Parameters\Tcpip
    ,HKLM\SYSTEM\ControlSet002\Services\{CB5197AD-D73A-4647-A7B9-21959A0AC4DF}\Parameters\Tcpip\Lease
    ,HKLM\SYSTEM\ControlSet002\Services\{CB5197AD-D73A-4647-A7B9-21959A0AC4DF}\Parameters\Tcpip\T
    ,HKLM\SYSTEM\ControlSet003\Control\Lsa\LsaPid
    ,HKLM\SYSTEM\ControlSet003\Control\Print\Providers\LogonTime
    ,HKLM\SYSTEM\ControlSet003\Control\Watchdog\Display\ShutdownCount
    ,HKLM\SYSTEM\ControlSet003\Control\Windows\ShutdownTime
    ,HKLM\SYSTEM\ControlSet003\Control\ServiceCurrent
    ,HKLM\SYSTEM\ControlSet003\Control\Session Manager    
    ,HKLM\SYSTEM\ControlSet003\Enum    
    ,HKLM\SYSTEM\ControlSet003\Services\a8hdx80i    
    ,HKLM\SYSTEM\ControlSet003\Services\Dhcp\Parameters\{9B5BD65E-7AB9-4A8B-BD34-FC9647252CFC}
    ,HKLM\SYSTEM\ControlSet003\Services\Dhcp\Parameters\{CB5197AD-D73A-4647-A7B9-21959A0AC4DF}    
    ,HKLM\SYSTEM\ControlSet003\Services\ialm\Device0\HardwareInformation.Crc32
    ,HKLM\SYSTEM\ControlSet003\Services\lanmanserver\parameters\Guid
    ,HKLM\SYSTEM\ControlSet003\Services\mssmbios\Data\BiosData
    ,HKLM\SYSTEM\ControlSet003\Services\SharedAccess\Epoch\Epoch
    ,HKLM\SYSTEM\ControlSet003\Services\SynTP\Parameters\DetectTimeMS
    ,HKLM\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{9B5BD65E-7AB9-4A8B-BD34-FC9647252CFC}
    ,HKLM\SYSTEM\ControlSet003\Services\{9B5BD65E-7AB9-4A8B-BD34-FC9647252CFC}\Parameters\Tcpip
    ,HKLM\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{CB5197AD-D73A-4647-A7B9-21959A0AC4DF}\DhcpRetryTime
    ,HKLM\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{CB5197AD-D73A-4647-A7B9-21959A0AC4DF}\Lease
    ,HKLM\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{CB5197AD-D73A-4647-A7B9-21959A0AC4DF}\T
    ,HKLM\SYSTEM\ControlSet003\Services\{CB5197AD-D73A-4647-A7B9-21959A0AC4DF}\Parameters\Tcpip\Lease
    ,HKLM\SYSTEM\ControlSet003\Services\{CB5197AD-D73A-4647-A7B9-21959A0AC4DF}\Parameters\Tcpip\T
    ,HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses
    ,HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LsaPid
    ,HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime
    ,HKLM\SYSTEM\CurrentControlSet\Control\ServiceCurrent
    ,HKLM\SYSTEM\CurrentControlSet\Control\Session Manager    
    ,HKLM\SYSTEM\CurrentControlSet\Control\Watchdog\Display\ShutdownCount
    ,HKLM\SYSTEM\CurrentControlSet\Control\Windows\ShutdownTime
    ,HKLM\SYSTEM\CurrentControlSet\Enum    
    ,HKLM\SYSTEM\CurrentControlSet\Services\a8hdx80i
    ,HKLM\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\{9B5BD65E-7AB9-4A8B-BD34-FC9647252CFC}
    ,HKLM\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\{CB5197AD-D73A-4647-A7B9-21959A0AC4DF}
    ,HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum
    ,HKLM\SYSTEM\CurrentControlSet\Services\hpdskflt\Enum
    ,HKLM\SYSTEM\CurrentControlSet\Services\ialm\Device0\HardwareInformation.Crc32
    ,HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum
    ,HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\Guid
    ,HKLM\SYSTEM\CurrentControlSet\Services\LVUSBSta\Enum
    ,HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data\BiosData
    ,HKLM\SYSTEM\CurrentControlSet\Services\PartMgr\Enum
    ,HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch
    ,HKLM\SYSTEM\CurrentControlSet\Services\snapman380\Enum
    ,HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters\DetectTimeMS
    ,HKLM\SYSTEM\CurrentControlSet\Services\tdrpman174\Enum
    ,HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9B5BD65E-7AB9-4A8B-BD34-FC9647252CFC}
    ,HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CB5197AD-D73A-4647-A7B9-21959A0AC4DF}\DhcpRetryTime
    ,HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CB5197AD-D73A-4647-A7B9-21959A0AC4DF}\Lease
    ,HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CB5197AD-D73A-4647-A7B9-21959A0AC4DF}\T    
    ,HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum
    ,HKLM\SYSTEM\CurrentControlSet\Services\{9B5BD65E-7AB9-4A8B-BD34-FC9647252CFC}\Parameters\Tcpip
    ,HKLM\SYSTEM\CurrentControlSet\Services\{CB5197AD-D73A-4647-A7B9-21959A0AC4DF}\Parameters\Tcpip\Lease
    ,HKLM\SYSTEM\CurrentControlSet\Services\{CB5197AD-D73A-4647-A7B9-21959A0AC4DF}\Parameters\Tcpip\T     
    ,HKU\%UserSID%\SessionInformation\ProgramCount
    ,HKU\%UserSID%\Software\Analog Devices\IFShare\{7524D05B-038A-4015-A453-C426CAEB4462}\OEMInfo
    ,HKU\%UserSID%\Software\Broadcom\802.11\AuthDom
    ,HKU\%UserSID%\Software\Broadcom\802.11\AuthUser
    ,HKU\%UserSID%\Software\Broadcom\802.11\AuthPass
    ,HKU\%UserSID%\Software\LopeSoft\FileMenu Tools
    ,HKU\%UserSID%\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon
    ,HKU\%UserSID%\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
    ,HKU\%UserSID%\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories
    ,HKU\%UserSID%\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\ShellNew
    ,HKU\%UserSID%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
    ,HKU\%UserSID%\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder
    ,HKU\%UserSID%\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\
    ,HKU\%UserSID%\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
    ,HKU\%UserSID%\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
    ,HKU\%UserSID%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo
    ,HKU\%UserSID%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage
    ,HKU\%UserSID%\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
    ,HKU\%UserSID%\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams
    ,HKU\%UserSID%\Software\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify
    ,HKU\%UserSID%\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
    ,HKU\%UserSID%\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
    ,HKU\%UserSID%\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    ,HKU\%UserSID%\Software\Microsoft\Windows\CurrentVersion\Shell Extensions
    ,HKU\%UserSID%\Software\Microsoft\Windows\Shell\Bags
    ,HKU\%UserSID%\Software\Microsoft\Windows\ShellNoRoam\BagMRU
    ,HKU\%UserSID%\Software\Microsoft\Windows\ShellNoRoam\Bags
    ,HKU\%UserSID%\Software\Microsoft\Windows\ShellNoRoam\MUICache
    ,HKU\%UserSID%\Software\UniExtract\Directory,HKU\%UserSID%\Software\UniExtract\File
    ,HKU\%UserSID%\Software\WinRAR
    Continue
  shotClean.= thisline "`n"
}
shot=

;Checks the output that's left after cleaning
If (shotClean == "")
{
  MsgBox, 4,, No entries left:`nEither they were all noise or or an error occurred.`nDo you wish to continue script?
  IfMsgBox No
    ExitApp
  Return
}
Else If (denoise_On == 1)
  FileAppend, %shotClean%, %filename%_denoised.txt

/*
This script cleans up RegShot output in the following ways:
-drops summary info, empty lines, deleted files/values, etc.
-drops "background noise" defined by the included "IgnoreList.txt" (you 
should customize the file for your needs.)
-checks the existence of the remaining entries, and in the case of
changed registry values, reports their current value as well.

TAGS:
-untagged files and values were "Added" during the installation, or otherwise
recorded by RegShot as "Folders/Files Added" or "Keys/Values Added."
-"modified" tag refers to files that RegShot recorded as "Files [attributes?] 
modified" or "Values modified" that have been re-modified since then.
-"added" and "current" tags refers to "Added" registry entries that still exist, but
have a different value than before.
*/

;clear values (not necessary, but just in case)...
var1:=var2:=var3:=var4:=var5:=root:=rPath:=sub:=val:=valNow:=vname:=FilesX:=RegX:=cTimes:=message1:=""
matcher:= 1, modOld:= 1, section:= ""
FileRead, IgnoreList, %A_ScriptDir%\IgnoreList.txt

;make sure IgnoreList has at least one entry so that subsequent appends may be proceeded by a ","
If (IgnoreList=="")
  IgnoreList:= "C:\Documents and Settings\%A_UserName%\Local Settings\Temp"

Loop,Parse,shotClean,`n,`r
{
  If (A_LoopField == "")
    Continue
  If A_LoopField Not Contains %IgnoreList%
  { ;regshot marks sections heading with a series of dashes
    If (A_LoopField == "----------------------------------")
      matcher*= -1
    Else If (matcher == -1)
    { 
      StringLeft, section, A_LoopField, % InStr(A_LoopField,":")-1       
      StringReplace,section,section,[attributes?]%A_Space%
    }
    Else
    {
      If (section == "Folders added")
      {
        If FileExist(A_LoopField)
        {
          Loop, %A_LoopField%,1
            created:= A_LoopFileTimeCreated
          FilesX.= A_LoopField " (" created ")`n"
        }
        Else IgnoreList.= "," A_LoopField ;if key doesn't exist, ignore values for it
      }
      Else If (section == "Files added") && FileExist(A_LoopField)
      {
        Loop, %A_LoopField%,1
          created:= A_LoopFileTimeCreated
        FilesX.= A_LoopField " (" created ")`n"
      }
      Else If (section == "Files modified") && FileExist(A_LoopField)
        FilesX.= A_LoopField " (modified)`n"
      Else If (section == "Keys added")
      {
        RegExMatch(A_LoopField,"^(HKLM|HKCR|HKCU|HKU|HKCC)?\\(.*(?=\\(.*))|.*)", r)
        created=
        Loop,%r1%,%r2%,2
        {
          If (A_LoopRegName == r3)
          {
            created:= A_LoopRegTimeModified
            Break
          }
        }
        If !created
          IgnoreList.= "," . A_LoopField ;if key doesn't exist, ignore values for it
        Else RegX.= r1 "\" r2 " (" created ")`n"
      }
      Else If (section == "Values added")
      {
        If RegEntrySplit(A_LoopField) != 0
        {
          valNow:= RegValConvert(root,sub,vname)
          If (vname == "") ;use '(Default)' notation for nameless values
            vname:= "(Default)"
          If (val == valNow)
            RegX.= root . "\" . sub . "\" . vname ": " . val . "`n"
          Else RegX.= root . "\" . sub . "\" . vname ": " . val . " (added)`t`t" . root . "\" . sub . "\" . vname ": " . valNow . " (current)`n"
        }
      }
      Else If (section == "Values modified")
      {
        If RegEntrySplit(A_LoopField) != 0
        {
          If (vname == "")
            vname:= "(Default)"
          ;for modified reg entries, regShot displays the new value after the old one
          ;tabs are used instead of newlines to separate before/after/current values 
          ;in order to preserve their order during an alphabetaical sort later on
          ;after the sort, they will be replaced with newlines
          If modOld
            RegX.= root . "\" . sub . "\" . vname ": " . val . " (mod_before)`t`t", modOld:=0
          Else
          {
            valNow:= RegValConvert(root,sub,vname)
            If (val == valNow)
              RegX.= root . "\" . sub . "\" . vname ": " . val . " (mod_after)`n"
            Else If (val != valNow)
              RegX.= root . "\" . sub . "\" . vname ": " . val . " (mod_after)`t`t" . root . "\" . sub . "\" . vname ": " . valNow . " (mod_current)`n", modOld:= 1
          }
        }
      }
      Else If (section == "Folder/key creation times")
      {
        cTimes.= A_LoopField "`n"
      }
    }
  }
}
IgnoreList=

;The next two If statements are used to sort the the file and registry entries
If (FilesX != "")
{
  StringTrimRight,FilesX,FilesX,1 ;remove last empty line
  FilesX:= RegExReplace(FilesX, "(.*?);(\d+)(\n|$)", "$2;$1$3") ;swap number with path
  Sort, FilesX ;sort list in reverse numeric order
  FilesX:= RegExReplace(FilesX, "(\d+);(.*?)(\n|$)", "$2;$1$3") ;swap back
  If (saveFileList == 1)
  {
    message1.= "File log saved to " . filename . "_Files.txt`n"
    FileDelete, %filename%_Files.txt
    FileAppend, %FilesX%, %filename%_Files.txt
  }
}
Else message1.= "No leftover file enries detected`n"
If (RegX != "")
{  
  StringTrimRight,RegX,RegX,1 ;remove last empty line
  RegX := RegExReplace(RegX, "(.*?);(\d+)(\n|$)", "$2;$1$3") ;swap number with path
  Sort, RegX ;sort list in reverse numeric order
  RegX := RegExReplace(RegX, "(\d+);(.*?)(\n|$)", "$2;$1$3") ;swap back
  ;Replace tabs used to separate before/after/current modified registry
  ;values (to preserve their order during sorting) with newlines
  StringReplace, RegX, RegX,%A_Tab%%A_Tab%,`n,All
  If (SubStr(RegX,0,1) == "`n")
    StringTrimRight,RegX,RegX,1
  If (saveRegList == 1)
  {
    message1.= "Registry log saved to " . filename . "_Reg.txt"
    FileDelete, %filename%_Reg.txt
    FileAppend, %RegX%, %filename%_Reg.txt
  }
}
Else message1.= "No leftover reg entries detected"

;Checks the output that's left after cleaning
If (FilesX == "" && RegX == "")
{
  MsgBox,4,No %filepath% entries found:,Either they have already been uninstalled/removed, or an error occurred.`nDo you wish to keep the script active?
  IfMsgBox No
    ExitApp
  Return
}
Else TrayTip, RegShot cleaned, %message1%, 10, 1
;Entries on probably harmless list are displayed in regular font (as opposed to boldface)
;the list is intended to contain values that the user is either still evaluating (before
;adding them to the Ignore List, or that are frequently modified or added during reboots
;or otherwise as part of normal Windows XP operation, and should not be deleted unless
;user has special reason for doing so.
NoHarm=
FileRead, NoHarm, %A_ScriptDir%\ProbablyHarmless.txt
/* 
kudos to hd0202 (Hubert) for the core treeview script here:
http://www.autohotkey.com/forum/viewtopic.php?p=264219#264219
*/

TreeViewWidth:= A_ScreenWidth/2
TreeViewHeight:= A_ScreenHeight*2/3
ListViewWidth:= TreeViewWidth*2
ListViewHeight:= TreeViewHeight/2
ButY:= TreeViewHeight+10

Gui, Add, TreeView, AltSubmit RightClick vFileTree h%TreeViewHeight% w%TreeViewWidth% gFileTree
Gui, Add, TreeView, AltSubmit RightClick vRegTree h%TreeViewHeight% w%TreeViewWidth% x+10 ym gRegTree
Gui +VScroll +HScroll
Gui, Font,cRed, Arial
Gui, Add, ListView, AltSubmit Checked vMyList h%ListViewHeight% w%ListViewWidth% x0 y+50 gMyList, Time|Folder or key
Gui +Resize
; Set the ListView's column widths (this is optional):
Col1Width = 250  ; Narrow to reveal only the YYYYMMDD part.
LV_ModifyCol(1, Col1Width)  ; Allows room for vertical scrollbar.
LV_ModifyCol(2, ListViewWidth - Col1Width - 30)

