Elf Qrin's Lair


Sensible Data Storage in Windows
v1.4 r27Oct2003 fr20Aug2000
by Elf Qrin



This guide shows you where some popular programs store their data and how can you protect your privacy by deleting or modifying them. Also, these information can be useful if you want to back up your data.

If not specified otherwise, files are stored in the same directory in which the program resides (typically C:\PROGRAM FILES\*PROGRAMNAME*). Note that some directory names could be localized, for example "PROGRAM FILES" varies according to the user's language.

You can edit .ini and other configuration files with a good text editor, while to modify information stored in the Windows Registry, you have to use the RegEdit.exe utility (usually located in the C:\Windows directory). You can execute RegEdit from Start Menu/Execute... or by typing "RegEdit" in a MS-DOS window.
Be careful when modifying a configuration file or even more if it's a Registry entry. You'd better make a back'up of files, first.

Note that when you erase data from Windows (or from MS-DOS with a DEL or DELTREE command), they still can be retrieved since they are not phisically erased from the disk: simply, the disk area they occupe is declared as free. Yet, the file remain on disk and can be retrieved. The only way to eliminate it is to wipe it (which means that the file is first overwritten then deleted). The best wiper around to clean up all your confidential data is Evidence Eliminator.




Sections:
Windows OS - Internet applications - Multimedia - Text editing - Misc




o Windows OS


Windows

Computer Name:

Your computer's name is stored in the registry entry HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\ComputerName\ComputerName

Find/Files or Folders...

The list of files you searched for is stored in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU
Delete all the entries (except for the Default one). If you want to delete only one or more entries, you have to edit the MRUList entry as well, deleting the letters of the entries you removed.

Find/Computer...

The list of the computers you searched for in your LAN is stored in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FindComputerMRU
Delete all the entries (except for the Default one). If you want to delete only one or more entries, you have to edit the MRUList entry as well, deleting the letters of the entries you removed.

To disable password caching by Windows, open the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network and add the entry DisablePwdCaching

Windows Temp files: C:\WINDOWS\TEMP

Many programs store temporary data in the Windows temporary directory, and often doesn't remove it. For example, check WinZip, KABcam, Kodak cameras .

Other programs stores the files you are currently updating in the temp directory. If the program crashes or terminates in some unconventional way, those file will remain there (for example EditPad temporary files look like txtA162.TMP)

Windows System Default Directories:

System Default Directories (such as C:\WINDOWS, C:\MY DOCUMENTS) are specified in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders .
Be careful if you want to modify these entries. They can be already be chosen as default directories by some programs you installed.


RegClean (MicroSoft's Registry cleaner)

Leaves an UNDO file in the same directory in which is installed.


DosKey

If you use the DosKey MS-DOS shell extension and want to delete all the command lines you entered so far (especially if you set a large buffer), you have to reinstall DosKey, with the following command:
DosKey /Reinstall (of course, you can set other options, such as DosKey /Reinstall /BufSize:2048 /Insert)




o Internet applications


MicroSoft Telnet

If you use the standard MS telnet provided with Windows, the last server you telneted can be located from the registry key HKEY_CURRENT_USER\Software\Microsoft\Telnet . Delete LastMachine and Machine1 entries.


Internet Explorer

Cached information:

The latest pages you visited are stored, together with graphics and all, in C:\WINDOWS\Temporary Internet Files

The latest links you visited are stored, together with dates, in C:\Windows\Chronology

Cookies, which may contain information about your navigation, are stored in C:\Windows\Cookies (yet, some cookies could be useful because may contain your preferences and customized options for a certain website)

Favorites:

Your "favorite" URLs, together with the date of creation and last time you've accessed them, are stored inside C:\WINDOWS\Favorites

URL history:

The URLs you visited (the ones that appear in the pull down menu in the "Address" bar) are stored in HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
Select all the entries "FileN" except for the first one (default) and press the Delete key to remove them.

Internet Explorer Internet prefixes:

It doesn't make sense to change them, but you might want to know where they are stored: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes
The default Internet prefix, the one that IE put if you don't specify any ("http://", since it is assumed you want to visit a Web page) can be found in the Registry entry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
The Default URL templates are stored in the Registry Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\UrlTemplate

Internet Explorer about:

The entries contained in the Registry Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs contain the files invoked by IE when you request an "about" page (such as about:blank)

Internet Explorer default search engine:

If you want to change the default search engine for Internet Explorer, modify all of these entries in the Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main (Search Page)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl (Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main (Default_Search_URL and Search Page)
Put the URL for your favorite search engine instead of the default one. For example with http://www.altavista.com/cgi-bin/query?pg=aq&what=web&text=yes you'll set AltaVista, Advanced Query, Text mode as the default Internet Explorer search engine.
Note that this will change also the search URL for the Find/On the Internet... function in the Start Menu.


