Jump to content
CCleaner Community Forums
Winapp2.ini

Winapp2.ini additions

Recommended Posts

Revised Entry

Changed Detect to DetectFile. Added fsc.db and fsrec.db.

http://forum.piriform.com/index.php?showtopic=32310&p=264709

 

[FastStone Capture More*]
LangSecRef=3024
DetectFile=%AppData%\FastStone\FSC
Default=False
FileKey1=%LocalAppData%\FastStone\FSC|fsc.db;fsrec.db
FileKey2=%AppData%\FastStone\FSC|fsc.db;fsrec.db
RegKey1=HKCU\Software\FastStone|_GrbId
RegKey2=HKCU\Software\FastStone|_LastClipPlayed
RegKey3=HKCU\Software\FastStone|_LastRecordingFileName

Share this post


Link to post
Share on other sites

I think it's FileKey2=%LocalAppData%\Microsoft\Vault\*|*.vcrd

Thanks that did the trick, I split it into two entries and added a warning:

 

 

[Internet Explorer 10/11*]
LangSecRef=3022
DetectFile=%LocalAppData%\Microsoft\Windows\WebCache
Default=False
FileKey1=%LocalAppData%\Microsoft\SmartScreen|*.tmp
FileKey2=%LocalAppData%\Microsoft\Windows\AppCache|*.*|RECURSE
FileKey3=%LocalAppData%\Microsoft\Windows\IECompatCache|*.*|RECURSE
FileKey4=%LocalAppData%\Microsoft\Windows\IECompatUACache|*.*|RECURSE
FileKey5=%LocalAppData%\Microsoft\Windows\INetCache|*.*|RECURSE
FileKey6=%LocalAppData%\Microsoft\Windows\WebCache|*.*|RECURSE
FileKey7=%LocalAppData%\Microsoft\Windows\WebCache.old|*.*|REMOVESELF
FileKey8=%LocalLowAppData%\Microsoft\Windows\AppCache|*.*|RECURSE
FileKey9=%WinDir%\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache|*.*|RECURSE
RegKey1=HKCU\Software\Microsoft\Internet Explorer\TypedURLSTime

[Internet Explorer 10/11 Vault Cache*]
LangSecRef=3022
DetectFile=%LocalAppData%\Microsoft\Windows\WebCache
Default=False
Warning=This will clear the saved passwords in the Windows 10 Mail App
FileKey1=%LocalAppData%\Microsoft\Vault\*|*.vcrd

How should we seperate the Windows 8.1 and Windows 10 Metro Apps. Most of the Windows 10 App paths are different.

Just the detects? I haven't done a fresh install so I'm not sure what's different. If it's just the detects maybe add DetectFile1 & DetectFile2. The FileKeys seem to be the same for me.

Share this post


Link to post
Share on other sites

Revised Entry

Added: HKCU\Software\Microsoft\Office\15.0\Word\Recent Templates

 

[MS Office Word More*]
LangSecRef=3021
Detect1=HKCU\Software\Microsoft\Office\12.0
Detect2=HKCU\Software\Microsoft\Office\14.0
Detect3=HKCU\Software\Microsoft\Office\15.0
Default=False
RegKey1=HKCU\Software\Microsoft\Office\15.0\Word\Reading Locations
RegKey2=HKCU\Software\Microsoft\Office\15.0\Word\Recent Templates
FileKey1=%AppData%\Microsoft\Word|*.*|RECURSE
FileKey2=%Documents%|~*.doc|RECURSE
ExcludeKey1=FILE|%AppData%\Microsoft\Word\listgal.dat
ExcludeKey2=PATH|%AppData%\Microsoft\Word\STARTUP

Share this post


Link to post
Share on other sites

Revised Entries

Changed the names from [Facebook Metro More*] & [internet Explorer Metro*] as these entries are already under Windows Metro Apps

 

[Facebook More*]
LangSecRef=3031
Detect=HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Facebook.Facebook_8xx8rvfyw5nnt
DetectFile=%LocalAppData%\Packages\Facebook.Facebook_8xx8rvfyw5nnt
Default=False
FileKey1=%LocalAppData%\Packages\*Facebook_*\LocalState|*.*|RECURSE

 

[internet Explorer*]
LangSecRef=3031
Detect=HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows_ie_ac_001
DetectFile=%LocalAppData%\Packages\windows_ie_ac_001
Default=False
FileKey1=%LocalAppData%\Packages\windows_ie_ac_*\AC\AppCache|*.*|RECURSE
FileKey2=%LocalAppData%\Packages\windows_ie_ac_*\AC\INetCache|*.*|RECURSE
FileKey3=%LocalAppData%\Packages\windows_ie_ac_*\AC\INetCookies|*.*|RECURSE
FileKey4=%LocalAppData%\Packages\windows_ie_ac_*\AC\INetHistory|*.*|RECURSE
FileKey5=%LocalAppData%\Packages\windows_ie_ac_*\AC\Microsoft\CLR_v4.0\UsageLogs|*.*|RECURSE
FileKey6=%LocalAppData%\Packages\windows_ie_ac_*\AC\Microsoft\CryptnetUrlCache\Content|*.*
FileKey7=%LocalAppData%\Packages\windows_ie_ac_*\AC\Microsoft\CryptnetUrlCache\MetaData|*.*
FileKey8=%LocalAppData%\Packages\windows_ie_ac_*\AC\Microsoft\Internet Explorer\DOMStore|*.*|RECURSE
FileKey9=%LocalAppData%\Packages\windows_ie_ac_*\AC\PRICache|*.*
FileKey10=%LocalAppData%\Packages\windows_ie_ac_*\AC\Temp|*.*
FileKey11=%LocalAppData%\Packages\windows_ie_ac_*\LocalState\Cache|*.*|RECURSE
FileKey12=%LocalAppData%\Packages\windows_ie_ac_*\LocalState\navigationHistory|*.*|RECURSE
FileKey13=%LocalAppData%\Packages\windows_ie_ac_*\TempState|*.*|RECURSE
RegKey1=HKCR\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\DOMStorage

