
Windows Uninstall Does Not Remove All Registry Keys

description

Hello Mounir,

When I uninstalled VeraCrypt due to some testing I was performing, I noticed that the registry still has references to VeraCrypt and VeraCrypt Expander.

Would it be possible for the uninstaller to remove all the VeraCrypt Keys and/or values to the key to improve program cleanup when uninstalled?

For example, have VeraCrypt remove its value from MuiCache keys. In other instances, remove the key such as FileExts for ".hc".


Here are the keys I found with VeraCrypt when I uninstall the product:

HKEY_CLASSES_ROOT

[HKEY_CLASSES_ROOT\TypeLib\{9ACF6176-5FC4-4690-A025-B3306A50EB6A}]

[HKEY_CLASSES_ROOT\Wow6432Node\TypeLib\{9ACF6176-5FC4-4690-A025-B3306A50EB6A}]

[HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]


HKEY_CURRENT_USER

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hc]

[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted]


HKEY_LOCAL_MACHINE

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9ACF6176-5FC4-4690-A025-B3306A50EB6A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{9ACF6176-5FC4-4690-A025-B3306A50EB6A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{9ACF6176-5FC4-4690-A025-B3306A50EB6A}]


HKEY_LOCAL_MACHINE

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VERACRYPT]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VERACRYPT]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VERACRYPT]


HKEY_USERS

[HKEY_USERS\<Alphanumeric Number>\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]

[HKEY_USERS\<Alphanumeric Number>_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]

[HKEY_USERS\<Alphanumeric Number>\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted]

[HKEY_USERS\<Alphanumeric Number>\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hc]

Thank you!

comments

Enigma2Illusion wrote Mar 6, 2015 at 9:16 PM

I missed three keys for HKEY_LOCAL_MACHINE when I copied and pasted above. Here are the additional three keys.

HKEY_LOCAL_MACHINE

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9ACF6176-5FC4-4690-A025-B3306A50EB6A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{9ACF6176-5FC4-4690-A025-B3306A50EB6A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{9ACF6176-5FC4-4690-A025-B3306A50EB6A}]

idrassi wrote Mar 7, 2015 at 11:02 PM

Thank you for reporting this.

Concerning the GUID-like entries, this is caused by older versions of the COM interface not being deleted after an upgrade. I will add a fix for this.

For the MuiCache entries, VeraCrypt never writes data there and on my system after an uninstall, there was no reference to VeraCrypt there. What kind of information do you have on your side?

For AppCompatFlags, VeraCrypt never writes there and it is Windows that is responsible. I'll try to find an efficient way to erase them, but I'm afraid I will need to loop on all entries to search for any VeraCrypt value, especially for [HKEY_USERS\<Alphanumeric Number>\ where there are many <Alphanumeric Number>.

Same thing for LEGACY_VERACRYPT and FileExts.hc: these are generated by Windows and I'll have to loop for them.

For the [HKEY_CURRENT_USER], any fix will only work if there is a single user. If there are many users on the machine, the information will only be erased for the user that runs the installer.

Enigma2Illusion wrote Mar 8, 2015 at 12:37 AM

Hello Mounir,
For the MuiCache entries, VeraCrypt never writes data there and on my system after an uninstall, there was no reference to VeraCrypt there. What kind of information do you have on your side?
.
The MuiCache is Windows tracking most used application executables.

Here are the entries I had in my registry until I deleted them manually:

[HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files\VeraCrypt\VeraCrypt.exe"="VeraCrypt"
"C:\Program Files\VeraCrypt\VeraCryptExpander.exe"="VeraCrypt Expander"
"C:\Users\<Username>\Downloads\VeraCrypt Setup 1.0f-1.exe"="VeraCrypt Setup"
"C:\Users\<Username>\Downloads\VeraCrypt Setup 1.0f-2-Beta.exe"="VeraCrypt Setup"

I believe that if you delete from the HKEY_CLASSES_ROOT that these entries are removed from the HKEY_USERS and HKEY_CURRENT_USER.

idrassi wrote Mar 13, 2015 at 6:19 PM

I have implemented a fix that removes all possible references of VeraCrypt from the registry: https://veracrypt.codeplex.com/SourceControl/changeset/080aab27be65d62fc8db8a491f40e93007ac7279

The only references left are "Enum\Root\LEGACY_VERACRYPT" under ControlSets, which are impossible to delete because they are locked by Windows, and any attempt to delete them results in an ACCESS_DENIED error even with the highest privileges.

I have updated the Windows setup in the SourceForge Nightly Builds folder to include this fix: https://sourceforge.net/projects/veracrypt/files/VeraCrypt%20Nightly%20Builds/

Enigma2Illusion wrote Mar 14, 2015 at 12:01 AM

Thank you Mounir! Definitely a big improvement in removing current and previous versions.

Would it be possible to include the following?

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted]
"C:\Program Files\VeraCrypt\VeraCrypt Setup.exe"=dword:00000001

Enigma2Illusion wrote Mar 14, 2015 at 12:28 AM

I found a video on how to delete LEGACY entries from the registry.

Skip forward to 2:10 to see the procedure at the link below.

https://www.youtube.com/watch?v=7OwfLtmqEwk

idrassi wrote Mar 15, 2015 at 12:30 AM

Thank you for the video.
I spent countless hours working on this...those LEGACY keys are very special and I tried to reverse engineer the calls made by Regedit to perform what is described in the video, but my implementation always encounters an ACCESS_DENIED error when run in the setup. Some special parameters must be missing from my code...ACEs and DACLs are not trivial to use to handle such special situations.

Anyway...this will be tough!

Enigma2Illusion wrote Mar 15, 2015 at 2:33 AM

And here is a site on modifying DACL permissions.

http://www.tenouk.com/ModuleJ1.html

idrassi wrote Mar 15, 2015 at 11:55 PM

Thank you for the links.
Unfortunately, they were all missing a key point that I discovered afterwards: the SE_TAKE_OWNERSHIP_NAME must be enabled before being able to perform these operations.
I believe most of the samples are from the 2000/XP era and things changed in Windows Vista/7.

So, the good news is that it is working now. Here is the commit: https://veracrypt.codeplex.com/SourceControl/changeset/67f5440fedffe791be00c7eb730f5889282b4c55

I uploaded the new setup as usual.

Concerning the AppCompatFlags keys, there is nothing we can do as it is the Windows Program Compatibility Assistant (PCA) that decides to put the VeraCrypt setup on the compatibility list and we can't delete ourselves from the list.
I searched for ways to avoid this but I didn't find any (some propose to modify the manifest to add compatibility indication but this is already the case in VeraCrypt and it doesn't help).
So, apparently, Windows doesn't like something in the VeraCrypt installer and it decides to put it on the compatibility list...
Any help on this will be appreciated as I didn't find how to know the things that make VeraCrypt get put on this list.

Enigma2Illusion wrote Mar 16, 2015 at 4:28 AM

Thank you for the extra effort to remove the LEGACY keys which worked on my Win 7 64-bit system.

I will research and report any findings regarding the AppCompatFlags keys. If I understood your explanation correctly, you cannot remove the entry while the program is being uninstalled.

NewShortcuts Keys

A new issue that I have discovered during beta testing is if you uninstall VeraCrypt, install VeraCrypt and then uninstall the product, you leave behind keys in the NewShortcuts shown below.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts]
"C:\Users\<UserAcctName>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VeraCrypt\VeraCrypt.lnk"=dword:00000001
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VeraCrypt\VeraCrypt.lnk"=dword:00000001
"C:\Users\<UserAcctName>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VeraCrypt\VeraCryptExpander.lnk"=dword:00000001
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VeraCrypt\VeraCryptExpander.lnk"=dword:00000001

[HKEY_USERS\<Alphanumberic_Chars>\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts]
"C:\Users\<UserAcctName>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VeraCrypt\VeraCrypt.lnk"=dword:00000001
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VeraCrypt\VeraCrypt.lnk"=dword:00000001
"C:\Users\<UserAcctName>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VeraCrypt\VeraCryptExpander.lnk"=dword:00000001
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VeraCrypt\VeraCryptExpander.lnk"=dword:00000001

idrassi wrote Mar 16, 2015 at 8:47 AM

Thanks for the tests.

Concerning AppCompatFlags, the issue is that this entry is created after the setup program has finished. Even if I spawn a process from the setup that will run after the setup is finished in order to remove these entries, Windows will wait for the spawned process to end before writing this entry.

Another important point: if VeraCrypt is uninstalled through "Control Panel -> Uninstall a program -> VeraCrypt" then the AppCompatFlags entries are not created!!
Should we force the use of Control Panel for VeraCrypt uninstall? I don't like it personally...

Concerning the new shortcuts keys, I don't have them on my machine. I tried different configurations but I was never able to have them after an uninstall. Nevertheless, I added code to remove them: https://veracrypt.codeplex.com/SourceControl/changeset/1e7f72d4a1e3f7a0cd2000aa1f3236f5d3a594a4

I uploaded a new binary that contains this modification.

Enigma2Illusion wrote Mar 16, 2015 at 6:11 PM

Compatibility Assistant\Persisted

.
Concerning AppCompatFlags, the issue is that this entry is created after the setup program has finished. Even if I spawn a process from the setup that will run after the setup is finished in order to remove these entries, Windows will wait for the spawned process to end before writing this entry.

Another important point: if VeraCrypt is uninstalled through "Control Panel -> Uninstall a program -> VeraCrypt" then the AppCompatFlags entries are not created!!
Should we force the use of Control Panel for VeraCrypt uninstall? I don't like it personally...
.
I confirm your results. If I uninstall via the Control Panel method, the VeraCrypt value is removed from the AppCompatFlags. However if I uninstall via the Start Menu > All Programs > VeraCrypt > Uninstall method, the VeraCrypt value remains in the AppCompatFlags.

Regarding forcing the user to use the Control Panel method for uninstalling VeraCrypt to remove the registry entry from AppCompatFlags, it seems to be a reasonable approach and follows MS User Interface Design standards.

See number 5.

https://msdn.microsoft.com/en-us/library/ms954377.aspx

What are your thoughts?

NewShortcuts Keys

Thank you for adding the NewShortcuts for removal. I retested with the latest beta and the VeraCrypt values are gone after uninstalls performed by either Start Menu or Control Panel methods.

Many thanks for your hard work!

idrassi wrote Mar 17, 2015 at 11:07 PM

Thank you for the Microsoft link...this may explain why the setup is put in the AppCompatFlags list since it goes against Microsoft UI standards.

I modified the setup so that the install link actually launches the standard Add/Remove Programs window: https://veracrypt.codeplex.com/SourceControl/changeset/b2799437ba220f7b3c674f9987432384dec861c1

And I uploaded the corresponding setup to Sourceforge Nightly Builds. On my side, I have no more traces of VeraCrypt after uninstall.

Any comments?

Enigma2Illusion wrote Mar 18, 2015 at 2:25 AM

I received the same results as you in not finding any VeraCrypt when searching the registry after uninstall using the Start Menu method with the latest beta.

Just for clarification, the MS User Interface Design standards are recommending not including the Uninstall in the Start Menu's program name's folder. For example, if you look at the Microsoft folders in the Start Menu, you will not find the Uninstall option. Instead MS is expecting the user to access the Control Panel method to uninstall any program.

I know you prefer having the Uninstall listed in the Start Menu for VeraCrypt. :)

I only mention this in case in the future this starts to turn into a coding complexity between different versions of the Windows OSs.

Thank you again for working so hard on getting the registry entries removed! This task was not as simple as either of us expected. :)

idrassi wrote Mar 18, 2015 at 9:19 AM

Yeah...this was really complex but "all's well that ends well"
For now, I want to keep the uninstall link...

Thank you for your help on this issue.

idrassi wrote Mar 18, 2015 at 9:19 AM

** Closed by idrassi 03/18/2015 1:19AM

Enigma2Illusion wrote Feb 21, 2016 at 5:29 PM

Hello Mounir,

I am reopening this ticket because a test I performed uninstalling 1.18 Beta 1 shows that there are VeraCrypt registry entries existing in the following sections:
  • HKEY_CLASSES_ROOT
  • HKEY_LOCAL_MACHINE
I have attached a file called "1.18 Deinstall Registry Entries Remaining.txt" showing the entries on my Win7 Professional 64-bit system after uninstalling 1.18 version.

Kind Regards.
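
Added example (not part of the thread and not VeraCrypt's own code): a small Python checker for the kind of post-uninstall audit done by hand above. It scans a regedit `.reg` export for keys, value names and value data that mention VeraCrypt, including `hex(2)`/`hex(7)` string data that a plain text search misses; the sample export, the SID and the `Software\Example` key are constructed.

```python
import re

NEEDLE = "veracrypt"  # product name from the thread; matched case-insensitively

# Constructed sample in regedit export syntax (backslashes doubled inside quotes).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-0-0-0-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\\Program Files\\VeraCrypt\\VeraCrypt.exe"="VeraCrypt"
"C:\\Windows\\notepad.exe"="Notepad"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VERACRYPT]

[HKEY_CURRENT_USER\Software\Example]
"Path"=hex(2):43,00,3a,00,5c,00,56,00,65,00,72,00,61,00,43,00,72,00,79,00,\
  70,00,74,00,00,00
'''

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def decode_data(raw):
    """Return value data as text; hex(2)/hex(7) payloads are UTF-16LE strings."""
    m = re.match(r'hex\((?:2|7)\):(.*)', raw)
    if m:
        octets = bytes(int(b, 16) for b in re.findall(r'[0-9a-fA-F]{2}', m.group(1)))
        return octets.decode("utf-16-le", errors="replace").replace("\x00", " ")
    return raw.replace("\\\\", "\\")

def find_residue(reg_text, needle=NEEDLE):
    """Return (key, value_name, reason) for each key or value mentioning needle."""
    hits, key, needle = [], None, needle.lower()
    text = re.sub(r'\\\r?\n\s*', '', reg_text)  # join hex continuation lines
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if needle in key.lower():
                hits.append((key, None, "key path"))
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = m.group(1).strip('"').replace("\\\\", "\\")
        if needle in name.lower():
            hits.append((key, name, "value name"))
        elif needle in decode_data(m.group(2)).lower():
            hits.append((key, name, "value data"))
    return hits
```

Files written by regedit's Export are UTF-16LE with a BOM, so read them with `open(path, encoding="utf-16").read()` before passing the text to `find_residue`.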