Gui, Add, StatusBar
SB_SetParts(1.65*TreeViewWidth)
Gui, TreeView, SysTreeView321
AddBranchesToTree(FilesX) ;list needs to be sorted
Gui, TreeView, SysTreeView322
AddBranchesToTree(RegX,1) ;list needs to be sorted
OnMessage(0x203, "DOUBLECLICK") ; double-click opens file in new window
Gui, ListView, SysListView321
AddTimesToTree(cTimes)
cHeight:= TreeViewHeight-40
Gui, Add, Button, section +AltSubmit vFilter xm+10 ym+%cHeight% w60 h40 gFilter, Re-filter
Gui, font, s10 bold cBlack
Gui, Add, Text, +AltSubmit vTxtHeadingTH xm+80 ys w110 h40,Set seconds:`n(filer threshold)
Gui, font,s18
Gui, Add, Edit, +AltSubmit vEditTH xm+200 ys w70 h40 Right
Gui, Add, UpDown, +AltSubmit vThreshold Range1-999 gThreshold, 10.
Gui, font
Gui, Add, Text, vTxtBodyTH xm+290 ys w200 h40,Tree entries within set number of seconds of checked time entries below will be displayed in bold.
Gui, Show  ;Show the window and its TreeView.
Return

GuiSize:  ;Expand/shrink the ListView and TreeView in response to user's resizing of window.
  If (A_EventInfo == 1)  ;The window has been minimized. No action needed.
    Return
  ;Otherwise, the window has been resized or maximized. Resize the controls to match.
  GuiControl, Move, FileTree, % "H" . (A_GuiHeight*2/3-15) . " W" . (A_GuiWidth/2 - 15)
  GuiControl, Move, RegTree,  % "H" . (A_GuiHeight*2/3-15) . " W" . (A_GuiWidth/2 - 15) . " X" . (A_GuiWidth/2+10)
  GuiControl, MoveDraw, MyList, % "H" . (A_GuiHeight*1/3-15) . " W" . (A_GuiWidth - 30) " Y" . (A_GuiHeight*2/3+50)
  GuiControl, MoveDraw, Filter, % "Y" . (A_GuiHeight*2/3+5)
  GuiControl, MoveDraw, TxtHeadingTH, % "Y" . (A_GuiHeight*2/3+5)
  GuiControl, MoveDraw, EditTH, % "Y" . (A_GuiHeight*2/3+5)
  GuiControl, MoveDraw, Threshold, % "Y" . (A_GuiHeight*2/3+5)
  GuiControl, MoveDraw, TxtBodyTH, % "Y" . (A_GuiHeight*2/3+5)
Return

Threshold:
Return

Filter:
Gui, ListView, MyList
tList=
RowNumber = 0 ;This causes the first loop iteration to start the search at the top of the list.
Loop
{
  RowNumber := LV_GetNext(RowNumber,"Checked")
  if not RowNumber
    break
    LV_GetText(Text, RowNumber)
    tList.= SubStr(Text, -14,14) "," 
}
;add loop that checks entries in tree and highlights matches
If tList
{
  StringTrimRight,tList,tList,1 ;remove empty line at end
  ; Causes the loop's first iteration to start the search at the top of the tree.
  trees = FileTree,RegTree
  Loop,Parse,trees,`,
  {
    Gui, TreeView, %A_LoopField%
    ItemID = 0
    rTree:= (A_LoopField == "RegTree") ? 1 : 0
    Loop
    {
      ItemID := TV_GetNext(ItemID, "Full")  ; Replace "Full" with "Checked" to find all checkmarked items.
      If Not ItemID  ; No more items in tree.
        Break
      ;else check time stamp
      If ct:= ct%ItemID%
      {
        Loop,parse,tList,`,
        {
          new:= A_LoopField
          EnvSub,new,%ct%,seconds
          If Abs(new) < threshold
          {
            TV_Modify(ItemID,"Bold")
            If rTree
            {
              ChildID:= ItemID, parents:= ItemID
              Loop
              {
                ChildID:= TV_GetNext(ChildID,"Full"), ParentID:= TV_GetParent(ChildID)
                If ParentID Not In %parents%
                  Break
                TV_Modify(ChildID,"Bold")
                parents.= "," . ChildID
              }
            }
            Break
          }
          Else
          {
            TV_Modify(ItemID,"-Bold")
            If rTree
            {
              ChildID:= ItemID, parents:= ItemID
              Loop
              {
                ChildID:= TV_GetNext(ChildID,"Full"), ParentID:= TV_GetParent(ChildID)
                if ParentID Not In %parents%
                  Break
                TV_Modify(ChildID,"-Bold")
                parents.= "," . ChildID
              }
            }
          }
        }
      }
    }
  }
}
Return

FileTree:  ;This subroutine handles user actions (such as clicking).
If A_GuiEvent <> S  ;i.e. an event other than "select new tree item".
   Return  ;Do nothing.
TV_GetText(SelectedItemText, A_EventInfo)
varname:= SelectedItemText
ParentID:= A_EventInfo
Loop  ;Build the full path to the selected folder.
{
  ParentID:= TV_GetParent(ParentID)
  If not ParentID  ;No more ancestors.
    Break
  TV_GetText(ParentText, ParentID)
  SelectedItemText = %ParentText%\%SelectedItemText%
}
SelectedPath = %TreeRoot%\%SelectedItemText%
StringTrimLeft, SelectedPath, SelectedPath, 1
StringTrimRight, SelectedPath, SelectedPath, % StrLen(varname)+1

varname:= RegExReplace( varname, "i)\s\((added|current|modified)\)$","",mods)

SB_SetText(SelectedPath, 1)
if ct_selected:= ct%A_EventInfo%
  FormatTime, ct_selected, %ct_selected%, MMM d, yyyy hh:mm:ss tt
SB_SetText(ct_selected, 2)
Return

RegTree:  ;This subroutine handles user actions (such as clicking).
If A_GuiEvent <> S  ;i.e. an event other than "select new tree item".
   Return  ;Do nothing.
TV_GetText(SelectedItemText, A_EventInfo)
varname:= SelectedItemText
ParentID := A_EventInfo

Loop  ;Build the full path to the selected folder.
{
  ParentID := TV_GetParent(ParentID)
  If not ParentID  ; No more ancestors.
    break
  TV_GetText(ParentText, ParentID)
  SelectedItemText  = %ParentText%\%SelectedItemText%
}
SelectedPath = %TreeRoot%\%SelectedItemText%
StringTrimLeft, SelectedPath, SelectedPath, 1
StringTrimRight, SelectedPath, SelectedPath, % StrLen(varname)+1
varname:= RegExReplace( varname, "\s\((added|current|modified|mod_after|mod_before|mod_current)\)$","",mods)

SB_SetText(SelectedPath, 1)
if ct_selected:= ct%A_EventInfo%
  FormatTime, ct_selected, %ct_selected%, MMM d, yyyy hh:mm:ss tt
SB_SetText(ct_selected, 2)
Return

MyList:
Return

GuiContextMenu:
Menu, RegshotCleanerMenu, Add,
Menu, RegshotCleanerMenu, DeleteAll
If (A_GuiControl == "FileTree")
{
  Gui, TreeView, FileTree
  idd:= TV_GetSelection()
  Menu, RegshotCleanerMenu, Add, Go to selected file entry, MenuHandler
  Menu, RegshotCleanerMenu, Add, Delete file or folder, MenuHandler
  Menu, RegshotCleanerMenu, Add, Add entry to Ignore List, MenuHandler
  Menu, RegshotCleanerMenu, Add, Add entry to Probably Harmeless List, MenuHandler
}
Else If (A_GuiControl == "RegTree")
{
  Gui, TreeView, RegTree
  idd:= TV_GetSelection(), chid_idd:= TV_GetChild(idd)
  Menu, RegshotCleanerMenu, Add, Go to selected reg entry, MenuHandler
  Menu, RegshotCleanerMenu, Add, Delete registry entry, MenuHandler
  If chid_idd
  {
    Menu, RegshotCleanerMenu, Add, Add entry to Ignore List, MenuHandler
    Menu, RegshotCleanerMenu, Add, Add entry to Probably Harmeless List, MenuHandler
  }
}
Menu, RegshotCleanerMenu, Show
Return

DOUBLECLICK()
{
  global SelectedPath, varname

  MouseGetPos,,,, control,1
  If (control == "SysTreeView321")
    Run %COMSPEC% /c explorer.exe /select`, %SelectedPath%\%varname%,, Hide
  Else If (control == "SysTreeView322")
    OpenWithRegEdit(SelectedPath . "\" . varname)
  Else Return
}

MenuHandler:
If (A_ThisMenuItem == "Go to selected file entry")
  Run %COMSPEC% /c explorer.exe /select`, %SelectedPath%\%varname%,, Hide
Else If (A_ThisMenuItem == "Go to selected reg entry")
  OpenWithRegEdit(SelectedPath . "\" . varname)
Else If (A_ThisMenuItem == "Delete file or folder")
{
  MsgBox,4,Confirm Deletetion,Are you sure you want to delete`n%SelectedPath%\%varname%?
  IfMsgBox, Yes
    FileDelete, %SelectedPath%\%varname%
  If !ErrorLevel  
    TV_Delete(idd)
}
Else If (A_ThisMenuItem == "Delete registry entry")
{
  MsgBox,4,Confirm Deletetion,Are you sure you want to delete`n%SelectedPath%\%varname%?
  IfMsgBox, No
    Return
  bsDel:= InStr(SelectedPath,"\"), rootDel:= SubStr(SelectedPath,1,bsDel-1), subDel:= SubStr(SelectedPath, bsDel+1)
  If colDel:= InStr(varname,":")
  {
    valDel:= SubStr(varname,1,colDel-1)
    RegDelete,%rootDel%,%subDel%,%valDel%
  }
  Else RegDelete,%rootDel%,%subDel%\%varname%
  If !ErrorLevel
    TV_Delete(idd)
}
Else If (A_ThisMenuItem == "Add entry to Ignore List")
{
  If FileExist(A_ScriptDir . "\IgnoreList.txt")
    FileAppend, `,%SelectedPath%\%varname%, %A_ScriptDir%\IgnoreList.txt
  Else FileAppend, %SelectedPath%\%varname%, %A_ScriptDir%\IgnoreList.txt
  ;TrayTip,Ignore List addition,`n%SelectedPath%\%varname% was added to`n%A_ScriptDir%\IgnoreList.txt,10
  If !ErrorLevel  
    TV_Delete(idd)
}
Else If (A_ThisMenuItem == "Add entry to Probably Harmeless List")
{
  If FileExist(A_ScriptDir . "\ProbablyHarmless.txt")
    FileAppend, `,%SelectedPath%\%varname%, %A_ScriptDir%\ProbablyHarmless.txt
  Else FileAppend, %SelectedPath%\%varname%, %A_ScriptDir%\ProbablyHarmless.txt
  If !ErrorLevel
  {
    TV_Modify(idd,"-Bold -Expand")
    ItemID:= idd, parents:= idd  ; Causes the loop's first iteration to start the search at the top of the tree.
    Loop
    {
      ItemID:= TV_GetNext(ItemID,"Full"), ParentID:= TV_GetParent(ItemID)
      if ParentID Not In %parents%
        break
      TV_Modify(ItemID,"-Bold")
      parents.= "," . ItemID
    }
  }
}
Return

GuiEscape:
GuiClose:
ExitApp

RegEntrySplit(RegString="")
{
  global
  RegExMatch(RegString,"i)^(HKLM|HKCR|HKCU|HKU|HKCC)\\(?:((.*)\\(.*?)(?::\s)(.*)|.*))", rPath)
  
  root:= rPath1
  If rPath3 <>
  {
    sub:= rPath3, vname:= rPath4, val:= rPath5
    
    If SubStr(val,1,1) = """" && SubStr(val, 0,1) = """"
      StringMid,val,val,2,% StrLen(val)-2  ;remove excess "
    Else If SubStr(val,1,1) = "'" && SubStr(val, 0,1) = "'"
      StringMid,val,val,2,% StrLen(val)-2  ;remove excess '
    RegRead, valNow, %root%, %sub%, %vname%
    If (valNow != "")
      Return root "`n" sub "`n" vname "`n" val "`n" valNow
    Else Return 0
  }
  Else
  {
    sub:= rPath2, keycount:= 0
    Loop %root%, %sub%, 1  ;checks if key exists
      keycount++
    If (keycount > 0)
      Return root "`n" sub
    Else Return 0
  }
}

;RegValConvert (tbe function below) converts AHK format of REG_DWORD and REG_BINARY
;values to the format used by RegShot. Other value types already use equivalent
;formats. The point is to enable the script to compare the current registry values
;to those recorded by RegShot
RegValConvert(root="",sub="",vname="")
{
  Loop, %root%, %sub%
  {
    If (A_LoopRegName == vname)
    {
      VarSetCapacity(valNow,20)
      If (A_LoopRegType == "REG_DWORD")
      {
        SetFormat, IntegerFast, H
        RegRead, valNow, %root%, %sub%, %vname%
        valNow:= % "0x" SubStr("00000000" SubStr(valNow+0, 3), -7)
        SetFormat, IntegerFast, D
      }
      Else
      {
        RegRead, valNow, %root%, %sub%, %vname%
        If (A_LoopRegType == "REG_BINARY")
          valNow:= RegExReplace(valNow, "..(?=.)", "$0 ")
        Else If (A_LoopRegType == "REG_MULTI_SZ")
          StringTrimRight,valNow,valNow,1
      }
      Break
    }
  }    
  Return valNow
}

AddBranchesToTree(filelist,logtype=0)
{
  global
  local tOptions:= "bold expand", level:= 0, parent0:= 0
  local bs,file,file0,file1,prev_file,parent1,pLev,prev_parent 
  Loop,Parse,filelist,`n
  {
    If A_LoopField =
      Continue
    
    If logtype = 0
      stringsplit, parts, A_LoopField, \ ;drive + folders ( + file)
    ;remove time stamps
    parts%parts0% := RegExReplace(parts%parts0%," \(\d{14}\)$","",replaced)
    cTime:= replaced ? SubStr(A_LoopField,-14,14) : 0
    
    If logtype = 1
    {
      If colon1:= InStr(A_LoopField,":")
      {
        regstr1:= SubStr(A_LoopField, 1, colon1), regstr2:= SubStr(A_LoopField, colon1+1)
        stringsplit, parts, regstr1, \ ;drive + folders ( + file)
        parts%parts0% .= regstr2
      }
      Else 
      {
        stringsplit, parts, A_LoopField, \ ;drive + folders ( + file)
        parts%parts0% := RegExReplace(parts%parts0%," \(\d{14}\)$","",replaced)
        if replaced
          cTime:= SubStr(A_LoopField,-14,14)
      }
    }
    If (level == 0) ;first record, insert all parts
    {
      gosub build_tree
      continue
    }
    IfInString, A_LoopField, %prev_file% ;sub folders or files
    {
      gosub build_tree
      continue
    }
    line:= A_LoopField ;other drive or folder
    If (parts0 > level) ;ignore parts > level
      loop, % parts0 - level - 1
        StringLeft, line, line, % InStr(line,"\",false,0)
    Else level:= parts0 ;set level to no of parts
    loop, % level
    {
      StringLeft, line, line, % InStr(line,"\",false,0)-1  
      level--
      If (level == 0) ;other drive
        prev_file:= "", bs:= ""
      Else ;find corresponding level
      {
        prev_file:= file%level%, lineTmp:= line . "\"
        IfNotInString, lineTmp, %prev_file%\
          Continue
        If (level == 0)
          level++
      }
      gosub build_tree
      Break
    }
  }
  Return

  build_tree:
  loop, % parts0 - level
  {
    If (A_Index == 1)
    {
      tOptions:= "bold expand"
      label:= SubStr(parts%parts0%,-10)
    }
    prev_parent = parent%level%
    level++
    
    if label In (mod_after),mod_before),od_current), (modified)
      tOptions:= "expand"
    
    parent%level% := tv_add(parts%level%, %prev_parent%, tOptions)
    pLev:= parent%level%, ct%pLev%:= cTime
    