Share this post


Link to post
Share on other sites

Revised Entry

Merged [iETldCache*], [internet Explorer 10/11*] and [internet Explorer Icon Cache*] into [internet Explorer More*].

 

[internet Explorer More*]
LangSecRef=3022
Detect=HKCU\Software\Microsoft\Internet Explorer
Default=False
FileKey1=%SystemDrive%\Documents and Settings\Default User\Application Data\Microsoft\Internet Explorer|brndlog.bak;brndlog.txt
FileKey2=%SystemDrive%\Documents and Settings\LocalService\IETldCache|*.*|RECURSE
FileKey3=%SystemDrive%\Documents and Settings\NetworkService\IETldCache|*.*|RECURSE
FileKey4=%LocalAppData%\Microsoft\Internet Explorer|frameiconcache.dat;tabiconcache.dat
FileKey5=%LocalAppData%\Microsoft\Internet Explorer|brndlog.txt;brndlog.bak
FileKey6=%LocalAppData%\Microsoft\Internet Explorer\Recovery\Last Active|*.*|RECURSE
FileKey7=%LocalAppData%\Microsoft\SmartScreen|*.tmp
FileKey8=%LocalAppData%\Microsoft\Windows\AppCache|*.*|RECURSE
FileKey9=%LocalAppData%\Microsoft\Windows\IECompatCache|*.*|RECURSE
FileKey10=%LocalAppData%\Microsoft\Windows\IECompatUACache|*.*|RECURSE
FileKey11=%LocalAppData%\Microsoft\Windows\INetCache|*.*|RECURSE
FileKey12=%LocalAppData%\Microsoft\Windows\WebCache|*.*|RECURSE
FileKey13=%LocalAppData%\Microsoft\Windows\WebCache.old|*.*|REMOVESELF
FileKey14=%LocalLowAppData%\Microsoft\Internet Explorer\iconcache|*.*|RECURSE
FileKey15=%LocalLowAppData%\Microsoft\Windows\AppCache|*.*|RECURSE
FileKey16=%AppData%\Microsoft\Internet Explorer|brndlog.bak;brndlog.txt
FileKey17=%AppData%\Microsoft\Internet Explorer\UserData|*.*|RECURSE
FileKey18=%WinDir%\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\IETldCache|*.*|RECURSE
FileKey19=%WinDir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\IETldCache|*.*|RECURSE
FileKey20=%WinDir%\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache|*.*|RECURSE
FileKey21=%WinDir%\System32\config\SystemProfile\AppData\LocalLow\Microsoft\Internet Explorer|brndlog.bak;brndlog.txt
FileKey22=%WinDir%\System32\config\SystemProfile\Application Data\Microsoft\Internet Explorer|brndlog.bak;brndlog.txt
RegKey1=HKCU\Software\Microsoft\Internet Explorer\International|CNum_CpCache
RegKey2=HKCU\Software\Microsoft\Internet Explorer\International|CpCache
RegKey3=HKCU\Software\Microsoft\Internet Explorer\International\CpMRU
RegKey4=HKCU\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore
RegKey5=HKCU\Software\Microsoft\Internet Explorer\PageSetup
RegKey6=HKCU\Software\Microsoft\Internet Explorer\Recovery\PendingDelete
RegKey7=HKCU\Software\Microsoft\Internet Explorer\TypedURLSTime
RegKey8=HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats

Share this post


Link to post
Share on other sites

Thanks that did the trick, I split it into two entries and added a warning:

 

 

[Internet Explorer 10/11*]
LangSecRef=3022
DetectFile=%LocalAppData%\Microsoft\Windows\WebCache
Default=False
FileKey1=%LocalAppData%\Microsoft\SmartScreen|*.tmp
FileKey2=%LocalAppData%\Microsoft\Windows\AppCache|*.*|RECURSE
FileKey3=%LocalAppData%\Microsoft\Windows\IECompatCache|*.*|RECURSE
FileKey4=%LocalAppData%\Microsoft\Windows\IECompatUACache|*.*|RECURSE
FileKey5=%LocalAppData%\Microsoft\Windows\INetCache|*.*|RECURSE
FileKey6=%LocalAppData%\Microsoft\Windows\WebCache|*.*|RECURSE
FileKey7=%LocalAppData%\Microsoft\Windows\WebCache.old|*.*|REMOVESELF
FileKey8=%LocalLowAppData%\Microsoft\Windows\AppCache|*.*|RECURSE
FileKey9=%WinDir%\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache|*.*|RECURSE
RegKey1=HKCU\Software\Microsoft\Internet Explorer\TypedURLSTime

[Internet Explorer 10/11 Vault Cache*]
LangSecRef=3022
DetectFile=%LocalAppData%\Microsoft\Windows\WebCache
Default=False
Warning=This will clear the saved passwords in the Windows 10 Mail App
FileKey1=%LocalAppData%\Microsoft\Vault\*|*.vcrd

Just the detects? I haven't done a fresh install so I'm not sure what's different. If it's just the detects maybe add DetectFile1 & DetectFile2. The FileKeys seem to be the same for me.

