Find Software License Keys In Registry


Lottie Dedinas

Aug 3, 2024, 11:20:30 AM
to badckingterpduns

I was working on a new Windows 10 deployment where specific settings needed to be disabled. We did not want to use GPO settings because the users needed the ability to change the values. To configure the task sequence, I needed to know the registry key values that were set when disabling options in Windows 10 Settings. So, the adventure began. First, I downloaded the newest version of the utility from Then because I had downloaded from the Internet, I opened the file properties and unblocked the file so I could run it.

I opened the application running it as Administrator with elevated privileges. Given that I was only interested in finding registry values, I filtered the view to the registry by de-selecting the icons for file activity, network activity, process and thread activity, and finally profiling events.

To start my capture with a clean slate, I stopped the current capture, Ctrl+E, then cleared the display, Ctrl+X. To minimize the amount of data returned, I opened Settings and proceeded to the page with the setting I needed to capture. I then switched back and forth between Settings and Procmon. First, I turned on the capture, Ctrl+E, switched to Settings and made my change, then back over to Procmon to stop the capture, Ctrl+E. Those few minutes of capturing data logged 21,323 registry events. I needed to filter this down to the events that wrote to the registry.

The next part I found the coolest. Instead of having to open RegEdit and drill down to the registry key listed above, I just selected the entry I was interested in, right-clicked and selected Jump To. This opened RegEdit to the exact key I needed. As shown in the screen print below, I also could have just pressed Ctrl+J.

Once the registry was open to the correct key, it was just a matter of exporting the registry key. I exported the 3 keys I was interested in. Then to verify I had the correct entries, I performed the following steps:

To my amazement, it really was this easy to find the registry keys I needed to make modifications. Then it was just a matter of including these changes into the Microsoft Deployment Toolkit task sequence, but that is a different story.

Looks like that Obsolete Software Key 'ChangeTracker' notification is probably going to be one of those ongoing registry detections in CCleaner like the 'ToastNotifier' one which has now been there for months & months.

I'm having the same problem, and as for the idea that I shouldn't clean my registry because Microsoft changes the registry a lot, I'd prefer NOT to have Microsoft or anyone else messing with my computer unless I specifically want them to, and I don't see why I should let my registry pile up a bunch of garbage entries, slowing down my computer, just because some intrusive mega-corporation wants to control it. And when my computer is running slower than usual, that IS something that's already broken.

Dude, you're the one telling us not to use CCleaner to remove files CCleaner thinks are unnecessary, but which you're assuring us are actually necessary. So - by your own admission, this IS a CCleaner problem. If the file is necessary, then maybe the CCleaner software should be amended so it knows not to delete that registry entry.

When MS add new registry entries that the current CCleaner reg cleaner doesn't recognise then it takes time for CCleaner to be changed to ignore them - if it is decided to ignore them.
The developers may decide that clearing the new entry is required anyway, even though Windows will create it again.

Have a read of the link in my signature;
There's an explanation of why CCleaner will remove certain files even though it's known that Windows will put new ones straight back to replace them.
That isn't an error, CCleaner does it deliberately to 'refresh' the files.
(Whilst not quite the same thing for a registry entry as a file, doing that can still be relevant to reset some entries that may have been modified).

I 100% agree with Ian Cooper and his April 10 comment. If this is a CCleaner issue - then CCleaner needs to fix it. As a licensed and paid user of these tools, Moderators, like nukecad, need to understand the customer's perspective and use their Moderator position to drive the company we pay to be better and not slide down the slope of "it is ok" - recognize a problem and drive a fix. This goes back to April - 6 months later the registry item is still showing as an issue. Drive the solution versus perpetuating the problem. I don't need to read an excuse, the software needs to work after 1/2 a year.

...When MS add new registry entries that the current CCleaner reg cleaner doesn't recognise then it takes time for CCleaner to be changed to ignore them - if it is decided to ignore them.
The developers may decide that clearing the new entry is required anyway, even though Windows will create it again.

...There's an explanation of why CCleaner will remove certain files even though it's known that Windows will put new ones straight back to replace them.
That isn't an error, CCleaner does it deliberately to 'refresh' the files.

I get that sometimes it takes time to update the program, but so what? It's been months, and you're still saying "may decide". If the program thinks the files should be deleted, then when people complain, simply tell them that this is the case, instead of waffling on about it being a Windows problem and telling them not to use ccleaner's registry cleaner (let's not forget, you said " it's unwise to use a Registry Cleaner unless you are trying to fix a specific problem." - I view any junk in my registry to be "a specific problem" because ccleaner TELLS ME IT IS!). The fact that you haven't given us any definitive answer on this issue, and you're still using words like "may" indicates that this issue STILL hasn't been addressed either way, and you're just making excuses.

Whilst we might get a few extra insights into what is happening at the company we can only know what we are told by the company.
We have no influence over what the company is doing, other than complaining if we think what they are doing is wrong (and believe me, we do).
Just like you are complaining here.

Of course we could keep silent, just delete all the posted daily spam content so that you don't see it, and not share any of what little extra we do find out if/when it is relevant to a topic.
But that wouldn't be of help to anyone.

Hello All & especially Mart89, Nice to meet you. Sorry my reply is a year late; I suffer from ADHD, which also explains why I only just upgraded to W11 after being MacAFied, not verified, but thought MacOSX was better than windows. Regret that decision now I need computing on the cheap, mate. Another ADHD trait... I talk too much... So to cut a long story short, dear friend, obsolete is exact in that it's used for core Microsoft code and you will never get rid of it; it's probably a windows logging option enabled for developers. Empty is good as no sub folders or relevant value, hence obsolete.

Talking of ADHD, I completely understand your question, it's almost genius... Like you, I like to see a clean registry and that each entry is not going to slow me down in the future... So I exclude a lot of things of no value, hence the lovely photo below that you configure / customize this wonderful software. Hope this helps buddy, All the best NOVA

Hi, I just started Splunk yesterday and was looking for proper syntax for trying to search for the creation of registry keys on all machines and, if possible, how to get alerts for deleted reg keys. I haven't touched every dashboard in Splunk but I imagine a simple table that includes all machines in the network with reg key counts would be the way to go. I'm not sure about the alerts part for deleted keys.

I did see that event code on listed as response to someone asking a previous question and after attempting to pipe it to our index it said "unknown search cmd '4657'". What is the proper syntax for searching eventcodes?

Ok, so after trying that string with my index and switching the time search to 'All time' (and got a ton of irrelevant hits), I opened one of the hits and found "EventID" had its own field. Just as a reference for anyone else looking at this issue later:

OK, so now you have learned that your data has fields which you can use to refine your search, as you have done. This is the sort of thing you need to understand about your data. Don't forget that we can only provide answers based on the information you give us, although we can make educated guesses based on experience, but they may not always be correct.

Because registry keys are items on PowerShell drives, working with them is very similar to working with files and folders. One critical difference is that every item on a registry-based PowerShell drive is a container, just like a folder on a file system drive. However, registry entries and their associated values are properties of the items, not distinct items.

You can show all items directly within a registry key using Get-ChildItem. Add the optional Force parameter to display hidden or system items. For example, this command displays the items directly within PowerShell drive HKCU:, which corresponds to the HKEY_CURRENT_USER registry hive:

You can also specify this registry path by specifying the registry provider's name, followed by ::. The registry provider's full name is Microsoft.PowerShell.Core\Registry, but this can be shortened to just Registry. Any of the following commands will list the contents directly under HKCU:.

These commands list only the directly contained items, much like using DIR in cmd.exe or ls in a UNIX shell. To show contained items, you need to specify the Recurse parameter. To list all registry keys in HKCU:, use the following command.

Get-ChildItem can perform complex filtering capabilities through its Path, Filter, Include, and Exclude parameters, but those parameters are typically based only on name. You can perform complex filtering based on other properties of items using the Where-Object cmdlet. The following command finds all keys within HKCU:\Software that have no more than one subkey and also have exactly four values:
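
The PowerShell below is an added example, not part of the original post or of any documentation it quotes. It applies the points above (recursive Get-ChildItem, filtering on a key property with Where-Object, and values being properties of a key rather than child items) to the task from the start of the post: finding which registry values change when a setting is toggled. The helper name Get-RegistrySnapshot and the subtree in $root are assumptions chosen for illustration.

```powershell
# Added example. Get-RegistrySnapshot is a hypothetical helper name.
function Get-RegistrySnapshot {
    param(
        [Parameter(Mandatory)]
        [string]$Path   # registry path such as 'HKCU:\Software\...'
    )
    # The root key itself plus every subkey. Keys the caller cannot open are
    # skipped instead of aborting the walk.
    $keys = @(Get-Item -LiteralPath $Path -ErrorAction Stop) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)

    # ValueCount is a property of each key item; keys without values add nothing.
    foreach ($key in ($keys | Where-Object { $_.ValueCount -gt 0 })) {
        # Values are properties of the key, not child items, so they are read
        # from the key object rather than listed by Get-ChildItem.
        foreach ($name in $key.GetValueNames()) {
            $data = $key.GetValue($name, $null,
                [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            [pscustomobject]@{
                Key   = $key.Name
                Value = if ($name) { $name } else { '(Default)' }
                Kind  = $key.GetValueKind($name)
                Data  = $data -join ','   # flattens binary and multi-string data
            }
        }
    }
}

# Assumed subtree; narrow it to the area the setting is likely to touch.
$root   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion'
$before = Get-RegistrySnapshot -Path $root
Read-Host 'Change the setting, then press Enter' | Out-Null
$after  = Get-RegistrySnapshot -Path $root

# '<=' rows show a value's old state, '=>' rows its new state.
Compare-Object $before $after -Property Key, Value, Kind, Data |
    Sort-Object Key, Value, SideIndicator |
    Format-Table -AutoSize -Wrap
```

A value that appears only with '=>' was created by the change, and one that appears only with '<=' was deleted by it.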
