? Ellipsis In Registry Value

[Alec S.]

Hi,

I've noticed that sometimes, when I look at some values in the registry using Regedit, there will be an ellipsis at the end of it.
I resize the column to make room for it, but it's still there. I then open the value to see if there's more data (sometimes it will
be truncated no matter what, for example if it's a really large binary) but there is no more. For example I will see this:

Foo REG_SZ Bar.

If I edit the value (or just click OK in the edit dialog), it goes away but when whatever application that generated it writes it
again, it will be back. Furthermore, I believe that it affects how or the order in which values are read by an app. For example,
I've noticed that mp3shield selects the folder with the ellipsis as the default when it starts up.


Does anyone know what it is or how to use it? Is there a way to do it when writing to the registry with the API? regedit? Does it
have anything to do with the ordering?


Thanks a lot.

 

[Dave Patrick]

Some data types can only be edited safely with regedt32.exe

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

| Hi,
|
| I've noticed that sometimes, when I look at some values in the registry
using Regedit, there will be an ellipsis at the end of it.
| I resize the column to make room for it, but it's still there. I then
open the value to see if there's more data (sometimes it will
| be truncated no matter what, for example if it's a really large binary)
but there is no more. For example I will see this:
|
| Foo REG_SZ Bar.
|
| If I edit the value (or just click OK in the edit dialog), it goes away
but when whatever application that generated it writes it
| again, it will be back. Furthermore, I believe that it affects how or the
order in which values are read by an app. For example,
| I've noticed that mp3shield selects the folder with the ellipsis as the
default when it starts up.
|
|
| Does anyone know what it is or how to use it? Is there a way to do it
when writing to the registry with the API? regedit? Does it
| have anything to do with the ordering?
|
|
| Thanks a lot.
|
|
| --
| Alec S.
| news/alec\\\synetech/cjb/net
|
|

 

[Alec S.]

Some data types can only be edited safely with regedt32.exe

That's what I'm using.

 

[Dave Patrick]

Ok, you mentioned regedit.exe. Some examples may make help.

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

| That's what I'm using.
|
|
| --
| Alec S.
| news -.- alec -@- synetech -.- cjb -.- net
|
|
|

 

[Alec S.]

Ok, you mentioned regedit.exe. Some examples may make help.

Actually I mentioned Regedit (no extension). When running regedit from the shell, it automatically redirects to regedt32 (you have
to explicitly use regedt32 from the command line though, I learned that the hard way.)


Examples, examples… examples.

Like I said, MP3Shield does this. Run MP3Shield and select a folder or two. Quit and open Regedit and look at
HKEY_LOCAL_MACHINE\SOFTWARE\MP3Shield\Folders. You'll see some folders listed as regular string data but their values will be
displayed as "C:\mp3…" or "D:\media\mp3…". If you edit the value, you'll see that the ellipsis is not part of the data, nor is
there any extra data that could not fit in the column. If you cancel, the ellipsis is still there, but if you click OK, it will be
gone. If you then run MP3Shield again and add a new folder, it will add them again. However, it only happens if MP3Shield actually
writes the value (a new folder). If it's already there, it won't write it, so the ellipsis will not return. Obviously there is
something special about the way MP3Shield (and a rare few other apps) write to the registry.

I thought that the ellipsis had something to do with the order of the data but it does not. (Speaking of which, is there a way to
control the order?)

 

[Mark V]

Hi,

I've noticed that sometimes, when I look at some values in the
registry using Regedit, there will be an ellipsis at the end of
it. I resize the column to make room for it, but it's still

[ ... ]

I suggest doing a
REG.EXE QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\MP3Shield\Folders" /v
under both conditions and post the results. Perhaps it will reveal
something, or not.