    If (level <> 1)
      bs = \
    file%level%:= prev_file bs parts%level%, prev_file:= file%level%
  }
  Return
}

AddTimesToTree(timelist)
{
  LV_Delete()  ; Clear all rows.
  GuiControl, -Redraw, MyListView  ; Improve performance by disabling redrawing during load.
  Loop, Parse, timelist, `n, `r
  {
    StringSplit, timeData,A_LoopField,`,
    LV_Add("Check", timeData1, timeData2)
  }
  GuiControl, +Redraw, MyListView
}

;kudos to JBensimon from AHK forum for the 'LastKey' trick
OpenWithRegEdit(path="")
{
  path:= "My Computer\" . path
  StringReplace,path,path,HKCR,HKEY_CLASSES_ROOT
  StringReplace,path,path,HKCU,HKEY_CURRENT_USER
  StringReplace,path,path,HKLM,HKEY_LOCAL_MACHINE
  StringReplace,path,path,HKU,HKEY_USERS
  StringReplace,path,path,HKCC,HKEY_CURRENT_CONFIG
    
  IfWinExist, Registry Editor ahk_class RegEdit_RegEdit
    WinClose
  RegWrite,REG_SZ,HKCU,Software\Microsoft\Windows\CurrentVersion\Applets\Regedit,LastKey,%path%
  run regedit.exe
}

I also wrote an InCtrl5 launcher that includes the previous script (the original log is not deleted, the launcher simply automates a few steps, then converts the InCtrl5-log (CSV-format required) into RegShot format, and saves it under the original name, but with TXT extension:

/*
THIS SCRIPT HAS TO RESIDE IN THE SAME FOLDER AS InCtrl5.EXE
IN ORDER FOR THE SETTINGS IN InCtrl5.INI TO TAKE EFFECT

written on AutoHotkey v1.0.48.03 and tested only on Windows XP/SP3

Note: Since the user may wish to load or save snapshots prior to
creating a comparison report, all 'Save As' and 'Open' windows (of the
ahk_class #32770 variety) will have to be closed before the comparison
button click will be automated.
*/

#NoEnv
#SingleInstance force
#Persistent
SetWorkingDir % A_ScriptDir
SendMode Input
SetTitleMatchMode Regex
SetBatchLines -1
SetControlDelay -1
SetWinDelay -1
Process,Priority,,AboveNormal
OnExit, HouseKeep
Menu, tray, icon, InCtrl5.exe ;InCtrl5 tray icon

     ;specify location where shots and reports should be stored
shotsDir:= "Z:\_Backups\InCtrl5logs"

;set get_cTimes to 0 to not retrieve creation times for new folders and keys
get_cTimes:= 1

;to record additional info (default = files on C:\ only and boot.ini content)
;set recordExtraInfo:= 1 and specify a folder for AHK recorded shots.
recordExtraInfo:= 0
ahkShotsDir:= "Z:\_Backups\AhkShots"
;monitoredFiles = 

IfWinExist, InCtrl5 - Install Control for Windows ahk_class TMainForm
   ExitApp

;if specified folder does not exist, use the one from InCtrl5.ini
If !InStr(FileExist(shotsDir),"D")
   IniRead,shotsDir,InCtrl5.ini,Settings,ReptPath
;if that folder doesn't exist either, use 'My Documents'
If !InStr(FileExist(shotsDir),"D")
   shotsDir:= A_MyDocuments

InputBox, repName, InCtrl5 Launcher, Input a name for this shot:,,,130
;If ErrorLevel
;   ExitApp
;Sleep, 50
WinWaitClose, InCtrl5 Launcher ahk_class #32770

If recordExtraInfo
{
   ;delete previous shots of same name
   FileDelete,%ahkShotsDir%\%repName%_InCtrl1.ini
   FileDelete,%ahkShotsDir%\%repName%_InCtrl2.ini
   ;record new shot
   Gosub, RecordAhkShot
}

Process,Exist,InCtrl5.exe
If !pid:= ErrorLevel
   Run,InCtrl5.exe,,,pid
PID = ahk_pid %pid%
WinWait,%PID%,,5
If ErrorLevel
   ExitApp
   
;if the first shot has already been taken, click install complete
ControlGetText,buttext,TButton2,%PID%
If (buttext == "&Install complete")
   ClickUntil("&Install complete",PID,"Enabled",0)
Else If (repName != "") ;set report name, take shot
{
   ClickUntil("TButton3",PID,"WinWait","Choose Report Filename")
   ControlSetText,Edit1,%shotsDir%\%repName%,Choose Report Filename
   ClickUntil("&Save","Choose Report Filename","WinWaitClose","Choose Report Filename")
}
SetTimer, check, 250

check:
   IfWinExist, InCtrl5 report preview ahk_class TReptForm
   {
      SetTimer, check, Off
      ControlGetText,repPath,TPanel1,InCtrl5 report preview ahk_class TReptForm
      If (repPath != shotsDir "\" repName ".CSV")
      {
         bs:= InStr(repPath,"\",False,0), repName2:= SubStr(repPath, bs+1), repDir2:= SubStr(repPath,1,bs-1)
         StringTrimRight,repName2,repName2,4
          
         MsgBox,4,Previous report name does not match the name specified by user
         ,Change report name to %repName2% in directory %repDir2%
         IfMsgBox, No
            ExitApp
         Else shotsDir:=repDir2, repName:=repName2
      }
      
      ClickUntil("TButton2","InCtrl5 report preview ahk_class TReptForm","WinWaitClose","InCtrl5 report preview ahk_class TReptForm")
      ClickUntil("TButton4",PID,"WinWaitClose",PID)
      If ErrorLevel
         Process, Close, InCtrl5.exe
      
      If recordExtraInfo
         Gosub, RecordAhkShot         
         
      ;check for new folders and keys and append their creation times to the report
      loop,
      {
         If FileExist(shotsDir . "\" . repName . ".CSV")
            Break
         Sleep, 250
         If (A_Index > 40)
         {
            MsgBox,,Error, cannot find report
            ExitApp
         }
      }
      Gosub, trimReport
      
      Run %shotsDir%\%repName%.TXT
      ExitApp
   }
   IfWinNotExist %PID%
      ExitApp
Return

trimReport:
   FileRead,report,%shotsDir%\%repName%.CSV
   reportClean:= "InCtrl5`nComments:`nDatetime:"

   ;folders matching RegEx criteria below will be dropped
   pattern1 = iU)C:\\(Documents\sand\sSettings\\.*\\(Application\sData\\Rising\\common|Cookies|IETldCache|Local\sSettings\\(History\\History\.IE5|Temporary\sInternet\sFiles\\Content\.IE5))|WINDOWS\\(Prefetch|system32\\Returnil\\RVS3))\\

   ;keys matching the RegEx criteria below will be dropped (these are from InCtrl5)
   pattern2 = iU)HKLM\\SYSTEM\\ControlSet002\\Control\\(Class\\\{(53D29EF7-377C-4D14-864B-EB3A85769359|7EBEFBC0-3200-11D2-B4C2-00A0C9697D07|C06FF265-AE09-48F0-812C-16753D7CBA83)}\\|MediaResources\\(icm|msacm)\\.*)
   ;convert to regshot format
   Loop,Parse,report,`n,`r
   {
      If StrLen(A_LoopField) > 65534
         Continue
      Loop,Parse,A_LoopField,CSV
         var0:= A_Index, var%A_Index%:= A_LoopField
      If var1 In Type,Header
      {
         If (A_Index == 5)
            reportClean.= var2 " " var3 "`nComputer:" A_ComputerName "`nUsername:" A_UserName
         Continue
      }
      If var3 In ignored,tracked,Action,------------
         Continue
      If (var3 == "deleted" && SubStr(var1,-3) != "file")
         Continue
      StringReplace,var3,var3,changed,modified
      section:= (var1 == "INI file" || var1 == "Text file") ? var1 " " var2 " changed" : var2 " " var3

      If (section != prevsection)
      {
         If reportCleanTemp
         {
            Sort,reportCleanTemp,U
            StringReplace,reportCleanTemp,reportCleanTemp,%A_Tab%%A_Tab%,`n,All
            reportClean.= reportCleanTemp
            reportCleanTemp=
         }
         reportClean.= "`n`n----------------------------------`n" section ":`n----------------------------------"
      }
      prevsection:= section
      If (var1 == "Registry")
      {
         StringReplace,var4,var4,HKEY_CLASSES_ROOT,HKCR
         StringReplace,var4,var4,HKEY_CURRENT_USER,HKCU
         StringReplace,var4,var4,HKEY_LOCAL_MACHINE,HKLM
         StringReplace,var4,var4,HKEY_USERS,HKU
         StringReplace,var4,var4,HKEY_CURRENT_CONFIG,HKCC
         StringReplace,var8,var8,`,,,All
         StringReplace,var9,var9,`,,,All

         If (var2 == "Keys") 
         {
            If RegExMatch(var4,pattern2)
               Continue
            reportCleanTemp.= "`n" var4
			
			If get_cTimes
			{
               created=
               bs:= InStr(var4,"\"), root:= SubStr(var4,1,bs-1), sub:= SubStr(var4, bs+1), bs:= InStr(sub,"\",False,0), key:= SubStr(sub, bs+1), sub:= SubStr(sub,1,bs-1)
               
               Loop,%root%,%sub%,2
               {
                  If (A_LoopRegName == key)
                  {
                     created:= A_LoopRegTimeModified
                     Break
                  }
               }
               If created <>
                  cTimes.= created "," var4 "`n"
			}
         }
         Else 
         {
            reportCleanTemp.= "`n" var4 "\" var5 ": "
			If (var3 == "added")
               reportCleanTemp.= var7
			Else If (var3 == "modified")
               reportCleanTemp.= var8 "`t`t" var4 "\" var5 ": " var9
         }
      }
      Else If (var1 == "Disk contents")
      {		
		If RegExMatch(var4,pattern1)
			Continue
		If Var4 Contains c:\Documents and Settings\%A_UserName%\Local Settings\Temp
		,c:\Documents and Settings\%A_UserName%\Recent
		,%A_ProgramFiles%\Rising\Rav\
		,%A_ProgramFiles%\Tall Emu\Online Armor\
		,%A_WinDir%\Temp\
			Continue
		If Var5 In 0.log,catdb,desktop.ini,edb.chk,edb.log
		,ntuser.dat,ntuser.dat.LOG,rvs3.log,software.LOG,system.LOG,tmp.edb
			Continue

         If (var2 == "Folders")
         {
			reportCleanTemp.= "`n" var4
			If get_cTimes
			{
				created=
				Loop, %var4%, 1
					created:= A_LoopFileTimeCreated
				If created <>
					cTimes.= created "," var4 "`n"
			}
         }
         Else reportCleanTemp.= "`n" var4 var5
      }
      Else If (var1 == "INI file")
      {
         reportCleanTemp.= "`n" var4 ": value '" var5 "' " var3
         If (var3 == "modified")
            reportCleanTemp.= " from " var6 " to " var7
      }
      Else If (var1 == "Text file")
         tmp:= (var3 == "added") ? "to" : "from", reportCleanTemp.= (var5 == "") ? "`n" var4 ": new line " var3 " " tmp " line " var6 : "`n" var4 ": '" var5 "' " var3 " " tmp " line " var6
   }
   report=
   If reportCleanTemp
   {
      Sort,reportCleanTemp,U
      StringReplace,reportCleanTemp,reportCleanTemp,%A_Tab%%A_Tab%,`n,All
         reportClean.= reportCleanTemp
}

;append times new folder and keys were created
If (get_cTimes && cTimes != "")
{
   reportClean.= "`n`n----------------------------------`nFolder/key creation times:`n----------------------------------"
   varOld:= "NoZeroLengthError", var1:= var2:= ""
	
   ;remove duplicates	
   Sort, cTimes, N U
   StringTrimRight,cTimes,cTimes,1
   Loop,Parse,cTimes,`n
   {
      ;remove subfolders with same time stamps
      lo:= StrLen(varOld), varNew:= SubStr(A_LoopField,1,lo)
      If (varOld == varNew)
         Continue
      StringSplit,var,A_LoopField,`,
      If (var1 == var1old)
         reportClean.= "`t|`t" var2
      Else
      {
         FormatTime, cTime, %var1%, M/d/yyyy hh:mm:ss tt
         reportClean.= "`n" cTime " (" var1 "), " var2
      }
      var1old:= var1, var2old= var2, varOld:= A_LoopField
   }
}

;remove emtry section headings
pattern3 = mU)-{34}\n[a-zA-Z: ]+\n-{34}\n(\n|$)
reportClean:= RegExReplace(reportClean,pattern3,"")

;delete previous copy (not original) if one exists
FileDelete, %shotsDir%\%repName%.TXT
FileAppend, %reportClean%,%shotsDir%\%repName%.TXT
Return

/*
the RecordAhkShot subroutine is a carry-on from my regshot launcher, which I added to
it to mimic InCtrl5's built-in tracking capability for user-specified ini and text files.

I left it in for users (maybe myself) who, for example, want to only track files added
to C:\ without the manadatory recursion into subfolders programmed into InCtrl5.
*/
RecordAhkShot:
   sNum:= FileExist(ahkShotsDir . "\" . repName . "_InCtrl1.ini") ? 2 : 1, ahkShot:= "[MAIN]", contents:= ""
   
   Loop, C:\*.*, 1, 0
   {
      ahkShot.= "`n" A_LoopFileName "=" A_LoopFileTimeCreated "," A_LoopFileTimeModified "," A_LoopFileAttrib
      
      If A_LoopFileName In %monitoredFiles%
      {
         FileRead, fileContent, %A_LoopFileFullPath%
         StringReplace,fPath,A_LoopFileFullPath,:
         StringReplace,fPath,fPath,\,_,All
         StringReplace,fileContent,fileContent,[,{{,All
         StringReplace,fileContent,fileContent,],}},All         
         contents.= "[" . fPath . "]`n" . fileContent . "`n"
      }
   }
   FileAppend,%ahkShot%`n`n%contents%,%ahkShotsDir%\%repName%_InCtrl%sNum%.ini
Return

HouseKeep:
   If cTimes
   {
      ;remove duplicates
      Sort, cTimes, U
      reportClean.= "`n`n----------------------------------`nFolder/key creation times:`n----------------------------------`n" cTimes
      FileAppend, %reportClean%,%shotsDir%\%repName%.TXT
   }
   If (recordExtraInfo == 1 && sNum == 1)
      FileAppend,%ahkShot%`n`n%contents%,%ahkShotsDir%\%repName%_InCtrl2.ini
ExitApp

ClickUntil(button="",window="",action="",waitFor="")
{
   loop, 6
   {
      ControlClick,%button%,%window%
      If (action == "WinWait")
      {
         WinWait,%waitFor%,,0.5
         If !ErrorLevel
            Break
      }
      Else If (action == "WinWaitClose")
      {
         WinWaitClose,%waitFor%,,0.5
         If !ErrorLevel
            Break         
      }
      Else If (action = "Enabled")
      {
         controlget,state,%action%,,%button%,%window%
         If (state == waitfor)
            Break
         Sleep, 500
      }
   }
}

disclaimer: use at your own risk... work in progress... customize the ignore lists... bla bla bla...

Hardware: fast laptop with SSD
Software: Win 7 Home Premium 64-bit, android for phone and tablet


Icarus
  • Members
  • 851 posts
  • Last active: Jan 02 2012 11:17 AM
  • Joined: 24 Nov 2005
Sounds good pajenn
RegShot is command line I assume, yes?