I think we shouldn't even include [internet Explorer 10/11 Vault Cache*] since it is causing issues. .vcrd is not a cache, it is actually a password file. If we really want to remove it, then let's do it the way listed below.

 

[internet Explorer Vault*]

LangSecRef=3022

Detect=HKCU\Software\Microsoft\Internet Explorer

Default=False

Warning=This will clear the saved passwords in the Windows Mail App

FileKey1=%LocalAppData%\Microsoft\Vault\*|*.vcrd

Share this post


Link to post
Share on other sites
New:
[OcenAudio (MRU)*]
LangSecRef=3023
Detect=HKCU\Software\OcenAudio
Detect2=HKLM\Software\OcenAudio
Default=False
FileKey1=%LocalAppData%\OcenAudio|ocen.database

 

Share this post


Link to post
Share on other sites

Added FileKey2
 

[PowerShell Cache*]
LangSecRef=3024
Detect=HKLM\Software\Microsoft\PowerShell
Default=False
FileKey1=%LocalAppData%\Microsoft\Windows\PowerShell\CommandAnalysis|*.*|RECURSE
FileKey2=%AppData%\Microsoft\Windows\PowerShell\PSReadline|*.*|RECURSE

Share this post


Link to post
Share on other sites

Modified entry: Added FileKey2 and FileKey4.

[Maintenance Service*]
LangSecRef=3026
SpecialDetect=DET_MOZILLA
Default=False
FileKey1=%CommonAppData%\Mozilla*\logs|*.*
FileKey2=%ProgramFiles%\Mozilla Maintenance Service\logs|*.log
FileKey3=%LocalAppData%\VirtualStore\ProgramData\Mozilla*\logs|*.*
FileKey4=%LocalAppData%\VirtualStore\ProgramFiles*\Mozilla Maintenance Service\logs|*.log

Share this post


Link to post
Share on other sites

Modified entry requested:  [internet Explorer 10/11*] (Referencing the previously entered modification above.)

[Internet Explorer 10/11*]
LangSecRef=3022
DetectFile=%LocalAppData%\Microsoft\Windows\WebCache
Default=False
FileKey1=%LocalAppData%\Microsoft\SmartScreen|*.tmp
FileKey2=%LocalAppData%\Microsoft\Windows\AppCache|*.*|RECURSE
FileKey3=%LocalAppData%\Microsoft\Windows\IECompatCache|*.*|RECURSE
FileKey4=%LocalAppData%\Microsoft\Windows\IECompatUACache|*.*|RECURSE
FileKey5=%LocalAppData%\Microsoft\Windows\INetCache\Low\|*.*|RECURSE
FileKey6=%LocalAppData%\Microsoft\Windows\WebCache|*.*|RECURSE
FileKey7=%LocalAppData%\Microsoft\Windows\WebCache.old|*.*|REMOVESELF
FileKey8=%LocalLowAppData%\Microsoft\Windows\AppCache|*.*|RECURSE
FileKey9=%WinDir%\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache|*.*|RECURSE
RegKey1=HKCU\Software\Microsoft\Internet Explorer\TypedURLSTime

Modified FileKey5 from FileKey5=%LocalAppData%\Microsoft\Windows\INetCache|*.*|RECURSE to FileKey5=%LocalAppData%\Microsoft\Windows\INetCache\Low\|*.*|RECURSE

 

Reason:  Clearing the entire INetCache folder kills the Album Art "folder cover" switching on certain music player gadgets.  The gadgets can no longer display the album cover of the currently playing .mp3.  These players use the WMP plugin instead of using the full blown WMPlayer.exe.  This is on systems where third party software has been added to re-incorporate Windows Sidebar into Windows 8 and Windows 10. 

Share this post


Link to post
Share on other sites

Does anyone know whether deleting the numerous .etl files in %CommonData%\USOShared\Logs will have any negative impact on Windows 10?  It appears to be related to Windows Update checking.  I think it is just a log file area for Windows Update to log results of running a Windows Update check.  However I cannot find much about it on the web.  The Log folder looks like it will grow quite large if not cleaned out. 

Share this post


Link to post
Share on other sites

Does anyone know whether deleting the numerous .etl files in %CommonData%\USOShared\Logs will have any negative impact on Windows 10?  It appears to be related to Windows Update checking.  I think it is just a log file area for Windows Update to log results of running a Windows Update check.  However I cannot find much about it on the web.  The Log folder looks like it will grow quite large if not cleaned out. 

 

In that folder I have:

NotificationUx.001.etl - NotificationUx.010.etl

NotificationUxBroker.001.etl - NotificationUxBroker.100.etl

UpdateSessionOrchestration.001.etl - UpdateSessionOrchestration.080.etl

UpdateUx.001.etl - UpdateUx.032.etl

If they don't go any higher then those they might just write over themselves.

