Posts posted by SMalik

  1. Revised entry

    The Snip & Sketch app is now Snipping Tool. I think the entry name should be changed to [Snipping Tool *]

    [Windows Snip & Sketch *]
    LangSecRef=3025
    Detect=HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.ScreenSketch_8wekyb3d8bbwe
    FileKey1=%LocalAppData%\Packages\MicrosoftWindows.Client.*\TempState\ScreenClip|*
    RegKey1=HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.ScreenSketch_8wekyb3d8bbwe\PersistedPickerData\Microsoft.ScreenSketch_8wekyb3d8bbwe!App\AppSnipAndSketchFileSaveSettings|LastLocation
    RegKey2=HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.ScreenSketch_8wekyb3d8bbwe\PersistedPickerData\Microsoft.ScreenSketch_8wekyb3d8bbwe!App\DefaultOpenFileSingle|LastLocation

  2. Revised entry

    Added: %LocalAppData%\Packages\Microsoft.WindowsNotepad_*\Settings|*.*|RECURSE
    Files here keep information about Find and Replace words in Notepad.

    Changed: %LocalAppData%\Packages\Microsoft.WindowsNotepad_*\SystemAppData\Helium|*.*|RECURSE

    I think RegKey1 and RegKey2 should be removed. These paths do not exist on Windows 10/11.

    [Windows Notepad *]
    LangSecRef=3025
    Detect=HKCU\Software\Microsoft\Notepad
    DetectFile=%LocalAppData%\Packages\Microsoft.WindowsNotepad_*
    FileKey1=%LocalAppData%\Packages\Microsoft.WindowsNotepad_*\Settings|*.*|RECURSE
    FileKey2=%LocalAppData%\Packages\Microsoft.WindowsNotepad_*\SystemAppData\Helium|*.*|RECURSE
    RegKey1=HKCU\Software\Microsoft\Notepad|replaceString
    RegKey2=HKCU\Software\Microsoft\Notepad|searchString

  3. Removed: xulstore.json

    It stores Firefox window size and style.

    {"chrome://browser/content/browser.xhtml":{"main-window":{"screenX":"230","screenY":"49","width":"1598","height":"968","sizemode":"normal"},"sidebar-box":{"sidebarcommand":"","style":""},"sidebar-title":{"value":""}}}

    [Firefox Caches *]
    LangSecRef=3026
    Detect1=HKCU\Software\LibreWolf
    Detect2=HKLM\Software\ComodoGroup\IceDragon
    Detect3=HKLM\Software\FlashPeak\SlimBrowser
    Detect4=HKLM\Software\Mozilla\Basilisk
    Detect5=HKLM\Software\Mozilla\Pale Moon
    Detect6=HKLM\Software\Mozilla\SeaMonkey
    Detect7=HKLM\Software\Mozilla\Waterfox
    DetectFile1=%AppData%\Mozilla\Firefox
    DetectFile2=%LocalAppData%\Packages\Mozilla.Firefox_*
    FileKey1=%AppData%\ArtistScope\ArtisBrowser\Profiles\*|*.corrupt|RECURSE
    FileKey2=%AppData%\ArtistScope\ArtisBrowser\Profiles\*|AlternateServices.txt;notificationstore.json;parent.lock;serviceworker.txt;webappsstore.sqlite;cert9.db;ClientAuthRememberList.txt
    FileKey3=%AppData%\ArtistScope\ArtisBrowser\Profiles\*\notificationstore|*
    FileKey4=%AppData%\ArtistScope\ArtisBrowser\Profiles\*\security_state|*
    FileKey5=%AppData%\ArtistScope\ArtisBrowser\Profiles\*\shader-cache|*
    FileKey6=%AppData%\ArtistScope\ArtisBrowser\Profiles\*\storage\temporary|*|RECURSE
    FileKey7=%AppData%\Comodo\IceDragon\Profiles\*|*.corrupt|RECURSE
    FileKey8=%AppData%\Comodo\IceDragon\Profiles\*|AlternateServices.txt;notificationstore.json;parent.lock;serviceworker.txt;webappsstore.sqlite;cert9.db;ClientAuthRememberList.txt
    FileKey9=%AppData%\Comodo\IceDragon\Profiles\*\notificationstore|*
    FileKey10=%AppData%\Comodo\IceDragon\Profiles\*\security_state|*
    FileKey11=%AppData%\Comodo\IceDragon\Profiles\*\shader-cache|*
    FileKey12=%AppData%\Comodo\IceDragon\Profiles\*\storage\temporary|*|RECURSE
    FileKey13=%AppData%\FlashPeak\SlimBrowser\Profiles\*|*.corrupt|RECURSE
    FileKey14=%AppData%\FlashPeak\SlimBrowser\Profiles\*|AlternateServices.txt;notificationstore.json;parent.lock;serviceworker.txt;webappsstore.sqlite;cert9.db;ClientAuthRememberList.txt
    FileKey15=%AppData%\FlashPeak\SlimBrowser\Profiles\*\notificationstore|*
    FileKey16=%AppData%\FlashPeak\SlimBrowser\Profiles\*\security_state|*
    FileKey17=%AppData%\FlashPeak\SlimBrowser\Profiles\*\shader-cache|*
    FileKey18=%AppData%\FlashPeak\SlimBrowser\Profiles\*\storage\temporary|*|RECURSE
    FileKey19=%AppData%\LibreWolf\Profiles\*|*.corrupt|RECURSE
    FileKey20=%AppData%\LibreWolf\Profiles\*|AlternateServices.txt;notificationstore.json;parent.lock;serviceworker.txt;webappsstore.sqlite;cert9.db;ClientAuthRememberList.txt
    FileKey21=%AppData%\LibreWolf\Profiles\*\notificationstore|*
    FileKey22=%AppData%\LibreWolf\Profiles\*\security_state|*
    FileKey23=%AppData%\LibreWolf\Profiles\*\shader-cache|*
    FileKey24=%AppData%\LibreWolf\Profiles\*\storage\temporary|*|RECURSE
    FileKey25=%AppData%\Moonchild Productions\*\Profiles\*|*.corrupt|RECURSE
    FileKey26=%AppData%\Moonchild Productions\*\Profiles\*|AlternateServices.txt;notificationstore.json;parent.lock;serviceworker.txt;webappsstore.sqlite;cert9.db;ClientAuthRememberList.txt
    FileKey27=%AppData%\Moonchild Productions\*\Profiles\*\notificationstore|*
    FileKey28=%AppData%\Moonchild Productions\*\Profiles\*\security_state|*
    FileKey29=%AppData%\Moonchild Productions\*\Profiles\*\shader-cache|*
    FileKey30=%AppData%\Moonchild Productions\*\Profiles\*\storage\temporary|*|RECURSE
    FileKey31=%AppData%\Mozilla\*\Profiles\*|*.corrupt|RECURSE
    FileKey32=%AppData%\Mozilla\*\Profiles\*|AlternateServices.txt;notificationstore.json;parent.lock;serviceworker.txt;webappsstore.sqlite;cert9.db;ClientAuthRememberList.txt
    FileKey33=%AppData%\Mozilla\*\Profiles\*\notificationstore|*
    FileKey34=%AppData%\Mozilla\*\Profiles\*\security_state|*
    FileKey35=%AppData%\Mozilla\*\Profiles\*\shader-cache|*
    FileKey36=%AppData%\Mozilla\*\Profiles\*\storage\temporary|*|RECURSE
    FileKey37=%AppData%\Waterfox\Profiles\*|*.corrupt|RECURSE
    FileKey38=%AppData%\Waterfox\Profiles\*|AlternateServices.txt;notificationstore.json;parent.lock;serviceworker.txt;webappsstore.sqlite;cert9.db;ClientAuthRememberList.txt
    FileKey39=%AppData%\Waterfox\Profiles\*\notificationstore|*
    FileKey40=%AppData%\Waterfox\Profiles\*\security_state|*
    FileKey41=%AppData%\Waterfox\Profiles\*\shader-cache|*
    FileKey42=%AppData%\Waterfox\Profiles\*\storage\temporary|*|RECURSE
    FileKey43=%LocalAppData%\Basilisk-Dev\Basilisk\Profiles\*\*cache*|*|REMOVESELF
    FileKey44=%LocalAppData%\Basilisk-Dev\Basilisk\Profiles\*\Safebrowsing-failedupdate|*|REMOVESELF
    FileKey45=%LocalAppData%\Basilisk-Dev\Basilisk\Profiles\*\thumbnails|*|REMOVESELF
    FileKey46=%LocalAppData%\Flashpeak\SlimBrowser\Profiles\*\*cache*|*|REMOVESELF
    FileKey47=%LocalAppData%\Flashpeak\SlimBrowser\Profiles\*\Safebrowsing-failedupdate|*|REMOVESELF
    FileKey48=%LocalAppData%\Flashpeak\SlimBrowser\Profiles\*\thumbnails|*|REMOVESELF
    FileKey49=%LocalAppData%\LibreWolf\Profiles\*\*cache*|*|REMOVESELF
    FileKey50=%LocalAppData%\LibreWolf\Profiles\*\Safebrowsing-failedupdate|*|REMOVESELF
    FileKey51=%LocalAppData%\LibreWolf\Profiles\*\thumbnails|*|REMOVESELF
    FileKey52=%LocalAppData%\Moonchild Productions\*\Profiles\*\*cache*|*|REMOVESELF
    FileKey53=%LocalAppData%\Moonchild Productions\*\Profiles\*\Safebrowsing-failedupdate|*|REMOVESELF
    FileKey54=%LocalAppData%\Moonchild Productions\*\Profiles\*\thumbnails|*|REMOVESELF
    FileKey55=%LocalAppData%\Mozilla\*\Profiles\*\*cache*|*|REMOVESELF
    FileKey56=%LocalAppData%\Mozilla\*\Profiles\*\Safebrowsing-failedupdate|*|REMOVESELF
    FileKey57=%LocalAppData%\Mozilla\*\Profiles\*\thumbnails|*|REMOVESELF
    FileKey58=%LocalAppData%\Packages\Mozilla.Firefox_*\AC|*|RECURSE
    FileKey59=%LocalAppData%\Packages\Mozilla.Firefox_*\LocalCache\Roaming\Mozilla\Firefox\Profiles\*|*.corrupt|RECURSE
    FileKey60=%LocalAppData%\Packages\Mozilla.Firefox_*\LocalCache\Roaming\Mozilla\Firefox\Profiles\*|AlternateServices.txt;notificationstore.json;parent.lock;serviceworker.txt;webappsstore.sqlite;cert9.db;ClientAuthRememberList.txt
    FileKey61=%LocalAppData%\Packages\Mozilla.Firefox_*\LocalCache\Roaming\Mozilla\Firefox\Profiles\*\*cache*|*|RECURSE
    FileKey62=%LocalAppData%\Packages\Mozilla.Firefox_*\LocalCache\Roaming\Mozilla\Firefox\Profiles\*\notificationstore|*
    FileKey63=%LocalAppData%\Packages\Mozilla.Firefox_*\LocalCache\Roaming\Mozilla\Firefox\Profiles\*\security_state|*
    FileKey64=%LocalAppData%\Packages\Mozilla.Firefox_*\LocalCache\Roaming\Mozilla\Firefox\Profiles\*\storage\temporary|*|RECURSE
    FileKey65=%LocalAppData%\Packages\Mozilla.Firefox_*\Settings|*.log*
    FileKey66=%LocalAppData%\Packages\Mozilla.Firefox_*\TempState|*|RECURSE
    FileKey67=%LocalAppData%\Waterfox\Profiles\*\*cache*|*|REMOVESELF
    FileKey68=%LocalAppData%\Waterfox\Profiles\*\Safebrowsing-failedupdate|*|REMOVESELF
    FileKey69=%LocalAppData%\Waterfox\Profiles\*\thumbnails|*|REMOVESELF
    FileKey70=%LocalAppData%\Waterfox\Profiles\Profiles\*\Safebrowsing-failedupdate|*|REMOVESELF
    FileKey71=%LocalAppData%\Waterfox\Profiles\Profiles\*\thumbnails|*|REMOVESELF
    FileKey72=%ProgramData%\Mozilla*|cache2.*
    FileKey73=%ProgramFiles%\Basilisk|*.tmp|RECURSE
    FileKey74=%ProgramFiles%\Firefox*|*.tmp|RECURSE
    FileKey75=%ProgramFiles%\LibreWolf|*.tmp|RECURSE
    FileKey76=%ProgramFiles%\Mozilla*|*.tmp;*_tmp.exe|RECURSE
    FileKey77=%ProgramFiles%\Pale Moon|*.tmp|RECURSE
    FileKey78=%ProgramFiles%\SeaMonkey|*.tmp|RECURSE
    FileKey79=%ProgramFiles%\SlimBrowser|*.tmp|RECURSE
    FileKey80=%ProgramFiles%\Waterfox|*.tmp|RECURSE
    FileKey81=%ProgramFiles%\WindowsApps\Mozilla.Firefox_*\VFS\ProgramFiles\Firefox Package Root|*.tmp;*_tmp.exe|RECURSE
    FileKey82=%UserProfile%\AppData\LocalLow\Mozilla\Temp-*|*|REMOVESELF

  4. New entry

    [Firefox Jump List Cache *]
    LangSecRef=3026
    DetectFile1=%AppData%\Mozilla\Firefox
    DetectFile2=%LocalAppData%\Packages\Mozilla.Firefox_*
    FileKey1=%LocalAppData%\Mozilla\Firefox\Profiles\*\jumpListCache|*|RECURSE

  5. 3 hours ago, SMalik said:

    Revised entry

    Added:
    %WinDir%\Backup|*|RECURSE
    %WinDir%\AppCompat\pca|*.txt

    [Windows Logs *]

    Revised entry

    I made a mistake in the previous post. This is correct.

    Added:
    %WinDir%\AppCompat\Backup|*.json
    %WinDir%\AppCompat\pca|*.txt

    [Windows Logs *]
    LangSecRef=3025
    Detect=HKLM\Software\Microsoft\Windows
    FileKey1=%LocalAppData%\ConnectedDevicesPlatform|*.log
    FileKey2=%LocalAppData%\Diagnostics|*|RECURSE
    FileKey3=%LocalAppData%\Microsoft\Dialer|*.log.txt
    FileKey4=%LocalAppData%\Microsoft\msipc\Logs|*
    FileKey5=%LocalAppData%\Microsoft\Portable Devices|wpdlog*.sqm
    FileKey6=%LocalAppData%\Microsoft\Windows\Explorer|*.etl
    FileKey7=%ProgramData%\Microsoft\Diagnosis\DownloadedSettings|*.json.bk
    FileKey8=%ProgramData%\Microsoft\Diagnosis\ETLLogs|*|RECURSE
    FileKey9=%ProgramData%\Microsoft\DiagnosticLogCSP|*|RECURSE
    FileKey10=%ProgramData%\Microsoft\Network\Downloader|*|RECURSE
    FileKey11=%ProgramData%\Microsoft\WDF|*|RECURSE
    FileKey12=%ProgramData%\Microsoft\Windows Security Health\Logs|*|RECURSE
    FileKey13=%ProgramData%\Microsoft\Windows\wfp|*.etl
    FileKey14=%ProgramData%\USOShared\Logs|*|RECURSE
    FileKey15=%ProgramFiles%\UNP\*Logs|*
    FileKey16=%SystemDrive%|DumpStack.log
    FileKey17=%SystemDrive%\PerfLogs\System\Diagnostics|*|RECURSE
    FileKey18=%SystemDrive%\PerfLogs\System\Performance|*|RECURSE
    FileKey19=%WinDir%|*.log
    FileKey20=%WinDir%\AppCompat\Backup|*.json
    FileKey21=%WinDir%\AppCompat\pca|*.txt
    FileKey22=%WinDir%\AppCompat\Programs|*.txt;*.xml
    FileKey23=%WinDir%\AppCompat\Programs\Install|*.txt;*.xml
    FileKey24=%WinDir%\debug|*.log|RECURSE
    FileKey25=%WinDir%\INF|*.etl;*.log*
    FileKey26=%WinDir%\Logs|*.etl;*.log|RECURSE
    FileKey27=%WinDir%\Logs\CBS|*.cab
    FileKey28=%WinDir%\Panther|cbs.log;DDACLSys.log;miglog.xml;Migrep.html;*GatherPnPList.log;*.tmp
    FileKey29=%WinDir%\Panther\FastCleanup|*.log
    FileKey30=%WinDir%\Panther\Rollback|*.txt
    FileKey31=%WinDir%\Panther\UnattendGC|diag*.xml;setup*.log
    FileKey32=%WinDir%\repair|setup.log
    FileKey33=%WinDir%\security\logs|*|RECURSE
    FileKey34=%WinDir%\ServiceProfiles\NetworkService\debug|*.log
    FileKey35=%WinDir%\System32\CatRoot|*.tmp
    FileKey36=%WinDir%\System32\CatRoot_bak|*|REMOVESELF
    FileKey37=%WinDir%\System32\catroot2|*.chk;*.log;*.jrs;*.txt
    FileKey38=%WinDir%\System32\LogFiles|*|RECURSE
    FileKey39=%WinDir%\System32\Logs|*.etl
    FileKey40=%WinDir%\System32\NDF|*.etl
    FileKey41=%WinDir%\System32\SleepStudy|*.etl|RECURSE
    FileKey42=%WinDir%\System32\sysprep\Panther\IE|diagerr.xml;diagwrn.xml;*.log
    FileKey43=%WinDir%\System32\WDI\*|*.etl*|REMOVESELF
    FileKey44=%WinDir%\System32\WDI\LogFiles\StartupInfo|*|RECURSE
    FileKey45=%WinDir%\Temp|*.log
    RegKey1=HKLM\Software\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications
    RegKey2=HKLM\Software\Microsoft\Tracing
    RegKey3=HKLM\Software\Wow6432Node\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications
    RegKey4=HKLM\Software\Wow6432Node\Microsoft\Tracing

  6. New entry

    [Western Digital Dashboard *]
    LangSecRef=3024
    Detect=HKLM\SOFTWARE\Western Digital\SSD Dashboard
    FileKey1=%LocalAppData%\Western Digital\Dashboard\cache\QtWebEngine\Default\Cache|*|RECURSE
    FileKey2=%LocalAppData%\Western Digital\Dashboard\QtWebEngine\Default|*.old
    FileKey3=%LocalAppData%\Western Digital\Dashboard\QtWebEngine\Default\GPUCache|*|RECURSE
    FileKey4=%ProgramFiles%\Western Digital\SSD Dashboard|dashboard.log

  7. Revised entry

    Added:
    %ProgramData%\Wondershare\dr.fone\ThumbnailCache
    %ProgramData%\Wondershare\dr.fone\iOSTemp|*.*|RECURSE
    %ProgramData%\Wondershare\dr.fone\log|*.log
    %ProgramData%\Wondershare\dr.fone\Sparrow|*.bak;*.log

    [Wondershare Dr.Fone *]
    LangSecRef=3021
    DetectFile=%ProgramFiles%\Wondershare\Wondershare Dr.Fone
    FileKey1=%AppData%\DataEraser_Temp|*.*|RECURSE
    FileKey2=%ProgramData%\Wondershare\dr.fone\ThumbnailCache
    FileKey3=%ProgramData%\Wondershare\dr.fone\Wondershare_DataEraser_Clean|*.*|RECURSE
    FileKey4=%ProgramData%\Wondershare\dr.fone\iOSTemp|*.*|RECURSE
    FileKey5=%ProgramData%\Wondershare\dr.fone\log|*.log
    FileKey6=%ProgramData%\Wondershare\dr.fone\Sparrow|*.bak;*.log
    FileKey7=%ProgramData%\Wondershare\DriverInstall|*.log
    FileKey8=%ProgramData%\Wondershare\WSRoot|*.tmp
    FileKey9=%ProgramData%\WsAppHelper\Dr.Fone|*.log
    FileKey10=%ProgramFiles%\Wondershare\dr.fone\ThumbnailCache|*.*|RECURSE
    FileKey11=%ProgramFiles%\Wondershare\MirrorGo\Log|*.*|RECURSE

  8. Revised entry
    FileKey3, 4, 5, 6, 11 changed from |*|RECURSE to |*.*|RECURSE

    [Adobe *]
    LangSecRef=3023
    Detect=HKCU\Software\Adobe
    FileKey1=%AppData%\Adobe|*.log|RECURSE
    FileKey2=%AppData%\Adobe\Acrobat\Distiller*|*.log
    FileKey3=%AppData%\Adobe\Common\* Cache*|*.*|RECURSE
    FileKey4=%AppData%\Adobe\Common\Peak Files|*.*|RECURSE
    FileKey5=%AppData%\Adobe\CRLogs|*.*|RECURSE
    FileKey6=%AppData%\Adobe\LogTransport2\Logs|*.*|RECURSE
    FileKey7=%CommonProgramFiles%\Adobe\Creative Cloud Libraries|*.log|RECURSE
    FileKey8=%CommonProgramFiles%\Adobe\Installers|*.log*|RECURSE
    FileKey9=%LocalAppData%\Adobe|*.Log|RECURSE
    FileKey10=%LocalAppData%\Adobe\ARM|*.*|RECURSE
    FileKey11=%ProgramData%\Adobe\ARM|*.*|RECURSE
    FileKey12=%ProgramFiles%\Adobe\Adobe Creative Cloud Experience\js\node_modules\table-parser\test\output|*.log
    FileKey13=%UserProfile%\Documents\Adobe|*.log|RECURSE
    RegKey1=HKCU\Software\Adobe\Adobe ARM\1.0\ARM|tLastT_Reader
    RegKey2=HKCU\Software\Adobe\Adobe Customization Wizard 8\Recent File List
    RegKey3=HKCU\Software\Adobe\Adobe Customization Wizard 9\Recent File List
    RegKey4=HKCU\Software\Adobe\Adobe Customization Wizard X\Recent File List
    RegKey5=HKCU\Software\Adobe\Adobe Customization Wizard XI\Recent File List

  9. Revised entry name from [Groove Media Player *] to [Media Player *]

    [Media Player *]
    LangSecRef=3023
    DetectFile=%LocalAppData%\Packages\Microsoft.ZuneMusic_*
    FileKey1=%LocalAppData%\Packages\Microsoft.ZuneMusic_*\AC|*|RECURSE
    FileKey2=%LocalAppData%\Packages\Microsoft.ZuneMusic_*\LocalCache\Image|*|RECURSE
    FileKey3=%LocalAppData%\Packages\Microsoft.ZuneMusic_*\LocalCache\PlayReady|*|RECURSE
    FileKey4=%LocalAppData%\Packages\Microsoft.ZuneMusic_*\LocalState|*.tmp;AppState.json*;*.db*
    FileKey5=%LocalAppData%\Packages\Microsoft.ZuneMusic_*\LocalState\Database\*|*.log
    FileKey6=%LocalAppData%\Packages\Microsoft.ZuneMusic_*\LocalState\ImageCache|*|RECURSE
    FileKey7=%LocalAppData%\Packages\Microsoft.ZuneMusic_*\LocalState\ImageRetrievalFailure|*|RECURSE
    FileKey8=%LocalAppData%\Packages\Microsoft.ZuneMusic_*\LocalState\ImageStore|*|RECURSE
    FileKey9=%LocalAppData%\Packages\Microsoft.ZuneMusic_*\LocalState\navigationHistory|*|RECURSE
    FileKey10=%LocalAppData%\Packages\Microsoft.ZuneMusic_*\LocalState\PlayReady|*|RECURSE
    FileKey11=%LocalAppData%\Packages\Microsoft.ZuneMusic_*\Settings|*.log*
    FileKey12=%LocalAppData%\Packages\Microsoft.ZuneMusic_*\TempState|*|RECURSE
    RegKey1=HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.ZuneMusic_8wekyb3d8bbwe\SearchHistory

  10. Revised entry

    Removed, as it is already included in the built-in entry:
    %LocalAppData%\Microsoft\OneDrive\Logs|*|RECURSE

    [Microsoft OneDrive *]
    LangSecRef=3021
    Detect=HKCU\Software\Microsoft\OneDrive
    DetectFile=%LocalAppData%\Packages\microsoft.microsoftskydrive_*
    FileKey1=%LocalAppData%\Microsoft\OneDrive\Setup\Logs|*|RECURSE
    FileKey2=%LocalAppData%\Microsoft\Windows\OneDrive\logs|*|RECURSE
    FileKey3=%LocalAppData%\OneDrive\Cache|*|RECURSE
    FileKey4=%LocalAppData%\Packages\microsoft.microsoftskydrive_*\AC|*|RECURSE
    FileKey5=%LocalAppData%\Packages\microsoft.microsoftskydrive_*\LocalCache|*|RECURSE
    FileKey6=%LocalAppData%\Packages\microsoft.microsoftskydrive_*\LocalState\Logs|*.log
    FileKey7=%LocalAppData%\Packages\microsoft.microsoftskydrive_*\Settings|*.log*
    FileKey8=%LocalAppData%\Packages\microsoft.microsoftskydrive_*\TempState|*|RECURSE
    FileKey9=%ProgramFiles%\Microsoft OneDrive\Setup\Logs|*
    FileKey10=%WinDir%\System32\config\systemprofile\AppData\Local\Microsoft\OneDrive\Logs|*|RECURSE
    FileKey11=%WinDir%\System32\config\systemprofile\AppData\Local\Microsoft\OneDrive\Setup\Logs|*|RECURSE
    FileKey12=%WinDir%\System32\LogFiles\CloudFiles|*|RECURSE
    FileKey13=%WinDir%\SysWOW64\config\systemprofile\AppData\Local\Microsoft\OneDrive\Logs|*|RECURSE
    FileKey14=%WinDir%\SysWOW64\config\systemprofile\AppData\Local\Microsoft\OneDrive\Setup\Logs|*|RECURSE
    RegKey1=HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.microsoftskydrive_8wekyb3d8bbwe\PersistedPickerData\microsoft.microsoftskydrive_8wekyb3d8bbwe!Microsoft.MicrosoftSkyDrive\DefaultOpenFileMultiple|LastLocation
    RegKey2=HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.microsoftskydrive_8wekyb3d8bbwe\SearchHistory

  11. I think [Adobe Acrobat Distiller *] and [Adobe Acrobat *] entries should be separated

    [Adobe Acrobat Distiller *]
    LangSecRef=3021
    Detect=HKCU\Software\Adobe\Acrobat Distiller
    FileKey1=%AppData%\Adobe\Acrobat\Distiller*\Cache|*
    FileKey2=%LocalAppData%\Adobe\Acrobat\Distiller*\Cache|*
    RegKey1=HKCU\Software\Adobe\Acrobat Distiller\PrinterJobControl

    [Adobe Acrobat *]
    LangSecRef=3021
    Detect=HKCU\Software\Adobe\Adobe Acrobat
    FileKey1=%AppData%\Adobe\Acrobat\DC\Security\CRLCache|*|RECURSE
    FileKey2=%AppData%\Adobe\OOBE|dlcanalytics.db
    FileKey3=%LocalAppData%|oobelibMkey.log
    FileKey4=%LocalAppData%\Adobe\Acrobat|*.idx|RECURSE
    FileKey5=%LocalAppData%\Adobe\Acrobat\*DC\Cache|*.lst
    FileKey6=%LocalAppData%\Adobe\Acrobat\11.0|UserCache.bin
    FileKey7=%LocalAppData%\Adobe\Acrobat\DC|*.lst;Exchange-ProMessages;IconCacheAcro*.dat;SharedDataEvents;UserCache*.bin
    FileKey8=%LocalAppData%\Adobe\Acrobat\DC\ProtectedView|*.lst;UserCache*.bin
    FileKey9=%LocalAppData%\Adobe\Acrobat\DC\ToolsSearchCacheAcro|*|RECURSE
    FileKey10=%LocalAppData%\Adobe\AcroCef\DC\Acrobat\Cache|*|RECURSE
    FileKey11=%LocalAppData%\Adobe\AcroCef\DC\Acrobat\Cookie|*
    FileKey12=%LocalAppData%\Adobe\Color|*.lst
    FileKey13=%LocalAppData%\Adobe\TypeSupport|*.lst
    FileKey14=%UserProfile%\AppData\LocalLow\Adobe\Acrobat\DC|*-journal;Exchange-ProMessages
    FileKey15=%UserProfile%\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\DesktopNotification\NotificationsDB|notificationsDB
    FileKey16=%UserProfile%\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\Eureka\AcroCoreSync\Adobe\CoreSync\EntitySync|*.db-shm;*.db-wal
    FileKey17=%UserProfile%\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\Eureka\AcroCoreSync\CreativeCloud\CoreSync|*.log
    FileKey18=%UserProfile%\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\Synchronizer|*-log.txt
    FileKey19=%UserProfile%\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons|*|RECURSE
    FileKey20=%UserProfile%\AppData\LocalLow\Adobe\Acrobat\DC\Search|*|RECURSE
    FileKey21=%UserProfile%\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache|*|RECURSE
    FileKey22=%UserProfile%\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cookie|*-journal
    RegKey1=HKCU\Software\Adobe\Adobe Acrobat\11.0\AVGeneral\cRecentFolders
    RegKey2=HKCU\Software\Adobe\Adobe Acrobat\2015\AVGeneral\cRecentFiles
    RegKey3=HKCU\Software\Adobe\Adobe Acrobat\2015\AVGeneral\cRecentFolders
    RegKey4=HKCU\Software\Adobe\Adobe Acrobat\2017\AVGeneral\cRecentFiles
    RegKey5=HKCU\Software\Adobe\Adobe Acrobat\2017\AVGeneral\cRecentFolders
    RegKey6=HKCU\Software\Adobe\Adobe Acrobat\2020\AVGeneral\cRecentFiles
    RegKey7=HKCU\Software\Adobe\Adobe Acrobat\2020\AVGeneral\cRecentFolders
    RegKey8=HKCU\Software\Adobe\Adobe Acrobat\DC\AVConnector\cIconCache
    RegKey9=HKCU\Software\Adobe\Adobe Acrobat\DC\AVConversionFromPDF\cSettings
    RegKey10=HKCU\Software\Adobe\Adobe Acrobat\DC\AVConversionToPDF\cSettings
    RegKey11=HKCU\Software\Adobe\Adobe Acrobat\DC\AVGeneral|iNumAcrobatLaunches
    RegKey12=HKCU\Software\Adobe\Adobe Acrobat\DC\AVGeneral|iNumOfAVDocsOpened
    RegKey13=HKCU\Software\Adobe\Adobe Acrobat\DC\AVGeneral|uLastAppLaunchTimeStamp
    RegKey14=HKCU\Software\Adobe\Adobe Acrobat\DC\AVGeneral\cDockables
    RegKey15=HKCU\Software\Adobe\Adobe Acrobat\DC\AVGeneral\cRecentFiles
    RegKey16=HKCU\Software\Adobe\Adobe Acrobat\DC\AVGeneral\cRecentFolders
    RegKey17=HKCU\Software\Adobe\Adobe Acrobat\DC\AVGeneral\cRecentToolsList
    RegKey18=HKCU\Software\Adobe\Adobe Acrobat\DC\AVGeneral\cToolbars
    RegKey19=HKCU\Software\Adobe\Adobe Acrobat\DC\CompoundDocs\cStoredBinder
    RegKey20=HKCU\Software\Adobe\Adobe Acrobat\DC\RememberedViews\cNoCategoryFiles
    RegKey21=HKCU\Software\Adobe\Adobe Acrobat\DC\SessionManagement|uLastAppExitTimeStamp
    RegKey22=HKCU\Software\Adobe\Adobe Acrobat\DC\ShareIdentity
    RegKey23=HKCU\Software\Adobe\Adobe Synchronizer\DC

  12. Revised Entry

    [Windows Shell - Folder View Settings *]
    LangSecRef=3025
    Detect=HKCU\Software\Microsoft\Windows
    RegKey1=HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
    RegKey2=HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
    RegKey3=HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU
    RegKey4=HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags

    On XP:
    HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU
    HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags

    Windows after XP:
    HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
    HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags

    Removed unnecessary:
    HKCU\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
    HKCU\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\Bags

    https://www.jeroentielen.nl/explaining-the-bagsbagmru-registry-tree-trying/


    New Entries

    [Windows Shell - Desktop View Settings *]
    LangSecRef=3025
    Detect=HKCU\Software\Microsoft\Windows
    Warning=This will reset Desktop view settings to default.
    RegKey1=HKCU\Software\Microsoft\Windows\Shell\BagMRU
    RegKey2=HKCU\Software\Microsoft\Windows\Shell\Bags

    This resets Desktop view settings to default. It also removes the history of previously removed Desktop shortcuts.


    [Notification Area Icons Cache *]
    LangSecRef=3025
    Detect=HKCU\Software\Microsoft\Windows
    RegKey1=HKEY_CURRENT_USER\Control Panel\NotifyIconSettings
    RegKey2=HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify
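
A small lint pass over entries in this format, as an added example that is not part of the original posts or of any Winapp2 tooling. It flags a FileKey with no file pattern (as in FileKey2 of the [Wondershare Dr.Fone *] entry in post 7), long registry root names where the other entries use HKCU/HKLM (as in the entry above), unknown flags and numbering gaps. The rules are assumptions drawn from the entries on this page, and the third sample entry is constructed.

```python
import re

# Conventions checked here are assumptions drawn from the entries on this page,
# not an official Winapp2.ini specification.
KEY_RE = re.compile(r"^(DetectFile|Detect|FileKey|RegKey)(\d*)$")
FILE_FLAGS = {"RECURSE", "REMOVESELF"}
LONG_ROOTS = ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE",
              "HKEY_USERS", "HKEY_CLASSES_ROOT")

# First two entries are abridged from the page; the third is constructed.
SAMPLE = r"""
[Wondershare Dr.Fone *]
LangSecRef=3021
DetectFile=%ProgramFiles%\Wondershare\Wondershare Dr.Fone
FileKey1=%AppData%\DataEraser_Temp|*.*|RECURSE
FileKey2=%ProgramData%\Wondershare\dr.fone\ThumbnailCache
FileKey3=%ProgramData%\Wondershare\dr.fone\log|*.log

[Notification Area Icons Cache *]
LangSecRef=3025
Detect=HKCU\Software\Microsoft\Windows
RegKey1=HKEY_CURRENT_USER\Control Panel\NotifyIconSettings
RegKey2=HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify

[Constructed Example *]
LangSecRef=3021
Detect=HKCU\Software\Example
FileKey1=%AppData%\Example\Logs|*.log|RECURS
FileKey3=%AppData%\Example\Cache|*|REMOVESELF
"""


def parse_entries(text):
    """Split Winapp2-style text into {entry name: [(key, value), ...]}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = entries.setdefault(line[1:-1], [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current.append((key.strip(), value.strip()))
    return entries


def lint_entry(pairs):
    """Return a list of findings for one entry's (key, value) pairs."""
    findings, numbers = [], {}
    for key, value in pairs:
        match = KEY_RE.match(key)
        if not match:
            continue  # LangSecRef, Warning, ... are not checked here
        kind, num = match.groups()
        numbers.setdefault(kind, []).append(int(num) if num else None)
        if kind == "FileKey":
            # Expected shape: path|pattern[|FLAG]
            parts = value.split("|")
            if len(parts) < 2 or not parts[1]:
                findings.append(f"{key}: no file pattern after the path")
            for flag in parts[2:]:
                if flag not in FILE_FLAGS:
                    findings.append(f"{key}: unknown flag {flag!r}")
        elif kind in ("RegKey", "Detect"):
            if value.upper().startswith(LONG_ROOTS):
                findings.append(f"{key}: long registry root, page uses HKCU/HKLM")
    for kind, nums in numbers.items():
        # A single Detect/DetectFile is written without a number on this page.
        if kind in ("FileKey", "RegKey") or len(nums) > 1:
            if nums != list(range(1, len(nums) + 1)):
                findings.append(f"{kind}: numbering is not 1..{len(nums)} in order")
    return findings


def lint_text(text):
    """Lint every entry in the text; returns {entry name: [findings]}."""
    return {name: lint_entry(pairs) for name, pairs in parse_entries(text).items()}


if __name__ == "__main__":
    for name, findings in lint_text(SAMPLE).items():
        for finding in findings:
            print(f"[{name}] {finding}")
```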

     

  13. Revised entry

    Added: %CommonAppData%\Wondershare\dr.fone\ThumbnailCache|*.*|RECURSE

    [Wondershare Dr.Fone *]
    LangSecRef=3021
    DetectFile=%ProgramFiles%\Wondershare\Wondershare Dr.Fone
    FileKey1=%AppData%\DataEraser_Temp|*.*|RECURSE
    FileKey2=%CommonAppData%\Wondershare\dr.fone\ThumbnailCache|*.*|RECURSE
    FileKey3=%CommonAppData%\Wondershare\dr.fone\Wondershare_DataEraser_Clean|*.*|RECURSE
    FileKey4=%CommonAppData%\Wondershare\DriverInstall|*.log
    FileKey5=%CommonAppData%\Wondershare\WSRoot|*.tmp
    FileKey6=%CommonAppData%\WsAppHelper\Dr.Fone|*.log
    FileKey7=%ProgramFiles%\Wondershare\MirrorGo\Log|*.*|RECURSE

  14. On 20/03/2023 at 23:35, SMalik said:

    I think we should have a separate entry for Intel Driver and Support Assistant

    [Intel Driver and Support Assistant *]
    LangSecRef=3024
    Detect=HKCU\Software\Intel\Driver and Support Assistant
    FileKey1=%CommonAppData%\Intel\DSA\Logs|*.bak;*.log;*.txt
    FileKey2=%CommonAppData%\Intel\GCC|*.txt
    FileKey3=%CommonAppData%\Intel\Intel Extreme Tuning Utility\Logs|*.*|RECURSE
    FileKey4=%CommonAppData%\Intel\Logs|*.*|RECURSE
    FileKey5=%WinDir%\System32\config\systemprofile\AppData\Local\Intel\GCC|*.txt

    [Intel Driver & Support Assistant *]
    LangSecRef=3024
    Detect=HKCU\Software\Intel\Driver and Support Assistant
    FileKey1=%CommonAppData%\Intel\DSA\Logs|*.bak;*.log;*.txt
    FileKey2=%CommonAppData%\Intel\GCC|*.txt
    FileKey3=%CommonAppData%\Intel\Intel Extreme Tuning Utility\Logs|*.*|RECURSE
    FileKey4=%CommonAppData%\Intel\Logs|*.*|RECURSE
    FileKey5=%WinDir%\System32\config\systemprofile\AppData\Local\Intel\GCC|*.txt

  15. I think we should have a separate entry for Intel Driver and Support Assistant

    [Intel Driver and Support Assistant *]
    LangSecRef=3024
    Detect=HKCU\Software\Intel\Driver and Support Assistant
    FileKey1=%CommonAppData%\Intel\DSA\Logs|*.bak;*.log;*.txt
    FileKey2=%CommonAppData%\Intel\GCC|*.txt
    FileKey3=%CommonAppData%\Intel\Intel Extreme Tuning Utility\Logs|*.*|RECURSE
    FileKey4=%CommonAppData%\Intel\Logs|*.*|RECURSE
    FileKey5=%WinDir%\System32\config\systemprofile\AppData\Local\Intel\GCC|*.txt

  16. Revised entry

    Added: FileKey6

    [Windows Installer *]
    LangSecRef=3025
    Detect=HKLM\Software\Microsoft\Windows\CurrentVersion\Installer
    FileKey1=%SystemDrive%\Config.msi|*|REMOVESELF
    FileKey2=%WinDir%\Installer|*.tmp|RECURSE
    FileKey3=%WinDir%\Installer|SourceHash{*};wix{*}.SchedServiceConfig.rmi
    FileKey4=%WinDir%\Installer\Config.Msi|*|REMOVESELF
    FileKey5=%WinDir%\Installer\MSI*.tmp-|*|REMOVESELF
    FileKey6=%WinDir%\System32\config\systemprofile\AppData\Local|*.tmp|RECURSE

  17. Revised entry

    Changed FileKey4 to |*.*|RECURSE

    [Wondershare UniConverter *]
    LangSecRef=3023
    Detect1=HKLM\Software\Wondershare\Wondershare UniConverter
    Detect2=HKLM\Software\Wondershare\Wondershare UniConverter 13
    FileKey1=%CommonAppData%\Wondershare\ProductFeatures\*Logs|*.*|RECURSE
    FileKey2=%CommonAppData%\Wondershare\UniConverter*\DataTrack|tmp;*.bak;*.log
    FileKey3=%CommonAppData%\Wondershare\UniConverter*\TempThumbDir|*.*|RECURSE
    FileKey4=%CommonAppData%\Wondershare\UniConverter*\UpdatePackge|*.*|RECURSE
    FileKey5=%CommonAppData%\Wondershare\WAF\ProductFeatures\*Logs|*.*|RECURSE
    FileKey6=%ProgramFiles%\Wondershare\*UniConverter*\Log|*.*|RECURSE
    FileKey7=%Public%\Documents\Wondershare|*.*|REMOVESELF
    FileKey8=%SystemDrive%|logWSVCUUpdateHelper.log
    FileKey9=%SystemDrive%\Wondershare UniConverter\Downloaded\temp|*.*|REMOVESELF
    FileKey10=%UserProfile%\.cache|*.*|REMOVESELF

  18. Revised entry

    This should be removed: %AppData%\Techsmith\Snagit\Preferences\Output\*|*.*|REMOVESELF

    [Snagit *]
    LangSecRef=3021
    Detect=HKCU\Software\TechSmith\Snagit
    FileKey1=%CommonAppData%\TechSmith\Uploader|*.log
    FileKey2=%Documents%|SnagitDebug.log
    FileKey3=%Documents%\Snagit|*.snagx
    FileKey4=%Documents%\Snagit\.metadata|*.*|RECURSE
    FileKey5=%LocalAppData%\TechSmith\Logs|*.log
    FileKey6=%LocalAppData%\TechSmith\Snagit|Tray.bin
    FileKey7=%LocalAppData%\TechSmith\Snagit\*\NativeCrashReporting\Reports|*.dmp|RECURSE
    FileKey8=%LocalAppData%\TechSmith\Snagit\*\WebView2Cache\EBWebView\*\GPUCache|*.*|REMOVESELF
    FileKey9=%LocalAppData%\TechSmith\Snagit\CrashDumps|*.*|RECURSE
    FileKey10=%LocalAppData%\TechSmith\Snagit\DataStore\AppIcons|*.ico
    FileKey11=%LocalAppData%\TechSmith\Snagit\DataStore\WebSiteIcons|*.ico
    FileKey12=%LocalAppData%\TechSmith\Snagit\Thumbnails|*.*|RECURSE
    FileKey13=%LocalAppData%\TechSmith\Snagit\TrackerbirdFiles|*.log;*.logtmp
    FileKey14=%Public%\TechSmith\Snagit\License|*.cache;*.log
    RegKey1=HKCU\Software\TechSmith\Snagit\9|StampCustomFolder
    RegKey2=HKCU\Software\TechSmith\Snagit\10|StampCustomFolder
    RegKey3=HKCU\Software\TechSmith\Snagit\11|CaptureCount
    RegKey4=HKCU\Software\TechSmith\Snagit\11|CaptureOpenCount
    RegKey5=HKCU\Software\TechSmith\Snagit\11|OutputDirLastUsed
    RegKey6=HKCU\Software\TechSmith\Snagit\11|VidOutputDirLastUsed
    RegKey7=HKCU\Software\TechSmith\Snagit\11\SnagItEditor\Tray|Thumbnailsize
    RegKey8=HKCU\Software\TechSmith\Snagit\12|CaptureCount
    RegKey9=HKCU\Software\TechSmith\Snagit\12|CaptureOpenCount
    RegKey10=HKCU\Software\TechSmith\Snagit\12|OutputDirLastUsed
    RegKey11=HKCU\Software\TechSmith\Snagit\12|VidOutputDirLastUsed
    RegKey12=HKCU\Software\TechSmith\Snagit\12\SnagItEditor\Tray|Thumbnailsize
    RegKey13=HKCU\Software\TechSmith\Snagit\13|CaptureCount
    RegKey14=HKCU\Software\TechSmith\Snagit\13|CaptureOpenCount
    RegKey15=HKCU\Software\TechSmith\Snagit\13|OutputDirLastUsed
    RegKey16=HKCU\Software\TechSmith\Snagit\13|VidOutputDirLastUsed
    RegKey17=HKCU\Software\TechSmith\Snagit\13\Recent Captures
    RegKey18=HKCU\Software\TechSmith\Snagit\13\SnagitEditor\Recent File List
    RegKey19=HKCU\Software\TechSmith\Snagit\13\SnagItEditor\Tray|Thumbnailsize
    RegKey20=HKCU\Software\TechSmith\Snagit\18|CaptureCount
    RegKey21=HKCU\Software\TechSmith\Snagit\18|CaptureOpenCount
    RegKey22=HKCU\Software\TechSmith\Snagit\18|OutputDirLastUsed
    RegKey23=HKCU\Software\TechSmith\Snagit\18|VidOutputDirLastUsed
    RegKey24=HKCU\Software\TechSmith\Snagit\18\Recent Captures
    RegKey25=HKCU\Software\TechSmith\Snagit\18\SnagitEditor\Recent File List
    RegKey26=HKCU\Software\TechSmith\Snagit\18\SnagItEditor\Tray|Thumbnailsize
    RegKey27=HKCU\Software\TechSmith\Snagit\19|CaptureCount
    RegKey28=HKCU\Software\TechSmith\Snagit\19|CaptureOpenCount
    RegKey29=HKCU\Software\TechSmith\Snagit\19|OutputDirLastUsed
    RegKey30=HKCU\Software\TechSmith\Snagit\19|VidOutputDirLastUsed
    RegKey31=HKCU\Software\TechSmith\Snagit\19\Recent Captures
    RegKey32=HKCU\Software\TechSmith\Snagit\19\SnagitEditor\Recent File List
    RegKey33=HKCU\Software\TechSmith\Snagit\19\SnagItEditor\Tray|Thumbnailsize
    RegKey34=HKCU\Software\TechSmith\Snagit\20|CaptureCount
    RegKey35=HKCU\Software\TechSmith\Snagit\20|CaptureOpenCount
    RegKey36=HKCU\Software\TechSmith\Snagit\20|OutputDirLastUsed
    RegKey37=HKCU\Software\TechSmith\Snagit\20|VidOutputDirLastUsed
    RegKey38=HKCU\Software\TechSmith\Snagit\20\Recent Captures
    RegKey39=HKCU\Software\TechSmith\Snagit\20\SnagitEditor\Recent File List
    RegKey40=HKCU\Software\TechSmith\Snagit\20\SnagItEditor\Tray|Thumbnailsize
    RegKey41=HKCU\Software\TechSmith\Snagit\21|CaptureCount
    RegKey42=HKCU\Software\TechSmith\Snagit\21|CaptureOpenCount
    RegKey43=HKCU\Software\TechSmith\Snagit\21|OutputDirLastUsed
    RegKey44=HKCU\Software\TechSmith\Snagit\21|VidOutputDirLastUsed
    RegKey45=HKCU\Software\TechSmith\Snagit\21\Recent Captures
    RegKey46=HKCU\Software\TechSmith\Snagit\21\SnagitEditor\Recent File List
    RegKey47=HKCU\Software\TechSmith\Snagit\21\SnagItEditor\Tray|Thumbnailsize
    RegKey48=HKCU\Software\TechSmith\Snagit\22|CaptureCount
    RegKey49=HKCU\Software\TechSmith\Snagit\22|CaptureOpenCount
    RegKey50=HKCU\Software\TechSmith\Snagit\22|OutputDirLastUsed
    RegKey51=HKCU\Software\TechSmith\Snagit\22|VidOutputDirLastUsed
    RegKey52=HKCU\Software\TechSmith\Snagit\22\Recent Captures
    RegKey53=HKCU\Software\TechSmith\Snagit\22\SnagitEditor\Recent File List
    RegKey54=HKCU\Software\TechSmith\Snagit\22\SnagItEditor\Tray|Thumbnailsize


  19. Revised entry

    Changed DetectFile
    Added FileKeys 1, 3, 4, 9, 10

    [Wondershare Dr.Fone *]
    LangSecRef=3021
    DetectFile=%ProgramFiles%\Wondershare\Wondershare Dr.Fone
    FileKey1=%AppData%\DataEraser_Temp|*.*|RECURSE
    FileKey2=%CommonAppData%\Wondershare\dr.fone\log|*.*|RECURSE
    FileKey3=%CommonAppData%\Wondershare\dr.fone\Wondershare_DataEraser_Clean|*.*|RECURSE
    FileKey4=%CommonAppData%\Wondershare\DriverInstall|*.log
    FileKey5=%CommonAppData%\Wondershare\WAF\Log|*.*|RECURSE
    FileKey6=%CommonAppData%\Wondershare\WAF\ProductFeatures\*Logs|*.*|RECURSE
    FileKey7=%CommonAppData%\Wondershare\WSRoot|*.tmp
    FileKey8=%CommonAppData%\Wondershare\WSRoot\Logs|*.*|RECURSE
    FileKey9=%CommonAppData%\WsAppHelper\Dr.Fone|*.log
    FileKey10=%ProgramFiles%\Wondershare\MirrorGo\Log|*.*|RECURSE