EDIT:
In fact - why would you need to use an external utility?
Why not use AHKs registry functions, to save your own "shots"?
Sector-Seven - Freeware tools built with AutoHotkey

pajenn
  • Members
  • 391 posts
  • Last active: Feb 06 2015 07:57 AM
  • Joined: 07 Feb 2009

Sounds good pajenn
RegShot is command line I assume, yes?


No.

]EDIT:
In fact - why would you need to use an external utility?
Why not use AHKs registry functions, to save your own "shots"?


Maybe, but RegShot is fast, free, and most importantly, it's already there. The problem is the output - it logs a big text file of all changes. You can specify directories and registry keys to exclude in the ini file, but even then it's too much trouble to manually look up those all log file entries.

Here's the scenario: You uninstall a some program with Windows Add/Remove, Revo Uninstaller, or some other uninstaller. Because you don't like leftovers/problems on your machine, you had spent an extra ~5 min to create a RegShot log of the changes made by the installer. But the log is 1000 lines long (maybe...), so looking up each value manually is too slow. That's where AHK would come in.

I'm writing a script that (a) cleans up the original log file, (B) checks the entties and drops values from it that don't exist anymore, © displays the result in TreeView with option to delete the file/folder/reg entry, or jump to it in windows explorer or a reg editor of your choice.

So far I'm still on (a) where test_file.txt is a RegShot log file (this script should be in the same directory):

#SingleInstance, Force

#r::
FileRead, RegShot, test_file.txt
matcher := 1, section = ""
Sleep, 500
If not ErrorLevel  ; Successfully loaded.
{ Loop  ;remove empty lines
  { StringReplace,RegShot,RegShot, `r`n`r`n, `r`n, UseErrorLevel
    if ErrorLevel = 0  ; No more replacements needed.
      break
  }
  Sleep, 500  ;split file into sections
  Loop, parse, RegShot, `n, `r, %A_Space%%A_Tab%
  { If A_LoopField = ----------------------------------   
      matcher *= -1  
    Else If matcher = -1     
      StringTrimRight, section, A_LoopField, 4
    Else If section !=
      FileAppend, %A_LoopField%`n, tester_%section%.txt
  }
  FileDelete, tester_%section%.txt  ; remove "Total changes" file
}
matcher = RegShot = section =
SoundPlay *-1  ; beeps when done
TrayTip, RegShot file modified, Empty Lines removed, 10, 1
Return

And my regshot.ini file:

[Setup]
Flag=3
ExtDir=C:\WINDOWS;C:\Documents and Settings;C:\Program Files\Common Files;C:\Program Files\InstallShield Installation Information;
OutDir=Z:\_Backups\RegShots
UseLongRegHead=0

[SkipRegKey]
0=ShellNoRoam
1=ControlSet001
2=ControlSet002
3=ControlSet003
4=FastCopy
5=iexplore
6=Hardware
7=Prefetcher
8=Power
9=RecentDocs
10=RNG
11=SchedulingAgent
12=SessionInformation
13=UserAssist
14=Explorer
15=LopeSoft

[SkipDir]
0=wbem
1=CatRoot2
2=Temp
3=Prefetch
4=Rising
5=Start Menu
6=regshot_1.8.2_src_bin
7=ERDNT
8=CleanMem
9=Recent
10=Bill2_Software
11=Bill2's Process Manager
12=RegFromApp
13=Tasks
14=Copernic
15=OnlineArmor


Note: I only scan windows, docs&settings, and a few program file folders because I just want the tricky leftovers that a regular uninstaller may miss. Not sure ignoring iexplore and explorer keys is safe, but I don;t use the former, and the latter picks up way too much noise so that's why... Any suggestions for folders/keys to include or exclude are welcome.

Hardware: fast laptop with SSD
Software: Win 7 Home Premium 64-bit, android for phone and tablet


Icarus
  • Members
  • 851 posts
  • Last active: Jan 02 2012 11:17 AM
  • Joined: 24 Nov 2005
Alright.
Sounds like this RegShot is not doing much....

There is a Loop Registry function in AHK, where you can create your shots with a single line.
Sector-Seven - Freeware tools built with AutoHotkey

pajenn
  • Members
  • 391 posts
  • Last active: Feb 06 2015 07:57 AM
  • Joined: 07 Feb 2009
A snapshot of a the registry is ~40MB for my laptop (.hiv-file). The idea is to use RegShot to record a shot before and after an installation, then compare the two, and produce a small log file of the differences. I realize AHK can do that too, but you'd probably have to be serious programmer to do it efficiently. I'm only an enthusiast, so I'd rather stick with RegShot, and use AHK to analyze its output.

Hardware: fast laptop with SSD
Software: Win 7 Home Premium 64-bit, android for phone and tablet


Slanter
  • Members
  • 739 posts
  • Last active: Jul 08 2011 05:26 AM
  • Joined: 28 May 2008
It shouldn't be too difficult to do with AHK, here's a rather basic one that seems to get the job done
SetBatchLines, -1
Roots = HKLM|HKU|HKCU|HKCR|HKCC
Reg  := A_Now
Loop, Parse, Roots, |
{
   Loop, %A_LoopField%,, 0, 1
   {
      RegRead, Value
      IniWrite, %Value%, Reg_%Reg%.ini
        , %A_LoopRegKey%\%A_LoopRegSubKey%
        , % A_LoopRegName ? A_LoopRegName : "Default"
   }
}

EDIT: You can also back up the entire registry via command line (probably similar to what regshot does).
regedit /e C:\MyReg.hiv
; AHK
Run, %comspec% /c regedit /e C:\MyReg.hiv,, HIDE

Unless otherwise stated, all code is untested

(\__/) This is Bunny.
(='.'=) Cut, copy, and paste bunny onto your sig.
(")_(") Help Bunny gain World Domination.

pajenn
  • Members
  • 391 posts
  • Last active: Feb 06 2015 07:57 AM
  • Joined: 07 Feb 2009

; AHK
Run, %comspec% /c regedit /e C:\MyReg.hiv,, HIDE


Thanks for the code. Maybe I'll use it later to try to duplicate RegShot's function i.e. Compare the before and after shots for differences, parse the result to exclude certain keys and values, then append it to a log file. Plus I'd have to also take snapshots of certain directories; C:\Windows, C:\Documents and Settings and some program files. For now though I'm still working with the RegShot output.

Below is my current code. It takes a Regshot log (test_file.txt in this example), and chops it up into 6 separate text files (for the moment), with only the entries that still exist.

edit: I added "SetFormat, IntegerFast, Hex" to script, and "if..." checks to remove excess quotes from registry values put in by RegShot.

#SingleInstance, Force
SetFormat, IntegerFast, Hex

#r::
filename := "testlog"  ;name of RegShot file
FileRead, RegShot, %filename%.txt
Sleep, 500
matcher := 1, section := ""
If not ErrorLevel  ; Successfully loaded.
{ Loop  ;remove empty lines
  { StringReplace,RegShot,RegShot, `r`n`r`n, `r`n, UseErrorLevel
    if ErrorLevel = 0  ; No more replacements needed.
      break
  }
  Sleep, 500  ;split file into sections
  Loop, parse, RegShot, `n, `r, %A_Space%%A_Tab%
  { If A_LoopField = ----------------------------------
      matcher*= -1
    Else If matcher = -1     
    { colon:= InStr(A_LoopField, ":" ) - 1   
      section:= SubStr(A_LoopField, 1, colon)   
      StringReplace, section, section, [attributes?]%A_Space%
    }
    Else
    { If (section = "Folders added") && FileExist(A_LoopField)        
        FileAppend, %A_LoopField%`n, %filename%_%section%.txt
      If (section = "Files added") && FileExist(A_LoopField)  
        FileAppend, %A_LoopField%`n, %filename%_%section%.txt
      If (section = "Files modified") && FileExist(A_LoopField)
        FileAppend, %A_LoopField%`n, %filename%_%section%.txt
      If (section = "Keys added")
      { keycount:= 0, slash1:= InStr(A_LoopField, "" )
        root:= SubStr(A_LoopField, 1, slash1-1), sub:= SubStr(A_LoopField, slash1+1)
        Loop %root%, %sub%, 1, 1  ; checks if key exists
          keycount++
        If (keycount > 0)
          FileAppend, %root%\%sub%`n, %filename%_%section%.txt
      }
      If (section = "Values added")
      { slash1:= InStr(A_LoopField, "" ), colon1:= InStr(A_LoopField, ":" )     
        temp:= SubStr(A_LoopField, 1, colon1), slash2:= InStr(temp,"",false,0)
        StringLeft, root, A_LoopField, % slash1-1
        StringMid, sub, A_LoopField, slash1+1, slash2-slash1-1
        StringMid, vname, A_LoopField, slash2+1, colon1-slash2-1
        StringRight, val, A_LoopField, % StrLen(A_LoopField)-colon1-1
        If InStr(val, """", false, 1) = 1 && InStr(val, """", false, 0) = StrLen(val)
          StringMid, val, val, 2, % StrLen(val)-2  ;remove excess "
        RegRead, valNow, %root%, %sub%, %vname%
        If ErrorLevel != 1  ;if no problem
        { If ( val = valNow )
            FileAppend, %root%\%sub%\%vname%:%A_Space%%val%`n, %filename%_%section%.txt
          else
            FileAppend, %root%\%sub%\%vname%:`n%A_Tab%%val%%A_Tab%[BEFORE]`n%A_Tab%%valNow%%A_Tab%[AFTER]`n, %filename%_%section%.txt
        }
      }
      If (section = "Values modified")
      { slash1:= InStr(A_LoopField, "" ), colon1:= InStr(A_LoopField, ":" )     
        temp:= SubStr(A_LoopField, 1, colon1), slash2:= InStr(temp,"",false,0)
        StringReplace, section, section, [attributes?]%A_Space%
        StringLeft, root, A_LoopField, % slash1-1
        StringMid, sub, A_LoopField, slash1+1, % slash2-slash1-1
        StringMid, vname, A_LoopField, slash2+1, % colon1-slash2-1
        StringRight, val, A_LoopField, % StrLen(A_LoopField)-colon1-1
        If InStr(val, """", false, 1) = 1 && InStr(val, """", false, 0) = StrLen(val)
          StringMid, val, val, 2, % StrLen(val)-2  ;remove excess "
        RegRead, valNow, %root%, %sub%, %vname%
        If ErrorLevel != 1  ;if no problem
        { If ( val = valNow )
            FileAppend, %root%\%sub%\%vname%:%A_Space%%val%`n, %filename%_%section%.txt
          else
            FileAppend, %root%\%sub%\%vname%:`n%A_Tab%%val%%A_Tab%[BEFORE]`n%A_Tab%%valNow%%A_Tab%[AFTER]`n, %filename%_%section%.txt
        }
      }
    }
  }
}
SoundPlay *-1
TrayTip, RegShot cleaned, Script done, 10, 1
return

Problem: RegRead retrieves a different version of the value than RegShot for instances such as shown in the pic (actual value show in an open reg editor, ValB4 is from RegShot log while ValNow is from RegRead):
Posted Image

Any idea how to get the other type of REG_DWORD value?

Still to do:
Need to combine all existing entries into tree- or list view interface that let's me jump to the folder or reg key containing the clicked entry.

For Later: I'd like to add options to automatically search for entries created at the time of the installation, maybe double check (do a search) to see if some of the non-existent entries have moved to a different location, and also to automatically google a file name or reg value name (in case you are trying to decide whether it's safe to delete or not).

Hardware: fast laptop with SSD
Software: Win 7 Home Premium 64-bit, android for phone and tablet


pajenn
  • Members
  • 391 posts
  • Last active: Feb 06 2015 07:57 AM
  • Joined: 07 Feb 2009
I was missing

SetFormat, IntegerFast, Hex

now RegRead retrieves the value in the same format as RegShot.

Now I need to figure out how to put these into tree- or listview with available actions when clicked.

Hardware: fast laptop with SSD
Software: Win 7 Home Premium 64-bit, android for phone and tablet


pajenn
  • Members
  • 391 posts
  • Last active: Feb 06 2015 07:57 AM
  • Joined: 07 Feb 2009
UPDATE:

Here's a barebones verion of the RegShot project. I plan to keep working on this, but may or may not post updates (not sure anyone else is interested in this so...)

Requires:
1. RegShot (v1.8.2) log with UseLongRegHead=0 option enabled. i.e. I'm using abbreviations for root keys, HKLM instead of HKEY_LOCAL_MACHINE. If you do not abbreviate, the script may require changes to accommodate.
2. Sean's ShellFolder.ahk script to use the current Hotkey, APPSKEY+LeftClick on RegShot log, or replace the hotkey portion at the beginning.
3. RegWorkshop: I use it to to open Reg entries from TreeView. RegEdit doesn't have the 'jump to' option as far as I know, but you may substitute in your own favorite RegEditor.

Here's my current RegShot.ini file (ignore dirs include just my antivirus, firewall and recent documents):

Note: I suggest to monitor only the ExtDir below to keep logging fast (about 1 minute per shot). IMO, include all of program files dir in the snapshot is a waste of time because the regular uninstaller will normally take care of that, and the program's main folder is easy to find (and delete) anyway, the idea here is more to find those tricky left-behind files and values that normal uninstallers miss:

[Setup]
Flag=3
ExtDir=C:\WINDOWS;C:\Documents and Settings;C:\Program Files\Common Files;C:\Program Files\InstallShield Installation Information;
OutDir=Z:\_Backups\RegShots
UseLongRegHead=0

[SkipRegKey]
0=
1=
2=
3=

[SkipDir]
0=Rising
1=OnlineArmor
2=Recent
3=

Next, you need an IgnoreList.txt of files and directories to ignore. Here's mine as an example (I would have used the built-in variables, %A_WINDIR%, %A_AppData%, etc. but they wouldn't go through the FileRead function):

ntuser.dat
,Mozilla\Firefox\Profiles\k2qzu7cz.default
,Cookies\index.dat
,C:\Documents and Settings\pajenn\Application Data\Microsoft\HTML Help\hh.dat
,C:\Documents and Settings\pajenn\Application Data\Scooter Software\Beyond Compare 3
,C:\Documents and Settings\pajenn\Application Data\Microsoft\CryptnetUrlCache\MetaData
,C:\Documents and Settings\pajenn\Local Settings\Application Data\Bill2_Software
,C:\Documents and Settings\pajenn\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
,C:\Documents and Settings\pajenn\Local Settings\Application Data\Mozilla\Firefox\Profiles\k2qzu7cz.default
,C:\Documents and Settings\pajenn\Local Settings\History\History.IE5
,C:\Documents and Settings\pajenn\Local Settings\Temporary Internet Files\Content.IE5
,C:\Documents and Settings\pajenn\Local Settings\Temporary Internet Files\desktop.ini
,C:\Windows\Debug\PASSWD.LOG
,C:\Windows\erdnt
,C:\Windows\Prefetch
,C:\Windows\Rav.ini
,C:\Windows\Sandboxie.ini
,C:\Windows\Security\edb.chk
,C:\Windows\Security\edb.log
,C:\Windows\system32\CatRoot2
,C:\Windows\system32\config\AppEvent.Evt
,C:\Windows\system32\config\default
,C:\Windows\system32\config\SecEvent.Evt
,C:\Windows\system32\config\sam
,C:\Windows\system32\config\security
,C:\Windows\system32\config\software
,C:\Windows\system32\config\SysEvent.Evt
,C:\Windows\system32\config\system
,C:\Windows\system32\wbem
,C:\Windows\Tasks\Clean System Memory.job
,C:\Windows\wiadebug.log
,C:\Windows\wiaservc.log
,C:\Windows\WindowsUpdate.log
,HKLM\HARDWARE\RESOURCEMAP
,HKLM\SOFTWARE\Microsoft\Cryptography\RNG
,HKLM\SOFTWARE\Microsoft\EventSystem
,HKLM\SOFTWARE\Microsoft\SchedulingAgent
,HKLM\SOFTWARE\Microsoft\UPnP Device Host
,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State
,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData
,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RecentDocs
,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher
,HKLM\SOFTWARE\Microsoft\WZCSVC
,HKLM\SYSTEM\ControlSet001\Control\Session Manager
,HKLM\SYSTEM\ControlSet001\Enum
,HKLM\SYSTEM\ControlSet002\Control\Session Manager
,HKLM\SYSTEM\ControlSet002\Enum
,HKLM\SYSTEM\ControlSet003\Control\Session Manager
,HKLM\SYSTEM\ControlSet003\Enum
,HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses
,HKLM\SYSTEM\CurrentControlSet\Control\ServiceCurrent
,HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
,HKLM\SYSTEM\CurrentControlSet\Enum
,SessionInformation\ProgramCount
,Software\LopeSoft\FileMenu Tools
,Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon
,Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
,Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories
,Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\ShellNew
,Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
,Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder
,Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
,Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
,Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage
,Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
,Software\Microsoft\Windows\CurrentVersion\Explorer\Streams
,Software\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify
,Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
,Software\Microsoft\Windows\CurrentVersion\Ext\Stats
,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
,Software\Microsoft\Windows\CurrentVersion\Shell Extensions
,Software\Microsoft\Windows\Shell\Bags
,Software\Microsoft\Windows\ShellNoRoam\BagMRU
,Software\Microsoft\Windows\ShellNoRoam\Bags
,Software\Microsoft\Windows\ShellNoRoam\MUICache
,Software\UniExtract\Directory
,Software\UniExtract\File
,Software\WinRAR

I suggest taking a few snapsnots without installing anything between them, and looking at the logs as controls for what to add to the ignore list i.e. what's noise.