Share this post


Link to post
Share on other sites

just a heads up, the ccleaner update may fall on the day I'll be moving back for school, so the winapp2 update may be late this month

Share this post


Link to post
Share on other sites

Revised Entry

Added RegKey1

 

[Notification Cache*]
DetectOS=6.2|
LangSecRef=3025
Default=False
FileKey1=%LocalAppData%\Microsoft\Windows\Notifications|*.*|RECURSE
RegKey1=HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications

Share this post


Link to post
Share on other sites

RE-Modified Entry:  [internet Explorer 10/11*]

 

Instead of changing FileKey5 for INetCache as recommended by me in the post above, add the following ExcludeKey1:

 

ExcludeKey1=FILE|%LocalAppData%\Microsoft\Windows\INetCache\IE\|container.dat

 

This appears to resolve the issue affecting gadgets in Windows Sidebar as described in my post above.

 

 

 

 

[internet Explorer 10/11**]
LangSecRef=3022
DetectFile=%LocalAppData%\Microsoft\Windows\WebCache
Default=False
FileKey1=%LocalAppData%\Microsoft\SmartScreen|*.tmp
FileKey2=%LocalAppData%\Microsoft\Windows\AppCache|*.*|RECURSE
FileKey3=%LocalAppData%\Microsoft\Windows\IECompatCache|*.*|RECURSE
FileKey4=%LocalAppData%\Microsoft\Windows\IECompatUACache|*.*|RECURSE
FileKey5=%LocalAppData%\Microsoft\Windows\INetCache\|*.*|RECURSE
FileKey6=%LocalAppData%\Microsoft\Windows\WebCache|*.*|RECURSE
FileKey7=%LocalAppData%\Microsoft\Windows\WebCache.old|*.*|REMOVESELF
FileKey8=%LocalLowAppData%\Microsoft\Windows\AppCache|*.*|RECURSE
FileKey9=%WinDir%\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache|*.*|RECURSE
ExcludeKey1=FILE|%LocalAppData%\Microsoft\Windows\INetCache\IE\|container.dat
RegKey1=HKCU\Software\Microsoft\Internet Explorer\TypedURLSTime

Share this post


Link to post
Share on other sites

updated

 

 

 

What's new in winapp2.ini 5.09.150825

General:

04 New Entries
14 Modified Entries
03 Removed Entries

Note:

Change log excludes minor changes (mild pathing changes, key reordering, non-major key tweaks, etc)

Verbose:

------------------------------------------------------------------------------

New Entries:

[AvaFind - Search Cache*]
LangSecRef=3023
Detect=HKLM\Software\Think Less Do More Services\AVA Find
Default=False
FileKey1=%AppData%\AvaFind Data|*00.db

[Devolutions Remote Desktop Manager*]
LangSecRef=3021
DetectFile=%AppData%\Devolutions\RemoteDesktopManager
Default=False
FileKey1=%AppData%\Devolutions\RemoteDesktopManager|*.log;*.log.db
FileKey2=%LocalAppData%\Devolutions\RemoteDesktopManager|*.log;*.log.db

[internet Explorer Vault*]
LangSecRef=3022
Detect=HKCU\Software\Microsoft\Internet Explorer
Default=False
Warning=This will clear the saved passwords in the Windows Mail App
FileKey1=%LocalAppData%\Microsoft\Vault\*|*.vcrd

[OcenAudio (MRU)*]
LangSecRef=3023
Detect=HKCU\Software\OcenAudio
Detect2=HKLM\Software\OcenAudio
Default=False
FileKey1=%LocalAppData%\OcenAudio|ocen.database


------------------------------------------------------------------------------

Modified Entries:

[Facebook More*]
LangSecRef=3031
Detect=HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Facebook.Facebook_8xx8rvfyw5nnt
DetectFile=%LocalAppData%\Packages\Facebook.Facebook_8xx8rvfyw5nnt
Default=False
FileKey1=%LocalAppData%\Packages\*Facebook_*\LocalState|*.*|RECURSE

- Renamed

[Hauppauge WinTV*]
LangSecRef=3024
Detect=HKLM\SOFTWARE\Hauppauge
Default=False
FileKey1=%SystemDrive%\|hcwDriverInstall.txt
FileKey2=%Public%\Videos\Pause Buffer|*.*|RECURSE
FileKey3=%Public%\WinTV\Logs\minidump|*.*|RECURSE

- Renamed
- Removed FileKeys2, 4
 
[internet Explorer*]
LangSecRef=3031
Detect=HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows_ie_ac_001
DetectFile=%LocalAppData%\Packages\windows_ie_ac_001
Default=False
FileKey1=%LocalAppData%\Packages\windows_ie_ac_*\AC\AppCache|*.*|RECURSE
FileKey2=%LocalAppData%\Packages\windows_ie_ac_*\AC\INetCache|*.*|RECURSE
FileKey3=%LocalAppData%\Packages\windows_ie_ac_*\AC\INetCookies|*.*|RECURSE
FileKey4=%LocalAppData%\Packages\windows_ie_ac_*\AC\INetHistory|*.*|RECURSE
FileKey5=%LocalAppData%\Packages\windows_ie_ac_*\AC\Microsoft\CLR_v4.0\UsageLogs|*.*|RECURSE
FileKey6=%LocalAppData%\Packages\windows_ie_ac_*\AC\Microsoft\CryptnetUrlCache\Content|*.*
FileKey7=%LocalAppData%\Packages\windows_ie_ac_*\AC\Microsoft\CryptnetUrlCache\MetaData|*.*
FileKey8=%LocalAppData%\Packages\windows_ie_ac_*\AC\Microsoft\Internet Explorer\DOMStore|*.*|RECURSE
FileKey9=%LocalAppData%\Packages\windows_ie_ac_*\AC\PRICache|*.*
FileKey10=%LocalAppData%\Packages\windows_ie_ac_*\AC\Temp|*.*
FileKey11=%LocalAppData%\Packages\windows_ie_ac_*\LocalState\Cache|*.*|RECURSE
FileKey12=%LocalAppData%\Packages\windows_ie_ac_*\LocalState\navigationHistory|*.*|RECURSE
FileKey13=%LocalAppData%\Packages\windows_ie_ac_*\TempState|*.*|RECURSE
RegKey1=HKCR\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\DOMStorage

