CCleaner belongs to a suite of cleaning and optimization tools developed by Piriform. The utility is able to delete files, registry keys and many other items in order to make the computer more efficient (let's hope so). The tool is highly configurable, as we can see in the main screen. Its capabilities are divided into two categories of items:

- Windows class, which mainly consists of built-in items of the Windows system, including Windows event logs, temporary files, the DNS cache, registry hives and many other system metadata.
- Applications class, which includes all metadata associated with the applications installed on the system, including data compression applications, the non-native web browsers, etc.; globally, all the applications that are not built into Windows.

Each element can be selected independently of the others to provide more granularity. So we decided to dig into how it works to understand how an attacker can take advantage of such a tool. Specifically, we try to answer the following question:

- Is it possible to identify items that have been cleaned?

Thankfully the subject has already been widely covered. In this article, the author investigates the capabilities of a similar tool, CleanAfterMe. As CCleaner is more widespread, our research led us to another article where the author used Process Monitor to develop a RegRipper plugin to retrieve CCleaner installation and settings information.

How CCleaner works

As mentioned in this SANS blog post, CCleaner used to store the configuration of cleaned items inside the registry hive, but it is now stored in .INI files embedded inside the binary instead. After digging into the documentation on the editor's website, Piriform, we found a command to retrieve the configuration files from the command line: CCleaner.exe /EXPORT. This command generates three configuration files under C:\Program Files\CCleaner: Winapp.ini, Winreg.ini and Winsys.ini. All these files are made of entries with the following attributes:

- The entry name, the name of the reference or the application.
- LangSecRef, a four-digit number that indicates the item's category (Applications, Utilities, Windows, etc.).
- Detect, a registry key whose presence indicates that the program exists on the system.
- DetectFile, a path or a file whose presence indicates that the program exists on the system.
- Default, a boolean value which seems to indicate whether the item is selected by default (True) or cleared (False).
- The lists of files and registry keys to delete (FileKey1, FileKey2, ... in the example below). In these last two items, X stands for a number, used when there are multiple files and/or keys to delete.

Each configuration file corresponds to an item type.

The Winapp.ini file contains a list of desktop applications (web browsers, data compression software, etc.) with the elements that can be deleted. The utility detects the presence of the software either with the executable file, a specific configuration file or a registry key. Currently, 476 entries are listed in this configuration file. Here is an example of one of these entries, for Windows Defender, where both the executable and the corresponding registry key are checked (note: this gives a good reference set for DFIR people :)

    Detect=HKLM\SOFTWARE\Microsoft\Windows Defender
    DetectFile=%ProgramFiles%\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
    FileKey1=%CommonAppData%\Microsoft\Windows Defender\Scans\History\Results\Quick|*.*
    FileKey2=%CommonAppData%\Microsoft\Windows Defender\Scans\History\Results\Resource|*.*
    FileKey3=%CommonAppData%\Microsoft\Windows Defender\Support|*.log
    FileKey4=%ProgramFiles%\Microsoft AntiSpyware|errors.log tracksEraser.log cleaner.log

Once the program is detected, CCleaner scans the disk and removes the corresponding log files.

The Winsys.ini file contains system references: recently typed URLs, RunMRU, network usage and several other items related to built-in applications and system metadata.
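To make the entry structure concrete, here is a small parser for winapp.ini-style entries, added to this post as an example; it is not Piriform's code and not part of the original article. Its input is constructed: the Windows Defender entry quoted above, plus a fully hypothetical [Example App] entry that exists only to exercise LangSecRef, Default and the multi-pattern case. The [Windows Defender] section header (the excerpt omits it), the mapping of %ProgramFiles% / %CommonAppData% / %AppData% placeholders to real paths, the RegKeyX syntax, the optional RECURSE field after a second "|" and the rule that any single Detect/DetectFile match is enough are all assumptions of mine, not facts taken from the page. The useful output for DFIR work is artifact_paths(): the expanded glob patterns an entry would wipe, i.e. the locations an analyst should expect to find empty or missing after CCleaner ran.

```python
"""Parse CCleaner winapp.ini-style entries and list what each one would delete."""
import configparser
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input. The "[Windows Defender]" header is an assumption
# (the article's excerpt omits it); its key lines are the ones quoted in the
# article. "[Example App]" is entirely hypothetical, including LangSecRef=3021.
SAMPLE_INI = r"""
[Windows Defender]
Detect=HKLM\SOFTWARE\Microsoft\Windows Defender
DetectFile=%ProgramFiles%\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
FileKey1=%CommonAppData%\Microsoft\Windows Defender\Scans\History\Results\Quick|*.*
FileKey2=%CommonAppData%\Microsoft\Windows Defender\Scans\History\Results\Resource|*.*
FileKey3=%CommonAppData%\Microsoft\Windows Defender\Support|*.log
FileKey4=%ProgramFiles%\Microsoft AntiSpyware|errors.log tracksEraser.log cleaner.log

[Example App]
LangSecRef=3021
Default=False
DetectFile=%AppData%\ExampleApp\example.exe
FileKey1=%AppData%\ExampleApp\logs|*.log;*.tmp|RECURSE
RegKey1=HKCU\Software\ExampleApp|LastRun
"""

# Assumed placeholder-to-path mapping for a default Windows install; adjust
# it to the machine under examination before using the expanded paths.
DEFAULT_ENV = {
    "%ProgramFiles%": r"C:\Program Files",
    "%CommonAppData%": r"C:\ProgramData",
    "%AppData%": r"C:\Users\<user>\AppData\Roaming",
}


@dataclass
class FileKey:
    directory: str
    patterns: List[str]
    flag: Optional[str] = None  # optional third field such as RECURSE (assumed)


@dataclass
class RegKey:
    key: str
    value: Optional[str] = None  # "key|value" form is an assumption


@dataclass
class Entry:
    name: str
    lang_sec_ref: Optional[str] = None
    default: bool = True
    detect: List[str] = field(default_factory=list)       # registry keys
    detect_file: List[str] = field(default_factory=list)  # file paths
    file_keys: List[FileKey] = field(default_factory=list)
    reg_keys: List[RegKey] = field(default_factory=list)


def parse_file_key(value: str) -> FileKey:
    """Split 'dir|pattern(s)[|flag]'. The article's example separates several
    patterns with spaces; ';' is also accepted as a separator."""
    parts = value.split("|")
    directory = parts[0]
    raw_patterns = parts[1] if len(parts) > 1 else "*.*"
    patterns = [p for p in raw_patterns.replace(";", " ").split() if p]
    flag = parts[2] if len(parts) > 2 else None
    return FileKey(directory, patterns, flag)


def parse_entries(text: str) -> dict:
    """Return {section name: Entry} for every entry in the INI text."""
    # interpolation=None: the '%' in %ProgramFiles% must not be interpreted.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep FileKey1/FileKey2 case and distinct
    cp.read_string(text)
    entries = {}
    for section in cp.sections():
        e = Entry(name=section)
        for key, value in cp.items(section):  # insertion order is preserved
            if key == "LangSecRef":
                e.lang_sec_ref = value.strip()
            elif key == "Default":
                e.default = value.strip().lower() == "true"
            elif key.startswith("DetectFile"):   # must be tested before "Detect"
                e.detect_file.append(value)
            elif key.startswith("Detect"):
                e.detect.append(value)
            elif key.startswith("FileKey"):
                e.file_keys.append(parse_file_key(value))
            elif key.startswith("RegKey"):
                k, _, v = value.partition("|")
                e.reg_keys.append(RegKey(k, v or None))
        entries[section] = e
    return entries


def expand(path: str, env: dict = DEFAULT_ENV) -> str:
    for var, real in env.items():
        path = path.replace(var, real)
    return path


def artifact_paths(entry: Entry, env: dict = DEFAULT_ENV) -> List[str]:
    """Glob patterns this entry wipes: the reference set to check after a run."""
    return [expand(fk.directory, env) + "\\" + pat
            for fk in entry.file_keys for pat in fk.patterns]


def is_present(entry: Entry, existing_files, existing_reg_keys, env=DEFAULT_ENV) -> bool:
    """Mimic detection (assumed rule: any Detect key or DetectFile path present)."""
    files = {f.lower() for f in existing_files}
    keys = {k.lower() for k in existing_reg_keys}
    return (any(expand(p, env).lower() in files for p in entry.detect_file)
            or any(k.lower() in keys for k in entry.detect))


if __name__ == "__main__":
    for e in parse_entries(SAMPLE_INI).values():
        print(f"[{e.name}] default={e.default} LangSecRef={e.lang_sec_ref}")
        for p in artifact_paths(e):
            print("   would delete:", p)
```

Run against a real export (CCleaner.exe /EXPORT, then feed Winapp.ini to parse_entries), the same three functions give you, per installed application, the list of paths whose absence is consistent with a cleaning run; that is the observation you then correlate with CCleaner's own installation and settings artifacts.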