The main script is currently in two parts - I just found it easier to work on it like that. The first script 'cleans' a RegShot log by removing the IgnoreList items, and entries that don't exist anymore - the idea is to run the script post regular uninstall, so ideally there should be no entries remaining, it saves the cleaned output into two text files (for files and registry values, respectively):

/*
This script cleans up RegShot output in the following ways:

-drops summary info, empty lines, deleted files/values, etc.
-drops "background noise" defined by the included "IgnoreList.txt" (you 
should customize the file for your needs.)
-checks the existence of the remaining entries, and in the case of
changed registry values, reports their current value as well.

TAGS:
-untagged files and values were "Added" during the installation, or otherwise
recorded by RegShot as "Folders/Files Added" or "Keys/Values Added."
-"modified" tag refers to files that RegShot recorded as "Files [attributes?] 
modified" or "Values modified" that have been re-modified since then.
-"old" and "new" tags refers to "Added" registry entries that still exist, but
have a different value than before.
-"mod_old" and "mod_new" refers to "Modified" registry entries that still exist, 
but have a different (re-modified) value from before.
*/

#SingleInstance, Force
SetBatchLines, -1

#IfWinActive ahk_class CabinetWClass
APPSKEY & LBUTTON::
SF := ShellFolder()
StringSplit,SFV, SF, `r`n
filename:= RegExReplace( SFV2, "Focus:	" )
StringTrimRight, filename, filename, 4
SF =
SFV =
matcher := 1, section := ""
Loop, Read, IgnoreList.txt
	IgnoreList .= A_LoopReadLine
Loop, Read, %filename%.txt
{
  If A_LoopReadLine !=
  {
    If A_LoopReadLine not contains %IgnoreList%
    {
      If A_LoopReadLine = ----------------------------------  
        matcher*= -1
      Else If matcher = -1     
      { 
        StringLeft, section, A_LoopReadLine, % InStr(A_LoopReadLine,":")-1       
        StringReplace, section, section, [attributes?]%A_Space%
      }
      Else
      {
        If (section = "Folders added")
        {
          If FileExist(A_LoopReadLine)
            FileAppend, %A_LoopReadLine%`n, %filename%_Files.txt
          Else
            IgnoreList .= A_LoopReadLine
        }
        If (section = "Files added") && FileExist(A_LoopReadLine)  
          FileAppend, %A_LoopReadLine%`n, %filename%_Files.txt
        If (section = "Files modified") && FileExist(A_LoopReadLine)
          FileAppend, %A_LoopReadLine%%A_Space%(modified)`n, %filename%_Files.txt
        If (section = "Keys added")
        { 
          If RegEntrySplit(A_LoopReadLine) = 0
            IgnoreList .= A_LoopReadLine
          Else
            FileAppend, %root%\%sub%`n, %filename%_RegEntries.txt
        }
        If (section = "Values added")
        { 
          If RegEntrySplit(A_LoopReadLine) != 0
          {
            valNow:= RegValConvert(root,sub,vname)
            If vname =
              vname:= "(Default)"
            If (val = valNow)
              FileAppend, %root%\%sub%\%vname%:%A_Space%%val%`n, %filename%_RegEntries.txt
            Else
              FileAppend, %root%\%sub%\%vname%:%A_Space%%val%%A_Space%(old)`n%root%\%sub%\%vname%:%A_Space%%valNow%%A_Space%(new)`n, %filename%_RegEntries.txt
          }
        }
      }
      If (section = "Values modified")
      {
        If RegEntrySplit(A_LoopReadLine) != 0
        {
          valNow:= RegValConvert(root,sub,vname)
          If vname =
              vname:= "(Default)"
          If (val = valNow)
            FileAppend, %root%\%sub%\%vname%:%A_Space%%val%%A_Space%(modified)`n, %filename%_RegEntries.txt
          Else
            FileAppend, %root%\%sub%\%vname%:%A_Space%%val%%A_Space%(mod_old)`n%root%\%sub%\%vname%:%A_Space%%valNow%%A_Space%(mod_new)`n, %filename%_RegEntries.txt
        }
      }
    }
  }
}
IgnoreList =
RegShot =
files := values := 0
Sleep, 100

;The next two If statements are used to sort the the file and registry value entries
If FileExist(filename . "_Files.txt")
{
  files := 1
  FileRead, list, %filename%_Files.txt
  list := RegExReplace(list, "(.*?);(\d+)(\n|$)", "$2;$1$3") ; swap number with path
  Sort, list ; sort list in reverse numeric order
  list := RegExReplace(list, "(\d+);(.*?)(\n|$)", "$2;$1$3") ; swap back
  FileDelete, %filename%_Files.txt
  FileAppend, %list%, %filename%_Files.txt
}
Sleep, 100
If FileExist(filename . "_RegEntries.txt")
{
  values := 1
  FileRead, list, %filename%_RegEntries.txt
  list := RegExReplace(list, "(.*?);(\d+)(\n|$)", "$2;$1$3") ; swap number with path
  Sort, list ; sort list in reverse numeric order
  list := RegExReplace(list, "(\d+);(.*?)(\n|$)", "$2;$1$3") ; swap back
  FileDelete, %filename%_RegEntries.txt
  FileAppend, %list%, %filename%_RegEntries.txt
  list =
}

; Checks the output that's left after cleaning
If (files = 1) && (values = 1)
  TrayTip, RegShot cleaned, Saved to %filename%_Files.txt`n and %filename%_RegEntries.txt, 10, 1
Else If (files = 1) && (values = 0)
  TrayTip, Regshot cleaned: No reg enries.,File log saved to %filename%_Files.txt, 10, 1
Else If (files = 0) && (values = 1)
  TrayTip, Regshot cleaned: No file enries., Registry log saved to %filename%_Files.txt, 10, 1
Else
{
  MsgBox, No %filename% entries found:`nEither they've already been uninstalled and removed, or an error occurred.
  ExitApp
}

;the code below is used to launch the output in treeview

Sleep, 100
MsgBox, 4,, Do you wish to see the output in TreeView?
IfMsgBox No
  ExitApp

oCB := ClipboardAll
ClipBoard := filename      

Run RegShotTrees.ahk
WinWait, RegShotTrees.ahk
Sleep, 100
ClipBoard := oCB

RegEntrySplit(RegString="")
{ 
  bslash:= InStr(RegString, "\" )
  global root:= SubStr(RegString, 1, bslash-1), sub:= SubStr(RegString, bslash+1)
  If colon:= InStr(sub, ":" )
  {
    global val:= SubStr(sub, colon+2),valNow:=""
    If SubStr(val,1,1) = """" && SubStr(val, 0,1) = """"
      StringMid,val,val,2,% StrLen(val)-2  ;remove excess "
    sub:= SubStr(sub, 1, colon-1)
    bslash:= InStr(sub,"\",false,0)
    global vname:= SubStr(sub, bslash+1)
    sub:= SubStr(sub, 1, bslash-1)
        
    RegRead, valNow, %root%, %sub%, %vname%
    If !valNow
      Return 0
    Else
      Return root "`n" sub "`n" vname "`n" val "`n" valNow
  }
  Else
  {
    Loop %root%, %sub%, 1, 1  ; checks if key exists
      keycount++
    If (keycount > 0)
      Return root "`n" sub
    Else
      Return 0
  }
}

RegValConvert(root="",sub="",vname="")
{
  Loop, %root%, %sub%
  {
    If A_LoopRegName = %vname%
    {
      VarSetCapacity(valNow,20)
      If A_LoopRegType = REG_DWORD
      {
        SetFormat, IntegerFast, H
        RegRead, valNow, %root%, %sub%, %vname%
        valNow:= % "0x" SubStr("00000000" SubStr(valNow+0, 3), -7)
        SetFormat, IntegerFast, D
      }
      Else If A_LoopRegType = REG_BINARY
      {
        RegRead, valNow, %root%, %sub%, %vname%
        valNow:= RegExReplace(valNow, "..(?=.)", "$0 ")
      }
      Else
        RegRead, valNow, %root%, %sub%, %vname%
      Break
    }
  }
  Return valNow
}

Last, here's a script that will represent the out in TreeView format. The status bar shows the parent path, and time the file was created, or last write time in case of registry (sub)keys. You should jot down the creation time of the main program folder pre-uninstall to you for identifying leftovers; in fact, I like to do a full reg and file search for entries created at the very time +/-1 minute to identify extras. Right-clicking a tree item should open the folder containing it, or (if you have RegWorkshop) the key containing it. If you don't use RegWorkshop, then you should replace it with you own preferred editor in the script below:

filename:= Clipboard
filelog:= filename . "_Files.txt"
reglog:= filename . "_RegEntries.txt"

TreeViewWidth := 500
Gui +Resize
Gui, Add, TreeView, AltSubmit RightClick vFileTree r40 w%TreeViewWidth% gFileTree
Gui, Add, TreeView, AltSubmit RightClick vRegTree r40 w%TreeViewWidth% ym gRegTree
Gui, Add, StatusBar
SB_SetParts(1.65*TreeViewWidth)

Gui, TreeView, SysTreeView321
AddBranchesToTree(filelog) ; list needs to be sorted
Gui, TreeView, SysTreeView322
AddBranchesToTree(reglog,1) ; list needs to be sorted
Gui, Show  ; Show the window and its TreeView.
Return

FileTree:  ; This subroutine handles user actions (such as clicking).
If A_GuiEvent <> S  ; i.e. an event other than "select new tree item".
   Return  ; Do nothing.

TV_GetText(SelectedItemText, A_EventInfo)
varname:= SelectedItemText
ParentID := A_EventInfo
Loop  ; Build the full path to the selected folder.
{
   ParentID := TV_GetParent(ParentID)
   If not ParentID  ; No more ancestors.
      Break
   TV_GetText(ParentText, ParentID)
   SelectedItemText  = %ParentText%\%SelectedItemText%
}
SelectedPath = %TreeRoot%\%SelectedItemText%

StringTrimLeft, SelectedPath, SelectedPath, 1
StringTrimRight, SelectedPath, SelectedPath, % StrLen(varname)+1

StringRight, check, varname, 10
If check = (modified)
   StringTrimRight, varname, varname, 11
check=

SB_SetText(SelectedPath, 1)

Loop, %SelectedPath%\%varname%,1
   created:= A_LoopFileTimeCreated
FormatTime, created, %created%, MMM d, yyyy hh:mm:ss tt
SB_SetText("Created: " created, 2)
Return

RegTree:  ; This subroutine handles user actions (such as clicking).
If A_GuiEvent <> S  ; i.e. an event other than "select new tree item".
   Return  ; Do nothing.
TV_GetText(SelectedItemText, A_EventInfo)
varname:= SelectedItemText
ParentID := A_EventInfo

Loop  ; Build the full path to the selected folder.
{
   ParentID := TV_GetParent(ParentID)
   If not ParentID  ; No more ancestors.
      break
   TV_GetText(ParentText, ParentID)
   SelectedItemText  = %ParentText%\%SelectedItemText%
}
SelectedPath = %TreeRoot%\%SelectedItemText%

StringTrimLeft, SelectedPath, SelectedPath, 1
StringTrimRight, SelectedPath, SelectedPath, % StrLen(varname)+1

StringRight, check1, varname, 10
StringRight, check2, varname, 5
StringRight, check3, varname, 9

If check1 = (modified)
   StringTrimRight, varname, varname, 11
If check2 in (new),(old)
   StringTrimRight, varname, varname, 6
If check3 in (mod_new),(mod_old)
   StringTrimRight, varname, varname, 10
SB_SetText(SelectedPath, 1)
check1=
check2=
check3=

bs1:= InStr(SelectedPath, "\" )
rkey:= SubStr(SelectedPath, 1, bs1-1), skey:= SubStr(SelectedPath, bs1+1)
last_write=
Loop,%rkey%,%skey%,2
{
   If A_LoopRegName = %varname%
   {
      last_write:= A_LoopRegTimeModified
      ;Break
   }
}
If last_write !=
   FormatTime, last_write, %last_write%, MMM d, yyyy hh:mm:ss tt
SB_SetText("Last write: " last_write, 2)
Return

GuiContextMenu:
If SubStr(SelectedPath,1,2) = "HK"
{
   ;col1:= InStr(varname, ":" )
   ;RegValname:= SubStr(varname, 1, bs1-1)
   Run "C:\Program Files\Registry Workshop\RegWorkshop.exe" /g %SelectedPath%
}
Else
   Run %COMSPEC% /c explorer.exe /select`, %SelectedPath%\%varname%,, Hide
Return

GuiSize:  ; Expand/shrink the ListView and TreeView in response to user's resizing of window.
If A_EventInfo = 1  ; The window has been minimized.  No action needed.
    return
; Otherwise, the window has been resized or maximized. Resize the controls to match.
GuiControl, Move, FileTree, % "H" . (A_GuiHeight - 30)  ; -30 for StatusBar and margins.
GuiControl, Move, RegTree, % "H" . (A_GuiHeight - 30)  ; -30 for StatusBar and margins.
return

GuiEscape:
GuiClose:  ; Exit the script when the user closes the TreeView's GUI window.
ExitApp

AddBranchesToTree(filelist,logtype=0)
{
   level = 0
   parent0 = 0
   loop, read, % filelist
   {
      If A_LoopReadLine =
         continue
      If logtype = 0
         stringsplit, parts, A_LoopReadLine, \   ; drive + folders ( + file)
      If logtype = 1
      {
         If colon1:= InStr(a_loopreadline,":")
         {
            regstr1:= SubStr(a_loopreadline, 1, colon1)
            regstr2:= SubStr(a_loopreadline, colon1+1)
            stringsplit, parts, regstr1, \   ; drive + folders ( + file)
            parts%parts0% .= regstr2
         }
         Else
            stringsplit, parts, a_loopreadline, \   ; drive + folders ( + file)
      }
      If level = 0            ; first record, insert all parts
      {
         gosub build_tree
         continue
      }
      IfInString, A_LoopReadLine, %prev_file%   ; sub folders or files
      {
         gosub build_tree
         continue
      }
                     ; other drive or folder
      line := A_LoopReadLine              
      If (parts0 > level)         ; ignore parts > level
         loop, % parts0 - level - 1
            StringLeft, line, line, % InStr(line,"\",false,0)
      Else
         level := parts0         ; set level to no of parts
      loop, % level
      {
         StringLeft, line, line, % InStr(line,"\",false,0)-1  
         level--
         If level = 0         ; other drive
         {
            prev_file =
            bs =
         }
         Else               ; find corresponding level
         {
            prev_file := file%level%
            ifnotinstring, line, %prev_file%
               continue
            If level = 0
               level++
         }
         gosub build_tree
         break
      }
   }
   return

build_tree:
   loop, % parts0 - level
   {
      prev_parent = parent%level%
      level++
      parent%level% := tv_add(parts%level%, %prev_parent%, "expand")
      If level <> 1
         bs = \
      file%level% := prev_file bs parts%level%
      prev_file := file%level%
   }
   return
}

Kudos:
Credit for the treeview script goes to hd0202 (Hubert) and I also got valuable tips from Lexikos and others.

