Softwares always store registration data somewhere, whether in the registry or in a file.
The file that stores registration info may be found in one of these locations:
1. The program’s directory (best situation)
2. Document folder of the logged in user or of All Users:
“C:Documents and SettingsYOURNAMEDocuments”
“C:Documents and SettingsAll UsersDocuments”
3. Application Data of the logged in user or of All Users:
“C:Documents and SettingsYOURNAMEApplication Data”
“C:Documents and SettingsAll UsersApplication Data”
4. Application Data in Local Settings:
“C:Documents and SettingsYOURNAMELocal SettingsApplication Data”
5. Windows directory
6. WindowsSystem32 directory
7. etc.
To find registration info which is stored in a file, you should examine the directories listed above.
Here are some tips for searching:
• Make sure you’ve set you file manager to show hidden files during this process.
• Sort files by date because it is likely that this file is the newest in these directories.
• Examine all files that can store info (.ini, .txt, .key, .reg and such).
• Files with small size are more suspicious as the registration data is usually not so big.
• In some cases, mainly in windows or system32 directory, you should view dll, ocx and other files that are small and new – view them with your text editor, sometimes registration data is hidden in these files.
This kind of searching can be very cumbersome, but also challenging in the same time.
If it is stored in the registry, it can be almost everywhere. Mostly they are in HKEY_CURRENT_USER (HKCU) or in HKEY_LOCAL_MACHINE (HKLM) but sometimes you may find it in HKEY_CLASSES_ROOT (HKCR) (as we did it when creating My Notes Keeper in Chapter II).
The best is when it is located in HKCU, because users without admin rights can access it. If it is in HKLM or HKCR, users without admin rights won’t be able to import registration info and thus the portable they try to launch won’t be licensed.
In most cases the registration data cannot be found in the registry in the form it was entered in the registration box, because it is encrypted. If we couldn’t find anything with Registry Workshop, then we should use Regmon (see “Tools” directory).
Before introducing RegMon, here’s an easier way to find registration info. Monitor the software with Total Uninstall, but instead of a setup fiile, use the software’s main exe. If it captures nothing, then you should turn to RegMon.
This process is a bit more complicated. You have to monitor the registry with Regmon when entering the registration data into the registration fields in My Notes Keeper (especially when you hit OK button, because that is the time when registration info is written into the registry). Because RegMon captures all registry activity, the list it generates is very long. You should be as quick as you can to avoid capturing registry activity that is not related with the software’s registration data you are searching for.
Although you can apply several filters to reduce the length of RM’s log file, there will be a lot of entries that you have to examine to find the registration info that you’re searching for.
If it is in encrypted form, you won’t find it in a form that you can recognize (i.e. if you’re searching for “Conan the portable creator” as a user name, you maybe find it in a registry key “HKLMSoftware1431461fsd15613151313duuislsdfjl” with a value “010111101011″ which is not so easy to notice). So you’ll have to investigate suspicious ones by deleting them from the registry (using Registry Workshop) and then see if the program reverts to trial mode. If not, undo the deletion in RW and go to the next suspicious key. If it reverts to trial mode, then undo deletion and save that key as RegInfo.reg.
Similarly, you can use FileMon to capture changes made to your file system in real time (see Tools directory).
[...] 5. Hidden Registration Data [...]