Registry Cleanup Software Comparison

I would like to thank the people who developed the following projects – they made the implementation of this project easier:

I want to say a personal thank you to Silviu Simen for his article “INI file reader using the Spirit library”.

There was a project in which I took part and we needed to test the working of a parser for Windows hive Registry files. These files are stored in binary representation and the structure of such a file is not documented by Microsoft. But, by means of research, my colleagues managed to clear out this structure, and after that, the question of verifying the parser work appeared.

To perform testing, I decided to use the functionality of exporting of Registry in two formats: hive and reg. Thus, I could obtain two different files for the same Registry key and after that check the working of the Windows hive Registry file parser.

The structure of the Registry file – I’ll give an example below – is very similar to the structure of the ini file, so you can use standard Windows functions for reading values in this file. But the problem is that, functions work very slow for big files, and that is why this parser was developed – a parser for reg files where I use the Boost Spirit Parser Framework. The reasons why standard Windows functions are slow will be considered below in this article.

Let’s consider the general view of a reg file structure first, and some special complicated cases will be considered as necessary.

I’ve taken the following material from here http://en.wikipedia.org/wiki/Windows_Registry.

.REG files (also known as Registration entries) are text-based human-readable files for storing portions of the Registry. On Windows 2000 and later NT-based Operating Systems, they contain the string Windows Registry Editor Version 5.00 at the beginning and are Unicode-based. On Windows 9x and NT 4.0 systems, they contain the string REGEDIT4 and are ANSI-based. Windows 9x format .REG files are compatible with Windows 2000 and later NT-based systems. The Registry Editor on Windows on these systems also supports exporting .REG files in Windows 9x/NT format. Data is stored in .REG files in the following syntax:

Example 1 (different types):

Example 2 (real):

Making a little digression, I want to stress that the number in the line ” hex(1000800c) ” is the type identifier and it can be anything. It’s often used as the data in the security branch [HKEY_LOCAL_MACHINESAM].

And now, let’s try to extend the information about the possible contents of the reg file. Here, I represent some facts obtained during our research process:

As it was mentioned, the structures of reg files and ini files are quite the same, so I started to search for methods for working with ini files. I found the standard Windows functions.

Windows gives a lot of functions to work with INI files; we are interested in two of them for our task:

So, we should call GetPrivateProfileSectionNames one time to obtain the list of keys and then call GetPrivateProfileSection to obtain the values inside the keys.

The problem is that if the file is quite big, i.e., there are a lot of keys in it, then we should call GetPrivateProfileSection several times to read from the file. Here is some row test data: file size: 30 MB, file includes about 30,000 keys, the parsing of this file takes about 20 minutes. And, I should say that reg files are often bigger than 100 MB.

Unjustified number of readings from the file.

It’s necessary to load the file to the memory at one time or in some parts and then parse its content using your own tools.

When parsing a reg file content using your our own tools, it’s good idea to use already developed work. Thus, I came across the article about the ini file reader using the Spirit library. Using the example of the ini file parser, I developed my reg file parser.

The Spirit Parser Framework is an object oriented recursive descent parser generator framework implemented using template metaprogramming techniques. Expression templates allow users to approximate the syntax of Extended Backus Naur Form (EBNF) completely in C++.

I was also attracted by these factors:

Useful links:

The main idea of using boost::spirit is in using the rules. Usually, several basic rules are defined, and then other rules are defined by means of overridden operators as a combinations of basic rules. The following example shows the creation of rules using “AND” and “NOT” operators:

This rule works for any symbol except for ‘A’ and ‘B’.

Below in this article, each rule will be described in detail, but now, I want to give some quick information about possible operators – to let you imagine what the possible operations with the rules are.