Warning: I'm a still an AHK amateur, so this script could probably be implemented much more elegantly. Also, this script probably has bugs in it, as I've only tested it on my own logs on my own laptop.

To do:
I may or may not post updates, but that aside I will continue to work on the script. I want to add options to the right-click "menu," and I want to run add a strict install time to the RegShot log, or another log, and use it in conjunction with NirSoft's RegScanner and SearchMyFiles (both tiny freewares) to search and log for files and reg entries created at that time, and then incorporate those logs into the existing treeview. For example, I could highlight the entries that match the installation time - if an entry is in the RegShot log and was created at the same time as the program was installed, then you can be close to 100% sure it's a leftover from the program.

Hardware: fast laptop with SSD
Software: Win 7 Home Premium 64-bit, android for phone and tablet


pajenn
  • Members
  • 391 posts
  • Last active: Feb 06 2015 07:57 AM
  • Joined: 07 Feb 2009
By the way, I also found a modified versions of RegShot. One by Paraglider, that saves the logs in .reg format, and can also be used on BartPE rescue media. The other, an unofficial unicode version of RegShot, aka RegShot2, was available on various Russian or Czech sites. The version I tried did not have the option to include files in snapshots, but the registry side appeared more advanced...

Hardware: fast laptop with SSD
Software: Win 7 Home Premium 64-bit, android for phone and tablet


ShayneM
  • Guests
  • Last active:
  • Joined: --
There is a little tool for undoing changes made as detcted by RegShot - its called UndoREG;

You can fine it here

http://www.majorgeek...oad.php?det=966

Hope this helps :-)

paxophobe
  • Members
  • 93 posts
  • Last active: Jan 22 2011 07:01 PM
  • Joined: 10 Nov 2007

By the way, I also found a modified versions of RegShot. One by Paraglider, that saves the logs in .reg format, and can also be used on BartPE rescue media. The other, an unofficial unicode version of RegShot, aka RegShot2, was available on various Russian or Czech sites. The version I tried did not have the option to include files in snapshots, but the registry side appeared more advanced...


Not true... Regshot2 takes snapshots of file changes.

here is my ini file
[Settings]
Language=English
UseRemote=no
ReportFolder=d:\regshots
ReportName=whatever
ButtonsMenu=no
AutoCompare=yes
StoreOnQuit=no
Fileshot=yes

[Report]
DataLimit=128
DeletedKey=RootKeyOnly
NewKey=AllValues
SelectIgnoreKeys=no
CurrentUser=yes
UseExclude=yes

[Registry.Exclude]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit=1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography=1
HKEY_LOCAL_MACHINE\HARDWARE\RESOURCEMAP=1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem=1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UPnP Device Host=1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer=1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WZCSVC=1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager=1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum=1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VFILT=1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager=1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum=1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\VFILT=1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager=1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum=1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VFILT=1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs=1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU=1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage=1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU=1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist=1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats=1
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags=1
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU=1
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags=1
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache=1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams=1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify=1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions=1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher=1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Themes\LastTheme=1
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop=1

[Restore.Reg]
MakeUndo=yes
MakeRedo=yes
TxtExtension=no
Open=no
Regedit5=yes

[Restore.Inf]
MakeUndo=no
MakeRedo=no
TxtExtension=no
Open=no
UseVariables=yes

[Fileshot]
CRC32=no
MD5=no
SizeLimit=no
SizeMax=1024

[Folders]
C:\=1


[Folders.Exclude]

[Templates]
*.*=1
*.=1

also, here is a launcher I made for regshot2 which makes it so you can't accidently forget to put in a new name for the shot and also forget to take the first shot (a problem I had many times)

regshot2Launcher.ahk
#NoEnv
#SingleInstance 	Ignore
#Persistent
SetWorkingDir 		% A_ScriptDir
SendMode 			Input
SetTitleMatchMode 	Regex
SetBatchLines		-1
SetControlDelay 	-1
SetWinDelay 		-1

shots = d:\regshots
Menu, tray, icon, regshot.exe

IfWinExist Regshot ahk_class #32770
	ExitApp

Else
{
	Run Regshot.exe,,, PID

	PID = ahk_pid %pid%

	Loop
	IfWinExist %pid%
		break
	
}



InputBox, i, Regshot, Input a name for this shot:,,, 120
if ErrorLevel
{
	winkill %pid%
	Exitapp
}

ControlSetText Edit2, %i%, %pid%
ControlClick Button1, %pid%
settimer check, 10

check:
	WinGet state, MinMax, %PID%
	If State = -1
	{
		process, close, regshot.exe
		run %shots%
		Exitapp
	}	

	IfWinNotExist %pid%
		ExitApp
return

Regshot2 is superior. It creates an html file of all changes, plus it creates registry redo and undo files with no conversion to .reg from some extra program needed.

oldHacker
  • Members
  • 14 posts
  • Last active: Oct 20 2009 12:04 AM
  • Joined: 05 Feb 2008
defacto app for those making non-portable apps portable. also check out RegFromApp.

RegFromApp monitors the Registry changes made by the application that you selected, and creates a standard RegEdit registration file (.reg) that contains all the Registry changes made by the application. You can use the generated .reg file to import these changes with RegEdit when it's needed.


i'm sure most will find many other usefull apps at nirSoft.

pajenn
  • Members
  • 391 posts
  • Last active: Feb 06 2015 07:57 AM
  • Joined: 07 Feb 2009
Been away (without internet) for 3 weeks, but at least I had time to work a bit more on this RegShot project. This script is much improved, and works well for me, but I'm sure I'll find some bugs in there. Also, I haven't finished several of the features I wanted to include.

to do:
-you can add file and reg entries to the "probably harmless" list, I haven't figured out how to integrate it with the treeview portion i.e. I want to display entries on the "probably harmless" list in non-bold, faded, gray, ... font.
-I want to add an option to snapshot a drive or folder, say C:, without having to include all subfolders.
-I want to use AHK to retrieve creation times for new folders and registry keys right after the second snapshot/compare, and append those to the regshot report. then display entries created within x seconds of those times in different color in the treeview. (for small programs, all the new files are often created within 1 or 2 seconds of each other, so I often use that to determine if a file or reg value was added by the program or whether it's just background noise).
-I still use RegWorkshop as my editor of choice, so the script uses that to open reg entries, but I plan to write a version of the OpenWithRegWksp function for the built-in windows RegEdit.

Here's the script (although I will be tweaking and updating it for the next few days):

/*
-This script cleans up RegShot output by removing "background noise" 
 defined by the included list of entries (user should customize the list.)
-RegShot log file needs to be in the same directory as the script.
-only tested on winXP/SP3 AutoHotkey v1.0.48.03 and RegShot v1.8.2
*/
#NoEnv
#SingleInstance, Force
SetBatchLines, -1
SetWorkingDir, %A_ScriptDir%

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;                                                               ;;;
;;;   Below specify options                                       ;;;
;;;   (generally, on = 0 on and off = 1)                          ;;;
;;;                                                               ;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

denoise_On = 0   ;option to save regshot after initial denoising
saveFileList = 1 ;option to save list of denoised files remaining on system
saveRegList = 1  ;option to save list of denoised reg entries remaining on system

GroupAdd, Explore, ahk_class CabinetWClass
GroupAdd, Explore, ahk_class ExploreWClass

#IfWinActive ahk_group Explore
^r::
ControlGetText, Dir, Edit1, A
ControlGet, file, List, Focused Col1, SysListView321, A
filepath:= StrLen(Dir)=3 ? dir . file : dir . "\" . file
StringTrimRight, filename, file, 4

shotClean=
If (denoise_On == 1)
  FileDelete, %filename%_denoised.txt ;if exists

Loop, HKEY_CURRENT_USER,Software\Microsoft\Protected Storage System Provider,2
  UserSID:= A_LoopRegName

FileRead, shot, %filepath%

;following loop changes long reg root key names to short form, if necessary
Loop, Parse, shot, `n,`r
{
  ;change long root key names to abbreviations (if necessary)
  StringReplace,thisline,A_LoopField,HKEY_CLASSES_ROOT\,HKCR\
  StringReplace,thisline,thisline,HKEY_CURRENT_USER\,HKCU\
  StringReplace,thisline,thisline,HKEY_LOCAL_MACHINE\,HKLM\
  StringReplace,thisline,thisline,HKEY_USERS\,HKU\
  StringReplace,thisline,thisline,HKEY_CURRENT_CONFIG\,HKCC\
  