(W2K and no MP3Shield here)

 

[Dave Patrick]

We assume Windows 2000 since you posted here but didn't tell us otherwise.
Obvious now by your remark that you're running Windows XP. No MP3Shield here
so no idea what you've got going. Might be they know something here.

http://forums.vnunet.com/

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

| Actually I mentioned Regedit (no extension). When running regedit from
the shell, it automatically redirects to regedt32 (you have
| to explicitly use regedt32 from the command line though, I learned that
the hard way.)
|
|
| Examples, examples. examples.
|
| Like I said, MP3Shield does this. Run MP3Shield and select a folder or
two. Quit and open Regedit and look at
| HKEY_LOCAL_MACHINE\SOFTWARE\MP3Shield\Folders. You'll see some folders
listed as regular string data but their values will be
| displayed as "C:\mp3." or "D:\media\mp3.". If you edit the value, you'll
see that the ellipsis is not part of the data, nor is
| there any extra data that could not fit in the column. If you cancel, the
ellipsis is still there, but if you click OK, it will be
| gone. If you then run MP3Shield again and add a new folder, it will add
them again. However, it only happens if MP3Shield actually
| writes the value (a new folder). If it's already there, it won't write
it, so the ellipsis will not return. Obviously there is
| something special about the way MP3Shield (and a rare few other apps)
write to the registry.
|
| I thought that the ellipsis had something to do with the order of the data
but it does not. (Speaking of which, is there a way to
| control the order?)
|
|
| --
| Alec S.
| news/alec\\synetech/cjb/net
|
|

 

[Alec S.]

I've noticed that sometimes, when I look at some values in the registry using Regedit, there will be an ellipsis at the end of it.
I resize the column to make room for it, but it's still there. I then open the value to see if there's more data (sometimes it will
be truncated no matter what, for example if it's a really large binary) but there is no more.

I think I figured it out. After running some tests I can confirm that it is caused when an app writes a string to the registry that
is too long: one that has data past the terminating-zero. I am also writing an article with more details.

Since it is a bug which can be exploited, I am going to notify them about it right now, and will keep an eye out for other apps that
do it.


Ah, I've been wondering about this issue for quite some time now (a few years), and with a few apps. It feels good to finally
understand the cause.

 

[Mark V]

I think I figured it out. After running some tests I can
confirm that it is caused when an app writes a string to the
registry that is too long: one that has data past the
terminating-zero. I am also writing an article with more
details.

If you mean that the key contains a nul value, see Sysinternals
tools: RootkitRevealer and RegDelNull (and RegHide) and the web
pages that relate t them

I suspect your situation is different.

 

[Alec S.]

I think I figured it out. After running some tests I can

If you mean that the key contains a nul value, see Sysinternals
tools: RootkitRevealer and RegDelNull (and RegHide) and the web
pages that relate t them

I suspect your situation is different.

Yes, that's basically what the problem is. A few rare apps use Native API calls to write to the registry and pad the data with
NULLs. This is okay with the Win32 API because the first NULL character terminates the string but the Native API relies on the
specified length, thus allowing NULLs. Regedit uses the Native API calls to read the registry but the text printing routines use
NULL-terminated strings. Regedit appends an ellipsis to show that the data is longer than can be displayed. It's quite clever
really.

 

[Mark V]

Yes, that's basically what the problem is. A few rare apps use
Native API calls to write to the registry and pad the data with
NULLs. This is okay with the Win32 API because the first NULL
character terminates the string but the Native API relies on the
specified length, thus allowing NULLs. Regedit uses the Native
API calls to read the registry but the text printing routines
use NULL-terminated strings. Regedit appends an ellipsis to
show that the data is longer than can be displayed. It's quite
clever really.

And all this time I thought that the disparity just sucked! <G>
Since you know about it, good luck.

 

[Alec S.]

We assume Windows 2000 since you posted here but didn't tell us otherwise.
Obvious now by your remark that you're running Windows XP.

You're right, I'm using XP but I'm posting here because there is no XP Registry newsgroup and this is the closest.

 

[Dave Patrick]

No problem. Just explaining the reason for your confusion.

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

| You're right, I'm using XP but I'm posting here because there is no XP
Registry newsgroup and this is the closest.
|
| --
| Alec S.
| news/alec->synetech/cjb/net
|
|