Michael Horowitz

Scrubbing email out of a Windows computer

February 03, 2012 2:17 PM EST

The legacy approach to email, typified by Microsoft's Outlook program, permanently mated email to one computer. Many flaws in this mode of operation are obvious, but I recently ran across a flaw that isn't so obvious.

Before getting rid of an old Windows XP laptop, I was removing data files and un-installing applications. Turns out it's fairly hard to totally scrub the details of Outlook and Outlook Express email accounts from the Windows Registry.  

Before removing Outlook 2003, I wanted to ensure that I knew the password (this wasn't my computer). To that end, I ran Mail PassView from Nirsoft. Nir Sofer, the man behind nirsoft.net, makes some excellent, free, portable software for Windows.

In addition to passwords, Mail PassView displays many other attributes of an email account as shown below.

=============================
Name             : Firstname Lastname
Application     : Thunderbird
Email             : someuser@gmail.com
Server            : pop.gmail.com
Server Port     : 123
Secured         : No
Type              : POP3
User              : someuser
Password       : apasswordwashere
Profile            :
Password Strength : Medium
SMTP Server          :  smtp.gmail.com
SMTP Server Port   :  25
==============================

It supports a long list of email clients including Thunderbird, all versions of Outlook, Windows Mail (both the Live and dead versions), IncrediMail and Eudora. If a webmail account has a password stored in a Windows application (such as a Hotmail password stored in a Microsoft Messenger app), chances are that Mail PassView can find it.

Running Mail PassView before removing Outlook 2003 revealed everything, including the fact that Outlook was configured for both a POP3 account from an ISP and a Gmail IMAP account.

It also revealed a surprise: Outlook Express had, at one time, been used for email on this machine. I ran Outlook Express to see what was there, and found just a single, very old, message. Even though the account was not really used, the owner of the computer certainly would not appreciate the details of their old email address (including the password) being available to the next user of the computer.

So, I un-installed both Outlook Express and Outlook 2003.

Since Windows applications often leave traces behind, I re-ran Mail PassView and fell off my chair. It reported all the same data that it had before un-installing the email programs. It was as if the applications had never been removed.

This, by the way, is one of many reasons that I prefer portable Windows applications. And, for the record, I never liked the Windows Registry, either in concept or implementation.

To help scrub the computer, I turned to the Pro version of the popular Revo Uninstaller. Unlike the free edition, the Pro version includes a feature called Forced Uninstall that sounded just like what I needed. According to Revo, it

...allows you to remove leftovers of programs that are already un-installed, incomplete installations and un-install remnants of programs! It does not matter if the program, you want to remove, is not listed in Revo Uninstaller Pro or in Windows Add/Remove Programs Control Panel applet.

The Forced Uninstall feature takes as input either the program name or a folder path. I told it to look for "Outlook" and then removed all the Registry entries and files it turned up.

Revo Uninstaller makes Restore Points before doing anything, so there is protection should the Registry trimming cause a problem.

I was amazed at the files Outlook 2003 had left behind; they included both an NK2 nicknames file and a PST file, among others.

Despite this surgery, Mail PassView was still able to report all the details of the three email accounts, including the passwords.
 
Then I tried the Advanced Scanning Mode for the Forced Uninstall, again searching for "Outlook". This found more Registry entries and files, but removing them still did not prevent Mail PassView from reporting on everything.

After removing files, Revo said that some would be deleted when the system was restarted. Yet, after restarting Windows, Mail PassView again reported everything.  

I then noticed that folder

C:\Program Files\Outlook Express

had not been deleted despite being on Revo's hitlist. And, there were still files in the folder. So, I deleted them.

But they came back.

Was the computer haunted? Apparently not. I was able to replicate this on another XP SP3 machine where Outlook Express had also been (supposedly) un-installed. Go figure.

The Nirsoft website includes an article, Password Storage Locations For Popular Windows Applications, that details where both Outlook and Outlook Express store their passwords. Outlook Express passwords are stored in a section of the Registry known as Protected Storage located at

HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider

After making a Restore Point, I deleted all the subkeys under "Protected Storage System Provider." Mail PassView still saw all three accounts, but it no longer found the passwords. 

But that's not sufficient for Defensive Computing. I wanted no trace of these email accounts left behind.

The Nirsoft article also said that Outlook 2003 stores passwords in the Registry at
 
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\[Profile Name]\9375CFF0413111d3B88A00104B2A6676\[Account Index]

Removing the subkeys under this key finally got rid of the Outlook 2003 email accounts. But the Outlook Express account still showed up in Mail PassView.

I tried the Revo Uninstaller, looking for "Outlook Express". Again, I deleted Registry entries and files, to no avail: the email profile (email address, POP3 server name and POP3 server userid) was still visible to Mail PassView.

After making another Restore Point, I turned to Microsoft Knowledge Base article KB209169, How to create and use identities in Outlook Express 5.x and 6.0, which said that identity information is stored in the Registry at

HKEY_CURRENT_USER\Identities\account_ID

I deleted all the subkeys under "Identities" but still, Mail PassView was able to find the Outlook Express email account.  

Finally, I turned to another Microsoft Knowledge Base article (KB188093), How to Back Up the Account List in Outlook Express, which said that you could back up Outlook Express accounts and their configuration information by exporting this registry key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts

I found five subkeys under "Accounts". The first one was called "00000001" and seemed to be the Outlook Express email profile. I removed the entire 00000001 subkey and finally got a clean bill of health from Mail PassView, which reported no traces of email.
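The four Registry locations worked through above can be checked in one pass, before and after cleanup. The script below is an added example, not part of the original article or of any Nirsoft or Microsoft tool; it assumes PowerShell is installed (a separate download on Windows XP) and only lists subkey names.

```powershell
# Added example: read-only audit of the HKCU locations the article names.
# It lists subkey names only and never reads values, so no password data is shown.
# HKCU is per-user: run it under each Windows account that used the machine.

$base = 'HKCU:\Software\Microsoft'
$locations = @(
    @{ Name = 'Protected Storage (Outlook Express passwords)'
       Path = "$base\Protected Storage System Provider" },
    @{ Name = 'Outlook 2003 profiles'
       Path = "$base\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" },
    @{ Name = 'Outlook Express identities'
       Path = 'HKCU:\Identities' },
    @{ Name = 'Internet Account Manager accounts'
       Path = "$base\Internet Account Manager\Accounts" }
)

$report = foreach ($loc in $locations) {
    if (Test-Path -Path $loc.Path) {
        $key   = Get-Item -Path $loc.Path
        # Names of direct subkeys; keys this user cannot open are skipped,
        # so SubKeyCount (taken from the parent) is the authoritative number.
        $names = @(Get-ChildItem -Path $loc.Path -ErrorAction SilentlyContinue |
                   ForEach-Object { $_.PSChildName })
        New-Object PSObject -Property @{
            Location = $loc.Name; Subkeys = $key.SubKeyCount; Names = ($names -join ', ') }
    } else {
        New-Object PSObject -Property @{
            Location = $loc.Name; Subkeys = 0; Names = '(key absent)' }
    }
}
$report | Format-Table Location, Subkeys, Names -AutoSize -Wrap

# Outlook 2003: the article places account entries under this subkey of each profile.
$accountsKey = '9375CFF0413111d3B88A00104B2A6676'
Get-ChildItem -Path $locations[1].Path -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -eq $accountsKey -and $_.SubKeyCount -gt 0 } |
    ForEach-Object { "Outlook account entries remain: $($_.Name) ($($_.SubKeyCount) subkeys)" }
```

Under "Accounts", not every subkey is a mail profile (the article found five and removed only 00000001), so review the listed names rather than treating any nonzero count as a leftover account.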

Needless to say, webmail is looking much better about now. Score one for the cloud.