1. anything over 256 characters in length
2. anything with a "/0" (a "null" character) in its name.
RegEdit and RegEdit32 use the Windows API to view the Registry and
because of this, won't show such portions. So I've been using the free
version of TrashReg AKA "Registry Trash Keys Finder", which *does* use
the Native API:
http://www.databack4u.com/snc/rtkf_eng.html
to show such hidden keys:
http://en.wikipedia.org/wiki/Native_API
For each entry that it finds, TrashReg provides the last modification
date of the key and information about it:
Location in the registry
DisplayName
Publisher
InstallLocation
DisplayVersion
The program won't allow you to delete or show you information about
certain keys which it detects unless you pay for the "Full Version"
though, and IMO this renders the program crippled in many instances. You
can still use what little info it gives about the entry to chase it down
in most instances.
I've also been pointed to a command line program named "RegDump":
http://www.codeproject.com/KB/recipes/RegistryDumper.aspx
The author says, "It's perfect to just dump the hives before and after
software installation and just compare changes with text diff (for
example commandline version from UnixUtils is great)."
However, I tried the program and, forgive my density, I couldn't figure
out a way to print the output to text files so that I could run that
comparison. I even posted something on the site by the way (scroll down
to the "Message Board" portion of the page) asking how to do this. Maybe
one of you knows the answer?
Then there's this discussion about removing hidden Registry entries:
http://forum.sysinternals.com/removing-hidden-registry-entries_topic399.html
In the very last post to that discussion, Registry Explorer is mentioned:
The program download links at that website give an "Ooooops - We didn't
find what you are looking for" message. You can, however, download the
.dll only version.
I found a download link for the full program at Major Geeks though:
http://majorgeeks.com/Registry_Explorer_d1909.html
Not absolutely sure that Registry Explorer uses the Native API to view
the Registry, but it's worth a look I guess.
Note that Virustotal says that Symantec rates it a "Suspicious.Insight"
detection:
http://www.symantec.com/security_response/writeup.jsp?docid=2010-021223-0550-99
Who cares.
--
John Corliss BS206. I block all Google Groups posts due to Googlespam,
and as many posts from anonymous remailers (like x-privat.org for eg.)
as possible due to forgeries posted through them.
No ad, CD, commercial, cripple, demo, nag, share, spy, time-limited,
trial or web wares OR warez for me, please. Adobe Flash sucks, DivX rules.
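A worked version of the "dump the hives before and after, then diff" approach quoted above, added here as an example; it is not code from the thread, from RegDump's author, or from any tool named in it. It assumes the two dumps are in the text format regedit.exe exports ("Windows Registry Editor Version 5.00" header, [key] lines, "name"=data lines, hex data continued with a trailing backslash); RegDump's own output format is not shown in the thread. Both snapshots are constructed sample data, the CLSID, paths and value names in them are placeholders, and the short list of autostart key suffixes is an assumption of mine.

```python
"""Diff two registry text dumps to see what an installation changed.

Added example: not code from the thread, from RegDump's author, or from any
tool named there. Assumes the dumps are in regedit.exe's .reg export format.
The two snapshots below are constructed sample data, not a real pair.
"""
import re
from typing import Dict, List, Optional, Tuple

RegTree = Dict[str, Dict[str, str]]   # key path -> {value name: raw data text}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
# Autostart locations worth highlighting in any diff (assumed list, suffix match).
AUTOSTART_SUFFIXES = (r"\currentversion\run", r"\currentversion\runonce")


def logical_lines(text: str):
    """Yield lines with .reg backslash continuations joined."""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):        # hex data continues on the next line
            pending = line[:-1]
            continue
        yield line
    if pending:
        yield pending


def parse_reg(text: str) -> RegTree:
    """Parse a .reg text dump into {key: {value name: raw data}}."""
    tree: RegTree = {}
    current: Optional[str] = None
    for line in logical_lines(text):
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1)
            if name != "@":            # unescape the quoted value name
                name = name[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            tree[current][name] = m.group(2)
    return tree


def is_autostart(key: str) -> bool:
    low = key.lower()
    return any(low.endswith(s) for s in AUTOSTART_SUFFIXES)


def diff_reg(before: RegTree, after: RegTree) -> dict:
    """Return keys added/removed and values changed between two dumps."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed: List[Tuple[str, str, Optional[str], Optional[str]]] = []
    for key in sorted(set(before) & set(after)):
        b, a = before[key], after[key]
        for name in sorted(set(b) | set(a)):
            if b.get(name) != a.get(name):
                changed.append((key, name, b.get(name), a.get(name)))
    touched = [k for k in added if is_autostart(k)] + \
              [c[0] for c in changed if is_autostart(c[0])]
    return {"added_keys": added, "removed_keys": removed,
            "changed_values": changed, "autostart_touched": sorted(set(touched))}


# Constructed sample snapshots (placeholder CLSID and paths, not real exports).
BEFORE = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"',
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01234567-89AB-CDEF-0123-456789ABCDEF}]",
    r'@="Sample COM class (constructed)"',
    r'"Version"=dword:00000001',
])
AFTER = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"',
    r'"Updater"="C:\\Program Files\\Example\\updater.exe /silent"',
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01234567-89AB-CDEF-0123-456789ABCDEF}]",
    r'@="Sample COM class (constructed)"',
    r'"Version"=dword:00000002',
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01234567-89AB-CDEF-0123-456789ABCDEF}\Cache]",
    "@=hex:7a,6c,64,\\",
    "  74,47",
])

if __name__ == "__main__":
    for section, items in diff_reg(parse_reg(BEFORE), parse_reg(AFTER)).items():
        print(section)
        for item in items:
            print("   ", item)
```

Exporting the whole hive with regedit.exe (File -> Export) before and after the install and feeding the two files to parse_reg gives the same kind of report; the autostart_touched list is the part to read first, since a new Run or RunOnce value is the change that matters regardless of how the rest of the registry grew.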
Okay, I looked. I installed the ".dll only" version following the
directions given at the site. Although an icon appeared on my desktop as
described, double-clicking on it made the desktop shortcuts and taskbar
disappear briefly and then reappear. Other than that, nothing occurred.
I unregistered the .dll file and rebooted.
Next I tried the full install version of Registry Explorer 1.4.4. It
works as described, but searching for something (in this case I was
looking for all instances of the word "Armadillo") in the registry takes
forever. I stopped the search it was taking so long. This caused Windows
Explorer to crash and restart. I still have the program installed
because I can still look at the Registry as long as I don't do a search,
but I'm giving serious consideration to uninstalling the program at this
point.
Guess I'll keep looking for a program that does what I need.
>I'm want to be able to see hidden (and if necessary, delete) entries in
>the Registry. These entries can be:
>
>1. anything over 256 characters in length
>2. anything with a "/0" (a "null" character) in its name.
>
1 - Nirsoft's regscanner.exe has an option to display data with a length
range in bytes.
2 - Sysinternal's RegDelNull.exe program deletes registry keys per your
above spec.
That should do it without a lot of complication.
<snip>
I just tried with regscanner
http://www.nirsoft.net/utils/regscanner.html
You can set byte size. I set 256 to 65535, and find any item.
10,000 finds later... Default max which can be changed.
Really quick actually.
Seems on Vista anyhow > 256 bytes is quite common.
Good luck looking through that lot :)
I already had Nirsoft RegScanner installed but never bothered to use the
size range. I did a test where I specified a range of 250 to 999999999
bytes (I didn't know what else to specify for an undefined upper range so I
used a value that far exceeded the total size of my registry). It found
3112 items in that size range. Corliss claimed that regedit.exe would not
display such overly long items (these are registry keys with data items
whose values are usually binary and very long).
In the normal left/right pane view (registry keys in left pane, data items
and their values in the right pane), expanding the data value field (by
dragging its right-side handle repeatedly to the right) resulted in seeing a
"<somelonglistofbytes>...". That is, eventually the increase in the value
field's size would not show more of the value but the display of it got
truncated with "..." to show there was more. However, that is simply a
limit in how much the *preview* pane will show you. You can double-click on
the overlong data item to load it in its own hex/text viewer window.
Here are some registry keys under which the data items exceeded 256
characters in length but which were still completely visible if you viewed
the data item in its own hex/text view window:
HKEY_CURRENT_USER\Control Panel\Appearance\Schemes
(712 bytes long for each data item under this key)
HKEY_CURRENT_USER\Software\Canon\CanoScan Toolbox\4.9\Data
For a Canon scanner's cached data
(ranged from 348 to 2048 bytes long)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\AntiPhishing
IE8's antiphishing filter data (WU updates this every month)
(a "UserFile" data item was 79,044 bytes long ... uffda)
NOTE: Only 4944 bytes could be viewed in the hex/text view window)
I sorted Nirsoft's hit list by size (reverse order so biggest was at the
top). The largest data item was:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify
Data item: PastIconsStream
at a whopping 1 megabyte in size! This is the cached list of icon handling
data for the Windows taskbar's system notification area (aka systray). I
suspect it is this size because applications are expected to update their
icon graphics based on the state of the application. To clean the tray icon
cache, I used CCleaner and restarted explorer.exe (which is used by the
desktop: use Task Manager to kill explorer.exe and its File -> New Task menu
to restart it). That not only reduced the size of this registry key but
actually deleted the PastIconsStream data item (which will get rebuilt later
as the tray icons change).
I'm not sure how to use RegScanner to find embedded nulls within just the
registry key or data items names. I had to leave while doing this testing.
Tick all the keys boxes, I just put "/0" into it & found one entry.
Armadillo search took less than 2 minutes.
I got 802 items with the lower limit set to 1000.
Well, I installed XP on this machine back on Dec. 16, 2005. Probably
time to format and reinstall everything (leaving out stuff that I don't
use that often anymore.) THAT will clean up the registry.
I was only quoting what I saw on the internet. For example:
http://blogs.microsoft.co.il/blogs/pavely/archive/2008/07/02/malware-and-hidden-registry-keys.aspx
And what I saw said that Regedit and Regedit32 use the Win32 API to view
the Registry and suffer from that limitation. Programs which use the
Native API don't suffer from that problem.
> Well, I installed XP on this machine back on Dec. 16, 2005. Probably time to
> format and reinstall everything (leaving out stuff that I don't use that
> often anymore.) THAT will clean up the registry.
If you are going to format, try VIT which I had mentioned in your
previous post & you can see what you have left.
Vit Registry Fix Free Edition
http://www.softpedia.com/get/Tweak/Registry-Tweak/Vit-Registry-Fix.shtml
http://www.softpedia.com/progScreenshots/Vit-Registry-Fix-Screenshot-119237.html
http://www.vitsoft.org.ua/vit-registry-fix-free.htm
XP / Vista / XP X64 / Vista64 / 7
Screenshots on how to use.
http://www.mediafire.com/imageview.php?quickkey=jytnqmmdzdo&thumb=4
http://www.mediafire.com/imageview.php?quickkey=wldlfvjzzn4&thumb=4
http://www.mediafire.com/imageview.php?quickkey=tjnjkmzuc2n&thumb=4
http://www.mediafire.com/imageview.php?quickkey=zvj5zreyjn0&thumb=4
http://www.mediafire.com/imageview.php?quickkey=zjrdkczkrij&thumb=4
http://www.mediafire.com/imageview.php?quickkey=5wzymo50zdo&thumb=4
Yep, I already have that one on my hard drive, but it's an older version
(1.77). I just downloaded the newest version and will give it a try. I
had no idea that it uses the Native API. It does, doesn't it?
> 2 - Sysinternal's RegDelNull.exe program deletes registry keys per your
> above spec.
>
> That should do it without a lot of complication.
VanguardLH pointed it out to me the other day I believe. I'll take a
look at it again. IIRC, it's a command line utility and they warn that
deleting Registry entries, even ones with nulls in them, can screw up
programs.
Thanks for your reply, Charles.
> I got 802 items
Peanuts, I just tried it on Windows 7 x64 clean new install and I got 2831.
> VanguardLH wrote:
>
>> I already had Nirsoft RegScanner installed but never bothered to use the
>> size range. I did a test where I specified a range of 250 to 999999999
>> bytes (I didn't know what else to specify for an undefined upper range so I
>> used a value that far exceeded the total size of my registry). It found
>> 3112 items in that size range. Corliss claimed that regedit.exe would not
>> display such overly long items (these are registry keys with data items
>> whose values are usually binary and very long).
>
> I was only quoting what I saw on the internet. For example:
>
> http://blogs.microsoft.co.il/blogs/pavely/archive/2008/07/02/malware-and-hidden-registry-keys.aspx
>
> And what I saw said that Regedit and Regedit32 use the Win32 API to view
> the Registry and suffer from that limitation. Programs which use the
> Native API don't suffer from that problem.
But it does appear true. First, the preview pane showing the values for
data items cannot be expanded without limit. Eventually the very long
values just have "..." at the end of them. Even the hex/text view window
when you double-click on a data item appears to have an upper limit of just
5000 characters. One data item in my range search came up at 1
megabyte (for the tray icon cache). So the articles you read were correct
that regedit won't let you see superlong values.
> I got 802 items
I just tried it on XP SP3 clean install and I got 1265.
How come you only got 802?
Thanks! I'll give it a try.
(5 minutes later) I got a lot of entries which RegSeeker labeled as
"(string too long)..."
Also, I got several entries where "/0" was part of a date, as in
"05/01/2007".
Couldn't find the Armadillo one though.
I set the lower limit at 1000.
Eh.... that is, 1000 bytes.
> za kAT wrote:
>> John Corliss wrote:
>>
>>> I got 802 items
>>
>> I just tried it on XP SP3 clean install and I got 1265.
>>
>> How come you only got 802?
>
> I set the lower limit at 1000.
Gotcha, I thought you meant the finds limit.
> John Corliss wrote:
>> za kAT wrote:
>>> John Corliss wrote:
>>>
>>>> I got 802 items
>>>
>>> I just tried it on XP SP3 clean install and I got 1265.
>>>
>>> How come you only got 802?
>>
>> I set the lower limit at 1000.
>
> Eh.... that is, 1000 bytes.
OK, clean install, lower limit set to 1000, I get 391 on XP SP3.
Actually, it's a new Microsoft "Internet Explorer Application Compatibility
VPC Image"
I've got about 86 installed programs and over 100 no-install programs on
my computer. That probably accounts for the registry bloat I have.
> I've got about 86 installed programs and over 100 no-install programs on my
> computer. That probably accounts for the registry bloat I have.
Once again, use RegSeeker, 2nd item down > Installed applications.
3rd item down, you can check for nasties > Startup entries.
Here is another check.
Starter
http://www.softpedia.com/get/Tweak/System-Tweak/Starter.shtml
http://www.softpedia.com/progScreenshots/Starter-Screenshot-2345.html
http://www.snapfiles.com/get/starter.html
http://www.xtort.net/system/startup-utilities.php
http://codestuff.tripod.com/products_starter.html
Portable Starter
http://www.softpedia.com/get/PORTABLE-SOFTWARE/System/System-Enhancements/Windows-Portable-Applications-Portable-Starter.shtml
Starter is yet another startup manager, that allows you to view and
manage all the programs that are starting automatically whenever
Windows boots. It lists all the hidden registry entries, as well as the
common Startup Folder items as well. You can choose to safely disable
selected entries, edit them or delete them altogether (if you know what
you're doing). Expert users can even add their own entries. Nice
interface, easy to use, no documentation though (but hardly needed).
Microsoft Windows 9x, Me, NT, 2000, XP, 2003, Vista.
>
> Who cares.
I do.
Armadillo writes stuff like:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{406BBE22-9A8E-68EC-3623-82EDFFD64641}]
(note, this is a REAL reg entry, do not delete)
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{406BBE22-9A8E-68EC-3623-82EDFFD64641}\frbxzndgDydyn]
@="zldtGQVHmefnxpEwBruNwHQozkBZC}Vn"
(this, and the others, are false, delete them and you suddenly get your
program back)
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{406BBE22-9A8E-68EC-3623-82EDFFD64641}\frYFHlsMgxmd]
@="xvEMO vQ{nZZ FrN\\pUJL{wa|SN]"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{406BBE22-9A8E-68EC-3623-82EDFFD64641}\jtnwvAeqllA]
@="kOa^NOI\\IjXPFKiq"
This cut and paste probably does not format well under windows,
but you get the idea. Do a registry backup and try searching for some of
these uncommon chars. I use this to reactivate some armadillo-protected
stuff that is no longer available.
[]'s
PS Adobe also uses this kind of stuff, no idea what for. Spyware? User ID?
> I've got about 86 installed programs.
Forgot to mention.
RegSeeker shows 187 installed programs on mine. Manual count, 80
uninstalled.
Good info Nemesis, thanks.
> http://blogs.microsoft.co.il/blogs/pavely/archive/2008/07/02/malware-and-hidden-registry-keys.aspx
For those that read the blog, here are other ways.
Tracking down a Trojan
http://www.hanselman.com/blog/TrackingDownATrojan.aspx
http://www.codinghorror.com/blog/archives/000888.html
I showed up and suggested we download the three horsemen: TCPView,
Autoruns, and ProcessExplorer.
http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
Forum
http://forum.sysinternals.com/
Windows (including Vista and XP) process and DLL library
http://process-dll.com/pd/index.php
http://process-dll.com/pd/processes.php?from=A
Just did a google search & found these, 3 out of the 4 are old, but
Trial Reset is still maintained.
Trial Reset
http://quequero.org/Pack_Unpack
http://www.leechermods.com/2008/02/remove-trials-key-of-protector-as.html
http://quequero.org/uicwiki/images/TrialReset.zip
Installed, in the left hand column are 46 logos, the 2nd one on the
left of that double column is Armadillo, scan found a heap.
Bit the bullet, highlighted the lot & deleted.
Ran, ATF-Cleaner, CCleaner & Vit.
Refer my info in a previous post on installing & running for 2 of
these.
http://groups.google.com/group/alt.comp.freeware/browse_thread/thread/8b089902b54776dc?hl=en
Ran TrashReg & RegDelNull. All clean.
Rebooted, Ran > Trial Reset, TrashReg & RegDelNull. All clean.
I don't speak Russian fluently, so this is probably a better link:
http://www.vitsoft.org.ua/Eng/vit-registry-fix-free.htm
Sorry I didn't reply last night. I was about to when my neighbor knocked
on the door and interrupted me.
Yes, I looked at that program's website. Couldn't determine whether the
program uses the Win32 API or the Native API. Also, I generally avoid
software originating from Russia because that's where most of the
seriously bad malware that I've had to deal with comes from.
Sorry.
I use A2 HijackFree, IceSword or HiJackThis!
> Here is another check.
>
> Starter
> http://www.softpedia.com/get/Tweak/System-Tweak/Starter.shtml
> http://www.softpedia.com/progScreenshots/Starter-Screenshot-2345.html
> http://www.snapfiles.com/get/starter.html
> http://www.xtort.net/system/startup-utilities.php
> http://codestuff.tripod.com/products_starter.html
> Portable Starter
> http://www.softpedia.com/get/PORTABLE-SOFTWARE/System/System-Enhancements/Windows-Portable-Applications-Portable-Starter.shtml
>
> Starter is yet another startup manager, that allows you to view and
> manage all the programs that are starting automatically whenever Windows
> boots. It lists all the hidden registry entries, as well as the common
> Startup Folder items as well. You can choose to safely disable selected
> entries, edit them or delete them altogether (if you know what you're
> doing). Expert users can even add their own entries. Nice interface,
> easy to use, no documentation though (but hardly needed). Microsoft
> Windows 9x, Me, NT, 2000, XP, 2003, Vista.
Well, I already have about five programs which let me see what's
starting up.
Thanks for the English link, have updated my database.
I get most of my programs ( got close to 200 installed now ) from the
highly trusted sites Softpedia, CNET, FreewareFiles & a few others that
have already checked them out for infections & other problems, plus
they are in English, saves a lot of negotiating around a site.
I was saying, "Who cares that the Virustotal website report says that
Symantec says that Symantec rates it (Registry Explorer) a
'Suspicious.Insight' detection", not "Who cares about Armadillo."
I ran RegDelNull just now and it came back without any nulls. Trashreg
still shows the Armadillo listing though.
Trial Reset's home page seems to be here:
and it doesn't look like the website's maintained any longer.
I did find this at the developer's forum:
http://forum.exetools.com/showthread.php?t=12581
That post dates to Dec. 12, 2009, not that long ago. You can't register
to join the group and you can't download the file unless you're
registered. You can download the file from another link that's given in
the discussion (as I did) but Virustotal gives it a seriously bad bill
of health:
so I Erased that download.
The version at the quequero link you provided above gives these results:
Not as bad (basically, they say "this file looks fishy" without being
specific).
I just ran it. Looks like a great little program and it found five
Armadillo entries. Thanks!
However, I will exercise caution when deleting registry entries of any
kind, of course.
Forgot to add, thanks anyway.
> I got 802 items with the lower limit set to 1000.
Thanks ever so much for being my friend.
--
za...@pooh.the.cat - www.zakATsKopterChat.com
> From: za kAT <za...@johnstubbings.invalid>
> X-Authenticated-User: $$gwbwayjc_wip36mbewj-e-pml
BWHAHAHAHAHAHAHA!!!!!
3 days off service, and your wings clipped, you impotent prick...
I've been following this thread with interest, from the cheap
seats. :) I remembered something from the Code Project and had a
search:
Registry Manipulation Using NT Native APIs - http://www.codeproject.com/KB/system/NtRegistry.aspx
There are some compiled "demo" programs there, including a working
Native Registry Editor (NtRegEdit) which might be of use to you.
There is a "value from/to" option in the search function, but I've yet
to delve further. Seems to work fine on XP Pro.
Brian
Hey Brian;
I'll bet John has your ggroups address white-listed but posting this
just to make sure.
<quietly exits ---> that-a-way>
--
-Craig
> Hey Brian;
>
> I'll bet John has your ggroups address white-listed but posting this
> just to make sure.
>
> <quietly exits ---> that-a-way>
> --
> -Craig
Thanks Craig. I know GGs is a source of lots of junk, but I find it so
easy when I'm on the move.
One more thing - it also has a "find hidden" search function so you
can trawl through each hive. Also seems to work as advertised.
Brian
I do all my viewing via GG. Much, much easier to read & follow the
posts.
For those reading this & don't know what we are talking about, here is
the link.
There's no doubt ggs is "a good thing(tm)." I mean, they'll continue to
improve it until it matches deja news, right? <grin> Good reminder on
the search fxn.
thx,
--
-Craig
>>I'm want to be able to see hidden (and if necessary, delete) entries in
>>the Registry. These entries can be:
>>
>>1. anything over 256 characters in length
>>2. anything with a "/0" (a "null" character) in its name.
>
> 1 - Nirsoft's regscanner.exe has an option to display data with a length
> range in bytes.
The length restriction, which results in hidden keys is not connected
to the *data*, but to the length of the *name* of a key or a value.
/Key/ names of exactly 255 characters and /Value/ names of 256 to 259
characters pose problems to MS Regedit and some other registry tools.
The Nirsoft RegScanner /can/ filter and display such keys and values,
though. But not in the way you suggested. You need to use an appropriate
find string and search for "Matching: Registry item contains the specified
RegEx".
Unfortunately, RegScanner does not support the "number of occurrences"
RegEx expression (numbers in curly brackets). Therefore, you need to
copy 255 dots into the find string field. (Create them with a text
editor showing the number of characters in a line.) Tick in only the
"Look at: Values, Keys" search parameters. I checked this in a Win2k
setup and it worked appropriately. Please note: Although unlikely,
you may find valid /value/ names of 255 characters. To /only/ find
hidden entries, search first with 255 dots for key names and afterwards
with 256 dots for value names. (Don't use "exact RegEx matching" in the
second case or in the general search above, to also find strings longer
than 256 or 255 characters.)
> 2 - Sysinternal's RegDelNull.exe program deletes registry keys per your
> above spec.
RegDelNull does not handle long name cases, just /string data values/
containing a 0x00 byte. RegDelNull is probably the best method to deal
with such entries. Because of its malware-like character, trustworthy
software developers should not use null-byte embedding. Btw.: Nirsoft
RegScanner will /not/ show such values.
Dealing with overlong hidden entries is, IMHO, a matter of taste. One
can search and delete them with RegScanner. But this covers only a
small spectrum of possible hidden information inside the registry.
Most such information will be "hidden in plain view": Somewhere in an
arbitrary key inside a registry branch continuously accessed by the
system, with encryption (or otherwise encoded),...
There is one case of hidden entries, which /has/ to be dealt with: Any
kind of autostart. For these entries, SysInternals Autoruns is one of
the best tools available. (It /does/ show hidden entries.)
BeAr
--
===========================================================================
= What do you mean with: "Perfection is always an illusion"? =
===============================================================--(Oops!)===
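The classification BeAr lays out above (key names of exactly 255 characters, value names of 256 to 259 characters, any name with an embedded 0x00) and the "paste n dots instead of .{n}" workaround for RegScanner, written out as an added example; this is not code from the thread, from RegScanner, RegDelNull or NtRegEdit. It assumes the names have already been enumerated through the Native API (an NtRegEdit listing, for instance), because a Win32-API reader would not return them in the first place; the sample entries, key paths and value names are constructed.

```python
"""Flag registry key/value names that Win32-API viewers (regedit) cannot show.

Added example, not code from the thread or from any tool it names. The
thresholds are the ones given in the thread: key names of exactly 255
characters, value names of 256-259 characters, and any 0x00 in a name.
Names are assumed to come from a Native-API enumeration; SAMPLE is constructed.
"""
import re
from typing import Callable, List, Tuple

KEY_NAME_LEN = 255                  # key names of exactly this length go unseen
VALUE_NAME_LENS = range(256, 260)   # value names of 256..259 characters


def classify_name(name: str, kind: str) -> List[str]:
    """Return the reasons a key ('key') or value ('value') name is hidden, if any."""
    reasons = []
    if "\x00" in name:
        reasons.append("embedded-null")
    if kind == "key" and len(name) == KEY_NAME_LEN:
        reasons.append("key-name-255")
    if kind == "value" and len(name) in VALUE_NAME_LENS:
        reasons.append("value-name-256-259")
    return reasons


def regscanner_dots_pattern(n: int, exact: bool = False) -> Callable[[str], bool]:
    """Build the 'n dots' search used when a tool lacks the {n} quantifier.

    n literal dots is the same regex as .{n}: without exact matching it hits
    every name of n or more characters, with exact matching only names of
    exactly n characters. re.DOTALL makes '.' also cover a 0x00 character.
    """
    pat = re.compile("." * n, re.DOTALL)
    if exact:
        return lambda s: pat.fullmatch(s) is not None
    return lambda s: pat.search(s) is not None


def printable(name: str) -> str:
    """Escape 0x00 so a report line is not cut short by a C-string consumer."""
    return name.replace("\x00", "\\0")


def scan(entries: List[Tuple[str, str, str]]) -> List[Tuple[str, str, List[str]]]:
    """entries are (parent key path, 'key' | 'value', name); returns findings."""
    findings = []
    for parent, kind, name in entries:
        reasons = classify_name(name, kind)
        if reasons:
            findings.append((parent + "\\" + printable(name), kind, reasons))
    return findings


# Constructed sample enumeration (paths and names are placeholders).
SAMPLE = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "value", "ctfmon"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "value", "Updater\x00"),
    (r"HKLM\SOFTWARE\Classes\CLSID", "key", "A" * 255),
    (r"HKLM\SOFTWARE\Classes\CLSID", "key", "B" * 254),
    (r"HKCU\Software\Example", "value", "V" * 257),
    (r"HKCU\Software\Example", "value", "W" * 260),
]

if __name__ == "__main__":
    for path, kind, reasons in scan(SAMPLE):
        print(kind, ", ".join(reasons), path)
    at_least_255 = regscanner_dots_pattern(255)
    exactly_255 = regscanner_dots_pattern(255, exact=True)
    print("300 chars, 255 dots, non-exact:", at_least_255("A" * 300))
    print("300 chars, 255 dots, exact:", exactly_255("A" * 300))
```

The two pattern variants are the point of the second half: the non-exact search is what you want when hunting for anything at or beyond the limit, the exact one when confirming a suspect name is precisely the length regedit cannot display. Embedded nulls are escaped before anything is printed, since a reporting step that stops at the first 0x00 would hide exactly the entry being reported.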
Since I upgraded to TB3, I got rid of News Proxy and now I don't have
any Google Groupers whitelisted, so thanks for posting that. Good info
and I thank Brian for posting it. I downloaded the program and will
check it out.
These two paragraphs pretty much cover it. Thanks, BeAr. Guess it's just
time for me to do a format and reinstall. I was hoping to avoid it, but
it's time to bite the bullet...
> B. R. 'BeAr' Ederson wrote:
>> (big snip)
[2 paragraphs left]
> These two paragraphs pretty much cover it.
I shouldn't have made them the last two, then. Eh? ;-)
> Thanks, BeAr.
You're welcome.
> Guess it's just time for me to do a format and reinstall. I was hoping to
> avoid it, but it's time to bite the bullet...
Operating systems are too complex, nowadays, to manually check for
vague symptoms. When there are reasons to mistrust a setup, it is
better to do a clean re-install and just copy the data... :-(
You doubtlessly knew this, already. It is just hard to acknowledge
the unavoidable. ;-)
[Native Registry Editor (NtRegEdit)]
> I thank Brian for posting it. I downloaded the program and will check
> it out.
It shows long key and value names as well as string values containing
0x00 bytes. Please note, that its function to search for hidden entries
only lists the 0x00 byte ones, though. The long entries are generally
valid (not showing them is just an implementation flaw); therefore they
are not listed as hidden.
> Operating systems are too complex, nowadays, to manually check for
> vague symptoms. When there are reasons to mistrust a setup, it is
> better to do a clean re-install and just copy the data...
Assuming 'whatever' isn't hidden in the data...
> You doubtlessly knew this, already.
Ditto.
>> When there are reasons to mistrust a setup, it is better to do a clean
>> re-install and just copy the data...
>
> Assuming 'whatever' isn't hidden in the data...
As long as there is no trigger mechanism (trojan, software bug) left
or comes new onto the system, one is pretty safe from "whatever" that
is hidden in the data... ;-)
Btw., if one wishes to retain a software [freeware, of course ;-) ]
archive after a clean install following an (assumed) security breach,
the /least/ security measure should be to wait a couple of weeks before
running /any/ software from that archive.
All archived programs ought to be scanned by at least one trustworthy
up-to-date AV program at this point. If one needs a couple of programs
earlier, they should be installed as fresh downloads from the Net.
(Checksum comparison will also suffice, of course.)
Again, most people know this. Yet few really follow this path...
> On Sat, 10 Apr 2010 17:04:32 +0100, za kAT wrote:
>
>>> When there are reasons to mistrust a setup, it is better to do a clean
>>> re-install and just copy the data...
>>
>> Assuming 'whatever' isn't hidden in the data...
>
> As long as there is no trigger mechanism (trojan, software bug) left
> or comes new onto the system, one is pretty safe from "whatever" that
> is hidden in the data... ;-)
John seems concerned about 'whatever' could have been hidden in the
registry. I can't see hiding 'whatever' in the data, presents a real
problem either. I'm assuming 'whatever' refers to confidential data, not
malware.
> Btw., if one wishes to retain a software [freeware, of course ;-) ]
> archive after a clean install following an (assumed) security breach,
> the /least/ security measure should be to wait a couple of weeks before
> running /any/ software from that archive.
>
> All archived programs ought to be scanned by at least one trustworthy
> up-to-date AV program at this point.
Yep, or preferably from a clean backup.
> Again, most people know this. Yet few really follow this path...
I'd say 60-70% of people have evolved inner ear flaps which close whenever
backups are discussed.
> John seems concerned about 'whatever' could have been hidden in the
> registry. I can't see hiding 'whatever' in the data, presents a real
> problem either.
"Whatever" in the data on a potentially compromised system /can/ be a
thread or a breach of the secrecy of personal data, though. As you
write further on:
> I'm assuming 'whatever' refers to confidential data, not malware.
Or traces of malware running undetected. (Because of missing detection
in AV software or very sophisticated concealment.) Presence of hidden
data in registry usually points either to obsessive attempts to protect
some intellectual property or to spyware/malware.
> thread
^ Hmph. Make this "threat" :-(
My point being in this case, that if John thinks some 'confidential data'
may have been 'harvested', then data from the previous system could
potentially contain that, not just the registry. If you have thousands of
files, how would you know? For instance you could hide the information in
image files.
What?
Naw, there ain't no confidential data on my machine. I've always been
real careful about that. And I'm more concerned about code which allows
either MS or the feds to snoop on my ass than malware from hackers.
Eh... the download is uncompiled code. I wasn't able to find a download
for a ready-to-use version of the program.
>> [Native Registry Editor (NtRegEdit)]
> Eh... the download is uncompiled code. I wasn't able to find a download
> for a ready-to-use version of the program.
http://www.codeproject.com/KB/applications/NtRegEdit.aspx
If you aren't sure which VC libraries you have installed, get the
"all demos" *.zip and try all three compiled versions.
For those that are wanting to download NtRegEdit & don't want to
register at codeproject, this link downloads NtRegEdit_all_demos.
http://www.softpedia.com/get/Tweak/Registry-Tweak/NtRegEdit.shtml
> http://www.codeproject.com/KB/applications/NtRegEdit.aspx
>
> If you aren't sure which VC libraries you have installed, get the
> "all demos" *.zip and try all three compiled versions.
Oh yeah... and what he said :-o
I should have mentioned that "demos" on the code project are (usually)
working (compiled) versions of the source.
Thanks for that qualification BeAr.
Brian
Thanks, BeAr. I downloaded the "all demos" zip and since both the 6.0
and 7.1 versions work, I guess I must have the latter version.
Just curious though, how does one get from:
http://www.codeproject.com/KB/system/NtRegistry.aspx
to:
http://www.codeproject.com/KB/applications/NtRegEdit.aspx
There's so much crap on that first page, I'm sure if there's a link I
missed it.
>> If you aren't sure which VC libraries you have installed, get the
>> "all demos" *.zip and try all three compiled versions.
>
> Thanks, BeAr. I downloaded the "all demos" zip and since both the 6.0
> and 7.1 versions work, I guess I must have the latter version.
It doesn't matter. Functionality will be the same. The different versions
just refer to different compilers. Dan ensured this way, that his source
will compile with different VC versions.
> Just curious though, how does one get from:
>
> http://www.codeproject.com/KB/system/NtRegistry.aspx
>
> to:
>
> http://www.codeproject.com/KB/applications/NtRegEdit.aspx
>
> There's so much crap on that first page, I'm sure if there's a link I
> missed it.
Since the original link on top of the page ("This is the Native Registry
Editor (NtRegEdit) article ...") is broken, searching for "NtRegEdit" in
the Code Project search engine is the way to go. ;-)