- Renamed

[internet Explorer More*]
LangSecRef=3022
Detect=HKCU\Software\Microsoft\Internet Explorer
Default=False
FileKey1=%SystemDrive%\Documents and Settings\Default User\Application Data\Microsoft\Internet Explorer|brndlog.bak;brndlog.txt
FileKey2=%SystemDrive%\Documents and Settings\LocalService\IETldCache|*.*|RECURSE
FileKey3=%SystemDrive%\Documents and Settings\NetworkService\IETldCache|*.*|RECURSE
FileKey4=%LocalAppData%\Microsoft\Internet Explorer|frameiconcache.dat;tabiconcache.dat
FileKey5=%LocalAppData%\Microsoft\Internet Explorer|brndlog.txt;brndlog.bak
FileKey6=%LocalAppData%\Microsoft\Internet Explorer\Recovery\Last Active|*.*|RECURSE
FileKey7=%LocalAppData%\Microsoft\SmartScreen|*.tmp
FileKey8=%LocalAppData%\Microsoft\Windows\AppCache|*.*|RECURSE
FileKey9=%LocalAppData%\Microsoft\Windows\IECompatCache|*.*|RECURSE
FileKey10=%LocalAppData%\Microsoft\Windows\IECompatUACache|*.*|RECURSE
FileKey11=%LocalAppData%\Microsoft\Windows\INetCache\Low\|*.*|RECURSE
FileKey12=%LocalAppData%\Microsoft\Windows\WebCache|*.*|RECURSE
FileKey13=%LocalAppData%\Microsoft\Windows\WebCache.old|*.*|REMOVESELF
FileKey14=%LocalLowAppData%\Microsoft\Internet Explorer\iconcache|*.*|RECURSE
FileKey15=%LocalLowAppData%\Microsoft\Windows\AppCache|*.*|RECURSE
FileKey16=%AppData%\Microsoft\Internet Explorer|brndlog.bak;brndlog.txt
FileKey17=%AppData%\Microsoft\Internet Explorer\UserData|*.*|RECURSE
FileKey18=%WinDir%\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\IETldCache|*.*|RECURSE
FileKey19=%WinDir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\IETldCache|*.*|RECURSE
FileKey20=%WinDir%\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache|*.*|RECURSE
FileKey21=%WinDir%\System32\config\SystemProfile\AppData\LocalLow\Microsoft\Internet Explorer|brndlog.bak;brndlog.txt
FileKey22=%WinDir%\System32\config\SystemProfile\Application Data\Microsoft\Internet Explorer|brndlog.bak;brndlog.txt
RegKey1=HKCU\Software\Microsoft\Internet Explorer\International|CNum_CpCache
RegKey2=HKCU\Software\Microsoft\Internet Explorer\International|CpCache
RegKey3=HKCU\Software\Microsoft\Internet Explorer\International\CpMRU
RegKey4=HKCU\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore
RegKey5=HKCU\Software\Microsoft\Internet Explorer\PageSetup
RegKey6=HKCU\Software\Microsoft\Internet Explorer\Recovery\PendingDelete
RegKey7=HKCU\Software\Microsoft\Internet Explorer\TypedURLSTime
RegKey8=HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats

- Merged [iETldCache*], [internet Explorer 10/11*] and [internet Explorer Icon Cache*] into [internet Explorer More*].

[Maintenance Service*]
LangSecRef=3026
SpecialDetect=DET_MOZILLA
Default=False
FileKey1=%CommonAppData%\Mozilla*\logs|*.*
FileKey2=%ProgramFiles%\Mozilla Maintenance Service\logs|*.log
FileKey3=%LocalAppData%\VirtualStore\ProgramData\Mozilla*\logs|*.*
FileKey4=%LocalAppData%\VirtualStore\ProgramFiles*\Mozilla Maintenance Service\logs|*.log

- Added FileKey2 and 4

[MS Office Word More*]
LangSecRef=3021
Detect1=HKCU\Software\Microsoft\Office\12.0
Detect2=HKCU\Software\Microsoft\Office\14.0
Detect3=HKCU\Software\Microsoft\Office\15.0
Default=False
RegKey1=HKCU\Software\Microsoft\Office\15.0\Word\Reading Locations
RegKey2=HKCU\Software\Microsoft\Office\15.0\Word\Recent Templates
FileKey1=%AppData%\Microsoft\Word|*.*|RECURSE
FileKey2=%Documents%|~*.doc|RECURSE
ExcludeKey1=FILE|%AppData%\Microsoft\Word\listgal.dat
ExcludeKey2=PATH|%AppData%\Microsoft\Word\STARTUP