  If thisline Contains \ntuser.dat,\Cookies\index.dat,\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG,\Local Settings\desktop.ini
    ,C:\Documents and Settings\Administrator.%A_ComputerName%\Local Settings\Application Data\AnVir\
    ,%A_AppDataCommon%\Application Data\Rising\common\
    ,%A_AppDataCommon%\ABBYY\Retail.ScreenshotReader\9.00\Licenses\ProductLicensing.log
    ,C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
    ,C:\Documents and Settings\LocalService\Local Settings\desktop.ini
    ,C:\Documents and Settings\%A_UserName%\ntuser.ini
    ,%A_AppData%\Microsoft\CryptnetUrlCache\Content
    ,%A_AppData%\Microsoft\CryptnetUrlCache\MetaData    
    ,%A_AppData%\Microsoft\HTML Help\hh.dat
    ,%A_AppData%\Mozilla\Firefox\Profiles\k2qzu7cz.default
    ,%A_AppData%\Scooter Software\Beyond Compare 3
    ,C:\Documents and Settings\%A_UserName%\IETldCache\index.dat
    ,C:\Documents and Settings\%A_UserName%\Local Settings\Application Data\Bill2's Process Manager\
    ,C:\Documents and Settings\%A_UserName%\Local Settings\Application Data\Bill2_Software
    ,C:\Documents and Settings\%A_UserName%\Local Settings\Application Data\IconCache.db
    ,C:\Documents and Settings\%A_UserName%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
    ,C:\Documents and Settings\%A_UserName%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
    ,C:\Documents and Settings\%A_UserName%\Local Settings\Application Data\Microsoft\Windows Media\11.0\WMSDKNSD.XML
    ,C:\Documents and Settings\%A_UserName%\Local Settings\Application Data\Mozilla\Firefox\Profiles\k2qzu7cz.default
    ,C:\Documents and Settings\%A_UserName%\Local Settings\desktop.ini
    ,C:\Documents and Settings\%A_UserName%\Local Settings\History\desktop.ini    
    ,C:\Documents and Settings\%A_UserName%\Local Settings\History\History.IE5
    ,C:\Documents and Settings\%A_UserName%\Local Settings\Temp\
    ,C:\Documents and Settings\%A_UserName%\Local Settings\Temporary Internet Files\Content.IE5
    ,C:\Documents and Settings\%A_UserName%\Local Settings\Temporary Internet Files\desktop.ini
    ,C:\Documents and Settings\%A_UserName%\SendTo\Bluetooth File Transfer Wizard.LNK
    ,C:\Documents and Settings\%A_UserName%\SendTo\desktop.ini
    ,%A_ProgramFiles%\Everything\Everything.db,%A_ProgramFiles%\Everything\Everything.ini
    ,%A_WinDir%\0.log,%A_WinDir%\bootstat.dat,%A_WinDir%\bthservsdp.dat
    ,%A_WinDir%\Rav.inf,%A_WinDir%\Rav.ini,%A_WinDir%\Sandboxie.ini,%A_WinDir%\Debug\PASSWD.LOG
    ,%A_WinDir%\erdnt,%A_WinDir%\Prefetch,%A_WinDir%\Security\edb.chk,%A_WinDir%\Security\edb.log
    ,%A_WinDir%\SoftwareDistribution\DataStore\DataStore.edb
    ,%A_WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk
    ,%A_WinDir%\SoftwareDistribution\DataStore\Logs\edb.log
    ,%A_WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb  
    ,%A_WinDir%\system32\BsMain.ini
    ,%A_WinDir%\system32\CatRoot2
    ,%A_WinDir%\system32\config\AppEvent.Evt
    ,%A_WinDir%\system32\config\default
    ,%A_WinDir%\system32\config\SecEvent.Evt
    ,%A_WinDir%\system32\config\sam
    ,%A_WinDir%\system32\config\security
    ,%A_WinDir%\system32\config\software
    ,%A_WinDir%\system32\config\SysEvent.Evt
    ,%A_WinDir%\system32\config\system
    ,%A_WinDir%\system32\LogFiles\WUDF\WUDFTrace.etl
    ,%A_WinDir%\system32\perf
    ,%A_WinDir%\system32\wbem
    ,%A_WinDir%\system32\wpa.dbl
    ,%A_WinDir%\Tasks\Clean System Memory.job,%A_WinDir%\Tasks\SA.DAT,%A_WinDir%\Tasks\SCHEDLGU.TXT
    ,%A_WinDir%\Temp\Perflib_Perfdata,%A_WinDir%\Temp\RavTemp,%A_WinDir%\Temp\WGAErrLog.txt
    ,%A_WinDir%\wiadebug.log,%A_WinDir%\wiaservc.log
    ,%A_WinDir%\WindowsUpdate.log
    ,HKLM\HARDWARE\DESCRIPTION\System
    ,HKLM\HARDWARE\DEVICEMAP\Scsi
    ,HKLM\HARDWARE\RESOURCEMAP
    ,HKLM\SOFTWARE\Broadcom\802.11
    ,HKLM\SOFTWARE\Microsoft\Cryptography\RNG
    ,HKLM\SOFTWARE\Microsoft\EventSystem
    ,HKLM\SOFTWARE\Microsoft\Rpc\UuidSequenceNumber
    ,HKLM\SOFTWARE\Microsoft\Rpc\WBEM\CIMON
    ,HKLM\SOFTWARE\Microsoft\Rpc\WBEM\Transports\Decoupled\Server
    ,HKLM\SOFTWARE\Microsoft\SchedulingAgent
    ,HKLM\SOFTWARE\Microsoft\UPnP Device Host
    ,HKLM\SOFTWARE\Microsoft\WBEM\CIMOM\ProcessID
    ,HKLM\SOFTWARE\Microsoft\WBEM\PROVIDERS\Performance\Performance Refreshed
    ,HKLM\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\CreationTime
    ,HKLM\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\MarshaledProxy
    ,HKLM\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\ProcessIdentifier
    ,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State
    ,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData
    ,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RecentDocs
    ,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Rav\DisplayVersion
    ,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LicenseInfo
    ,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher
    ,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
    ,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\WgaLogon\Settings
    ,HKLM\SOFTWARE\Microsoft\WZCSVC
    ,HKLM\SOFTWARE\rising\Rav\Version
    ,HKLM\SYSTEM\ControlSet001\Control\Session Manager
    ,HKLM\SYSTEM\ControlSet001\Enum
    ,HKLM\SYSTEM\ControlSet002\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0005\GlobalSettings\Cmplx\Node000
    ,HKLM\SYSTEM\ControlSet002\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#    
    ,HKLM\SYSTEM\ControlSet002\Control\Lsa\LsaPid
    ,HKLM\SYSTEM\ControlSet002\Control\Print\Providers\LogonTime
    ,HKLM\SYSTEM\ControlSet002\Control\Session Manager
    ,HKLM\SYSTEM\ControlSet002\Control\Watchdog\Display\ShutdownCount
    ,HKLM\SYSTEM\ControlSet002\Control\Windows\ShutdownTime
    ,HKLM\SYSTEM\ControlSet002\Enum
    ,HKLM\SYSTEM\ControlSet002\Services\Dhcp\Parameters\{CB5197AD-D73A-4647-A7B9-21959A0AC4DF}
    ,HKLM\SYSTEM\ControlSet002\Services\Dhcp\Parameters\{9B5BD65E-7AB9-4A8B-BD34-FC9647252CFC}
    ,HKLM\SYSTEM\ControlSet002\Services\ialm\Device0\HardwareInformation.Crc32
    ,HKLM\SYSTEM\ControlSet002\Services\lanmanserver\parameters\Guid
    ,HKLM\SYSTEM\ControlSet002\Services\SharedAccess\Epoch\Epoch: 0x0000B0F3
    ,HKLM\SYSTEM\ControlSet002\Services\SynTP\Parameters\DetectTimeMS
    ,HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{9209A459-27B0-4707-9470-6297A52C59C4}\NTEContextList
    ,HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{9B5BD65E-7AB9-4A8B-BD34-FC9647252CFC}
    ,HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{CB5197AD-D73A-4647-A7B9-21959A0AC4DF}
    ,HKLM\SYSTEM\ControlSet002\Services\{9B5BD65E-7AB9-4A8B-BD34-FC9647252CFC}\Parameters\Tcpip
    ,HKLM\SYSTEM\ControlSet002\Services\{CB5197AD-D73A-4647-A7B9-21959A0AC4DF}\Parameters\Tcpip\Lease
    ,HKLM\SYSTEM\ControlSet002\Services\{CB5197AD-D73A-4647-A7B9-21959A0AC4DF}\Parameters\Tcpip\T
    ,HKLM\SYSTEM\ControlSet003\Control\Lsa\LsaPid
    ,HKLM\SYSTEM\ControlSet003\Control\Print\Providers\LogonTime
    ,HKLM\SYSTEM\ControlSet003\Control\Watchdog\Display\ShutdownCount
    ,HKLM\SYSTEM\ControlSet003\Control\Windows\ShutdownTime
    ,HKLM\SYSTEM\ControlSet003\Control\ServiceCurrent
    ,HKLM\SYSTEM\ControlSet003\Control\Session Manager    
    ,HKLM\SYSTEM\ControlSet003\Enum    
    ,HKLM\SYSTEM\ControlSet003\Services\a8hdx80i    
    ,HKLM\SYSTEM\ControlSet003\Services\Dhcp\Parameters\{9B5BD65E-7AB9-4A8B-BD34-FC9647252CFC}
    ,HKLM\SYSTEM\ControlSet003\Services\Dhcp\Parameters\{CB5197AD-D73A-4647-A7B9-21959A0AC4DF}    
    ,HKLM\SYSTEM\ControlSet003\Services\ialm\Device0\HardwareInformation.Crc32
    ,HKLM\SYSTEM\ControlSet003\Services\lanmanserver\parameters\Guid
    ,HKLM\SYSTEM\ControlSet003\Services\mssmbios\Data\BiosData
    ,HKLM\SYSTEM\ControlSet003\Services\SharedAccess\Epoch\Epoch
    ,HKLM\SYSTEM\ControlSet003\Services\SynTP\Parameters\DetectTimeMS
    ,HKLM\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{9B5BD65E-7AB9-4A8B-BD34-FC9647252CFC}
    ,HKLM\SYSTEM\ControlSet003\Services\{9B5BD65E-7AB9-4A8B-BD34-FC9647252CFC}\Parameters\Tcpip
    ,HKLM\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{CB5197AD-D73A-4647-A7B9-21959A0AC4DF}\DhcpRetryTime
    ,HKLM\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{CB5197AD-D73A-4647-A7B9-21959A0AC4DF}\Lease
    ,HKLM\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{CB5197AD-D73A-4647-A7B9-21959A0AC4DF}\T
    ,HKLM\SYSTEM\ControlSet003\Services\{CB5197AD-D73A-4647-A7B9-21959A0AC4DF}\Parameters\Tcpip\Lease
    ,HKLM\SYSTEM\ControlSet003\Services\{CB5197AD-D73A-4647-A7B9-21959A0AC4DF}\Parameters\Tcpip\T
    ,HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses
    ,HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LsaPid
    ,HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime
    ,HKLM\SYSTEM\CurrentControlSet\Control\ServiceCurrent
    ,HKLM\SYSTEM\CurrentControlSet\Control\Session Manager    
    ,HKLM\SYSTEM\CurrentControlSet\Control\Watchdog\Display\ShutdownCount
    ,HKLM\SYSTEM\CurrentControlSet\Control\Windows\ShutdownTime
    ,HKLM\SYSTEM\CurrentControlSet\Enum    
    ,HKLM\SYSTEM\CurrentControlSet\Services\a8hdx80i
    ,HKLM\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\{9B5BD65E-7AB9-4A8B-BD34-FC9647252CFC}
    ,HKLM\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\{CB5197AD-D73A-4647-A7B9-21959A0AC4DF}
    ,HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum
    ,HKLM\SYSTEM\CurrentControlSet\Services\hpdskflt\Enum
    ,HKLM\SYSTEM\CurrentControlSet\Services\ialm\Device0\HardwareInformation.Crc32
    ,HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum
    ,HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\Guid
    ,HKLM\SYSTEM\CurrentControlSet\Services\LVUSBSta\Enum
    ,HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data\BiosData
    ,HKLM\SYSTEM\CurrentControlSet\Services\PartMgr\Enum
    ,HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch
    ,HKLM\SYSTEM\CurrentControlSet\Services\snapman380\Enum
    ,HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters\DetectTimeMS
    ,HKLM\SYSTEM\CurrentControlSet\Services\tdrpman174\Enum
    ,HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9B5BD65E-7AB9-4A8B-BD34-FC9647252CFC}
    ,HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CB5197AD-D73A-4647-A7B9-21959A0AC4DF}\DhcpRetryTime
    ,HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CB5197AD-D73A-4647-A7B9-21959A0AC4DF}\Lease
    ,HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CB5197AD-D73A-4647-A7B9-21959A0AC4DF}\T    
    ,HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum
    ,HKLM\SYSTEM\CurrentControlSet\Services\{9B5BD65E-7AB9-4A8B-BD34-FC9647252CFC}\Parameters\Tcpip
    ,HKLM\SYSTEM\CurrentControlSet\Services\{CB5197AD-D73A-4647-A7B9-21959A0AC4DF}\Parameters\Tcpip\Lease
    ,HKLM\SYSTEM\CurrentControlSet\Services\{CB5197AD-D73A-4647-A7B9-21959A0AC4DF}\Parameters\Tcpip\T     
    ,HKU\%UserSID%\SessionInformation\ProgramCount
    ,HKU\%UserSID%\Software\Analog Devices\IFShare\{7524D05B-038A-4015-A453-C426CAEB4462}\OEMInfo
    ,HKU\%UserSID%\Software\Broadcom\802.11\AuthDom
    ,HKU\%UserSID%\Software\Broadcom\802.11\AuthUser
    ,HKU\%UserSID%\Software\Broadcom\802.11\AuthPass
    ,HKU\%UserSID%\Software\LopeSoft\FileMenu Tools
    ,HKU\%UserSID%\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon
    ,HKU\%UserSID%\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
    ,HKU\%UserSID%\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories
    ,HKU\%UserSID%\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\ShellNew
    ,HKU\%UserSID%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
    ,HKU\%UserSID%\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder
    ,HKU\%UserSID%\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\
    ,HKU\%UserSID%\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
    ,HKU\%UserSID%\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
    ,HKU\%UserSID%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo
    ,HKU\%UserSID%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage
    ,HKU\%UserSID%\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
    ,HKU\%UserSID%\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams
    ,HKU\%UserSID%\Software\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify
    ,HKU\%UserSID%\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
    ,HKU\%UserSID%\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
    ,HKU\%UserSID%\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    ,HKU\%UserSID%\Software\Microsoft\Windows\CurrentVersion\Shell Extensions
    ,HKU\%UserSID%\Software\Microsoft\Windows\Shell\Bags
    ,HKU\%UserSID%\Software\Microsoft\Windows\ShellNoRoam\BagMRU
    ,HKU\%UserSID%\Software\Microsoft\Windows\ShellNoRoam\Bags
    ,HKU\%UserSID%\Software\Microsoft\Windows\ShellNoRoam\MUICache
    ,HKU\%UserSID%\Software\UniExtract\Directory,HKU\%UserSID%\Software\UniExtract\File
    ,HKU\%UserSID%\Software\WinRAR
    Continue
  shotClean.= thisline . "`n"
}
shot=

;Checks the output that's left after cleaning
If (shotClean == "")
{
  MsgBox, 4,, No entries left:`nEither they were all noise or or an error occurred.`nDo you wish to continue script?
  IfMsgBox No
    ExitApp
  Return
}
Else If (denoise_On == 1)
  FileAppend, %shotClean%, %filename%_denoised.txt

/*
This script cleans up RegShot output in the following ways:
-drops summary info, empty lines, deleted files/values, etc.
-drops "background noise" defined by the included "IgnoreList.txt" (you 
should customize the file for your needs.)
-checks the existence of the remaining entries, and in the case of
changed registry values, reports their current value as well.

TAGS:
-untagged files and values were "Added" during the installation, or otherwise
recorded by RegShot as "Folders/Files Added" or "Keys/Values Added."
-"modified" tag refers to files that RegShot recorded as "Files [attributes?] 
modified" or "Values modified" that have been re-modified since then.
-"added" and "current" tags refers to "Added" registry entries that still exist, but
have a different value than before.
*/

;clear values (not necessary, but just in case)...
var1:=var2:=var3:=var4:=var5:=root:=rPath:=sub:=val:=valNow:=vname:=FilesX:=RegX:=message1:=""
matcher:= 1, modOld:= 1, section:= ""
FileRead, IgnoreList, %A_ScriptDir%\IgnoreList.txt

Loop,Parse,shotClean,`n,`r
{
  If (A_LoopField == "")
    Continue
  If A_LoopField Not Contains %IgnoreList%
  { ;regshot marks sections heading with a series of dashes
    If (A_LoopField == "----------------------------------")
      matcher*= -1
    Else If (matcher == -1)
    { 
      StringLeft, section, A_LoopField, % InStr(A_LoopField,":")-1       
      StringReplace,section,section,[attributes?]%A_Space%
    }
    Else
    {
      If (section == "Folders added")
      {
        If FileExist(A_LoopField)
          FilesX.= A_LoopField . "`n"
        Else IgnoreList.= ( IgnoreList=="" ) ? A_LoopField : "," . A_LoopField ;if key doesn't exist, ignore values for it
      }
      If (section == "Files added") && FileExist(A_LoopField)  
        FilesX.= A_LoopField . "`n"
      If (section == "Files modified") && FileExist(A_LoopField)
        FilesX.= A_LoopField . " (modified)`n"
      If (section == "Keys added")
      {
        If RegEntrySplit(A_LoopField) = 0
          IgnoreList.= ( IgnoreList == "" ) ? A_LoopField : "," . A_LoopField ;if key doesn't exist, ignore values for it
        Else RegX.= root . "\" . sub . "`n"
      }
      If (section == "Values added")
      {
        If RegEntrySplit(A_LoopField) != 0
        {
          valNow:= RegValConvert(root,sub,vname)
          If (vname == "") ;use '(Default)' notation for nameless values
            vname:= "(Default)"
          If (val == valNow)
            RegX.= root . "\" . sub . "\" . vname ": " . val . "`n"
          Else RegX.= root . "\" . sub . "\" . vname ": " . val . " (added)`t`t" . root . "\" . sub . "\" . vname ": " . valNow . " (current)`n"
        }
      }
      If (section == "Values modified")
      {
        If RegEntrySplit(A_LoopField) != 0
        {
          If (vname == "")
            vname:= "(Default)"
          ;for modified reg entries, regShot displays the new value after the old one
          ;tabs are used instead of newlines to separate before/after/current values 
          ;in order to preserve their order during an alphabetaical sort later on
          ;after the sort, they will be replaced with newlines
          If modOld
            RegX.= root . "\" . sub . "\" . vname ": " . val . " (mod_before)`t`t", modOld:=0
          Else
          {
            valNow:= RegValConvert(root,sub,vname)
            If (val == valNow)
              RegX.= root . "\" . sub . "\" . vname ": " . val . " (mod_after)`n"
            Else If (val != valNow)
              RegX.= root . "\" . sub . "\" . vname ": " . val . " (mod_after)`t`t" . root . "\" . sub . "\" . vname ": " . valNow . " (current)`n", modOld:= 1
          }
        }
      }
    }
  }
}
;MsgBox ignores: %IgnoreList%
IgnoreList=

;The next two If statements are used to sort the the file and registry entries
If (FilesX != "")
{
  StringTrimRight,FilesX,FilesX,1 ;remove last empty line
  FilesX:= RegExReplace(FilesX, "(.*?);(\d+)(\n|$)", "$2;$1$3") ;swap number with path
  Sort, FilesX ;sort list in reverse numeric order
  FilesX:= RegExReplace(FilesX, "(\d+);(.*?)(\n|$)", "$2;$1$3") ;swap back
  If (saveFileList == 1)
  {
    message1.= "File log saved to " . filename . "_Files.txt`n"
    FileDelete, %filename%_Files.txt
    FileAppend, %FilesX%, %filename%_Files.txt
  }
}
Else message1.= "No leftover file enries detected`n"
If (RegX != "")
{  
  StringTrimRight,RegX,RegX,1 ;remove last empty line
  RegX := RegExReplace(RegX, "(.*?);(\d+)(\n|$)", "$2;$1$3") ;swap number with path
  Sort, RegX ;sort list in reverse numeric order
  RegX := RegExReplace(RegX, "(\d+);(.*?)(\n|$)", "$2;$1$3") ;swap back
  ;Replace tabs used to separate before/after/current modified registry
  ;values (to preserve their order during sorting) with newlines
  StringReplace, RegX, RegX,%A_Tab%%A_Tab%,`n,All
  If (SubStr(RegX,0,1) == "`n")
    StringTrimRight,RegX,RegX,1
  If (saveRegList == 1)
  {
    message1.= "Registry log saved to " . filename . "_Reg.txt"
    FileDelete, %filename%_Reg.txt
    FileAppend, %RegX%, %filename%_Reg.txt
  }
}
Else message1.= "No leftover reg enries detected"

;Checks the output that's left after cleaning
If (FilesX == "" && RegX == "")
{
  MsgBox,4,No %filepath% entries found:,Either they have already been uninstalled/removed, or an error occurred.`nDo you wish to keep the script active?
  IfMsgBox No
    ExitApp
  Return
}
Else TrayTip, RegShot cleaned, %message1%, 10, 1

;RegX.= "`nHKU\S-1-5-21-1343024091-57989841-839522115-1003x\XXX\{29B0828D-FC91-1173-6CDA-3CB0CF6A44BB}\Version\(Default):"

;Entries on probably harmless list are displayed in regular font (as opposed to boldface)
;the list is intended to contain values that the user is either still evaluating (before
;adding them to the Ignore List, or that are frequently modified or added during reboots
;or otherwise as part of normal Windows XP operation, and should not be deleted unless
;user has special reason for doing so.
NoHarm=
FileRead, NoHarm, %A_ScriptDir%\ProbablyHarmless.txt
/* 
kudos to hd0202 (Hubert) for the core treeview script here:
http://www.autohotkey.com/forum/viewtopic.php?p=264219#264219
*/

