Need help decoding a registry value

[daanodinot]

I'm trying to create a script that executes the 2 actions "Group by" and "Collapse all groups", for when I'm in the "Recycle Bin". This way, I can immediately see from what different paths I'm removing any files. I've already made a script that utilizes keyboard keys, but now I'd like make one that directly edits the registry.

All of the registry edits related to these actions, can be made in one key:

HKEY_USERS[user Name]SoftwareClassesLocal SettingsSoftwareMicrosoftWindowsShellBags[# of recycle bin]Shell[iD of recycle bin]

The parts between [] are different per person. "[iD of recycle bin] is in my case "{D6D9E004-CD87-442B-9D57-5E0AEB4F6F72}" but I'm afraid this is not always the case. "[# of recycle bin]" will be "1" if you delete the whole "Bags" key and you open the recycle bin first - so that's one way to find the right bag.

There are 3 values inside the key that control the first action "Group by". By editing these values you can control, based on what the files are grouped and whether they're grouped at all. I've already done this action so I won't go further into this.

The value "GroupCollapseState" controls the action "Collapse all groups" and contains binary data containing each group name/path and whether the group is collapsed or expanded.

Two points about the 'behavior' of this registry value:

- The value is only re-read when you re-open the recycle bin, not when you're still inside it. (This is also applies to the other 3 mentioned values.)

- The value is only updated when you explicitedly perform an action that either collapses or expands 1 or more groups. If you just move a file to the recycle bin and let Windows figure out the default collapsed state nothing will change inside the value! If the recycle bin was previous empty and you move 10 files to it, the "GroupCollapseState" key won't even exist until you explicitedly define a collapsed state.

Because of this last mentioned behavior, things get much more difficult: it means you can't simply search/replace inside the value. Instead you have to create the value from scratch.

Let me give you one example of the binary data inside "GroupCollapseState", and show you the stuff I've decoded so far:

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,

00,00,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,00,4d,00,00,00,01,00,00,

00,12,00,00,00,44,00,3a,00,5c,00,44,00,61,00,61,00,6e,00,5c,00,44,00,6f,00,

77,00,6e,00,6c,00,6f,00,61,00,64,00,73,00,00,00,00,00,00,00,0e,00,00,00,44,

00,3a,00,5c,00,44,00,61,00,61,00,6e,00,5c,00,47,00,61,00,6d,00,65,00,73,00,

00,00,01,00,00,00,15,00,00,00,44,00,3a,00,5c,00,44,00,61,00,61,00,6e,00,5c,

00,4d,00,69,00,6a,00,6e,00,20,00,76,00,69,00,64,00,65,00,6f,00,27,00,73,00,

00,00,01,00,00,00,18,00,00,00,44,00,3a,00,5c,00,44,00,61,00,61,00,6e,00,5c,

00,4d,00,69,00,6a,00,6e,00,20,00,64,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,

74,00,65,00,6e,00,00,00

Counter: Counts how many groups there are.

Group: The group name/path.

State: The holy grail! 00 means that the upcoming group is expanded, 01 means collapsed.

Unknown: I can't figure out what it means. The first red bit after the counter (4d), is directly related to the value of the counter, but then I still don't know what the value means.

I hope someone can help me out!

Thanks in advance!

Edited January 25, 2013 by KeyMs92