Can registry entries be hidden?

I scanned my machine with a spyware program and its showing a few keys
in a registry that don't show in regedit.
Worse yet, its a valid program Newsbin Pro. And even odder is the
errors are like:
HKLM\Software\Microsoft\Windows\CurrentVersion\uni nstall\newsbin5\"helplink"="http://help.newsbin.com"


Again, the entry is not in the system.
I even search for 'newsbin5' and found only 3 and they are the typical
entries I would expect.

I would search for *.REG files. This is probably a relic of the setup for
newsbin

--
click the Ratings button. Voting helps the web interface.
http://www.microsoft.com/wn3/locales...help_en-us.htm see ''rate a post''
Mark L. Ferguson

"Big Al" wrote in message
news:j5w0k.802$0O1.315@trnddc07...
I scanned my machine with a spyware program and its showing a few keys in
a registry that don't show in regedit.
Worse yet, its a valid program Newsbin Pro. And even odder is the errors
are like:
HKLM\Software\Microsoft\Windows\CurrentVersion\uni nstall\newsbin5\"helplink"="http://help.newsbin.com"

Again, the entry is not in the system.
I even search for 'newsbin5' and found only 3 and they are the typical
entries I would expect.

"Big Al" wrote in message
news:j5w0k.802$0O1.315@trnddc07...
I scanned my machine with a spyware program and its showing a few keys
in a registry that don't show in regedit.

What is the name of the [anti-]spyware program?

Daave wrote:
"Big Al" wrote in message
news:j5w0k.802$0O1.315@trnddc07...
I scanned my machine with a spyware program and its showing a few keys
in a registry that don't show in regedit.

What is the name of the [anti-]spyware program?


Stopzilla.

Daave wrote:
"Big Al" wrote in message
news:j5w0k.802$0O1.315@trnddc07...
I scanned my machine with a spyware program and its showing a few keys
in a registry that don't show in regedit.

What is the name of the [anti-]spyware program?


Stopzilla. I ran it and then saw the report. Other than 2 obvious
issues I was aware of and dealt with manually and then these 11 registry
entries. I got rid of the program.

"Big Al" wrote in message
news:x5y0k.972$qP.91@trnddc03...
Daave wrote:
"Big Al" wrote in message
news:j5w0k.802$0O1.315@trnddc07...
I scanned my machine with a spyware program and its showing a few
keys in a registry that don't show in regedit.

What is the name of the [anti-]spyware program?
Stopzilla.

Definitely not one of the better ones.

Daave wrote:
"Big Al" wrote in message
news:x5y0k.972$qP.91@trnddc03...
Daave wrote:
"Big Al" wrote in message
news:j5w0k.802$0O1.315@trnddc07...
I scanned my machine with a spyware program and its showing a few
keys in a registry that don't show in regedit.
What is the name of the [anti-]spyware program?
Stopzilla.

Definitely not one of the better ones.



I'll side with you on that comment.... now!

I'd like to know just how that is possible (that they are there and hidden
in regedit). (unless some sneaky coder has managed to find a way to
actually do that!). What was the upshot of all this? WERE those entries
really there or was Stopzilla (or whatever it was) lying?

Big Al wrote:
I scanned my machine with a spyware program and its showing a few keys
in a registry that don't show in regedit.
Worse yet, its a valid program Newsbin Pro. And even odder is the
errors are like:
HKLM\Software\Microsoft\Windows\CurrentVersion\uni nstall\newsbin5\"helplink"="http://help.newsbin.com"


Again, the entry is not in the system.
I even search for 'newsbin5' and found only 3 and they are the typical
entries I would expect.

Bill in Co. wrote:
I'd like to know just how that is possible (that they are there and hidden
in regedit). (unless some sneaky coder has managed to find a way to
actually do that!). What was the upshot of all this? WERE those entries
really there or was Stopzilla (or whatever it was) lying?

Big Al wrote:
I scanned my machine with a spyware program and its showing a few keys
in a registry that don't show in regedit.
Worse yet, its a valid program Newsbin Pro. And even odder is the
errors are like:
HKLM\Software\Microsoft\Windows\CurrentVersion\uni nstall\newsbin5\"helplink"="http://help.newsbin.com"


Again, the entry is not in the system.
I even search for 'newsbin5' and found only 3 and they are the typical
entries I would expect.



I don't have any final answer. The only thing I could find wrong was
that newsbin is on my D: Drive, and when I reloaded 4/29 for SP3 I only
formatted C: and left D: alone. Newsbin does not need an install. So
when XP was reloaded I just ran newsbin. So technically there is no
INSTALL entry in the registry. Note that the key above is UNinstall.
It sounds a bit backwards, but since I never installed it, there were
no installation entries that point to the uninstall program.
I had a friend export his newsbin install entry and I changed the paths
and loaded it into my system. I now have an uninstall entry in the
control panel.

I'm not sure if this threw stopzilla or not.

Tuneup Utilities 2008 seems to like the registry.

I even exported the entire registry then searched it with my text
editor. And still could not find it.

