I am a big fan and regular user of RegAlyzer (and can't live without FileAlyzer). I just installed the current RegAlyzer on a computer on which I just reinstalled Windows XP, and it appears I've found a bug.
If I search the entire registry the search is normal and fast until the status line displays /HKLM/System/ControlSet002. The status line stops updating, and the task manager shows the amount of memory grows rather fast until RegAlyzer crashes with an EOutOfMemory error. The same thing happens if I try to search just the ControlSet002 hive. If the search does not include this hive it runs to normal completion without significant memory usage. I then noticed that RegAlyzer will not expand/explore ControlSet002, but will expand/explore ControlSet001 and CurrentControlSet. RegAlyzer will export ControlSet001/CurrentControlSet, but if I try to export CurrentControlSet002 it takes a long time, until it finally silently crashes without an error message.
I exported all 3 hives using RegEdit and compared them to the hives exported by RegAlyzer using BeyondCompare. If I ignore the case of the letters used to represent the hex values then there is only one difference between the file exported by RegEdit and that exported by RegAlyzer. The difference occurs on every key that begins with hex(7):.
Regedit exports these values with 2 hex values, the second one being 00:
Code:
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
RegAlyzer exports the same values as single hex values:
Code:
"IPAddress"=hex(7):30,2E,30,2E,30,2E,30,00,00
By comparison, keys that begin with hex:, hex(2):, hex(8):, or hex(A): are exported the same by RegEdit & RegAlyzer (exact same hex values & number of hex values):
RegEdit:
Code:
"WbemAdapFileTime"=hex:00,50,11,c8,ff,4e,c2,01
RegAlyzer:
Code:
"WbemAdapFileTime"=hex:00,50,11,C8,FF,4E,C2,01
RegEdit:
Code:
"windir"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
00,25,00,00,00
RegAlyzer:
Code:
"windir"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6D,00,52,00,6F,00,6F,00,74,\
00,25,00,00,00
RegEdit: "BootConfig"=hex(8):01,00,00,00,05,00,00,00,00,00,00,00,01,00,01,00,02,00,00,\ ...
RegAlyzer: "BootConfig"=hex(8):01,00,00,00,05,00,00,00,00,00,00,00,01,00,01,00,02,00,00,\ ...
I reviewed ControlSet2 exported by RegEdit and did not see anything suspicious, and the keys/values were identical to CurrentControlSet.
I was looking for anything special about the ControlSet002 but I didn't see anything. FYI: I had just re-installed Windows XP/SP1 using HP restore disks, and it appears that the only differences between ControlSet002 and ControlSet001/CurrentControlSet are that ControlSet001/CurrentControlSet have a few new keys related to hardware/software that were probably set during install. There were no keys/values in ControlSet002 that were not also in ControlSet1/CurrentControlSet.
This problem may be related to the thread:
http://forums.spybot.info/showthread.php?t=44737
Attached is a screenshot of the comparison of part of the ControlSet002 hive by RegAlyzer (on left) and RegEdit. (Red values are differences, Blue values are unimportant case differences.)
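
Added example, not part of the original post and not RegAlyzer's or RegEdit's code: a Python check that decodes the two `hex(7)` lines quoted above and tests whether they carry the same string list. It assumes, from the bytes shown, that the RegEdit export is UTF-16LE and the RegAlyzer export is one byte per character; the function names are hypothetical.

```python
import re

# Constructed from the two export lines quoted in the post.
REGEDIT_LINE = '"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00'
REGALYZER_LINE = '"IPAddress"=hex(7):30,2E,30,2E,30,2E,30,00,00'
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=hex\((?P<type>[0-9a-fA-F]+)\):(?P<data>.*)$', re.S)


def parse_hex_value(text):
    """Return (name, type_id, raw_bytes) for one "name"=hex(N):... entry."""
    # Join continuation lines: trailing backslash, newline, next line's indent.
    joined = re.sub(r'\\\s*\n\s*', '', text.strip())
    m = VALUE_RE.match(joined)
    if not m:
        raise ValueError("not a hex(N) value line")
    raw = bytes(int(b, 16) for b in m.group("data").split(",") if b.strip())
    return m.group("name"), int(m.group("type"), 16), raw


def looks_wide(raw):
    """Heuristic: even length and every second byte 0x00 (ASCII text as UTF-16LE)."""
    return len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2])


def decode_multi_sz(raw, wide):
    """Split REG_MULTI_SZ bytes into strings; wide=True means UTF-16LE."""
    # Assumption: the narrow form is one byte per character (decoded as latin-1).
    text = raw.decode("utf-16-le" if wide else "latin-1")
    # Each string is NUL-terminated and the list ends with one more NUL.
    parts = text.split("\x00")
    while parts and parts[-1] == "":
        parts.pop()
    return parts


def same_strings(line_a, line_b):
    """True if both hex(7) lines hold the same name and strings, ignoring width."""
    decoded = []
    for line in (line_a, line_b):
        name, type_id, raw = parse_hex_value(line)
        if type_id != 7:
            raise ValueError("expected hex(7), i.e. REG_MULTI_SZ")
        decoded.append((name, decode_multi_sz(raw, looks_wide(raw))))
    return decoded[0] == decoded[1]


if __name__ == "__main__":
    print(same_strings(REGEDIT_LINE, REGALYZER_LINE))
```

The `looks_wide` heuristic only holds for ASCII-range text such as the values in this post; non-ASCII strings need the encoding stated explicitly.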