TreeViewWidth:= (A_ScreenWidth-30)/2
Gui, Add, TreeView, AltSubmit RightClick vFileTree r40 w%TreeViewWidth% gFileTree
Gui +Resize
Gui, Add, TreeView, AltSubmit RightClick vRegTree r40 w%TreeViewWidth% ym gRegTree
Gui +VScroll +HScroll
Gui, Add, StatusBar
SB_SetParts(1.65*TreeViewWidth)

Gui, TreeView, SysTreeView321
AddBranchesToTree(FilesX) ;list needs to be sorted
Gui, TreeView, SysTreeView322
AddBranchesToTree(RegX,1) ;list needs to be sorted
OnMessage(0x203, "DOUBLECLICK") ; double-click opens file in new window
Gui, Show  ;Show the window and its TreeView.
Return

FileTree:  ;This subroutine handles user actions (such as clicking).
If A_GuiEvent <> S  ;i.e. an event other than "select new tree item".
   Return  ;Do nothing.
TV_GetText(SelectedItemText, A_EventInfo)
varname:= SelectedItemText
ParentID:= A_EventInfo
Loop  ;Build the full path to the selected folder.
{
   ParentID:= TV_GetParent(ParentID)
   If not ParentID  ;No more ancestors.
      Break
   TV_GetText(ParentText, ParentID)
   SelectedItemText = %ParentText%\%SelectedItemText%
}
SelectedPath = %TreeRoot%\%SelectedItemText%
StringTrimLeft, SelectedPath, SelectedPath, 1
StringTrimRight, SelectedPath, SelectedPath, % StrLen(varname)+1
varname:= RegExReplace( varname, "i)\s\((added|current|modified)\)$","")

SB_SetText(SelectedPath, 1)

Loop, %SelectedPath%\%varname%,1
   created:= A_LoopFileTimeCreated
FormatTime, created, %created%, MMM d, yyyy hh:mm:ss tt
SB_SetText("Created: " created, 2)
Return

RegTree:  ;This subroutine handles user actions (such as clicking).
If A_GuiEvent <> S  ;i.e. an event other than "select new tree item".
   Return  ;Do nothing.
TV_GetText(SelectedItemText, A_EventInfo)
varname:= SelectedItemText
ParentID := A_EventInfo

Loop  ;Build the full path to the selected folder.
{
  ParentID := TV_GetParent(ParentID)
  If not ParentID  ; No more ancestors.
    break
  TV_GetText(ParentText, ParentID)
  SelectedItemText  = %ParentText%\%SelectedItemText%
}
SelectedPath = %TreeRoot%\%SelectedItemText%
StringTrimLeft, SelectedPath, SelectedPath, 1
StringTrimRight, SelectedPath, SelectedPath, % StrLen(varname)+1
varname:= RegExReplace( varname, "\s\((added|current|modified|mod_after|mod_before)\)$","")

SB_SetText(SelectedPath, 1)

RegExMatch(SelectedPath,"i)(HKLM|HKCR|HKCU|HKU|HKCC)\\(?:((.*)\\(.*?)(?::\s)(.*)|.*))", rPath)

last_write=
Loop,%rPath1%,%rPath2%,2
{
  If (A_LoopRegName == varname)
  {
    last_write:= A_LoopRegTimeModified
    Break
  }
}
If last_write <>
  FormatTime, last_write, %last_write%, MMM d, yyyy hh:mm:ss tt
SB_SetText("Last write: " last_write, 2)
Return

GuiContextMenu:
Menu, RegshotCleanerMenu, Add,
Menu, RegshotCleanerMenu, DeleteAll
If (A_GuiControl == "FileTree")
{
  Menu, RegshotCleanerMenu, Add, Go to selected file entry, MenuHandler
  Menu, RegshotCleanerMenu, Add, Delete file or folder, MenuHandler
  Menu, RegshotCleanerMenu, Add, Add entry to Ignore List, MenuHandler
  Menu, RegshotCleanerMenu, Add, Add entry to Probably Harmeless List, MenuHandler
}
Else
{
  Menu, RegshotCleanerMenu, Add, Go to selected reg entry, MenuHandler
  Menu, RegshotCleanerMenu, Add, Delete registry entry, MenuHandler
  
  idd:= TV_GetSelection(), chid_idd:= TV_GetChild(idd)
  
  If chid_idd
  {
    Menu, RegshotCleanerMenu, Add, Add entry to Ignore List, MenuHandler
    Menu, RegshotCleanerMenu, Add, Add entry to Probably Harmeless List, MenuHandler
  }
}
Menu, RegshotCleanerMenu, Show
Return

DOUBLECLICK()
{
  global SelectedPath, varname
  
  MouseGetPos,,,, control,1
  winNum:= SubStr(control,0,1)
  If (winNum == "2")
    OpenWithRegWksp(SelectedPath . "\" . varname)
  Else Run %COMSPEC% /c explorer.exe /select`, %SelectedPath%\%varname%,, Hide
}

MenuHandler:
If (A_ThisMenuItem == "Go to selected file entry")
  Run %COMSPEC% /c explorer.exe /select`, %SelectedPath%\%varname%,, Hide
Else If (A_ThisMenuItem == "Go to selected reg entry")
  OpenWithRegWksp(SelectedPath . "\" . varname)
Else If (A_ThisMenuItem == "Delete file or folder")
{
  MsgBox,4,Confirm Deletetion,Are you sure you want to delete`n%SelectedPath%\%varname%?
  IfMsgBox, Yes
    FileDelete, %SelectedPath%\%varname%
}
Else If (A_ThisMenuItem == "Delete registry entry")
{
  MsgBox,4,Confirm Deletetion,Are you sure you want to delete`n%SelectedPath%\%varname%?
  IfMsgBox, No
    Return
  bsDel:= InStr(SelectedPath,"\"), rootDel:= SubStr(SelectedPath,1,bsDel-1), subDel:= SubStr(SelectedPath, bsDel+1)
  If colDel:= InStr(varname,":")
  {
    valDel:= SubStr(varname,1,colDel-1)
    RegDelete,%rootDel%,%subDel%,%valDel%
  }
  Else RegDelete,%rootDel%,%subDel%\%varname%
}
Else If (A_ThisMenuItem == "Add entry to Ignore List")
{
  If FileExist(A_ScriptDir . "\IgnoreList.txt")
    FileAppend, `,%SelectedPath%\%varname%, %A_ScriptDir%\IgnoreList.txt
  Else FileAppend, %SelectedPath%\%varname%, %A_ScriptDir%\IgnoreList.txt
  TrayTip,Ignore List addition,`n%SelectedPath%\%varname% was added to`n%A_ScriptDir%\IgnoreList.txt,10
}
Else If (A_ThisMenuItem == "Add entry to Probably Harmeless List")
{
  If FileExist(A_ScriptDir . "\ProbablyHarmless.txt")
    FileAppend, `,%SelectedPath%\%varname%, %A_ScriptDir%\ProbablyHarmless.txt
  Else FileAppend, %SelectedPath%\%varname%, %A_ScriptDir%\ProbablyHarmless.txt
  TrayTip,Probably Harmeless List addition,%SelectedPath%\%varname% was added to`n%A_ScriptDir%\ProbablyHarmless.txt,10
}
Return

GuiSize:  ;Expand/shrink the ListView and TreeView in response to user's resizing of window.
If (A_EventInfo == 1)  ;The window has been minimized.  No action needed.
  Return
;Otherwise, the window has been resized or maximized. Resize the controls to match.
GuiControl, Move, FileTree, % "H" . (A_GuiHeight - 30)  ;-30 for StatusBar and margins.
GuiControl, Move, RegTree, % "H" . (A_GuiHeight - 30)  ;-30 for StatusBar and margins.
Return

GuiEscape:
GuiClose:  ;Exit the script when the user closes the TreeView's GUI window.
ExitApp

RegEntrySplit(RegString="")
{
  global
  RegExMatch(RegString,"i)^(HKLM|HKCR|HKCU|HKU|HKCC)\\(?:((.*)\\(.*?)(?::\s)(.*)|.*))", rPath)
  
  root:= rPath1
  If rPath3 <>
  {
    sub:= rPath3, vname:= rPath4, val:= rPath5
    
    If SubStr(val,1,1) = """" && SubStr(val, 0,1) = """"
      StringMid,val,val,2,% StrLen(val)-2  ;remove excess "
    Else If SubStr(val,1,1) = "'" && SubStr(val, 0,1) = "'"
      StringMid,val,val,2,% StrLen(val)-2  ;remove excess '
    RegRead, valNow, %root%, %sub%, %vname%
    If (valNow != "")
      Return root "`n" sub "`n" vname "`n" val "`n" valNow
    Else Return 0
  }
  Else
  {
    sub:= rPath2, keycount:= 0
    Loop %root%, %sub%, 1  ;checks if key exists
      keycount++
    If (keycount > 0)
      Return root "`n" sub
    Else Return 0
  }
}

;RegValConvert (tbe function below) converts AHK format of REG_DWORD and REG_BINARY
;values to the format used by RegShot. Other value types already use equivalent
;formats. The point is to enable the script to compare the current registry values
;to those recorded by RegShot
RegValConvert(root="",sub="",vname="")
{
  Loop, %root%, %sub%
  {
    If (A_LoopRegName == vname)
    {
      VarSetCapacity(valNow,20)
      If (A_LoopRegType == "REG_DWORD")
      {
        SetFormat, IntegerFast, H
        RegRead, valNow, %root%, %sub%, %vname%
        valNow:= % "0x" SubStr("00000000" SubStr(valNow+0, 3), -7)
        SetFormat, IntegerFast, D
      }
      Else
      {
        RegRead, valNow, %root%, %sub%, %vname%
        If (A_LoopRegType == "REG_BINARY")
          valNow:= RegExReplace(valNow, "..(?=.)", "$0 ")
        Else If (A_LoopRegType == "REG_MULTI_SZ")
          StringTrimRight,valNow,valNow,1
      }
      Break
    }
  }    
  Return valNow
}

AddBranchesToTree(filelist,logtype=0)
{
  level:= 0, parent0:= 0
  Loop,Parse,filelist,`n
  {
    If A_LoopField =
      Continue
    If logtype = 0
      stringsplit, parts, A_LoopField, \   ;drive + folders ( + file)
    If logtype = 1
    {
      If colon1:= InStr(A_LoopField,":")
      {
        regstr1:= SubStr(A_LoopField, 1, colon1), regstr2:= SubStr(A_LoopField, colon1+1)
        stringsplit, parts, regstr1, \   ;drive + folders ( + file)
        parts%parts0% .= regstr2
      }
      Else stringsplit, parts, A_LoopField, \   ; drive + folders ( + file)
    }
    If (level == 0)            ;first record, insert all parts
    {
      gosub build_tree
      continue
    }
    IfInString, A_LoopField, %prev_file%   ;sub folders or files
    {
      gosub build_tree
      continue
    }
    line:= A_LoopField ;other drive or folder
    If (parts0 > level) ;ignore parts > level
      loop, % parts0 - level - 1
    StringLeft, line, line, % InStr(line,"\",false,0)
    Else level:= parts0 ;set level to no of parts
    loop, % level
    {
      StringLeft, line, line, % InStr(line,"\",false,0)-1  
      level--
      If (level == 0) ;other drive
        prev_file:= "", bs:= ""
      Else ;find corresponding level
      {
        prev_file:= file%level%
        
        ;add backslashes
        lineTmp:= line . "\"
        IfNotInString, lineTmp, %prev_file%\
          Continue
        If (level == 0)
          level++
      }
      gosub build_tree
      Break
    }
  }
  Return

  build_tree:
  
  loop, % parts0 - level
  {
    prev_parent = parent%level%
    level++

    tOptions:= "bold expand"
    
    parent%level% := tv_add(parts%level%, %prev_parent%, tOptions)
    If (level <> 1)
      bs = \
    file%level%:= prev_file bs parts%level%
    prev_file:= file%level%
  }
  Return
}

note: you should edit the built-in Ignore List. the script also let's you right-click on entries to add them on a separate txt-file based ignore list. the reason for two separate lists is that i was only able to get the relative paths and variables (e.g. %A_Windir%, %A_AppData%,...) to work as part of the built-in list.

here's the regWorkshop function - I'll plan to add one for regedit later on:

OpenWithRegWksp(regString)
{
  SetBatchLines, -1
  SetTitleMatchMode, 2
  SendMode, Input

  StringSplit, regPath, regString,`n,`r][%A_Space%
  RegExMatch(regPath1,"i)(HKLM|HKCR|HKCU|HKU|HKCC|HKEY_LOCAL_MACHINE|HKEY_USERS|HKEY_CURRENT_USER|HKEY_CLASSES_ROOT|HKEY_CURRENT_CONFIG)\\(?:((.*)\\(.*?)(?::\s)(.*)|.*))", rPath)
  If (rPath1 = "") ;if no rootkey present, run editor without path
  {
    IfWinExist, Registry Workshop
      WinActivate
    Else Run %A_ProgramFiles%\Registry Workshop\RegWorkshop.exe
    Return
  }
  If (rPath3 != "") ;If reg values available, check with AHK
  {
    rSteps:=0		
    RegRead, exists, %rPath1%, %rPath3%, %rPath4%	
    If !Errorlevel
    {
      SelectedPath:= rPath1 . "\" . rPath3
      Loop %rPath1%,%rPath3%,2
        rSteps++	  
      If (rPath4 = "(Default)") || (rPath4 = "")
        rPath4:= SelectedPath ;this is specific to regWksp
      Else
      {
        Loop %rPath1%,%rPath3%
          rNames.= A_LoopRegName . "`n"
        StringTrimRight,rNames,rNames,1
        Sort,rNames
        Loop,Parse,rNames,`n
        {
          rSteps++					
          If (A_LoopField = rPath4)
            Break
        }
      }
    }
    Else rPath4=
  }
  Else rPath3:= rPath2  ;update variable names to match
  While SelectedPath = ""
  {	
    Loop %rPath1%, %rPath3%, 1  ; checks if key exists
    {
      SelectedPath:= rPath1 "\" rPath3
        Break
    }
    RegExMatch(rPath3,".*(?=\\)",rPath3)
  }
  IfWinNotExist, Registry Workshop
    Run, "%A_ProgramFiles%\Registry Workshop\RegWorkshop.exe" /g "%SelectedPath%"
  Else setPath:= 1
  WinWait, Registry Workshop
  If hRegWksp:= WinExist("Registry Workshop")
  {
    IfWinNotActive, ahk_id %hRegWksp%
      WinActivate, ahk_id %hRegWksp%
    WinWaitActive, ahk_id %hRegWksp%
  }    
  If setPath
  {
    ControlSetText, Edit1, %SelectedPath%, ahk_id %hRegWksp%
    ControlClick, ToolbarWindow323, ahk_id %hRegWksp%
  }
  If rPath4
  {
    ControlFocus, ATL:0050C4901, ahk_id %hRegWksp%
    Send {Left}{Down %rSteps%}
  }
}
Return

Hardware: fast laptop with SSD
Software: Win 7 Home Premium 64-bit, android for phone and tablet


pajenn
  • Members
  • 391 posts
  • Last active: Feb 06 2015 07:57 AM
  • Joined: 07 Feb 2009

There is a little tool for undoing changes made as detcted by RegShot - its called UndoREG;

You can fine it here

<!-- m -->http://www.majorgeek...oad.php?det=966<!-- m -->

Hope this helps :-)


thanks.

Hardware: fast laptop with SSD
Software: Win 7 Home Premium 64-bit, android for phone and tablet