I'm leaving it as a mystery and other than sending an email to stopzilla
support, I'm not going much further with it.

I did search for .reg files as someone suggested.

They can be hidden if they contain null characters or if the key name is
longer than 255 or 232 characters, depending in the Windows version that
you are using. The keys are hidden from registry tools like Regedit but
other registry tools can "see" these keys. The registry API can create
and see the values, it's just that Regedit can't see them, tools like
Autoruns, and others, can see them.

John

Bill in Co. wrote:

I'd like to know just how that is possible (that they are there and hidden
in regedit). (unless some sneaky coder has managed to find a way to
actually do that!). What was the upshot of all this? WERE those entries
really there or was Stopzilla (or whatever it was) lying?

Big Al wrote:

I scanned my machine with a spyware program and its showing a few keys
in a registry that don't show in regedit.
Worse yet, its a valid program Newsbin Pro. And even odder is the
errors are like:
HKLM\Software\Microsoft\Windows\CurrentVersion\u ninstall\newsbin5\"helplink"="http://help.newsbin.com"


Again, the entry is not in the system.
I even search for 'newsbin5' and found only 3 and they are the typical
entries I would expect.

Now that is interesting. I'm curious why regedit wouldn't have been
designed to be take that into account and be able to see them. (Maybe it
was just simpler not to, in its design as such a limited "editor").

John John (MVP) wrote:
They can be hidden if they contain null characters or if the key name is
longer than 255 or 232 characters, depending in the Windows version that
you are using. The keys are hidden from registry tools like Regedit but
other registry tools can "see" these keys. The registry API can create
and see the values, it's just that Regedit can't see them, tools like
Autoruns, and others, can see them.

John

Bill in Co. wrote:

I'd like to know just how that is possible (that they are there and
hidden
in regedit). (unless some sneaky coder has managed to find a way to
actually do that!). What was the upshot of all this? WERE those
entries
really there or was Stopzilla (or whatever it was) lying?

Big Al wrote:

I scanned my machine with a spyware program and its showing a few keys
in a registry that don't show in regedit.
Worse yet, its a valid program Newsbin Pro. And even odder is the
errors are like:
HKLM\Software\Microsoft\Windows\CurrentVersion\uni nstall\newsbin5\"helplink"="http://help.newsbin.com"


Again, the entry is not in the system.
I even search for 'newsbin5' and found only 3 and they are the typical
entries I would expect.

Microsoft has always informed programmers of the 255 character key name
size limit ( http://msdn.microsoft.com/en-us/library/ms724872.aspx ).
Nonetheless the Registry API is capable of breaking that limit, perhaps
the 255 character limit is mentioned because of the Registry tools, but
I don't know that for sure. I'm not a programmer so I don't know the
nitty gritty details of the API in question. Clearly, as discussed
he http://forums.mozillazine.org/viewtopic.php?t=310577 and he
http://isc.sans.org/diary.html?date=2005-08-25 that limit is not
unbreakable. Microsoft may have made changes since the publication of
the information in those pages but I don't know more than that about it.

As for the registry null character issue it is one that has long been
known, it creates invisible or undeletable registry entries.
http://search.yahoo.com/search?ei=UT...s%22&x=0 &y=0

Mark Russinovich talks of these Hidden Registry Keys he
http://technet.microsoft.com/en-us/s...97446.aspx#EZB

He has written a tool to delete these entries:
RegDelNull v1.1
http://technet.microsoft.com/en-us/s.../bb897448.aspx

John

Bill in Co. wrote:

Now that is interesting. I'm curious why regedit wouldn't have been
designed to be take that into account and be able to see them. (Maybe it
was just simpler not to, in its design as such a limited "editor").

John John (MVP) wrote:

They can be hidden if they contain null characters or if the key name is
longer than 255 or 232 characters, depending in the Windows version that
you are using. The keys are hidden from registry tools like Regedit but
other registry tools can "see" these keys. The registry API can create
and see the values, it's just that Regedit can't see them, tools like
Autoruns, and others, can see them.

John

Bill in Co. wrote:


I'd like to know just how that is possible (that they are there and
hidden
in regedit). (unless some sneaky coder has managed to find a way to
actually do that!). What was the upshot of all this? WERE those
entries
really there or was Stopzilla (or whatever it was) lying?

Big Al wrote:


I scanned my machine with a spyware program and its showing a few keys
in a registry that don't show in regedit.
Worse yet, its a valid program Newsbin Pro. And even odder is the
errors are like:
HKLM\Software\Microsoft\Windows\CurrentVersion \uninstall\newsbin5\"helplink"="http://help.newsbin.com"


Again, the entry is not in the system.
I even search for 'newsbin5' and found only 3 and they are the typical
entries I would expect.

Interesting! Thanks for the info, John.

