Sandboxie Forum - another registry viewer (6128)

rcbblgy:

Thu Nov 11, 2010 2:34 pm

hi, Alucard, good job, but I am sorry to say that the tool can't work with sandboxie v3.50, would you update it ?

Kind:

Fri Dec 11, 2009 10:47 pm

I feel sorry for this tool aren't available anymore. It had a different but an interesting approach when compared with SandboxDiff (that I use).

Buster:

Sun Dec 06, 2009 7:00 pm

Shafayat: Buster Sandbox Analyzer also shows registry and files changes. Did you try it already?

Shafayat: The download is not working

Sun Dec 06, 2009 6:50 pm

The download is not working can you post another link? If you have hosting problems, I can help hosting some of your file(s) regarding this software. (pm)

Alucard:

Wed Aug 26, 2009 2:59 pm

Good to hear. I updated the above link with final changes.

:

Wed Aug 26, 2009 2:44 pm

Thanks Alucard, seems to have done the trick :D Now it works fine. Thank you very much.

Alucard:

Wed Aug 26, 2009 1:46 pm

Key was useless (my mistake). Probably this key is huge and it just takes long to process. I added memory comparision and limits, this should help: [url]http://www.datafilehost.com/download-352b9442.html[/url]

:

Tue Aug 25, 2009 11:30 pm

[url]http://www.datafilehost.com/download-37ec7101.html[/url] Errorkeys

Alucard:

Tue Aug 25, 2009 3:58 pm

So it is reg_binary conversion loop. This is weird... I modified it a little. *deleted link* If this doesn't fix the problem then the loop will abort if it takes longer than 100ms, and you will get an error in log. Plus the problem keys will be saved in errorkeys subfolder. (they are in raw format so if you want to view them you have to use MiteC tool) Please upload those and error log info to somewhere (for example [url]www.datafilehost.com[/url]). If that's not it then try: *deleted link*

:

Tue Aug 25, 2009 9:17 am

[img:d7af0e6f14]http://www.ld-host.de/uploads/images/67cd9d223532dfdb6953203b3859680b.png[/img:d7af0e6f14] Here is another error code.

Alucard:

Tue Aug 25, 2009 7:49 am

That was really helpful. Should be fixed: *deleted link* If not you will get another code :wink:

:

Tue Aug 25, 2009 4:25 am

[img:5a7e4a6d1e]http://www.ld-host.de/uploads/images/3e8c0aa399883ff9e3408bec92c3fccf.png[/img:5a7e4a6d1e] Thanks Alucard ,here is the error code.

Alucard:

Tue Aug 25, 2009 4:00 am

Error code will show after the "seems like hang..." message. It will point me to a bug location. *deleted link*

Brummelchen:

Tue Aug 25, 2009 3:49 am

nice piece of work - but not really usable. why? sandboxie needs to be running - i dont need keys and files when the box is ON. anything important is AFTER sandboxie processes have ended. Files i can see directly - and the registry changes in you war are not usable for further action. and last but not least - you should use the forum search - dumping the hive is not new. read please: http://sandboxie.com/phpbb/viewtopic.php?t=1549 page 3 ]]>Quoting SnDPhoenix: ]]>You could try using this program instead: http://www.mitec.cz/wrr.html And just use that program to save the registry keys out of the hive and into a .reg file. :roll: ]]> Another nice way is/was "dumphive" from "Markus Stephany" unfortuantely i cannot find any official source - it disappeared somehow. google told me that it was sorted als malware due its primal function and some similarity to a malware same name :roll: after dump any text processing is possible (like after WRR).

:

Tue Aug 25, 2009 3:16 am

After abort theres no errors in the log. Sandboxdiff works fine for me. This problem shows only when i run IE7,I've try runing some program usng this viewer to trace registry ,it works fine.

Alucard:

Tue Aug 25, 2009 1:45 am

This is bad news. :? Looking at the numbers it seems random. After you abort are there any errors in the log? XP Home has all the registry functions Pro has. I will look tomorrow at the code and maybe figure something out. Did you try Sandboxdiff ?

:

Tue Aug 25, 2009 12:58 am

[img:11ce66ae96]http://www.ld-host.de/uploads/images/ccfea312e1e97cc7c0fdda64a9b73188.png[/img:11ce66ae96] Still no luck I'm using xp home ,does it makes difference between xp pro and xp home :?:

:

Tue Aug 25, 2009 12:51 am

Thanks Alucard for the reply! I'll give it a try and let you know the results :D

Alucard:

Mon Aug 24, 2009 11:31 pm

*deleted link* Added a lot of error checking and some fixes. Works?

Alucard:

Mon Aug 24, 2009 12:48 pm

I think i found some weird bug(s) in registry procedure, i will later rewrite it. I deleted the download links.

:

Mon Aug 24, 2009 7:59 am

[img:c195fa2824]http://www.ld-host.de/uploads/images/868471c8535b2fda0161bf5ee18897d2.png[/img:c195fa2824] Still the same :cry:

Alucard:

Mon Aug 24, 2009 1:36 am

It hangs or works but hogs cpu? If second try threaded version: http://www.datafilehost.com/download-3b7071bd.html

:

Sun Aug 23, 2009 12:32 pm

Problem using viewer to shows registry changes,cause cpu too hight :(

Alucard:

Fri Aug 21, 2009 10:38 am

Sure. Run a program you want to trace in an empty sandbox. Exit that program, wait for sandboxed processess to end, and then run this viewer, select the sandbox and press ok. It will also work on active sandboxes, but in most cases you want to end it (the program can modify things on exit). Registry types i don't have to explain. For modified files: If a real file have a sandboxed copy and "filecompare" is set then content - crc32 doesn't match moddate - crc32 match but modification date doesn't attribs - changed attributes other - none of the above are true, most of the time it's just a duplicated file Ini settings: Sbiedir - automatically set Filter - registry filter switch Ignore* - copy from notepad the keys and values you do not want to be shown. Format is key,key2,key3 for keys, for values it is: key;value1=data;value2=data,key2,key3 I added the ones that are always created when a sandboxed program starts. You can verify this by starting "run any program" in an empty sandbox and then running the viewer with filter=0. Partial match is supported so HKEY_LOCAL_MACHINE\software will ignore changes in all the subkeys. By the way this program is tested on XP only so files part may give weird results (like non translated path) on newer systems. This is due to changed (messed up is the right word) user folders locations.

Buster:

Fri Aug 21, 2009 8:26 am

Could you explain how to use it? Some instructions will not harm anyone. :wink:

Alucard: another registry viewer

Thu Aug 20, 2009 11:05 pm

It shows registry / files changes in a notepad. It's easy to use and fast (unless you install NET Framework sandboxed :twisted: ). Download: [url]http://www.datafilehost.com/download-8c99fe2d.html[/url]