Editing User.dat ?

[ohheck]

does anyone know how to find text in the registry that isnt in text form? - there is information in the user.dat file im looking for;
i know it's there because if i open user.dat as a text file and do a search it shows up- e.g. : Search "rabbit"-
but when i open regedit, "rabbit" is nowhere to be found. ??
user.dat as a text file is mostly gibberish so i try to find land marks- a few lines before rabbit is RecentDocs; ok, i find RecentDocs in regedit but still dont find the word rabbit.
i think i may be in binary form, yes? anybody have any tips where that rabbit is hiding?

 

[fpmm25]

can you please explain a bit more what you are looking for. The "rabbit" that you are searching for is that a text file? or what kind of file is it and what operating system you are using and why are you searching for "rabbit" in the user.dat file?

 

[ohheck]

win98se-
open your user.dat in wordpad and you'll see-
here's an example: i downloaded a zip named spider116.zip last night, this is copied from user.dat using wordpad------

ê:i ¢Ø +00 #C:\ î 1 ¹,s¯ Mame MAME 1 ¹, ° ctrlr CTRLR ÿÿÿÿ y 89 àOÐ ê:i ¢Ø +00 #C:\ î% 1 ¸,a¿ Program Files PROGRA~1 % 1 º,ŝ Sonic Foundry SONICF~1 è–4ƒ n 90 àOÐ ê:i ¢Ø +00 #C:\ RGDB ð ~A ‚® « r q
RecentDocs ÿÿÿÿ MRUListfcedba ÿÿÿÿ / aSIREGIST.TXT 0 Siregist.txt.lnk xt.l % b111.reg 0 111.reg.lnk ÿÿÿ ! c1.reg 0 1.reg.lnk pg.l 1 dspider116.zip ! 0 spider116.zip.lnk k ! e1.txt 0 1.txt.lnk ÿÿÿÿ % fftp.txt 0 ftp.txt.l

when i open regedit and do a search for 'spider' it's not found !

 

[TheShadow395]

Welcome to TSG
First time I've said that - well, I did only join about three hrs ago!

 

[Bryan]

Shadow, User.dat is part of the registry along with System.dat

So when your in Regedit, I assume your using the Edit>Find option.

If so, just to be sure, are you highlighting MyComputer before the search so it searches the entire registry?

Did you Select All of the boxes so it searches "Keys, Values and Data"?

Did you Unselected "Match Whole String Only"?

Are you pressing F3 to continue searching after it finds one instance of what your searching for?

 

[ohheck]

Bryan- yes, yes, and yes but thanks for trying-
i did a search of every file on my computer containing the word spider116 and it is only in user.dat - these all seem to be recently viewed files- ( "spider116.zip.lnk" )- i located and deleted every reference to recently viewed files in the registry, recently docs is empty on the start menu, but still the links are there (in text form) in the user.dat file- does windows have some super hidden registry keys or something?...

 

[Bryan]

I've really never gotten into trying to read the user.dat file in a text editor since it's really nothing you can get done doing it that way.

Anyway, just a guess but if the registry was compacted, those items your seeing may disappear but that's just a guess. Maybe someone else knows otherwise.

Are you running W95, W98 or ME?

 

[TonyKlein]

You can't edit User.dat or System.dat directly. Period.

You must use Regedit to search and edit the Registry.

There are a number of places where MRU lists are stored, and sometimes the data are coded as well.

Good MRU cleaners like MRU Blaster or SpyBot will clean these.

 

[ohheck]

yes, i know i cant edit user.dat as a txt file that's why i want to know how to find it in regedit- just downloaded mru blaster, ran it, the information is still there!
more bits: they are files ive deleted, the recycled in shows as empty, except if i hit 'select all' , 'empty recycled bin'
a message pops up: "Are you sure you want to delete these 19 items?" - yes, ---> "system error"
ok, the information in user.dat is recently deleted files that have been deleted from the recycle bin, but the delete information wont go away..............



the messes i get myself into............. :\

 

[TonyKlein]

Your Recycle Bin is probably corrupted.

Go to Start > Shutdown > Reboot into MS-DOS

If you're running Win ME, start up with a boot disk.

Now type the following lines to delete your recycle bin, clicking 'enter' after each line:


cd\
deltree recycled
exit or win (to return to Windows).

A brand new Recycle bin will be recreated, and your problem should be over.

About the lingering stuff in your Registry, personally I wouldn't lose sleep over it, frankly.

 

[TheShadow395]

Oh, OK. Sorry

 

[TonyKlein]

No prob!

 

[pgriffet]

Hi all. I had noticed the same "problem" on my Win98 box. Some uninstalled programs were still visible in the registry with a viewer but a search with regedit gave no result.
Actually, a lot of values are stored in hexa or binary and you can't see them within regedit. But with a standard viewer (I use Total Commander - former Windows Commander - which has a powerful viewer, opening huge files within a second), you can see the hexa and the text part of a value. I had noticed it under

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

Ohheck, as for your question, check this key :

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs]

Take a look at the values in the right panel. You have to right-click on a value and then, choose modify. You will now see the binary value converted in hexa but also the text value of your downloaded file. Even if you clean your "RecentDocs" folder, the last 15 values (under 9x) are still stored in the registry.

Another way to find out the string :

1) export the full registry with regedit in a .reg file
2) convert the name of the file (or the string) you are looking for in hexa : rabbit is 726162626974
3) don't search with this hexa value in the .reg file because the value is binary.
.reg files show binary values separated with commas. So you have to search for the following string : 72,61,62,62,69,74

HTH

Pierre.

 

[ohheck]

Pierre - Thanks- I think that's it!
-Though i gave up yesterday and replaced user.dat with a 4 day old backup through DOS.
Long story short: i recently installed notron utilities and was surprised at all the "deleted" stuff that was still on the hd and in the registry. It turned in to an obsession to "beat the machine";
I win! :^)
thanks for all the responses

 

[WhitPhil]

Many times the "deleted" stuff, is exactly that. Deleted.
Unfortunately, it is "logically" deleted, not "physically" deleted.

That is why you can see old urls in the index.dat files, and possibly the reason why you are seeing old uninstalled items in the registry.

These files are databases and if Windows had to recreate the file, everytime something was deleted (just to get rid of that item), it would not be very productive.

As a result, many database schemes to nothing more than "mark/flag" records as being deleted, and any programs that want to access these files sequentially (as opposed to going through an index), have to check these flags to see if the record is a valid one, or whether it has been deleted.

For example, Spider just reads index.dat files sequentially and ignores the fact that some records have been marked as deleted. Whereas Explorer, when you browse the cache, only shows the valid records.

The registry is a similar concept. Regedit only shows legitimate (not deleted) records, whereas programs like WordPad will show everything.

You commented on Norton. Do you mean the Registry utility that shows entries that are no longer valid? If so, this is showing registry entries that point to files, and the files no longer exist. This is due to shoddy, poorly designed uninstall programs. AND, they are everywhere.
(the worst I have seen to date is Incredimail. I have never seen so much "crap" left in the registry after doing an uninstall. It's criminal!!)