John John (MVP) wrote:
Microsoft has always informed programmers of the 255 character key name
size limit ( http://msdn.microsoft.com/en-us/library/ms724872.aspx ).
Nonetheless the Registry API is capable of breaking that limit, perhaps
the 255 character limit is mentioned because of the Registry tools, but
I don't know that for sure. I'm not a programmer so I don't know the
nitty gritty details of the API in question. Clearly, as discussed
he http://forums.mozillazine.org/viewtopic.php?t=310577 and he
http://isc.sans.org/diary.html?date=2005-08-25 that limit is not
unbreakable. Microsoft may have made changes since the publication of
the information in those pages but I don't know more than that about it.

As for the registry null character issue it is one that has long been
known, it creates invisible or undeletable registry entries.
http://search.yahoo.com/search?ei=UT...s%22&x=0 &y=0

Mark Russinovich talks of these Hidden Registry Keys he
http://technet.microsoft.com/en-us/s...97446.aspx#EZB

He has written a tool to delete these entries:
RegDelNull v1.1
http://technet.microsoft.com/en-us/s.../bb897448.aspx

John

Bill in Co. wrote:

Now that is interesting. I'm curious why regedit wouldn't have been
designed to be take that into account and be able to see them. (Maybe
it
was just simpler not to, in its design as such a limited "editor").

John John (MVP) wrote:

They can be hidden if they contain null characters or if the key name is
longer than 255 or 232 characters, depending in the Windows version that
you are using. The keys are hidden from registry tools like Regedit but
other registry tools can "see" these keys. The registry API can create
and see the values, it's just that Regedit can't see them, tools like
Autoruns, and others, can see them.

John

Bill in Co. wrote:


I'd like to know just how that is possible (that they are there and
hidden
in regedit). (unless some sneaky coder has managed to find a way to
actually do that!). What was the upshot of all this? WERE those
entries
really there or was Stopzilla (or whatever it was) lying?

Big Al wrote:


I scanned my machine with a spyware program and its showing a few keys
in a registry that don't show in regedit.
Worse yet, its a valid program Newsbin Pro. And even odder is the
errors are like:
HKLM\Software\Microsoft\Windows\CurrentVersion\uni nstall\newsbin5\"helplink"="http://help.newsbin.com"


Again, the entry is not in the system.
I even search for 'newsbin5' and found only 3 and they are the typical
entries I would expect.

John John (MVP) wrote:
Microsoft has always informed programmers of the 255 character key name
size limit ( http://msdn.microsoft.com/en-us/library/ms724872.aspx ).
Nonetheless the Registry API is capable of breaking that limit, perhaps
the 255 character limit is mentioned because of the Registry tools, but
I don't know that for sure. I'm not a programmer so I don't know the
nitty gritty details of the API in question. Clearly, as discussed
he http://forums.mozillazine.org/viewtopic.php?t=310577 and he
http://isc.sans.org/diary.html?date=2005-08-25 that limit is not
unbreakable. Microsoft may have made changes since the publication of
the information in those pages but I don't know more than that about it.

As for the registry null character issue it is one that has long been
known, it creates invisible or undeletable registry entries.
http://search.yahoo.com/search?ei=UT...s%22&x=0 &y=0


Mark Russinovich talks of these Hidden Registry Keys he
http://technet.microsoft.com/en-us/s...97446.aspx#EZB

He has written a tool to delete these entries:
RegDelNull v1.1
http://technet.microsoft.com/en-us/s.../bb897448.aspx

John

Bill in Co. wrote:

Now that is interesting. I'm curious why regedit wouldn't have been
designed to be take that into account and be able to see them.
(Maybe it was just simpler not to, in its design as such a limited
"editor").

John John (MVP) wrote:

They can be hidden if they contain null characters or if the key name is
longer than 255 or 232 characters, depending in the Windows version that
you are using. The keys are hidden from registry tools like Regedit but
other registry tools can "see" these keys. The registry API can create
and see the values, it's just that Regedit can't see them, tools like
Autoruns, and others, can see them.

John

Bill in Co. wrote:


I'd like to know just how that is possible (that they are there and
hidden
in regedit). (unless some sneaky coder has managed to find a way to
actually do that!). What was the upshot of all this? WERE those
entries
really there or was Stopzilla (or whatever it was) lying?

Big Al wrote:


I scanned my machine with a spyware program and its showing a few keys
in a registry that don't show in regedit.
Worse yet, its a valid program Newsbin Pro. And even odder is the
errors are like:
HKLM\Software\Microsoft\Windows\CurrentVersion\uni nstall\newsbin5\"helplink"="http://help.newsbin.com"



Again, the entry is not in the system.
I even search for 'newsbin5' and found only 3 and they are the typical
entries I would expect.



And oddly enough after loading the install entry in the registry so the
uninstall shows in add/remove programs now, this uninstall item shows up
in the registry now too. I've been looking at your links John and when
I try to validate the error I originally had, its gone.
Now granted the "helplink" is nothing but a name of a field in Newsbin5.
And the data is of course the hyperlink. Both without quotes. I
guess it was just the way stopzilla displayed the keys and data.

Life's mystery #40938423
Interesting reading and learning however. Thanks too for your input.