ListLargeRegistryValues.ahk

1. ;ListLargeRegistryValues v1.0.1, March 2022.
2. ;https://pastebin.com/u/jcunews
3. ;https://greasyfork.org/en/users/85671-jcunews
4. ;https://www.reddit.com/u/jcunews1
5. ;
6. ;Scans Windows registry for values which have relatively large data.
7. ;A list text file will be created on the desktop and
8. ;will be automatically opened using Notepad.
9. ;
10. ;An idea based on a Reddit post:
11. ;https://www.reddit.com/r/windows/comments/tfrq2y/ntuserdat_taking_up_100gb_of_space/
12.  
13. getValueSize(hKey, name) {
14.   global fqueryval
15.   if (dllcall(fQueryVal, "ptr", hkey, "wstr", name, "ptr", 0, "ptr", 0
16.     , "ptr", 0, "int*", sz) == 0) {
17.     return sz
18.   } else return -1
19. }
20.  
21. processKey(key, subkey) {
22.   global fclosekey, fopenkey, keys, acnt, fcnt, tk, mvs, list
23.     , sortmap, hlbl
24.   k:= keys[key]
25.   if (dllcall(fOpenKey, "ptr", k, "wstr", subkey, "int", 0, "int", 1
26.     , "ptr*", hkey) == 0) {
27.     p:= subkey ? key "\" subkey : key
28.     loop reg, %p%
29.     {
30.       acnt++
31.       sz:= getvaluesize(hkey, a_loopregname)
32.       if (sz >= mvs) {
33.         fcnt++
34.         list.push([sz, a_loopregname, p])
35.         sortmap:= sortmap format("{:011u},{:u}", sz, list.length()) "`n"
36.       }
37.       t:= a_tickcount
38.       if ((t - tk) >= 1000) {
39.         tk:= t
40.         controlsettext, , Retrieving values...%acnt%/%fcnt%, ahk_id %hlbl%
41.       }
42.     }
43.     dllcall(fCloseKey, "ptr", hkey)
44.     loop reg, %key%\%subkey%, k
45.     {
46.       processkey(key, subkey ? subkey "\" a_loopregname : a_loopregname)
47.     }
48.   }
49. }
50.  
51. guiclose() {
52.   return true
53. }
54.  
55. guisize(hwnd, event, width, height) {
56.   global hbtn
57.   if (hbtn != "") {
58.     controlgetpos, , , a, , , ahk_id %hbtn%
59.     guicontrol move, % hbtn, % "x" ((width - a) / 2)
60.   }
61. }
62.  
63. gcancel() {
64.   msgbox 36, %a_scriptname%, Cancel operation?
65.   ifmsgbox yes
66.     exitapp
67. }
68.  
69. if (!fileexist(a_windir "\system32\config\systemprofile\*")) {
70.   if (a_args[1] == "/elevate") {
71.     a:= "Elevation request has been denied.`n"
72.       . "Do you want to retry the elevation?"
73.   } else {
74.     a:= "This script requires elevation for "
75.       . "accessing some system registries. Proceed with elevation?"
76.   }
77.   msgbox 51, %a_scriptname%, %a%
78.   ifmsgbox cancel
79.     exitapp
80.   ifmsgbox yes
81.   {
82.     run *runas "%a_ahkpath%" /restart "%a_scriptfullpath%" /elevate
83.       , a_workingdir
84.     exitapp
85.   }
86. }
87.  
88. while (true) {
89.   inputbox a, %a_scriptname%
90.     , % "Please enter the minimum registry value data size in Bytes.`n`n"
91.     . "The value should be at least 2048.`n"
92.     . "Otherwise the list may become too large."
93.     , , , , , , , , 16384
94.   if (errorlevel != 0) {
95.     exitapp
96.   }
97.   a:= trim(a) * 1
98.   if ((a != "") && (floor(a) == a) && (a >= 0)) {
99.     if (a >= 2048) {
100.       mvs:= a
101.       break
102.     } else {
103.       msgbox 51, %a_scriptname%
104.         , % "The data size is too small and the list may become too large.`n"
105.         . "Do you want to use it anyway?"
