
Re: Registry - this can't be good


Arlen Holder

Sep 20, 2020, 1:27:37 PM
On Sun, 20 Sep 2020 12:04:54 -0400, Neil wrote:

> Where does that show in the registry, and why not just delete it and any
> associated items in the category?

This is for s|b, who has helped me in the past on the Android newsgroup:
o <http://tinyurl.com/comp-mobile-android>

According to my read of s-or-b's picture, it's in HKCU at the root level.
o <https://i.postimg.cc/W3TGJbdK/regedit.png>

Here's a screenshot, just now, of my HKCU root level.
o <https://i.postimg.cc/Z5Rz0fQP/registry.jpg>

Googling for the problem set, I see others with seemingly similar issues:
o Garbled Registry Entries
<https://www.tenforums.com/general-support/101326-garbled-registry-entries.html>

o Strange characters in registry (screenshot)
<https://www.tenforums.com/general-support/105734-strange-characters-registry-screenshot.html>

o I've got very strange HKEY_USER registry key
<https://social.technet.microsoft.com/Forums/windows/en-US/ecf3575c-57e6-4b03-b078-53ca62749c65/ive-got-very-strange-hkeyuser-registry-keys>

o Regedit shows strange chinese characters in my system - should I be worried?
<https://security.stackexchange.com/questions/31750/regedit-shows-strange-chinese-characters-in-my-system-should-i-be-worried>

o japanese/strange characters in registry?
<https://answers.microsoft.com/en-us/windows/forum/windows_10-other_settings/japanesestrange-characters-in-registry/c79b0fd5-5dd6-4340-bba3-83631d5b59f1>

o strange chinese characters in my Registry - How to Remove?
<https://www.computing.net/answers/windows-8/strange-chinese-characters-in-my-registryhow-to-remove/2466.html>

o Windows 7: why do i have chinese/japanese entries in the registy? help
<https://www.sevenforums.com/general-discussion/310208-why-do-i-have-chinese-japanese-entries-registy-help.html>

o Folders with weird Chinese like characters in my registry
<https://www.eightforums.com/threads/folders-with-weird-chinese-like-characters-in-my-registry.78798/>

o Folders with weird Chinese characters
<https://www.bleepingcomputer.com/forums/t/686164/folders-with-weird-chinese-characters/>
--
Usenet allows intelligent adults to communicate and learn from each other.

Arlen Holder

Sep 20, 2020, 1:50:43 PM
On Sun, 20 Sep 2020 12:18:58 -0500, Char Jackson wrote:

>>>> What could this be? The most recent backup image (Macrium) is dated
>>>> 2018, but I'm inclined to use it to get rid of this crap... unless
>>>> anyone else has a better idea?
>>> I've no idea what caused it, but over-writing the whole dick from a very
>>> old backup sounds a bit extreme.
>>I agree. I never overwrite my whole dick.
> Only because, due to its tremendous size, it would take too long.

This is for s-or-b, who has helped me in the past on the Android ng.
o So I hope this is partial payback for all his help prior. :)

I wouldn't suggest an overwrite unless you don't have a restore point.
o Of course, there's no guarantee the restore point isn't similar.

I don't know if there is any way to check if a restore point has the same
problem, so I googled for restore point editors, so to speak.

Google as I may, I couldn't find anyone who asked the basic question of how
to see inside a system restore point BEFORE you restore it. Sigh.

Given there may be no tool to "look inside" a restore point before you
restore, I would suggest a procedure something like this:

1. Create a system restore point right now.
2. Then run av scans till you get bored (e.g., Malwarebytes or whatever).
3. Create another system restore point after those scans are done.
4. Then system restore to the earliest point you can find (if any).
5. Check the registry (let's presume it's clean of Chinese funk).
6. Then, progressively restore to successively newer restore point.
7. Stop when you see the registry is filled with the Chinese funk.
8. Back up to the registry restore point prior to the Chinese funk.

Since you'll be running "regedit" a lot, see this thread which enables you
to create a "regopen" command (Win+R > regopen) that bypasses UAC prompts:
o Expert help requested for removing UAC user account control task scheduler syntax
<https://groups.google.com/forum/#!topic/alt.comp.microsoft.windows/7wpgdNscZNA>

Since you'll be creating restore points, see this thread on managing them:
o How to Create System Restore Points with Command Prompt or PowerShell
<https://www.top-password.com/blog/create-system-restore-points-with-cmd-or-powershell/>

Note: I wasn't able to get wmic to work from the command line to create a
restore point, so if you get it to work, send us the syntax by return mail.
o Win+R batch command to create a system restore point any time I want to create one
<https://groups.google.com/forum/#!topic/alt.comp.microsoft.windows/Br5sAO9yoHU>

Note: This opens the SystemProperties form to the previous tab:
o Win+R > sysdm.cpl
And this opens up the SystemProperties form to the Hardware tab:
o Win+R > SystemPropertiesHardware
And this opens up the SystemProperties form to the System Protection tab:
o Win+R > SystemPropertiesProtection
etc. (It's pretty consistent stuff.)

Note that if you have a command (as shown above), you can make a shortcut,
which means you can put it in the AppPaths key, which means you can create
any number of commands to put in your AppPaths to run those shortcuts,
without the UAC prompt form coming up every time you run them.
--
Note: I use "Win+R" for almost everything nowadays; it's simply efficient.

Arlen Holder

Sep 20, 2020, 2:02:09 PM
On Sun, 20 Sep 2020 17:50:43 -0000 (UTC), Arlen Holder wrote:

> Google as I may, I couldn't find anyone who asked the basic question of how
> to see inside a system restore point BEFORE you restore it. Sigh.

See also:
o Do you know of any freeware that can see INSIDE a Windows System Restore Point
(prior to setting it as your current restore point)?
<https://groups.google.com/forum/#!topic/alt.comp.freeware/ddtI-0jhRoU>

Arlen Holder

Sep 20, 2020, 2:30:52 PM
On Sun, 20 Sep 2020 17:50:43 -0000 (UTC), Arlen Holder wrote:

> 1. Create a system restore point right now.
> 2. Then run av scans till you get bored (e.g., Malwarebytes or whatever).
> 3. Create another system restore point after those scans are done.
> 4. Then system restore to the earliest point you can find (if any).
> 5. Check the registry (let's presume it's clean of Chinese funk).
> 6. Then, progressively restore to successively newer restore point.
> 7. Stop when you see the registry is filled with the Chinese funk.
> 8. Back up to the registry restore point prior to the Chinese funk.

Or... if you're feeling lucky today... you can simplify that process.

In regedit, you could simply export the Chinese funk keys to, oh, say:
o Export > Save to "Key1ChineseFunk.reg"
o Export > Save to "Key2ChineseFunk.reg"
o Export > Save to "Key3ChineseFunk.reg"
etc.

Then delete those Chinese funk keys from the registry.
o Reboot.

See if there are any repercussions.
o If needed, Import them back, one by one.
--
Every Usenet thread should strive to add value so that all always benefit.

Arlen Holder

Sep 20, 2020, 5:06:51 PM
On Sun, 20 Sep 2020 12:57:41 -0700, Mike Easter wrote:

> So, you must have an alternate backup/restore strategy.

I think we're all mixing words, which is fine, as long as we agree we're
using the terms completely differently than each other.

IMHO, "backup" is extremely _different_ from "repair", in _my_ vocabulary.

What s-or-b needs, in my humblest of opinions, is "repair".
o Not "backup".

Two different beasts altogether, IMHO.

The system restore points are _not_ "backups" (in my humblest of opinions).
o They're "repair".

What s|b needs, IMHO, is "repair" (not "backup and restore").
--
Please see my next post which is a copy of what I sent to Mike separately.

Arlen Holder

Sep 20, 2020, 5:08:32 PM
> Please see my next post which is a copy of what I sent to Mike separately.

This is a copy of what I sent to Mike on this separately.

On Sun, 20 Sep 2020 13:19:48 -0700, Mike Easter wrote:

> Except s|b doesn't use restore point/s.

Hi Mike,

Yeah. As always, you're way ahead of me on the facts.

Three reasons that answer doesn't really affect this thread though:
1. The question is still valid, even outside of s|b's purview
2. Less importantly, it's s|b's sister's PC - so maybe "she" does them
3. Even less importantly, he posted that after I had posted this.

In summary, even as the concept arose from that thread, the solution won't
work for that thread; but the question is still valid, don't you think?

> This article is one which tries to address backup strategy:
> https://www.groovypost.com/howto/guide-backup-strategy-windows-10-pc/
> Complete Backup Strategy for Your Windows 10 PC

Yes. But. Two key points:
1. Backup means different things to people (extremely different things).
2. All he needs, AFAICT, is a system restore point

Yes. I know, he hates system restore points (which I hadn't known).

o In fact, he hates restore points like I hate going to the dentist.
But all he really needs is a system restore point (IMHO).

His registry is messed up.
o That's what system restore points are for.

> While the article isn't all that great, it turns out to have useful
> comments, which supports my opinion, "Always skim the comments section
> of an article; there might be something useful in there."

Yes. I have my own personal backup strategy which works fine for me.
o Data is all that matters - nothing else.

So I back up data, and I'm done.
o That's it for the active part of the backup strategy.

All the data I care about is in one hierarchy.
o C:\data\{lots of stuff}

If I have a copy of C:\data, I'm good to set up on _any_ Microsoft Windows
PC on the planet.

There's a reason I wrote these tutorials:
o Philosophy on a tutorial for setting up Windows in a well organized
KISS philosopy such that search is never needed & reinstall is trivial
<https://groups.google.com/forum/#!topic/alt.comp.freeware/i9Cz3POZFCo>

Note I keep an EXTERNAL usb drive with all the software (including paid
software such as Microsoft Office and Adobe Acrobat Exchange) & keys.

Also note that EXTERNAL usb drive contains the system log for each PC:
o What solution do you use to figure out what USB drive letter in a Windows
scripted command?
<https://groups.google.com/forum/#!topic/alt.msdos.batch/fjxhOsMvJkY>

The system log is no big deal, but, it's nice to set up a new PC because it
contains, in sequence, the hundred or two hundred 'things' you do to set up
a PC from scratch (much of which is turning off Microsoft bullshit stuff).

I repeat, even the hierarchical menus transfer over perfectly from one
machine to another (even if the one machine is Windows XP and the other
machine is Windows 10 Pro). It doesn't matter what Windows operating
system; the menus work out of the box on _any_ machine I set up.

Of course, I set things up consistently, which is "where they belong".
o And yes, I get to define where they belong.

Not 1,000 different developers each of which has a different concept of
where things belong.

Note that any "data" that isn't in C:\data is garbage.

If the 'data' for any app is 'important' data, then I learn how to set up
the app so that it puts its data where it belongs (which, for each app, is
one of the hundreds of tweaks I make to a Windows operating system).

Which is why the syslog comes in handy:
o Win+R > syslog

> One of them starts w/:
>> My belief is that Microsoft backup facilities provided within Windows
>> should NOT be considered reliable as a backup

In s|b's case, what he _needs_ (IMHO) is a good "registry".
o If he had system restore points he would have _had_ them.

Nonetheless, when I back up a system, I don't back up the registry.
o I only use the registry to "repair" an existing system; not back it up.

> ... but then he goes into overdrive at the end of his comment w/ an
> 'excessive' b/u plan IMO.

The simplest plan is:
a. Plan for your backup the instant you start the machine for the 1st time
b. Decide where YOU want things to belong, and put them there
c. Back up _only_ the data (do not back up the programs or settings)

For the programs, maintain an EXTERNAL drive of installers.
o For the settings, keep a log file with each software.

You'll note that I've often posted portions of my install logs, where every
step I do with software is logged, if it's related to setup.

For example, for Office 2007...
o SOLVED: How to download an ISO image for Office 2007 Pro in the year 2018
<https://groups.google.com/forum/#!topic/microsoft.public.windowsxp.general/7ru4_AyhPCY>

> I think the b/u plan should be 'customized' to fit/suit the particular
> 'style' of the individual user. For example, some people are very prone
> to 'junk up' their system willy-nilly with programs they are interested
> in 'checking out' -- but in the long or short run they lose interest in
> that program. So their 'restorations' are busy restoring all kinds of
> crap which is completely unnecessary.

Hehhehheh... are you talkin' about me, Mike?
o I must have hundreds and hundreds of programs installed at any given time

What I do, is simple:
o On the new system, I install whatever I feel I need

In the order I need it.
o I get all that from the syslog file maintained for each PC.

Things like:
o Disable autostart after updates:
Win+R > %windir%\system32\taskschd.msc /s {ctrl+shift+enter}
Win+R > cmd {ctrl+shift+enter} > %windir%\system32\taskschd.msc /s
Task Scheduler Library > Microsoft > Windows > UpdateOrchestrator
Right click on the task named "Reboot_AC" & click "Disable" to disable.

o Disable autostart after crashes:
Win+R > control.exe {ctrl+shift+enter}
View by: Category
System and Security > System > Advanced System Settings
Bring up Startup & Recovery settings:
Startup and Recovery > Settings
Uncheck the system failure automatically-restart option:
System failure
[x]Write an event to the system log
[_]Automatically restart
OK > OK

o Eliminate the lock screen upon startup & go right to the login prompt:
1. Regedit [HKLM\SOFTWARE\Policies\Microsoft\Windows]
2. Add a New Key => Personalization
3. Add to it a New 32-bit DWORD -> NoLockScreen
4. Set the Value = 1
etc.
--
(There are miles and miles and miles of these tweaks in my syslogs.)

Arlen Holder

Sep 20, 2020, 6:10:35 PM
On Sun, 20 Sep 2020 16:48:43 -0400, Paul wrote:

> It keeps track of personal preferences for the programs used.
> You could install a program for "all users", and each user
> keeps their own preferences for when they use the software.

Hey Paul!

Can you clarify that use model please?

I am the only user of my desktop, so I log in as, oh, say "user1",
who has administrator privileges. But I'm the only user.

Whenever a program asks me that question, I don't have a flying clue
what to say. Why should I care if I'm the _only_ user?

Can you clarify, under that circumstance, how I would best make a decision
as to "install for all users" or just "install for this one user"?

Likewise, while we're on the subject, I often have a choice of a msi or an
exe installer, or, even a zip (and sometimes a portable).

How the heck do I decide which since they all work just fine?

I get it that a "portable" doesn't mess with the registry so it can be run
from a USB stick or even from the sdcard of my Android phone, but other
than that, how do I decide whether to install from the msi, the exe, or the
zip (where, for the zip, the registry changes happen upon first invocation
of the contained EXE which is not an installer EXE but the actual program)?

> http://www.memtest.org/

Thanks to you and others, I recently ran memtest86 where s|b may benefit:
o Tutorial creating & using Hirens Boot CD & MemTest86 diagnostic stress testing
tools for USB boot to Windows 10 PE & WinXPmini on BIOS & UEFI
<https://groups.google.com/forum/#!topic/alt.comp.microsoft.windows/OlpQK3Uy7K8>

Also, there are some good stress-testing tools listed here:
o What PC hardware diagnostic stress-testing freeware can you recommend?
<https://groups.google.com/forum/#!topic/alt.comp.microsoft.windows/a6aAvxnDRB8>
--
Bear in mind everyone has a different (overlapping) definition of testing,
debugging, reporting, stress testing, troubleshooting, benchmarking, etc.

Arlen Holder

Sep 20, 2020, 6:10:36 PM
On Sun, 20 Sep 2020 14:03:31 -0700, Mike Easter wrote:

> I jump around between systems and machines a lot.

Yup.
o I think it's sheer folly to try to do a "dd" type "backup".

Same on Android.
o Back up the data; everything else is easily replaced.

The trick, on both Android & Windows, is knowing how to tell a program to
put the important data where it belongs, but, in practice, it's not all
that hard as most well-written software has an option for that.

For an example on Android, a good camera app allows you to set the location
of the DCIM directory, and a good message app automatically stores all
incoming MMS graphics/videos/audios into that same data location on the
external sdcard.

Likewise with good Windows software, where, for example, browsers allow you
to specify where to put bookmarks (although I don't use 'em), and editing
tools allow you to specify the default directory.

One thing I never use is the "downloads" directory, as that is simply
polluted with all kinds of unnecessary crap (e.g., Opera automatic updates
and the like).

Basically, I create a "data" hierarchy completely _outside_ the default
Windows folders, and two _magical_ things happen as a result:
1. Any program that pollutes, pollutes the default Windows hierarchy
2. Anything in the default Windows hierarchy, is garbage
--
Works for me, and yes, I only set up, oh, maybe ten systems a year (or so).

Paul

Sep 20, 2020, 9:53:34 PM
Arlen Holder wrote:
> On Sun, 20 Sep 2020 16:48:43 -0400, Paul wrote:
>
>> It keeps track of personal preferences for the programs used.
>> You could install a program for "all users", and each user
>> keeps their own preferences for when they use the software.
>
> Hey Paul!
>
> Can you clarify that use model please?
>
> I am the only user of my desktop, so I log in as, oh, say "user1",
> who has administrator privileges. But I'm the only user.
>
> Whenever a program asks me that question, I don't have a flying clue
> what to say. Why should I care if I'm the _only_ user?
>
> Can you clarify, under that circumstance, how I would best make a decision
> as to "install for all users" or just "install for this one user"?

I don't know what the practice is of others here, but I always install
for "all users". Take the scenario where my profile is corrupted,
and I want to create a second account "Bob". When "Bob" comes up, it
sees all the programs I installed. If it turns out I didn't need "Bob"
after all, I just disable the "Bob" user and trash that section of
C:\users .

I need to be able to do everything on the "Bob" account, as if I
was "Paul", and that's why if there is a choice in the installer,
I select the "all users" choice.

Paul

Arlen Holder

Sep 20, 2020, 11:20:16 PM
On Sun, 20 Sep 2020 21:53:29 -0400, Paul wrote:

> I don't know what the practice is of others here, but I always install
> for "all users". Take the scenario where my profile is corrupted,
> and I want to create a second account "Bob". When "Bob" comes up, it
> sees all the programs I installed. If it turns out I didn't need "Bob"
> after all, I just disable the "Bob" user and trash that section of
> C:\users .
>
> I need to be able to do everything on the "Bob" account, as if I
> was "Paul", and that's why if there is a choice in the installer,
> I select the "all users" choice.

Hi Paul,
OK. At least you follow some logical thought tree.

Me? Half the time I install for all and half the time for one, and there's
no rhyme nor reason to it.

As for the msi, exe, or zip, do you have a preference?
(I download them all, but they're all essentially the same, to me.)

How about for you?
--
Microsoft Windows group added purely for the deja archive re-use.

Paul

Sep 21, 2020, 1:13:38 AM
The OS recognizes the .msi as requiring the Windows Installer service.
Mayayana knows more about that, how it works inside.

An EXE could have anything in it. In the case of an INNO installer,
the first stage is probably an unpacker into %temp%. It is there to
help prevent casual inspection, with a secondary purpose to
compress the data and reduce download costs.

The ZIP is usually an attempt to compress the data, where the
obfuscation stage is saved for the next layer inside. For example,
someone might discover that the ZIP layer saves two bytes, then the
EXE inside the ZIP prevents casual inspection.

The MSI was probably intended to prevent casual inspection too,
to a point. Sometimes these things are given anonymous names
inside, and there's some sort of map file inside which maps
them to real names for later.

I would say the MSI offers the greatest promise of inspect-ability,
whereas the others are just as likely to be hiding the inevitable.

Some installers can "sniff" their environment, and avoid completing
the installation process as a result. For example, one installer could
tell you were using Linux and WINE on it. It could sense it was
inside a VM. It would only complete all operations at Host level
in a pure Windows environment. Now, if you didn't have an unpacker
for that one, you might not be able to inspect it. What was weird
about that product (commercial), is the thing the guy was protecting
was broken, and hardly worth the effort he put into it. AKA, a
mental case. It's like having a bank vault filled with Fools Gold.

In some cases, the "tools" on Virustotal can't inspect them either.
But usually it's the lesser-lights items on Virustotal that
are the clueless ones. The mainstream ones are generally pretty
good at disassembly. The only exception is virus scanners that
crash on large enough tarballs. The free Kaspersky scanner
crashes on a Firefox tarball for example. I try to sort
tarballs and put them some place not normally receiving
on-demand scans, so that won't happen.

Paul

s|b

Sep 22, 2020, 3:54:08 PM
On Sun, 20 Sep 2020 21:06:50 -0000 (UTC), Arlen Holder wrote:

> What s|b needs, IMHO, is "repair" (not "backup and restore").

I consider the restore of the 2018 image a repair. That is, if the same
entries aren't found in that registry as well. If that is the case, then
I have the backup image that I created Sunday. I would copy individual
user folders (Firefox, Thunderbird), so I wouldn't lose that data.

As mentioned, there /is/ the possibility that she installed some
(harmless?) Chinese software. That would explain why Defender,
Malwarebytes, CCleaner, SUPERAntiSpyware and Avast don't find anything.

--
s|b

Paul

Sep 22, 2020, 6:06:16 PM
OK, drop the "Chinese" into translate.google.com and see what it says.

Paul
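
Added example, not part of any post in this thread: a check to run on the .reg files produced by the export step described earlier, before deleting the keys or pasting their names into a translator. It assumes (this is not stated in the thread) that a garbled name may be plain ASCII text whose bytes were stored as UTF-16LE; the function names and the sample export are constructed for illustration.

```python
import re

# Key header line in a regedit export, e.g. [HKEY_CURRENT_USER\Software]
KEY_LINE = re.compile(r"^\[(HKEY_.*)\]$")


def recover_ascii(name):
    """Return the ASCII text hidden in `name`, or None.

    Assumption: the name was plain ASCII whose bytes were stored as if they
    were UTF-16LE, so each pair of letters shows up as one CJK-looking
    character. A few real CJK characters also pass this test, so treat a hit
    as a lead, not proof.
    """
    if name.isascii():
        return None
    raw = name.encode("utf-16-le", errors="surrogatepass")
    if raw.endswith(b"\x00"):          # odd-length text leaves one padding byte
        raw = raw[:-1]
    if all(0x20 <= b <= 0x7E for b in raw):
        return raw.decode("ascii")
    return None


def keys_from_export(data):
    """List the key paths in a .reg export (regedit 5.00 writes UTF-16 + BOM)."""
    text = data.decode("utf-16")
    return [m.group(1) for line in text.splitlines()
            if (m := KEY_LINE.match(line.strip()))]


def triage(data):
    """Classify the last path component of every exported key."""
    report = []
    for path in keys_from_export(data):
        leaf = path.rsplit("\\", 1)[-1]
        hidden = recover_ascii(leaf)
        if leaf.isascii():
            verdict = "ascii"
        elif hidden is not None:
            verdict = "ascii-as-utf16"
        else:
            verdict = "non-ascii"
        report.append((path, verdict, hidden))
    return report


# Constructed sample data: "Software" with its ASCII bytes read as UTF-16LE,
# and one genuinely Chinese key name for contrast.
GARBLED = "Software".encode("ascii").decode("utf-16-le")
GENUINE = "\u8f6f\u4ef6"
SAMPLE = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_CURRENT_USER\\Software]\r\n\r\n"
    f"[HKEY_CURRENT_USER\\{GARBLED}]\r\n"
    "\"Example\"=dword:00000001\r\n\r\n"
    f"[HKEY_CURRENT_USER\\{GENUINE}]\r\n"
).encode("utf-16")

if __name__ == "__main__":
    for path, verdict, hidden in triage(SAMPLE):
        print(verdict, repr(path), hidden or "")
```

A name reported as "ascii-as-utf16" reads as the recovered ASCII string; one reported as "non-ascii" is the kind worth translating.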

s|b

Sep 24, 2020, 11:24:17 AM
On Tue, 22 Sep 2020 18:06:11 -0400, Paul wrote:

> OK, drop the "Chinese" into translate.google.com and see what it says.

Tnx, I'll try that first.

--
s|b