# Editing User.dat?



## ohheck (Jan 5, 2003)

does anyone know how to find text in the registry that isn't in text form? - there is information in the user.dat file i'm looking for;
i know it's there because if i open user.dat as a text file and do a search it shows up - e.g.: Search "rabbit" -
but when i open regedit, "rabbit" is nowhere to be found. ??
user.dat as a text file is mostly gibberish so i try to find landmarks - a few lines before rabbit is RecentDocs; ok, i find RecentDocs in regedit but still don't find the word rabbit.
i think it may be in binary form, yes? anybody have any tips where that rabbit is hiding?


----------



## fpmm25 (Sep 13, 2002)

Can you please explain a bit more what you are looking for? The "rabbit" that you are searching for, is that a text file? Or what kind of file is it, what operating system are you using, and why are you searching for "rabbit" in the user.dat file?


----------



## ohheck (Jan 5, 2003)

win98se- 
open your user.dat in wordpad and you'll see-
here's an example: i downloaded a zip named spider116.zip last night, this is copied from user.dat using wordpad------

ê:i ¢Ø +00 #C:\ î 1 ¹,s¯ Mame MAME 1 ¹, ° ctrlr CTRLR ÿÿÿÿ y 89 àOÐ ê:i ¢Ø +00 #C:\ î% 1 ¸,a¿ Program Files PROGRA~1 % 1 º,Å Sonic Foundry SONICF~1 è4 n 90 àOÐ ê:i ¢Ø +00 #C:\ RGDB ð ~A ® « r q 
RecentDocs ÿÿÿÿ MRUListfcedba ÿÿÿÿ / aSIREGIST.TXT 0 Siregist.txt.lnk xt.l % b111.reg 0 111.reg.lnk ÿÿÿ ! c1.reg 0 1.reg.lnk pg.l 1 dspider116.zip ! 0 spider116.zip.lnk k ! e1.txt 0 1.txt.lnk ÿÿÿÿ % fftp.txt 0 ftp.txt.l

when i open regedit and do a search for 'spider' it's not found!


----------



## TheShadow395 (Jan 5, 2003)

Welcome to TSG 
First time I've said that - well, I did only join about three hrs ago!


----------



## Bryan (Jul 3, 1999)

Shadow, User.dat is part of the registry along with System.dat

So when you're in Regedit, I assume you're using the Edit>Find option.

If so, just to be sure, are you highlighting MyComputer before the search so it searches the entire registry? 

Did you Select All of the boxes so it searches "Keys, Values and Data"? 

Did you unselect "Match Whole String Only"? 

Are you pressing F3 to continue searching after it finds one instance of what you're searching for?


----------



## ohheck (Jan 5, 2003)

Bryan- yes, yes, and yes  but thanks for trying- 
i did a search of every file on my computer containing the word spider116 and it is only in user.dat - these all seem to be recently viewed files- ( "spider116.zip.lnk" )- i located and deleted every reference to recently viewed files in the registry, recently docs is empty on the start menu, but still the links are there (in text form) in the user.dat file- does windows have some super hidden registry keys or something?...


----------



## Bryan (Jul 3, 1999)

I've really never gotten into trying to read the user.dat file in a text editor since it's really nothing you can get done doing it that way.

Anyway, just a guess but if the registry was compacted, those items you're seeing may disappear but that's just a guess. Maybe someone else knows otherwise.

Are you running W95, W98 or ME?


----------



## TonyKlein (Aug 26, 2001)

You can't edit User.dat or System.dat directly. Period.

You _must_ use Regedit to search and edit the Registry.

There are a number of places where MRU lists are stored, and sometimes the data are coded as well.

Good MRU cleaners like MRU Blaster or SpyBot will clean these.


----------



## ohheck (Jan 5, 2003)

yes, i know i can't edit user.dat as a txt file, that's why i want to know how to find it in regedit - just downloaded mru blaster, ran it, the information is still there!
more bits: they are files i've deleted, the recycled bin shows as empty, except if i hit 'select all', 'empty recycled bin'
a message pops up: "Are you sure you want to delete these 19 items?" - yes, ---> "system error"
ok, the information in user.dat is recently deleted files that have been deleted from the recycle bin, but the delete information won't go away..............



the messes i get myself into............. :\


----------



## TonyKlein (Aug 26, 2001)

Your Recycle Bin is probably corrupted.

Go to Start > Shutdown > Reboot into MS-DOS

If you're running Win ME, start up with a boot disk.

Now type the following lines to delete your recycle bin, clicking 'enter' after each line:

*cd\
deltree recycled
exit* or *win* (to return to Windows).

A brand new Recycle bin will be recreated, and your problem should be over.

About the lingering stuff in your Registry, personally I wouldn't lose sleep over it, frankly.


----------



## TheShadow395 (Jan 5, 2003)

Oh, OK. Sorry


----------



## TonyKlein (Aug 26, 2001)

No prob!


----------



## pgriffet (Aug 10, 2002)

Hi all. I had noticed the same "problem" on my Win98 box. Some uninstalled programs were still visible in the registry with a viewer but a search with regedit gave no result.
Actually, a lot of values are stored in hexa or binary and you can't see them within regedit. But with a standard viewer (I use Total Commander - former Windows Commander - which has a powerful viewer, opening huge files within a second), you can see the hexa and the text part of a value. I had noticed it under

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

*Ohheck*, as for your question, check this key :

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs]

Take a look at the values in the right panel. You have to right-click on a value and then, choose modify. You will now see the binary value converted in hexa but also the text value of your downloaded file. Even if you clean your "RecentDocs" folder, the last 15 values (under 9x) are still stored in the registry.

Another way to find out the string :

1) export the full registry with regedit in a .reg file
2) convert the name of the file (or the string) you are looking for in hexa : rabbit is 726162626974
3) don't search with this hexa value in the .reg file because the value is binary. 
.reg files show binary values separated with commas. So you have to search for the following string : 72,61,62,62,69,74

HTH

Pierre.


----------
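An added example, not part of any post in this thread: the export-and-search procedure pgriffet describes, written as a script that also handles the case where regedit wraps a long hex value across lines with a trailing backslash, which makes a plain text search for `72,61,62,62,69,74` miss. The sample export is constructed, and the function names are assumptions of this example.

```python
import re

# Constructed REGEDIT4 export fragment (sample data, not from the thread's PC).
# The "a" value is wrapped with a trailing backslash, as regedit does for long data.
SAMPLE_REG = r'''REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs]
"MRUList"="ba"
"a"=hex:72,61,62,\
  62,69,74,2e,74,78,74,00,30,00
"b"=hex:73,70,69,64,65,72,31,31,36,2e,7a,69,70,00
'''

KEY = re.compile(r'^\[(.+)\]$')
HEX_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=hex(?:\([0-9a-fA-F]+\))?:(.*)$')

def naive_search(reg_text, needle):
    """The search from the post: comma-separated hex, matched as plain text."""
    return ",".join(f"{b:02x}" for b in needle.encode("ascii")) in reg_text

def logical_lines(reg_text):
    """Rejoin hex values that the export wrapped across lines with ',\\'."""
    buf = ""
    for line in reg_text.splitlines():
        line = line.strip()
        if line.endswith(",\\"):
            buf += line[:-1]          # drop the backslash, keep the comma
        else:
            yield buf + line
            buf = ""

def find_in_hex_values(reg_text, needle):
    """Return (key, value name, printable data) for hex values containing needle."""
    target = needle.encode("ascii").lower()
    hits, key = [], None
    for line in logical_lines(reg_text):
        if (m := KEY.match(line)):
            key = m.group(1)
        elif (m := HEX_VALUE.match(line)):
            raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
            if target in raw.lower():   # case-insensitive match on the decoded bytes
                text = "".join(chr(c) if 32 <= c < 127 else "." for c in raw)
                hits.append((key, m.group(1).strip('"'), text))
    return hits

if __name__ == "__main__":
    for word in ("rabbit", "spider116"):
        print(word, naive_search(SAMPLE_REG, word), find_in_hex_values(SAMPLE_REG, word))
```

Win9x REGEDIT4 exports are ANSI text, so read a real export with a single-byte encoding such as `cp1252` before passing it to `find_in_hex_values`.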



## ohheck (Jan 5, 2003)

Pierre - Thanks- I think that's it!
-Though i gave up yesterday and replaced user.dat with a 4 day old backup through DOS.
Long story short: i recently installed Norton Utilities and was surprised at all the "deleted" stuff that was still on the hd and in the registry. It turned into an obsession to "beat the machine";
I win! :^)
thanks for all the responses


----------



## WhitPhil (Oct 4, 2000)

Many times the "deleted" stuff, is exactly that. Deleted.
Unfortunately, it is "logically" deleted, not "physically" deleted.

That is why you can see old urls in the index.dat files, and possibly the reason why you are seeing old uninstalled items in the registry.

These files are databases and if Windows had to recreate the file every time something was deleted (just to get rid of that item), it would not be very productive.

As a result, many database schemes do nothing more than "mark/flag" records as being deleted, and any programs that want to access these files sequentially (as opposed to going through an index) have to check these flags to see if the record is a valid one, or whether it has been deleted.

For example, Spider just reads index.dat files sequentially and ignores the fact that some records have been marked as deleted. Whereas Explorer, when you browse the cache, only shows the valid records.

The registry is a similar concept. Regedit only shows legitimate (not deleted) records, whereas programs like WordPad will show everything.

You commented on Norton. Do you mean the Registry utility that shows entries that are no longer valid? If so, this is showing registry entries that point to files, and the files no longer exist. This is due to shoddy, poorly designed uninstall programs. AND, they are everywhere. 
(the worst I have seen to date is Incredimail. I have never seen so much "crap" left in the registry after doing an uninstall. It's criminal!!)


----------



## pgriffet (Aug 10, 2002)

Hi ohheck, your fight to beat the machine has just begun. 
Take a look here : http://www.techimo.com/forum/showthread.php?s=&threadid=41461

and search for my pseudo. You will be convinced to use a monitoring tool. As you have mentioned Norton, it includes such a tool to monitor the installation of new programs.

If you understand French, I've posted an article about monitoring tools on a French forum :

http://213.246.36.243/archives/48604-1.htm

WhitPhil, I have some remarks. I run Win98 with IE 5.5, YMMV.

I agree with you about registry garbage. I run everyday Inctrl5 and I keep the report, so I know exactly when a key has been created/modified/deleted in my registry.

The "deleted" keys mentioned by ohheck are not marked deleted, I'm not sure that Windows acts like database programs. I've already searched for just deleted keys with Total Commander in user and system.dat and they are really gone. I think Windows writes binary zeroes or another padding character.

About Spider and Explorer, I can't agree. I've made hundreds of tests with the IE cache and I can tell you that explorer.exe doesn't show only valid records. The number of files shown by explorer for my TIF folder never corresponds to reality. I use Total Commander to see ALL the files, including the stray files created by OE which never appear in explorer.exe, the index.dat, the desktop.ini's. There are a lot of files which appear in explorer but they are not in the TIF. The opposite is also true: recently, I had checked the option to delete the cache files when IE closes (sorry, I don't know the right name of the option as I have a French Windows). After the closing of IE, explorer showed only the cookies, no more cache files. But Total Commander showed me 400 (!) files which were still present.

David Pochron (the CacheSentry conceptor) has made a little freeware which handles IE bugs :

the random deletion bug, the stray file bug, the cache size bug are three bugs but there are others.

Here is an excerpt of the help file :

This is a program that fixes serious bugs in the Internet Explorer cache manager (versions 3.0 on up through and including Internet Explorer for Windows ME, and IE5.5 SP1). This program basically takes over the job of managing the cache from Internet Explorer, and the result is your web browsing session will be more enjoyable. CacheSentry isn't like those "web acceleration" programs that hook into IE and attempt to make guesses about your browsing habits. CacheSentry simply does a better job of removing files from the cache, and fixes a few other bugs present in most versions of Internet Explorer.

CacheSentry here : http://www.ticon.net/~dpoch/enigmatic/index.html

Pierre.


----------



## WhitPhil (Oct 4, 2000)

Pierre;
I forgot to define "valid". To Windows, the valid entries are those in the index.dat file, and that is all that Windows displays.

The registry is a database file, and deleted entries are only marked as being deleted. That is why a Scanreg/Opt results in a smaller registry.

If you want to do a test, create a key under HKLM/Software called THISTESTKEY
Exit Regedit (I don't think this is required but ....)
Run Regedit and delete that key.
Run Wordpad (or any other text editor) and search for THISTEST

It will be found.


----------



## pgriffet (Aug 10, 2002)

Hi WhitPhil. You are right about the keys and values deleted in the registry. They are only marked deleted. As I often compact my registry, I thought the delete was immediate, I mean that the key was replaced with padding characters, as it does in the index.dat when you remove urls in explorer.exe.
About what you call valid entries in the index.dat, I agree but I can't trust explorer.exe because it doesn't show the reality. That's true for the Recycle Bin, for the TIF folders, actually, all the "special" folders that are driven by a desktop.ini which shows what MS wants us to see. That's the reason why I use a third-party file manager to know exactly what is going on with my files. 
If IExplore.exe wouldn't show exactly a website as it is designed, everybody should rightly yell. However, that's what explorer.exe does and nobody seems to react, surprisingly.
Actually, the problem isn't that there are bugs in IE or explorer.exe. The problem is that MS doesn't speak about bugs (they prefer issues) and they don't explain what's going on with the cache. I've often read paranoid comments about the index.dat which is sort of MS spy to trace our surf habits for a lot of anti-MS people. I've found some information in Technet about the cache but MS has never clearly explained what's the purpose of the TIF index.dat, no more than an index to allow a faster Internet access to websites. There is no MS conspiracy but Gates feeds this myth with his silence. I've read an incredible comment from Jim Eshelman about MS programmers who have worked on XP, take a look here : http://www.aumha.org/elist.htm and search for "virtual memory and windows XP". I don't know what they fear as MS has 90% of the market, they behave as a victim of persecution.

Pierre.


----------