106.       ifmsgbox cancel
107.         exitapp
108.       ifmsgbox yes
109.       {
110.         mvs:= a
111.         break
112.       }
113.     }
114.   } else {
115.     msgbox 16, %a_scriptname%, Data size must be a positive integer number.
116.   }
117. }
118.  
119. gui -resize -sysmenu hwndhgui
120. gui margin, 40, 20
121. gui font, s12
122. a:= ""
123. loop 20
124. {
125.   a:= a chr(160)
126. }
127. gui add, text, center hwndhlbl, %a%Retrieving values...0/0%a%
128. gui add, button, ggcancel hwndhbtn y+30, Cancel
129. gui show
130.  
131. hm:= dllcall("GetModuleHandle", "str", "advapi32.dll", "ptr")
132. fCloseKey:= dllcall("GetProcAddress", "ptr", hm, "astr", "RegCloseKey", "ptr")
133. fOpenKey:= dllcall("GetProcAddress", "ptr", hm, "astr", "RegOpenKeyExW", "ptr")
134. fQueryVal:= dllcall("GetProcAddress", "ptr", hm, "astr", "RegQueryValueExW"
135.   , "ptr")
136.  
137. keys:= {}
138. keys.HKEY_CLASSES_ROOT:= 0x80000000
139. keys.HKEY_CURRENT_USER:= 0x80000001
140. keys.HKEY_LOCAL_MACHINE:= 0x80000002
141.  
142. list:= [] ;[[size, value, key], ...]
143. sortMap:= "" ;000size,index
144. acnt:= 0
145. fcnt:= 0
146. tk:= a_tickcount
147.  
148. ;%userprofile%\NTUSER.DAT and %localappdata%\Microsoft\Windows\UsrClass.dat
149. processKey("HKEY_CURRENT_USER", "")
150.  
151. ;%systemroot%\ServiceProfiles\LocalService\NTUSER.DAT
152. processKey("HKEY_USERS", "S-1-5-19")
153.  
154. ;%systemroot%\ServiceProfiles\NetworkService\NTUSER.DAT
155. processKey("HKEY_USERS", "S-1-5-20")
156.  
157. ;%systemroot%\system32\config\DEFAULT
158. processKey("HKEY_USERS", ".default")
159.  
160. ;%systemroot%\system32\config\SOFTWARE
161. processKey("HKEY_LOCAL_MACHINE", "software")
162.  
163. ;%systemroot%\system32\config\SYSTEM
164. processKey("HKEY_LOCAL_MACHINE", "system")
165.  
166. sort sortmap, cr
167. s:= ""
168. loop parse, % substr(sortmap, 1, strlen(sortmap) - 1), `n
169. {
170.   a:= substr(a_loopfield, instr(a_loopfield, ",", true, 0) + 1)
171.   b:= ""
172.   if (list[a][1] >= 10240) {
173.     b:= b format(" ({:.2f} KB", list[a][1] / 1024)
174.     if (list[a][1] >= 10485760) {
175.       b:= b format(" / {:.2f} MB", list[a][1] / 1048576)
176.       if (list[a][1] >= 10485760) {
177.         b:= b format(" / {:.2f} GB", list[a][1] / 1073741824)
178.       }
179.     }
180.     b:= b ")"
181.   }
182.   s:= s list[a][3] "`n  " list[a][2] " = " list[a][1] " Bytes" b "`n"
183. }
184. gui hide
185.  
186. fn:= a_desktop "\" substr(a_scriptname, 1, strlen(a_scriptname) - 3) "txt"
187. filedelete %fn%
188. fileappend %s%, %fn%, utf-8
189. msgbox 32, %a_scriptname%, List has been saved into desktop.
190. regread a, HKCU\Software\Microsoft\Notepad, fWrap
191. regwrite REG_DWORD, HKCU\Software\Microsoft\Notepad, fWrap, 0
192. run notepad.exe "%fn%", %a_desktop%
193. sleep 1000
194. regwrite REG_DWORD, HKCU\Software\Microsoft\Notepad, fWrap, %a%
195. exitapp
196.