- Added RegKey2

[Notification Cache*]
DetectOS=6.2|
LangSecRef=3025
Default=False
FileKey1=%LocalAppData%\Microsoft\Windows\Notifications|*.*|RECURSE
RegKey1=HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications

- Added RegKey1

[Paint.NET More*]
LangSecRef=3021
Detect=HKCU\Software\Paint.NET
Default=False
FileKey1=%LocalAppData%\Paint.NET|*.*|RECURSE
RegKey1=HKCU\Software\Paint.NET|LastFileDialogDirectory

- Removed RegKeys2-17

[PowerShell Cache*]
LangSecRef=3024
Detect=HKLM\Software\Microsoft\PowerShell
Default=False
FileKey1=%LocalAppData%\Microsoft\Windows\PowerShell\CommandAnalysis|*.*|RECURSE
FileKey2=%AppData%\Microsoft\Windows\PowerShell\PSReadline|*.*|RECURSE

- Added FileKey2

[search History*]
DetectOS=6.2|
LangSecRef=3025
Detect=HKCU\Software\Microsoft\Windows
Default=False
RegKey1=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SearchHistory

- Removed FileKey1

------------------------------------------------------------------------------
Removed Entries:

[iETldCache*]
LangSecRef=3022
Detect=HKCU\Software\Microsoft\Windows
Default=False
FileKey1=%SystemDrive%\Documents and Settings\LocalService\IETldCache|*.*|RECURSE
FileKey2=%SystemDrive%\Documents and Settings\LocalService.NT*\IETldCache|*.*|RECURSE
FileKey3=%SystemDrive%\Documents and Settings\NetworkService\IETldCache|*.*|RECURSE
FileKey4=%SystemDrive%\Documents and Settings\NetworkService.NT*\IETldCache|*.*|RECURSE
FileKey5=%WinDir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\IETldCache|*.*|RECURSE

- Merged into Internet Explorer More

[internet Explorer 10/11*]
LangSecRef=3022
DetectFile=%LocalAppData%\Microsoft\Windows\WebCache
Default=False
FileKey1=%LocalAppData%\Microsoft\SmartScreen|*.tmp
FileKey2=%LocalAppData%\Microsoft\Windows\AppCache|*.*|RECURSE
FileKey3=%LocalAppData%\Microsoft\Windows\IECompatCache|*.*|RECURSE
FileKey4=%LocalAppData%\Microsoft\Windows\IECompatUACache|*.*|RECURSE
FileKey5=%LocalAppData%\Microsoft\Windows\INetCache|*.*|RECURSE
FileKey6=%LocalAppData%\Microsoft\Windows\WebCache|*.*|RECURSE
FileKey7=%LocalAppData%\Microsoft\Windows\WebCache.old|*.*|REMOVESELF
FileKey8=%LocalLowAppData%\Microsoft\Windows\AppCache|*.*|RECURSE
FileKey9=%WinDir%\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache|*.*|RECURSE
RegKey1=HKCU\Software\Microsoft\Internet Explorer\TypedURLSTime

- Merged into Internet Explorer More

[internet Explorer Icon Cache*]
LangSecRef=3022
Detect=HKCU\Software\Microsoft\Internet Explorer
Default=False
FileKey1=%LocalAppData%\Microsoft\Internet Explorer|frameiconcache.dat;tabiconcache.dat
FileKey2=%LocalLowAppData%\Microsoft\Internet Explorer\iconcache|*.*|RECURSE

- Merged into Internet Explorer More

------------------------------------------------------------------------------

 

 

Share this post


Link to post
Share on other sites

Revised Entry

Added FileKey1 & FileKey2

 

[FastStone Capture More*]
LangSecRef=3024
DetectFile=%AppData%\FastStone\FSC
Default=False
FileKey1=%LocalAppData%\FastStone\FSC|fsc.db
FileKey2=%AppData%\FastStone\FSC|fsc.db
RegKey1=HKCU\Software\FastStone|_GrbId
RegKey2=HKCU\Software\FastStone|_LastClipPlayed
RegKey3=HKCU\Software\FastStone|_LastRecordingFileName

Share this post


Link to post
Share on other sites

New Entry

 

[Microsoft Edge More*]
LangSecRef=3022
Detect=HKCU\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe
DetectFile=%LocalAppData%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe
Default=False
FileKey1=%LocalAppData%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache|*.*|RECURSE
FileKey2=%LocalAppData%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\Microsoft\CryptnetUrlCache|*.*|RECURSE
FileKey3=%LocalAppData%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache|*.*|RECURSE
FileKey4=%LocalAppData%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data|*.*|RECURSE
FileKey5=%LocalAppData%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Indexed\Data|*.*|RECURSE

Share this post


Link to post
Share on other sites

Revised Entries

Merged [Windows XP System Profile*] into the entries listed below. So please remove [Windows XP System Profile*].