Netscape Navigator 3.x

Cached information:

The latest pages you visited are stored, together with graphics and all, in C:\Program Files\Netscape\Navigator\Cache

The latest links you visited are stored, together with dates, in C:\Program Files\Netscape\Navigator\*.hst and C:\Program Files\Netscape\Navigator\*.db

Cookies, which may contain information about your navigation, are stored in C:\Program Files\Netscape\Navigator\cookies.txt (yet, some cookies could be useful because may contain your preferences and customized options for a certain website)

Newsgroups:

The newsgroup you've subscribed together with the header of the messages are stored inside C:\Program Files\Netscape\Navigator\News\

Bookmarks:

Your "bookmarked" URLs, together with the date of creation and last time you've accessed them, are stored in C:\Program Files\Netscape\Navigator\BOOKMARK.HTM

URL History:

The URLs you visited (the ones that appear in the pull down menu in the "Address" bar) are stored in HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\URL History
Select all the entries "FileN" except for the first one (default) and press the Delete key to remove them.

E-Mail information:

Your personal data (the ones entered in Edit/Preferences.../Mail & Groups/Identity) are stored in the Registry entries at HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\User


Netscape Navigator 4.x

Cached information:

The latest pages you visited are stored, together with graphics and all, in C:\Program Files\Netscape\Users\*USERNAME*\Cache

The latest links you visited are stored, together with dates, in C:\Program Files\Netscape\Users\*USERNAME*\*.hst and C:\Program Files\Netscape\Users\*USERNAME*\*.db

Cookies, which may contain information about your navigation, are stored in C:\Program Files\Netscape\Users\*USERNAME*\cookies.txt (yet, some cookies could be useful because may contain your preferences and customized options for a certain website)

Newsgroups:

The newsgroup you've subscribed together with the header of the messages are stored inside C:\Program Files\Netscape\Users\*USERNAME*\News\ (there's a subdirectory for each newsserver)

Bookmarks:

Your "bookmarked" URLs, together with the date of creation and last time you've accessed them, are stored in C:\Program Files\Netscape\users\*USERNAME*\BOOKMARK.HTM

URL History:

Edit the file C:\Program Files\Netscape\users\*USERNAME*\prefs.js (if Netscape has been installed in C:\Program Files, otherwise locate the correct directory, first) and look for lines such: user_pref("browser.url_history.URL_n", "URL"); ("n" can be any number) and delete them.
In the same file, you'll find other lines you can modify, but nothing you can't do from the Preferences (by the way, since Netscape 4.5 you can delete the URL history from the Preferences as well).
In the same file you'll also find the last popmail password used, encrypted: user_pref("mail.pop_password", "*PASSWORD*");

E-Mail information:

Your personal data (the ones entered in Edit/Preferences.../Mail & Groups/Identity) are stored in the Registry entries at HKEY_LOCAL_MACHINE\SOFTWARE\Netscape\Netscape Navigator\Users\*USERNAME*


Mozilla 1.x

Cookies:

Remove all cookies from Mozilla interface:
Edit -> Preferences... -> Privacy & Security -> Cookies -> Managed Stored Cookies -> Remove All Cookies

Note that when removing cookies you can check the checkbox "Don't allow sites that set removed cookies to set future cookies" to prevent site whose cookies were removed to set cookies again.

Also, you can limit lifetime of all cookies to current session so that all cookies will automatically be discarded when you close your browser. In this case you'll lose "legitimate" cookies as well, like the ones that keep you logged here on ElfQrin.com

Cookies are physically stored in the file cookies.txt in the Mozilla data directory, normally something like: C:\WINDOWS\Application Data\Mozilla\Profiles\YOUR_PROFILE\YOUR_PROFILE_CODE\cookies.txt

Cache:

Clear cache from Mozilla interface:
Edit -> Preferences... -> Advanced -> Cache -> Clear Cache

From here you can see (and change) the directory where the cache is stored. Normally is something like: C:\WINDOWS\Application Data\Mozilla\Profiles\YOUR_PROFILE\YOUR_PROFILE_CODE\Cache Deleting this directory "manually" would clear the cache as well.

