Monday, November 28, 2022

PrimoCache 4.20 - Hidden Registry keys and locked files

PrimoCache is interesting software that comes with a 30-day trial.

Unfortunately, as part of its license system it does two disturbing things to your computer in an attempt to prevent use after the 30-day trial is up:

  1. A small randomized file in the system32 directory
  2. A hidden Unicode registry key

The first, the file, is easy to find. It'll be the only file in your system32 directory that has both the HIDDEN and SYSTEM attributes set.

It's remarkably easy to find with this command:

    dir c:\windows\system32 /a:HS

You won't be able to delete it normally: it's held locked by the PrimoCache filesystem driver.

2. The hidden registry key

The second part is the hidden registry key. This uses an insidious method where the driver embeds NUL (0x00) characters in the key's name. This prevents *most* registry editors from being able to read the key.

This hidden method is explained in much detail in posts like this:

    https://www.codeproject.com/Articles/14508/Registry-Manipulation-Using-NT-Native-APIs

But essentially, the normal Win32 registry calls expect NUL-terminated strings and can't handle a name that contains a NUL, whereas the Native API works with counted strings (an explicit length) and can. So if you write a registry key whose Unicode name contains a NUL, normal registry editors can't read it.

Back to the key. You'll find it here, attempting to hide within the EventLog registry tree:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\RxDeliveryStamp\{57C7DD3D-2E9C-4F3B-A270-391E8AEDF0C4}

If you attempt to access it, you'll first be hit by access denied errors. You'll need to change the security permissions on the key to access it, but to do that you first have to change the owner. Restart regedit with admin permissions, reset the owner to yourself, then grant yourself Full Control on the key.

That will then let you see the hidden subkey Parameter. If you click it you'll get a "Parameter cannot be opened" error. That is due to the embedded NUL (0x00) characters: the name is actually something more like "Parameter\0\0\0\02347298742". Normal API calls fail because they see the first NUL, assume a NUL-terminated string, and so think the name is "Parameter". The Native API returns and expects the ACTUAL string length when getting or setting names, so it doesn't care what characters are in it.

Luckily there ARE registry editors that CAN read it, such as Registry Finder (another nice feature is that it has a SEARCH function that finds all such hidden keys):

    https://registry-finder.com/

Run it as administrator and it'll be able to see AND delete the dastardly registry key forever.

You can also use the excellent Sysinternals program RegDelNull.
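The Native-API-versus-Win32 difference described above, as an added example that is not code from this post, from PrimoCache or from the tools named here: it parses the KEY_BASIC_INFORMATION record that NtEnumerateKey fills in, honouring its byte-count NameLength instead of stopping at the first NUL, and on Windows lists every subkey of a key whose name contains a NUL. The find_hidden_subkeys function, the ctypes route into ntdll and the 4096-byte buffer are my assumptions, not anything the post describes; the scan only reads and never deletes.

```python
import struct
import sys

# KEY_BASIC_INFORMATION, the record NtEnumerateKey fills in for class 0 (KeyBasicInformation):
#   LARGE_INTEGER LastWriteTime; ULONG TitleIndex; ULONG NameLength; WCHAR Name[]
# NameLength is a byte count, so the Native API never assumes the name is NUL-terminated.
_HEADER = struct.Struct("<qII")

def parse_key_basic_information(raw):
    """Return (native_name, win32_name, hidden) for one KEY_BASIC_INFORMATION buffer.
    native_name honours NameLength and keeps embedded NULs; win32_name is what a
    NUL-terminated-string API (and so regedit) sees: everything up to the first NUL."""
    _, _, name_len = _HEADER.unpack_from(raw)
    native = raw[_HEADER.size:_HEADER.size + name_len].decode("utf-16-le")
    win32 = native.split("\x00", 1)[0]
    return native, win32, "\x00" in native

def make_key_basic_information(name):
    """Build a KEY_BASIC_INFORMATION buffer for a name (constructed sample data for offline use)."""
    encoded = name.encode("utf-16-le")
    return _HEADER.pack(0, 0, len(encoded)) + encoded

def find_hidden_subkeys(hive, path):
    """Windows only (assumed ctypes route): enumerate the subkeys of hive\\path through
    ntdll!NtEnumerateKey, which accepts the kernel handle behind a winreg key, and return
    [(win32_name, native_name)] for each subkey whose name contains a NUL."""
    import ctypes, winreg
    STATUS_NO_MORE_ENTRIES = 0x8000001A
    ntdll = ctypes.WinDLL("ntdll")
    buf, out_len, hidden = ctypes.create_string_buffer(4096), ctypes.c_ulong(0), []
    with winreg.OpenKeyEx(hive, path, 0, winreg.KEY_READ) as key:
        for index in range(1 << 24):  # bound is nominal; the loop exits on NO_MORE_ENTRIES
            status = ntdll.NtEnumerateKey(ctypes.c_void_p(key.handle), index, 0, buf,
                                          ctypes.sizeof(buf), ctypes.byref(out_len)) & 0xFFFFFFFF
            if status == STATUS_NO_MORE_ENTRIES:
                break
            if status != 0:
                raise OSError(f"NtEnumerateKey({path!r}, {index}) failed: 0x{status:08X}")
            native, win32, is_hidden = parse_key_basic_information(buf.raw[:out_len.value])
            if is_hidden:
                hidden.append((win32, native))
    return hidden

if __name__ == "__main__" and sys.platform == "win32":
    import winreg
    # The key named in the post; opening it needs the ownership/permission change described above.
    parent = r"SYSTEM\ControlSet001\Services\EventLog\System\RxDeliveryStamp\{57C7DD3D-2E9C-4F3B-A270-391E8AEDF0C4}"
    for win32, native in find_hidden_subkeys(winreg.HKEY_LOCAL_MACHINE, parent):
        print(f"hidden subkey: Win32 sees {win32!r}, real name is {native!r}")
```

Point parent at any other key to check it the same way; a PermissionError from OpenKeyEx means the ACL step above has not been done yet.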

---

An important note is that to do the deletions you'll need to have deleted any existing cache and uninstalled PrimoCache, as it is responsible for holding both the key and the file locked.

A side effect of this is, of course, that PrimoCache will have forgotten everything about your computer and its trial timer will reset.

Note that if you reboot into recovery mode, delete the key and remove the file from the recovery console, PrimoCache will still regenerate its trial limit, probably through the use of cache settings or other registry settings. You *must* do a full clean uninstall (and then check for any registry keys left over).

There is a discussion to be had here about who owns my computer. The PrimoCache developers seem to think they have the right to install whatever they want onto MY PC; in contrast, I believe I have the total right to do whatever I want to my PC. In trying to protect their trial period, they have intentionally made it extremely difficult (impossible without third-party software or programming skills) for anyone to be fully in control of their PC.