 

[LocalSystem Cached Certification Files*]
LangSecRef=3025
Detect=HKLM\Software\Microsoft\Windows
Default=False
FileKey1=%WinDir%\System32\config\SystemProfile\Application Data\Microsoft\CryptnetUrlCache\Content|*.*|RECURSE
FileKey2=%WinDir%\System32\config\SystemProfile\Application Data\Microsoft\CryptnetUrlCache\MetaData|*.*|RECURSE
FileKey3=%WinDir%\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content|*.*|RECURSE
FileKey4=%WinDir%\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData|*.*|RECURSE
FileKey5=%WinDir%\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content|*.*|RECURSE
FileKey6=%WinDir%\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData|*.*|RECURSE

[Windows System Profile*]
LangSecRef=3025
Detect=HKCU\Software\Microsoft\Windows
Default=False
FileKey1=%WinDir%\System32\config\SystemProfile\Cookies|*.*|RECURSE
FileKey2=%WinDir%\System32\config\SystemProfile\IETldCache|*.*|RECURSE
FileKey3=%WinDir%\System32\config\SystemProfile\Local Settings\History|*.*|RECURSE
FileKey4=%WinDir%\System32\config\SystemProfile\Local Settings\Temp|*.*|RECURSE
FileKey5=%WinDir%\System32\config\SystemProfile\Local Settings\Temporary Internet Files|*.*|RECURSE
FileKey6=%WinDir%\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files|*.*|RECURSE
FileKey7=%WinDir%\System32\config\systemprofile\AppData\Local\Temp|*.*|RECURSE
FileKey8=%WinDir%\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies|*.*|RECURSE
FileKey9=%WinDir%\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache|*.*|RECURSE
FileKey10=%WinDir%\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files|*.*|RECURSE
FileKey11=%WinDir%\SysWOW64\config\systemprofile\AppData\Local\Temp|*.*|RECURSE
FileKey12=%WinDir%\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies|*.*|RECURSE
FileKey13=%WinDir%\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache|*.*|RECURSE

Share this post


Link to post
Share on other sites

New Entries

 

[Google Cloud Messaging*]
LangSecRef=3029
SpecialDetect=DET_CHROME
Default=False
FileKey1=%LocalAppData%\Google\Chrome\User Data\*\GCM Store|*.*|RECURSE

 

[Web Applications*]
LangSecRef=3029
SpecialDetect=DET_CHROME
Default=False
FileKey1=%LocalAppData%\Google\Chrome\User Data\*\File System\000\p\Paths|CURRENT;LOCK
FileKey2=%LocalAppData%\Google\Chrome\User Data\*\File System\Origins|CURRENT;LOCK

Share this post


Link to post
Share on other sites

New Entry

Please remove [Jing DataStore*] & [Jing Temp*] entries.

 

[Jing*]
LangSecRef=3024
Detect=HKLM\SOFTWARE\TechSmith\Jing
Default=False
FileKey1=%LocalAppData%\TechSmith\Jing\DataStore|*.*|RECURSE
FileKey2=%LocalAppData%\TechSmith\Jing\Temp|*.*|RECURSE

Share this post


Link to post
Share on other sites

Revised Entries

 

[Registry First Aid (Backups)*]
LangSecRef=3024
Detect=HKCU\Software\KsL Software\RFA
Default=False
FileKey1=%CommonAppData%\RFA_Backups|*.*|RECURSE
FileKey2=%UserProfile%\|NTUSER.tmp;UsrClass.tmp
FileKey3=%LocalAppData%\Microsoft\Windows|NTUSER.tmp;UsrClass.tmp
FileKey4=%LocalAppData%\VirtualStore\ProgramData\RFA_Backups|*.*|RECURSE
FileKey5=%WinDir%\ServiceProfiles\LocalService|*.tmp;*.tmp.LOG1;*.tmp.LOG2
FileKey6=%WinDir%\ServiceProfiles\NetworkService|*.tmp;*.tmp.LOG1;*.tmp.LOG2
FileKey7=%WinDir%\System32\config\systemprofile|*.tmp;*.tmp.LOG1;*.tmp.LOG2
FileKey8=%WinDir%\SysWOW64\config\systemprofile|*.tmp;*.tmp.LOG1;*.tmp.LOG2
FileKey9=%WinDir%\System32\config|*.tmp;*.tmp.LOG1;*.tmp.LOG2

 

Removed: Detect2=HKCU\Software\KsL Software\RFA\10.1

 

[Registry First Aid 10*]
LangSecRef=3024
Detect1=HKCU\Software\KsL Software\RFA\10.0
Detect2=HKCU\Software\KsL Software\RFA\10.1
Default=False
FileKey1=%ProgramFiles%\RFA 10|*.diz;*.url
FileKey2=%LocalAppData%\VirtualStore\Program Files*\RFA 10|*.diz;*.url

 

Added: Detect2=HKCU\Software\KsL Software\RFA\10.1

Share this post


Link to post
Share on other sites

Revised Entry

 

[Windows Defender More*]
LangSecRef=3025
Detect=HKLM\Software\Microsoft\Windows Defender
Default=False
FileKey1=%CommonAppData%\Microsoft\Windows Defender\Definition Updates\Backup|*.*|RECURSE
FileKey2=%CommonAppData%\Microsoft\Windows Defender\Network Inspection System\Support|*.txt
FileKey3=%CommonAppData%\Microsoft\Windows Defender\Scans|*.bin;*.bin*
FileKey4=%CommonAppData%\Microsoft\Windows Defender\Scans\History\Service|*.log
FileKey5=%CommonAppData%\Microsoft\Windows Defender\Scans\Scans\History\CacheManager|*.*|RECURSE
FileKey6=%CommonAppData%\Microsoft\Windows Defender\Support|*.*|RECURSE

