ARPCache (Add Remove Programs Cache) & SlowInfoCache Windows registry freeware
Pat Cheney
found MANY more registry entries to delete after a program was removed than
did CCleaner freeware.
Two keys that kept popping up were ARPCache (ARP stands for Add Remove
Programs Cache, not Address Resolution Protocol) and SlowInfoCache.
I'd like to see what's in those binary values before deleting them and I've
deleted many programs before using RevoUninstaller so there are a lot of
poisoned ARP Caches out there in my registry that CCleaner didn't catch.
I found Windows freeware to view and delete the ARP Cache but not
SlowInfoCache.
Do you know of Windows freeware to view and delete old SlowInfoCache
registry keys left over from crappy uninstallers?
Pat Cheney
> Do you know of Windows freeware to view and delete old SlowInfoCache
> registry keys left over from crappy uninstallers?
Here is some information defining this undocumented Microsoft Registry key.
http://www.pcmag.com/article2/0,1759,1173443,00.asp
The ARP in Windows 2000 and XP provides usage information for some programs
in its list, including the program's installed size, the date it was last
used, and the frequency of use. Most of the data requests involved a
552-byte binary value named SlowInfoCache. An Internet search turned up
nothing useful on the structure of this data, so I dug into it myself. I
wrote a simple program to dump all the SlowInfoCache values into a text
document. I quickly determined that the last 524 bytes were a filename in
Unicode and the first four bytes were a DWORD containing the structure's
size. What about the remaining 24 bytes?
I refined my decoding program to list the display name of the corresponding
Uninstall entry along with the unknown data expressed as six DWORD values.
The Uninstall name allowed me to locate the corresponding item in ARP. I
noticed that the first of the unknowns is always 0 if the program name is
blank and always 1, otherwise. By comparing the list with data from ARP, I
determined that the next eight bytes are an Int64 representing the
installed size.
I couldn't figure out the next two right away, but the last of the mystery
DWORDs contained small integers, mostly under 30, and these proved to be
the frequency data. By observation, ARP reports rarely for values from 0 to
2, occasionally for values 3 to 10, and frequently for values greater than
10.
The last-used date was still not accounted for, with two unknown DWORDs
remaining. I experimented with treating them as various date-related
Windows data types. The correct type turned out to be TFileTime, an 8-byte
structure that corresponds to file date/time stamp values. Putting all
these observations together, I was able to create the following type
declaration, which let me read and use the tracking data:
type
TSlowInfoCache = record
cbSize : DWORD;
HasName : LongBool;
InstallSize : Int64;
LastUsed : TFileTime;
Frequency : Integer;
Name : ARRAY[0..261] OF WideChar;
end;
As you can see, just because a data type isn't documented doesn't mean you
can't use it. If you have a good set of sample data and a way to verify
when you've made a correct deduction, you can often decipher the structure.
Of course, the reason Microsoft doesn't document a particular structure may
be to leave it open for change. Your cleverly divined definition may last
only until the next operating system upgrade. That's just the chance you
have to take.