#1
Can registry entries be hidden?
I scanned my machine with a spyware program and it's showing a few keys in a registry that don't show in regedit. Worse yet, it's a valid program, Newsbin Pro. And even odder is the errors are like:

HKLM\Software\Microsoft\Windows\CurrentVersion\uninstall\newsbin5\"helplink"="http://help.newsbin.com"

Again, the entry is not in the system. I even searched for 'newsbin5' and found only 3 and they are the typical entries I would expect.
#2
I would search for *.REG files. This is probably a relic of the setup for newsbin

--
click the Ratings button. Voting helps the web interface.
http://www.microsoft.com/wn3/locales...help_en-us.htm see ''rate a post''
Mark L. Ferguson

"Big Al" wrote in message news:j5w0k.802$0O1.315@trnddc07...
> I scanned my machine with a spyware program and it's showing a few keys in a registry that don't show in regedit. Worse yet, it's a valid program, Newsbin Pro. And even odder is the errors are like: HKLM\Software\Microsoft\Windows\CurrentVersion\uninstall\newsbin5\"helplink"="http://help.newsbin.com" Again, the entry is not in the system. I even searched for 'newsbin5' and found only 3 and they are the typical entries I would expect.
#3
"Big Al" wrote in message news:j5w0k.802$0O1.315@trnddc07...
> I scanned my machine with a spyware program and it's showing a few keys in a registry that don't show in regedit.

What is the name of the [anti-]spyware program?
#4
Daave wrote:
> "Big Al" wrote in message news:j5w0k.802$0O1.315@trnddc07...
>> I scanned my machine with a spyware program and it's showing a few keys in a registry that don't show in regedit.
>
> What is the name of the [anti-]spyware program?

Stopzilla.
#5
Daave wrote:
> "Big Al" wrote in message news:j5w0k.802$0O1.315@trnddc07...
>> I scanned my machine with a spyware program and it's showing a few keys in a registry that don't show in regedit.
>
> What is the name of the [anti-]spyware program?

Stopzilla. I ran it and then saw the report. Other than 2 obvious issues I was aware of and dealt with manually and then these 11 registry entries. I got rid of the program.
#6
"Big Al" wrote in message news:x5y0k.972$qP.91@trnddc03...
> Daave wrote:
>> "Big Al" wrote in message news:j5w0k.802$0O1.315@trnddc07...
>>> I scanned my machine with a spyware program and it's showing a few keys in a registry that don't show in regedit.
>>
>> What is the name of the [anti-]spyware program?
>
> Stopzilla.

Definitely not one of the better ones.
#7
Daave wrote:
> "Big Al" wrote in message news:x5y0k.972$qP.91@trnddc03...
>> Daave wrote:
>>> "Big Al" wrote in message news:j5w0k.802$0O1.315@trnddc07...
>>>> I scanned my machine with a spyware program and it's showing a few keys in a registry that don't show in regedit.
>>>
>>> What is the name of the [anti-]spyware program?
>>
>> Stopzilla.
>
> Definitely not one of the better ones.

I'll side with you on that comment.... now!
#8
I'd like to know just how that is possible (that they are there and hidden in regedit). (unless some sneaky coder has managed to find a way to actually do that!).

What was the upshot of all this? WERE those entries really there or was Stopzilla (or whatever it was) lying?

Big Al wrote:
> I scanned my machine with a spyware program and it's showing a few keys in a registry that don't show in regedit. Worse yet, it's a valid program, Newsbin Pro. And even odder is the errors are like: HKLM\Software\Microsoft\Windows\CurrentVersion\uninstall\newsbin5\"helplink"="http://help.newsbin.com" Again, the entry is not in the system. I even searched for 'newsbin5' and found only 3 and they are the typical entries I would expect.
#9
Bill in Co. wrote:
> I'd like to know just how that is possible (that they are there and hidden in regedit). (unless some sneaky coder has managed to find a way to actually do that!). What was the upshot of all this? WERE those entries really there or was Stopzilla (or whatever it was) lying?
>
> Big Al wrote:
>> I scanned my machine with a spyware program and it's showing a few keys in a registry that don't show in regedit. Worse yet, it's a valid program, Newsbin Pro. And even odder is the errors are like: HKLM\Software\Microsoft\Windows\CurrentVersion\uninstall\newsbin5\"helplink"="http://help.newsbin.com" Again, the entry is not in the system. I even searched for 'newsbin5' and found only 3 and they are the typical entries I would expect.

I don't have any final answer. The only thing I could find wrong was that newsbin is on my D: Drive, and when I reloaded 4/29 for SP3 I only formatted C: and left D: alone. Newsbin does not need an install. So when XP was reloaded I just ran newsbin. So technically there is no INSTALL entry in the registry. Note that the key above is UNinstall. It sounds a bit backwards, but since I never installed it, there were no installation entries that point to the uninstall program.

I had a friend export his newsbin install entry and I changed the paths and loaded it into my system. I now have an uninstall entry in the control panel. I'm not sure if this threw stopzilla or not. Tuneup Utilities 2008 seems to like the registry.

I even exported the entire registry then searched it with my text editor. And still could not find it. I'm leaving it as a mystery and other than sending an email to stopzilla support, I'm not going much further with it. I did search for .reg files as someone suggested.
#10
They can be hidden if they contain null characters or if the key name is longer than 255 or 232 characters, depending on the Windows version that you are using. The keys are hidden from registry tools like Regedit but other registry tools can "see" these keys. The registry API can create and see the values, it's just that Regedit can't see them, tools like Autoruns, and others, can see them.

John

Bill in Co. wrote:
> I'd like to know just how that is possible (that they are there and hidden in regedit). (unless some sneaky coder has managed to find a way to actually do that!). What was the upshot of all this? WERE those entries really there or was Stopzilla (or whatever it was) lying?
>
> Big Al wrote:
>> I scanned my machine with a spyware program and it's showing a few keys in a registry that don't show in regedit. Worse yet, it's a valid program, Newsbin Pro. And even odder is the errors are like: HKLM\Software\Microsoft\Windows\CurrentVersion\uninstall\newsbin5\"helplink"="http://help.newsbin.com" Again, the entry is not in the system. I even searched for 'newsbin5' and found only 3 and they are the typical entries I would expect.
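An added example, not part of the original thread or any poster's code: an offline check for the two conditions named in post #10, run over key-node ("nk") cells as they are laid out inside a hive file. The field offsets used (flags at 0x02, name length at 0x48, name at 0x4C), the function names and the sample cells are assumptions constructed for the example; a real hive also carries a base block and hbin headers, which this code does not parse.

```python
import struct

NK_COMP_NAME = 0x0020  # flag: name stored as 8-bit text, otherwise UTF-16LE
MAX_NAME = 255         # key-name limit quoted in the thread

def build_nk_cell(name, compressed=False):
    """Build a minimal allocated 'nk' cell (constructed sample, not a real hive)."""
    raw = name.encode("latin-1") if compressed else name.encode("utf-16-le")
    flags = NK_COMP_NAME if compressed else 0
    body = b"nk" + struct.pack("<H", flags) + bytes(0x44)  # zero fields up to 0x48
    body += struct.pack("<HH", len(raw), 0) + raw          # name length, class length
    body += bytes(-(len(body) + 4) % 8)                    # pad cell to 8 bytes
    return struct.pack("<i", -(len(body) + 4)) + body      # negative size = in use

def find_suspicious_keys(cells):
    """Walk consecutive cells; return [(name, [reasons])] for flagged key names."""
    findings, pos = [], 0
    while pos + 4 <= len(cells):
        size = abs(struct.unpack_from("<i", cells, pos)[0])
        if size < 8 or pos + size > len(cells):
            break                                          # corrupt or truncated cell
        cell = cells[pos + 4:pos + size]
        pos += size
        if cell[:2] != b"nk" or len(cell) < 0x4C:
            continue                                       # not a key node
        flags, = struct.unpack_from("<H", cell, 0x02)
        name_len, = struct.unpack_from("<H", cell, 0x48)
        raw = cell[0x4C:0x4C + name_len]
        if flags & NK_COMP_NAME:
            name = raw.decode("latin-1")
        else:
            name = raw.decode("utf-16-le", "replace")
        reasons = []
        if "\x00" in name:
            reasons.append("embedded NUL")
        if len(name) > MAX_NAME:
            reasons.append("longer than 255 characters")
        if reasons:
            findings.append((name, reasons))
    return findings

# Constructed sample: one ordinary key name and one of each flagged kind.
SAMPLE = (build_nk_cell("newsbin5", compressed=True)
          + build_nk_cell("Example\x00Key")
          + build_nk_cell("A" * 300, compressed=True))

if __name__ == "__main__":
    for name, reasons in find_suspicious_keys(SAMPLE):
        print(repr(name[:40]), "->", ", ".join(reasons))
```

Reading the stored name by its recorded length rather than stopping at the first NUL is what lets the check see a name that a tool treating names as NUL-terminated strings would truncate.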
#11
Now that is interesting. I'm curious why regedit wouldn't have been designed to take that into account and be able to see them. (Maybe it was just simpler not to, in its design as such a limited "editor").

John John (MVP) wrote:
> They can be hidden if they contain null characters or if the key name is longer than 255 or 232 characters, depending on the Windows version that you are using. The keys are hidden from registry tools like Regedit but other registry tools can "see" these keys. The registry API can create and see the values, it's just that Regedit can't see them, tools like Autoruns, and others, can see them.
>
> John
>
> Bill in Co. wrote:
>> I'd like to know just how that is possible (that they are there and hidden in regedit). (unless some sneaky coder has managed to find a way to actually do that!). What was the upshot of all this? WERE those entries really there or was Stopzilla (or whatever it was) lying?
>>
>> Big Al wrote:
>>> I scanned my machine with a spyware program and it's showing a few keys in a registry that don't show in regedit. Worse yet, it's a valid program, Newsbin Pro. And even odder is the errors are like: HKLM\Software\Microsoft\Windows\CurrentVersion\uninstall\newsbin5\"helplink"="http://help.newsbin.com" Again, the entry is not in the system. I even searched for 'newsbin5' and found only 3 and they are the typical entries I would expect.
#12
Microsoft has always informed programmers of the 255 character key name size limit ( http://msdn.microsoft.com/en-us/library/ms724872.aspx ). Nonetheless the Registry API is capable of breaking that limit, perhaps the 255 character limit is mentioned because of the Registry tools, but I don't know that for sure. I'm not a programmer so I don't know the nitty gritty details of the API in question. Clearly, as discussed here http://forums.mozillazine.org/viewtopic.php?t=310577 and here http://isc.sans.org/diary.html?date=2005-08-25 that limit is not unbreakable. Microsoft may have made changes since the publication of the information in those pages but I don't know more than that about it.

As for the registry null character issue it is one that has long been known, it creates invisible or undeletable registry entries. http://search.yahoo.com/search?ei=UT...s%22&x=0&y=0

Mark Russinovich talks of these Hidden Registry Keys here http://technet.microsoft.com/en-us/s...97446.aspx#EZB

He has written a tool to delete these entries: RegDelNull v1.1 http://technet.microsoft.com/en-us/s.../bb897448.aspx

John

Bill in Co. wrote:
> Now that is interesting. I'm curious why regedit wouldn't have been designed to take that into account and be able to see them. (Maybe it was just simpler not to, in its design as such a limited "editor").
>
> John John (MVP) wrote:
>> They can be hidden if they contain null characters or if the key name is longer than 255 or 232 characters, depending on the Windows version that you are using. The keys are hidden from registry tools like Regedit but other registry tools can "see" these keys. The registry API can create and see the values, it's just that Regedit can't see them, tools like Autoruns, and others, can see them.
>>
>> John
>>
>> Bill in Co. wrote:
>>> I'd like to know just how that is possible (that they are there and hidden in regedit). (unless some sneaky coder has managed to find a way to actually do that!). What was the upshot of all this? WERE those entries really there or was Stopzilla (or whatever it was) lying?
>>>
>>> Big Al wrote:
>>>> I scanned my machine with a spyware program and it's showing a few keys in a registry that don't show in regedit. Worse yet, it's a valid program, Newsbin Pro. And even odder is the errors are like: HKLM\Software\Microsoft\Windows\CurrentVersion\uninstall\newsbin5\"helplink"="http://help.newsbin.com" Again, the entry is not in the system. I even searched for 'newsbin5' and found only 3 and they are the typical entries I would expect.
#13
Interesting! Thanks for the info, John.

John John (MVP) wrote:
> Microsoft has always informed programmers of the 255 character key name size limit ( http://msdn.microsoft.com/en-us/library/ms724872.aspx ). Nonetheless the Registry API is capable of breaking that limit, perhaps the 255 character limit is mentioned because of the Registry tools, but I don't know that for sure. I'm not a programmer so I don't know the nitty gritty details of the API in question. Clearly, as discussed here http://forums.mozillazine.org/viewtopic.php?t=310577 and here http://isc.sans.org/diary.html?date=2005-08-25 that limit is not unbreakable. Microsoft may have made changes since the publication of the information in those pages but I don't know more than that about it.
>
> As for the registry null character issue it is one that has long been known, it creates invisible or undeletable registry entries. http://search.yahoo.com/search?ei=UT...s%22&x=0&y=0
>
> Mark Russinovich talks of these Hidden Registry Keys here http://technet.microsoft.com/en-us/s...97446.aspx#EZB
>
> He has written a tool to delete these entries: RegDelNull v1.1 http://technet.microsoft.com/en-us/s.../bb897448.aspx
>
> John
>
> Bill in Co. wrote:
>> Now that is interesting. I'm curious why regedit wouldn't have been designed to take that into account and be able to see them. (Maybe it was just simpler not to, in its design as such a limited "editor").
>>
>> John John (MVP) wrote:
>>> They can be hidden if they contain null characters or if the key name is longer than 255 or 232 characters, depending on the Windows version that you are using. The keys are hidden from registry tools like Regedit but other registry tools can "see" these keys. The registry API can create and see the values, it's just that Regedit can't see them, tools like Autoruns, and others, can see them.
>>>
>>> John
>>>
>>> Bill in Co. wrote:
>>>> I'd like to know just how that is possible (that they are there and hidden in regedit). (unless some sneaky coder has managed to find a way to actually do that!). What was the upshot of all this? WERE those entries really there or was Stopzilla (or whatever it was) lying?
>>>>
>>>> Big Al wrote:
>>>>> I scanned my machine with a spyware program and it's showing a few keys in a registry that don't show in regedit. Worse yet, it's a valid program, Newsbin Pro. And even odder is the errors are like: HKLM\Software\Microsoft\Windows\CurrentVersion\uninstall\newsbin5\"helplink"="http://help.newsbin.com" Again, the entry is not in the system. I even searched for 'newsbin5' and found only 3 and they are the typical entries I would expect.
#14
John John (MVP) wrote:
> Microsoft has always informed programmers of the 255 character key name size limit ( http://msdn.microsoft.com/en-us/library/ms724872.aspx ). Nonetheless the Registry API is capable of breaking that limit, perhaps the 255 character limit is mentioned because of the Registry tools, but I don't know that for sure. I'm not a programmer so I don't know the nitty gritty details of the API in question. Clearly, as discussed here http://forums.mozillazine.org/viewtopic.php?t=310577 and here http://isc.sans.org/diary.html?date=2005-08-25 that limit is not unbreakable. Microsoft may have made changes since the publication of the information in those pages but I don't know more than that about it.
>
> As for the registry null character issue it is one that has long been known, it creates invisible or undeletable registry entries. http://search.yahoo.com/search?ei=UT...s%22&x=0&y=0
>
> Mark Russinovich talks of these Hidden Registry Keys here http://technet.microsoft.com/en-us/s...97446.aspx#EZB
>
> He has written a tool to delete these entries: RegDelNull v1.1 http://technet.microsoft.com/en-us/s.../bb897448.aspx
>
> John
>
> Bill in Co. wrote:
>> Now that is interesting. I'm curious why regedit wouldn't have been designed to take that into account and be able to see them. (Maybe it was just simpler not to, in its design as such a limited "editor").
>>
>> John John (MVP) wrote:
>>> They can be hidden if they contain null characters or if the key name is longer than 255 or 232 characters, depending on the Windows version that you are using. The keys are hidden from registry tools like Regedit but other registry tools can "see" these keys. The registry API can create and see the values, it's just that Regedit can't see them, tools like Autoruns, and others, can see them.
>>>
>>> John
>>>
>>> Bill in Co. wrote:
>>>> I'd like to know just how that is possible (that they are there and hidden in regedit). (unless some sneaky coder has managed to find a way to actually do that!). What was the upshot of all this? WERE those entries really there or was Stopzilla (or whatever it was) lying?
>>>>
>>>> Big Al wrote:
>>>>> I scanned my machine with a spyware program and it's showing a few keys in a registry that don't show in regedit. Worse yet, it's a valid program, Newsbin Pro. And even odder is the errors are like: HKLM\Software\Microsoft\Windows\CurrentVersion\uninstall\newsbin5\"helplink"="http://help.newsbin.com" Again, the entry is not in the system. I even searched for 'newsbin5' and found only 3 and they are the typical entries I would expect.

And oddly enough after loading the install entry in the registry so the uninstall shows in add/remove programs now, this uninstall item shows up in the registry now too.

I've been looking at your links John and when I try to validate the error I originally had, it's gone. Now granted the "helplink" is nothing but a name of a field in Newsbin5. And the data is of course the hyperlink. Both without quotes. I guess it was just the way stopzilla displayed the keys and data.

Life's mystery #40938423

Interesting reading and learning however. Thanks too for your input.