 

Added: FileKey2=%CommonAppData%\Microsoft\Windows Defender\Network Inspection System\Support|*.txt

Share this post


Link to post
Share on other sites

Added and modified entries for Microsoft Office 2016 which is to be released on 22-Sept-2015

[Office 2016*]
LangSecRef=3021
Detect=HKCU\Software\Microsoft\Office\16.0\Common
Default=False
FileKey1=%AppData%\Microsoft\Office\Recent|*.*
FileKey2=%LocalAppData%\Microsoft\MSOIdentityCRL\production\temp|*.*_sync
FileKey3=%AppData%\Microsoft\PowerPoint\Sync\Temp|*.*
RegKey1=HKCU\Software\Microsoft\Office\16.0\Access\File MRU
RegKey2=HKCU\Software\Microsoft\Office\16.0\Word\File MRU
RegKey3=HKCU\Software\Microsoft\Office\16.0\Word\Place MRU
RegKey4=HKCU\Software\Microsoft\Office\16.0\Excel\File MRU
RegKey5=HKCU\Software\Microsoft\Office\16.0\Excel\Place MRU
RegKey6=HKCU\Software\Microsoft\Office\16.0\Publisher\File MRU
RegKey7=HKCU\Software\Microsoft\Office\16.0\PowerPoint\File MRU
RegKey8=HKCU\Software\Microsoft\Office\16.0\PowerPoint\Place MRU
RegKey9=HKCU\Software\Microsoft\Office\16.0\OneNote\RecentNotebooks
RegKey10=HKCU\Software\Microsoft\Office\16.0\Word\User MRU
RegKey11=HKCU\Software\Microsoft\Office\16.0\Excel\User MRU
RegKey12=HKCU\Software\Microsoft\Office\16.0\Access\User MRU
RegKey13=HKCU\Software\Microsoft\Office\16.0\Publisher\User MRU
RegKey14=HKCU\Software\Microsoft\Office\16.0\PowerPoint\User MRU
ExcludeKey1=FILE|%AppData%\Microsoft\Office\Recent\|Welcome to Word.LNK
ExcludeKey2=FILE|%AppData%\Microsoft\Office\Recent\|Welcome to Publisher.LNK
ExcludeKey3=FILE|%AppData%\Microsoft\Office\Recent\|Welcome to OneNote.LNK

[MS Office Word More*]
LangSecRef=3021
Detect1=HKCU\Software\Microsoft\Office\12.0
Detect2=HKCU\Software\Microsoft\Office\14.0
Detect3=HKCU\Software\Microsoft\Office\15.0
Detect4=HKCU\Software\Microsoft\Office\16.0
Default=False
RegKey1=HKCU\Software\Microsoft\Office\15.0\Word\Reading Locations
RegKey2=HKCU\Software\Microsoft\Office\16.0\Word\Reading Locations
FileKey1=%AppData%\Microsoft\Word|*.*|RECURSE
FileKey2=%Documents%|~*.doc|RECURSE
ExcludeKey1=FILE|%AppData%\Microsoft\Word\listgal.dat
ExcludeKey2=PATH|%AppData%\Microsoft\Word\STARTUP

[MS Office Saved CEIP Data*]
LangSecRef=3021
Detect1=HKCU\Software\Microsoft\Office\12.0
Detect2=HKCU\Software\Microsoft\Office\14.0
Detect3=HKCU\Software\Microsoft\Office\15.0
Detect4=HKCU\Software\Microsoft\Office\16.0
Default=False
FileKey1=%AppData%\Microsoft\UProof|*.bin;*.XML

[MS Office Unsaved Files*]
LangSecRef=3021
Detect1=HKCU\Software\Microsoft\Office\12.0
Detect2=HKCU\Software\Microsoft\Office\14.0
Detect3=HKCU\Software\Microsoft\Office\15.0
Detect4=HKCU\Software\Microsoft\Office\16.0
Default=False
FileKey1=%LocalAppData%\Microsoft\Office\UnsavedFiles|*.*

[MS Office PowerPoint More*]
LangSecRef=3021
Detect1=HKCU\Software\Microsoft\Office\12.0
Detect2=HKCU\Software\Microsoft\Office\14.0
Detect3=HKCU\Software\Microsoft\Office\15.0
Detect4=HKCU\Software\Microsoft\Office\16.0
Default=False
RegKey1=HKCU\Software\Microsoft\Office\12.0\Common\Internet|UseRWHlinkNavigation
RegKey2=HKCU\Software\Microsoft\Office\14.0\Common\Internet|UseRWHlinkNavigation
RegKey3=HKCU\Software\Microsoft\Office\15.0\Common\Internet|UseRWHlinkNavigation
RegKey4=HKCU\Software\Microsoft\Office\16.0\Common\Internet|UseRWHlinkNavigation

[MS Office Help Cache*]
LangSecRef=3021
Detect1=HKCU\Software\Microsoft\Office\12.0
Detect2=HKCU\Software\Microsoft\Office\14.0
Detect3=HKCU\Software\Microsoft\Office\15.0
Detect4=HKCU\Software\Microsoft\Office\16.0
Default=False
FileKey1=%LocalAppData%\Microsoft Help|*.*

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×