History:

Clear history from Mozilla interface:
Edit -> Preferences... -> History -> Clear History

History is physically stored in the file history.dat in the Mozilla data directory, normally something like: C:\WINDOWS\Application Data\Mozilla\Profiles\YOUR_PROFILE\YOUR_PROFILE_CODE\history.dat

Location Bar:

Clear location bar from Mozilla interface:
Edit -> Preferences... -> History -> Clear Location Bar

The content of the Location bar is physically stored in the file localstore.rdf in the Mozilla data directory, normally something like: C:\WINDOWS\Application Data\Mozilla\Profiles\YOUR_PROFILE\YOUR_PROFILE_CODE\localstore.rdf

Bookmarks:

Delete bookmarks from Mozilla interface:
Open the bookmark manager (Bookmarks -> Manage bookmarks... , or press CTRL+B ), then select all the bookmarks and folders you want to delete and delete them (use Delete from the menu or the Delete key).

Your "bookmarked" URLs, together with the date of creation and last time you've accessed them, are stored in the Mozilla data directory, normally something like: C:\WINDOWS\Application Data\Mozilla\Profiles\YOUR_PROFILE\YOUR_PROFILE_CODE\bookmarks.html

Downloaded files:

The list of downloaded files is stored in the file downloads.rdf in the Mozilla data directory, normally something like: C:\WINDOWS\Application Data\Mozilla\Profiles\YOUR_PROFILE\YOUR_PROFILE_CODE\downloads.rdf

HTML editor:

Files opened in the HTML editor are stored in the keys "editor.history_url_?" in prefs.js (note that there could be a back up file too, called prefs.bak )


Opera

Cached information:

The latest pages you visited are stored, together with graphics and all, in C:\Program Files\Opera\CACHE

These files: OUsr310.dat, global.dat, opera.dir, vlink.dat in the C:\Program Files\Opera directory contain information about your navigation.

Cookies, which may contain information about your navigation, are stored in C:\Program Files\Opera\cookies.dat (yet, some cookies could be useful because may contain your preferences and customized options for a certain website)

Newsgroups: news.rc contain information about the newsgroups you've subscribed.

E-Mail information:

User's information (name, address, server) are contained in the [MAIL] section of C:\Windows\Opera.ini


Mirabilis ICQ

Your personal data are stored in the directory C:\Program Files\ICQ\DB
In particular, the file named UINmsg.dat (where UIN is your ICQ#) contains the message history (all the messages sent or received) and can be read with Notepad or another text reader/editor.
Your personal data are stored in C:\Program Files\ICQ\UIN\ICQ#.UIN in this format:
[ICQ User]
UIN=
Email=
NickName=
FirstName=
LastName=


mIRC

Check mirc.ini In the [mirc] section are stored your name, nickname and E-Mail address (the same shown to the other users in an IRC session).
In [channels] are stored the channels shown in the channels window.
the logdir= entry, in the [dirs] section, specifies in which directory are stored the log files of channels and private conversations.


GetRight

In GetRight.ini, contained in the default download directory, are stored ALL the files you downloaded with GetRight, including date and time of downloading and eventual resumes.
In HKEY_CURRENT_USER\Software\HeadLight\GetRight\TypedURLs are stored the last URLs you entered.
In HKEY_CURRENT_USER\Software\HeadLight\GetRight\MRU, the URLN entries store the latest files you downloaded from the Web and in FileN where in your Hard Disk have been saved.
In HKEY_CURRENT_USER\Software\HeadLight\GetRight\FileQueue are contained the files in queue to be downloaded.
In HKEY_CURRENT_USER\Software\HeadLight\GetRight\Config check the entries UserCountries, UserCountry, UserLocation, that basically tell where in the world you are.


Forte Agent

Data are stored in the Data subdirectory in the main program's directory.

Your preferences are stored into AGENT.INI. You can erase anything else in the directory to delete all subscribed newsgroups and the newsgroup list.

Specifically, the newsgroup list is stored in the files GROUPS.DAT and GROUPS.IDX

Other configuration files: RANGES.DAT urltype.dat FILTERS.DAT FILTERS.IDX grpprops.dat layout.dat WORDS.DAT WORDS.IDX XPOST.DAT

You can delete all .BAK files


Anawave Websnake

The recent file list is contained in the registry key HKEY_CURRENT_USER\Software\Anawave\WebSnake\Recent File List.


WS_FTP

In WS_FTP.ini are stored your ftp sites and the parameters to log-in into them (server name, user name, password, local and remote directory...). Passwords are encrypted.


SkyNet (FTP server)

In SkyNet.ini, contained in the SkyNet directory (usually C:\Program Files\SkyNet) are stored authorized user's information. If a password is present, it's encrypted.


NetLab (Internet tools)

All the files with extension .dat in the program's directory contains the names of the servers you've contacted with that specific tool.


BombSquad (clean up your mailbox after a bomb mailing)

Your mail server, your user name and password (encrypted), are stored into C:\Program Files\BombSquad\squad.cfg .


