• Status: Solved

Registry misunderstanding

Sometimes I need to delete the registry keys of each piece of software manually, since some of them leave some registry keys for unknown purposes.
Please inform me why some software leaves some registry keys after uninstall, how to understand the hierarchy of the registry, and how to recognize if there is a virus in the registry, please.
0
sam kam
Asked:
4 Solutions
 
John, Business Consultant (Owner) Commented:
There appears to be an assumption by some vendors that you may reinstall the software.

I do not use or recommend registry cleaners for this purpose. The aggressive cleaners (or aggressive use of any cleaner) often create more problems than they solve.

If you are using good software, uninstalling is generally not a problem.
0
 
sam kam, IT (Author) Commented:
Thank you John,
As you know, some software causes problems when you uninstall it because it leaves some registry keys. And I want to understand how software places registry keys. Would you help me to understand the following:

HKEY Classes root, current user, local machine, users and current config
0
 
John, Business Consultant (Owner) Commented:
Good software does not cause a problem leaving a key or two left over. What software? Maybe we can see what keys may possibly be an issue.
0
 
John, Business Consultant (Owner) Commented:
That area (Classes Root) is highly detailed, often with alphanumeric key names, and you need to know precisely and exactly what you are looking for. Local Machine, Software is much more informative.

You have to know the precise keys you are looking for (which is why, if you do not know and experiment, you can easily wreck your machine).
1
 
BillDL Commented:
The first places to look are under:
HKEY_CURRENT_USER\Software
HKEY_LOCAL_MACHINE\SOFTWARE
Some software creates keys in Current_User AND Local_Machine, while other software might only create a key in one of those.

Some software creates a new sub-key with the vendor name and then the actual program name as another sub-key inside that, whereas some other software will create separate keys with the program names in that key.

For example, on the computer I am using VLC Media Player creates:
HKEY_LOCAL_MACHINE\SOFTWARE\VideoLAN\VLC
but there is no VideoLAN key in:
HKEY_CURRENT_USER\Software
because it is installed for all users.
VideoLAN is the company name.  VLC Media Player is the program.  VideoLAN has other products, and if you installed another of their products, a new key could be created under VideoLAN for that one.

Mozilla Firefox browser is another example.  You would find:

HKEY_CURRENT_USER\Software\Mozilla
HKEY_CURRENT_USER\Software\Mozilla\Firefox

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MaintenanceService
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
and probably other keys.

If you also had Mozilla Thunderbird installed, there would be keys for that application.  I do not have Thunderbird installed, but let's say that the key name would probably be:
HKEY_CURRENT_USER\Software\Mozilla\Thunderbird
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Thunderbird

If you were uninstalling Thunderbird BUT NOT Firefox, you would obviously NOT delete the keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKEY_CURRENT_USER\Software\Mozilla
You would ONLY delete the Thunderbird sub-key.

There are several reasons why some software uninstallers leave registry keys in these main keys.  Even "good" software often leaves registry keys.

  1. Trial versions want to stop you from uninstalling when you get to the end of your 30 day trial period and then reinstalling to get another 30 days for free.
  2. Software that is updated regularly usually leaves details of the last version installed and the date.  Vendors like to know this if the software is reinstalled later, so they often leave these details in the registry.
  3. Some customised user settings may be left so that if you later reinstall the software it can pick those up again.
  4. An uninstaller routine may prompt you to override permissions by switching to an "admin" profile.  If registry values can only be removed the next time the computer is rebooted, it may not remove them when the system is rebooted to a standard user profile.

You have to remember that there will also be references to previously installed software elsewhere in the registry.  These references could be to plugins or add-ons that are also used by other programs, or they could be for special drivers that needed to be installed for the software to work.  If you start digging too deeply in the registry you can accidentally remove something that is still needed.

If you completely uninstall an application it should remove its folder from your "Program Files" folder, but it sometimes does not.  If you are confident that the folder is no longer needed by any other software or by Windows, you can then test by first MOVING the folder to another non system folder to test for any dependencies BEFORE completely deleting it later.

The same is true of the registry.  BEFORE deleting any key that is left over after software uninstallation, EXPORT the key to a backup *.REG file somewhere safe in case it is needed and causes problems later.

Utility programs that find and allow you to delete leftover registry entries are usually fine for people who already know for certain that the registry entries it finds are definitely not required.  Unfortunately being able to recognise these things takes years of experience.

Asking how to identify registry keys that relate to viruses is another very separate subject.  Viruses do not want to be detected, so they rarely leave traces of themselves in the registry.  If they do, the entries would most likely be well disguised as ones that appear to be legitimate or would be hidden very deeply.  If you have any suspicion about malware, then it would be better to ask a separate question and explain why you think you may have a virus.
4
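
The export-before-delete routine from the answer above, as an added PowerShell example that is not part of the original thread. `ExampleVendor` and `ExampleProduct` are placeholder key names and the backup folder is an assumption; removing keys under HKEY_LOCAL_MACHINE needs an elevated session.

```powershell
# Added example; 'ExampleVendor' / 'ExampleProduct' are placeholder names.
param(
    [string]$Vendor    = 'ExampleVendor',
    [string]$Product   = 'ExampleProduct',
    [string]$BackupDir = (Join-Path $env:USERPROFILE 'RegBackups'),
    [switch]$Delete    # without -Delete the script only exports and reports
)

# The two locations named in the answer, plus the 32-bit view on 64-bit Windows.
$roots = 'HKCU:\Software', 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node'

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($root in $roots) {
    $vendorKey  = Join-Path $root $Vendor
    $productKey = Join-Path $vendorKey $Product
    if (-not (Test-Path -LiteralPath $productKey)) { continue }

    # reg.exe expects HKLM\..., not the PowerShell drive form HKLM:\...
    $regName = $productKey -replace '^(HK[A-Z]+):', '$1'
    $file    = Join-Path $BackupDir (($regName -replace '[\\ ]', '_') + '.reg')

    # Export BEFORE touching anything; leave the key alone if the backup fails.
    & reg.exe export $regName $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Export of $regName failed; key left untouched."
        continue
    }
    Write-Output "Backed up $regName to $file"

    if (-not $Delete) { continue }

    # Remove only the product sub-key, never the vendor key directly.
    Remove-Item -LiteralPath $productKey -Recurse

    # The vendor key goes only when no other product or value remains under it
    # (the Thunderbird-but-not-Firefox case from the answer).
    $vendorItem = Get-Item -LiteralPath $vendorKey
    if ($vendorItem.SubKeyCount -eq 0 -and $vendorItem.ValueCount -eq 0) {
        Remove-Item -LiteralPath $vendorKey
        Write-Output "Removed empty vendor key $vendorKey"
    } else {
        Write-Output "Kept $vendorKey (other sub-keys or values remain)"
    }
}
```

Double-clicking the saved `.reg` file (or `reg import`) restores a key that turns out to be needed.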
 
John, Business Consultant (Owner) Commented:
I just mentioned Local Software as it covers all / most of that above.

But the CLASSES stuff is pretty much off limits because of the precision of knowledge required.
0
 
BillDL Commented:
Hello sam kam
Do you have any other questions or things that need further explanation?
0
 
Amit, IT Architect Commented:
Are you facing any issue which you can share?
0
 
dbrunton Commented:
>>  Please inform me why some software leave some registry keys after uninstall

Poorly written uninstall application or errors on running the uninstall application.  Even good uninstall applications can sometimes have problems.  Some vendors have applications that will go through the registry and remove any reference to their products in case such a situation occurs.  For example the AVG removal tool  https://www.bleepingcomputer.com/download/avg-remover/  Similar products exist for other anti-virus products and there are utils for both Nvidia and Radeon drivers that will clean up the system by removing any drivers and registry entries.

>>  how to recognize if there is a virus in these registry please.

A good anti-virus will usually do that for you.  There aren't viruses in the registry but links to viruses, for example, a virus may alter the registry to load the virus on startup.  Tools like Sysinternals Autoruns  https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns  can be used to examine these startup locations but again a good anti-virus will do those checks for you.  Note that viruses can use the registry for other purposes besides the example given above.

>>  and how to understand the hierarchy of registry

I believe that has been covered by other experts.
2
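
A read-only look at a few of the startup locations mentioned in the answer above, as an added PowerShell example that is not part of the original thread. It covers only the standard Run/RunOnce keys, a small subset of what Autoruns inspects, and the helper name `Get-CommandTarget` is hypothetical.

```powershell
# Added example: list Run/RunOnce autostart values and check what they point to.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-CommandTarget([string]$Command) {
    # Extract the program path from a command line: a quoted path first,
    # otherwise everything up to the first known executable/script extension.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^\s*(.+?\.(exe|dll|cmd|bat|vbs|js|ps1))(\s|$)') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $cmd    = [string]$item.GetValue($name)
        $target = Get-CommandTarget $cmd
        # File.Exists returns $false (no exception) for empty or malformed paths.
        # Bare names such as 'rundll32.exe' are not resolved via PATH here.
        $exists = [System.IO.File]::Exists($target)
        $sig    = if ($exists) {
            (Get-AuthenticodeSignature -LiteralPath $target).Status
        } else { 'n/a' }
        [pscustomobject]@{
            Key        = $key
            Name       = $name
            Command    = $cmd
            FileExists = $exists
            Signature  = $sig
        }
    }
}

# Entries whose file is missing or not validly signed sort to the top for review.
$report | Sort-Object FileExists, { $_.Signature -eq 'Valid' } |
    Format-Table -AutoSize -Wrap
```

A missing file or an unsigned binary is a reason to look closer, not proof of malware; plenty of legitimate software ships unsigned.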
 
dbrunton Commented:
I believe that the comments from the experts listed answer the question asked.
0
 
BillDL Commented:
Thank you db
0
Question has a verified solution.
