Author Topic: Question on deleted strings in zulog file and perflib files  (Read 3808 times)

Offline Brown Sugar

  • Jr. Member
  • **
  • Posts: 28
    • View Profile
1) From what I've been told here before, the deleted registry strings are added back when the uninstall procedure is selected.
When I check my zulog file using notepad, I usually notice many mru streams and zone alarm references.
In addition, if a program requires a restart to finish the analysis, there's a good chance that an autostart program like Ccleaner or MRU blaster will remove temp files and registry strings.  Uninstall will then complete the analysis and reflect that these files and strings have been deleted.

The files won't be added back because they're gone, but won't the registry strings be recreated?  Regardless, will Zsoft issue a message that the uninstall wasn't totally completed if this is the case?

What I usually do is edit the zulog file and remove the strings referring to deleted mru streams.


2) Other deleted registry strings I find:

REG DELETED!   HKLM   SOFTWARE\Zone Labs\ZoneAlarm   ProgramSecuredCount   int:325

REG DELETED!   HKLM   SOFTWARE\Microsoft\Cryptography\RNG   Seed  (with a huge string following this key)

Do these really need to be added back?

3) Perflib files

Files such as these are created and show up in the zulog files:

FILE ADDED!   E:\WINNT\system32\Perflib_Perfdata_510.dat

According to:

http://www.jsifaq.com/SF/Tips/Tip.aspx?id=3343

Quote
The %SystemRoot%\System32\Perflib_Perfdataxxx.dat files are created by the System Monitor. When you shutdown normally, the file should be deleted.

If you have an abormal shutdown, these files can become orphaned, and accumulate on your computer.
Under some yet to be determined circumstances, these files can become orphaned during normal operation.
The best way to remove these files is to add a command in a logon script:
del /q %SystemRoot%\System32\Perflib_Perfdata*.dat

Since these are usually deleted upon shutdown, they will never be found by Zsoft Uninstaller, thus resulting in a program alert that all files could not be deleted.  Correct?

Some more info:

Quote
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Perflib

Description
The Perflib subkey stores configuration data for the Windows Performance
Library, which collects and organizes data for performance tools, such as
System Monitor.

In addition to entries, the Perflib subkey contains a Language-code subkey
for each spoken language you configure for Windows 2000. The Language-code
subkey stores performance counter names and their descriptions in the
specified language. The Language-code subkey is named for the language code
for that language. For example, the counters and descriptions for the
English language are stored in a subkey named 009, the language code for
English (United States).
« Last Edit: March 08, 2007, 06:10:47 pm by Brown Sugar »

Offline Admin

  • Administrator
  • Hero Member
  • *****
  • Posts: 522
    • View Profile
    • ZSoft Software
Re: Question on deleted strings in zulog file and perflib files
« Reply #1 on: March 08, 2007, 07:13:08 pm »
Yes, removed registry entries is added again upon uninstallation, and if e.g. CCleaner removes some registry entries upon restart, and this is recorded by ZSoft Uninstaller, these entries will be recreated upon uninstallation. This is why the "ignore filter" is handy :) Just add this stuff and it's no longer a problem :D (Mark 'Registry' and type for instance "HKLM\SOFTWARE\Microsoft\Cryptography\RNG" (no trailing "\") and click "Add It!").
Files wont be recreated.

If files that was recorded as created is gone upon uninstallation ZSoft Uninstaller shouldn't say that the uninstallation was incomplete. It checks if the file exists before it tries to delete it. If it doesn't it just moves on. If it does exist it tries to delete it - if it fails to delete it it will say that the uninstallation is incomplete. If you are told that the installation is incomplete you can open the file "TryDelete.dat" with Notepad and see what couldn't be uninstalled.

I might have missed something in you very long post -- if that's the case, please ask again :)