KABcam

Windows TEMP folder: Leaves shots captured from your webcam in your temp directory, with the name kabcam.tmp, or names like JCC123.TMP.dib, JCC1C0.TMP.dib, JCC2022.TMP.dib for older shots.




o Multimedia


Corel Draw!

Locate coreldrw.ini and edit it.
In the [IMPORT] section, the ImportDefaultDirectory entry stores the last directory from which you've loaded a file.
In the [EXPORT] section, the ExportDefaultDirectory entry stores the last directory to which you've saved a file.
In the [Recent File List] section, are stored the names of the lastest files you've opened, such as File1=FileName1 , File2=FileName2 .


Corel Photo-Paint

Locate photopnt.ini and edit it In the [IMPORT] section, the ImportDefaultDirectory entry stores the last directory from which you've loaded a file.
In the [EXPORT] section, the ExportDefaultDirectory entry stores the last directory to which you've saved a file.
In the [Recent File List] section, are stored the names of the lastest files you've opened, such as File1=FileName1 , File2=FileName2 .


Autodesk 3D Studio Max

The recent files list is stored in C:\Program Files\3D Studio Max R2\3dsmax.ini , in the [FileList] section, such as File1=FileName1 , File2=FileName2 .


MicroSoft Windows Paint

The recent files list is stored in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent .


ACDSee 2.x

Check the registry key HKEY_CURRENT_USER\Software\ACD Systems\ACDSee32 . In the LastFolder entry is stored the directory in which was contained the last image you watched.


ACDSee 3.x

The registry key HKEY_LOCAL_MACHINE\Software\ACD Systems\ACDSee contains the entries UserName and UserEMail


Microsoft MediaPlayer

The recent files list is stored in HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\RecentURLList .


WinAmp

In WINAMP.INI cwd= parameter shows the default directory, the one from which you played the last file.
WINAMP.M3U contains the last playlist or the last file played, including the full path.


Real Player 6.0

The recent files list is stored in HKEY_CLASSES_ROOT\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentClips1 .


Kodak cameras (such as Kodak DC215)

Windows TEMP folder: When you download pictures from the camera, they will be also stored in your temp directory, in a subdirectory called KODAK.TMP (file names are progressive and looks like DCP00275.JPG). They are not automatically deleted at the end of the picture transfer process.




o Text editing


WordPad

The recent files list is stored in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\WordPad\Recent .


RogSoft Notepad+

The recent files list is stored in HKEY_CURRENT_USER\Software\RogSoft\NotePad+\Recent Files .
Select all the entries "FileN" except for the first one (default) and press the Delete key to remove them. If you want to delete only one or more entries, you have to set the RecentFiles entry to the number of files remaining.


JGsoft EditPad Lite

The recent files list is stored in HKEY_CURRENT_USER\Software\JGsoft\EditPadLite\Reopen (values are encoded).


JGsoft EditPad Classic

The recent files list is stored in HKEY_CURRENT_USER\Software\JG\EditPad\Reopen (values are encoded).


ES-Computing EditPlus 2.x

The recent files list is stored in HKEY_CURRENT_USER\Software\ES-Computing\EditPlus 2\Recent File List .




o Misc


WinZip

Last processed files are stored into HKEY_CURRENT_USER\Software\Nico Mak Computing\WinZip\filemenu .
Windows TEMP folder: If you execute a program (or read a file) from a WinZip window and you close WinZip before to closing the file opened from it, it will be kept in the temp directory.


Master Converter 2.0

MCONVERT.INI contains the last converted unit, and user defined units.


Visual Basic 6.0

The recent files list is stored in HKEY_CURRENT_USER\Software\Microsoft\Visual Basic\6.0\RecentFiles .


MAME32 (Multi Arcade Machine Emulator, Win32 version)

The entry DefaultGame in the registry key HKEY_CURRENT_USER\Software\Freeware\Mame32 contains the last game played.


Ultra HAL (Heuristically programmed ALgorithm)

Your "heuristic" profile is stored in *YOURNAME*.hal and things you've teached to HAL are stored in *YOURNAME*.lrn .


Chat by Matthew Probert - Servile Software

Your conversation is logged in chat.log .


KeyCopy (a key logger for MS-DOS)

Stores typed keys in C:\KEYCOPY .


KeyLog95 (a key logger for Window 95)

Stores typed keys in files inside the directory C:\WIN\LOGX


Hex Workshop 3.1.x

The recent files list is stored in HKEY_CURRENT_USER\Software\BreakPoint\Hex Workshop 3.1\Recent File List .



Issued on Elf Qrin's Hacking Lab
Legal notices and disclaimer