how to remove key name with embedded nulls?

charles

On Windows 2000 I've got a registry key that contains embedded nulls
(apparently put there for license purposes by a program I no longer use)
that I want to remove.

I can't rename/delete or do anything with it with either regedit or
regedt32 or 3rd party tools. When I do a search for it using an external
tool it reports "Windows reported error code 2."

Can anyone suggest a way to get rid of this key?

Thanks.

Crouchie1998

Is the key to do with a Windows service?

What is the key?

Crouchie1998
BA (HONS) MCP MCSE

Crouchie1998

Error Code 2 = Cannot find file

What permissions are you running? Right-click the key, choose
Security/permissions & then try again to remove it.

You can also boot into safe mode & try to delete it.

If you give me the exact key then I will write a small VB.NET application &
use registry permissions to delete the key for you, but it's not 100% that
will work either, although, we can try. It's not going to take 5 minutes to
knock-up the application, but I need the 'exact' key. 'Example Only':

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

or

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt

Crouchie1998
BA (HONS) MCP MCSE

Mark V

In said:
Error Code 2 = Cannot find file

What permissions are you running? Right-click the key, choose
Security/permissions & then try again to remove it.

You can also boot into safe mode & try to delete it.

If you give me the exact key then I will write a small VB.NET
application & use registry permissions to delete the key for
you, but it's not 100% that will work either, although, we can
try. It's not going to take 5 minutes to knock-up the
application, but I need the 'exact' key. 'Example Only':

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

or

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt

My impression thus far is that this is not a permissions issue.
Rather, it is a key specifically created to be unreadable using the Win32
API registry functions. Typical of both rootkits and some vendors'
licensing keys.

The only methods known to me are:
Use the Native NT APIs.
Manually edit a binary hive file in offline mode. NOT
recommended!
Un-install the application that created such a key. This may or
may not be effective. Often not effective if the software was a
"trial version".

Crouchie1998

All I was saying to the user is that it's worth a try.

If it doesn't work then at least we've tried.

If it was on my computer then I would have knocked up a small application to
try it anyway. I wouldn't wait 3-4 days for someone to come up with an
alternative answer.

Crouchie1998
BA (HONS) MCP MCSE

charles

All I was saying to the user is that it's worth a try.

If it doesn't work then at least we've tried.

If it was on my computer then I would have knocked up a small application to
try it anyway. I wouldn't wait 3-4 days for someone to come up with an
alternative answer.

Crouchie1998
BA (HONS) MCP MCSE

Thanks to both of you for replying.

Yes, I don't think it is a permissions issue and yes, I think it is
specifically designed to be unreadable. I found it using Sysinternals'
rootkitrevealer. When I asked the author he replied that he has had a
number of reports of this particular incident.

The application that probably installed the key has been removed from
this box long ago. I do remember that getting rid of the rest of it took
some work, so they apparently have little respect for their customers'
property.

Exporting the branch fails. The best I've been able to do is to copy the
key name in regedit which loses the hidden chars. It is

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System

I'm having at it with a hex editor but still having a problem just
finding the key.

Thanks again for any help.

Crouchie1998

Are you sure the key is not called Default?

I wasn't saying that this is a permissions issue, but that I would code a
program for you that forces full registry permissions on that key. You
misunderstood what I meant I think & so did the other user.

If you're getting an error 2 then the file... isn't found - correct, but I
have many applications that have been removed from my computer & I can
remove all registry keys.

Those tools you mention from that website I know because I have tried them
in the past. If you don't need my help then I will remove the flag from the
post & leave you to it.

Good luck

Crouchie1998
BA (HONS) MCP MCSE

Crouchie1998

I have taken a look at the C++ source code for the reg hide application on
the Sysinternals website & it is to do with security rights & a
null-terminating unicode string.

Crouchie1998
BA (HONS) MCP MCSE

Mark V

In said:
All I was saying to the user is that it's worth a try.
Absolutely.


If it doesn't work then at least we've tried.
Absolutely.


If it was on my computer then I would have knocked up a small
application to try it anyway. I wouldn't wait 3-4 days for
someone to come up with an alternative answer.

Only sharing some information and ideas.

Mark V

Thanks to both of you for replying.

Yes, I don't think it is a permissions issue and yes, I think it
is specifically designed to be unreadable. I found it using
Sysinternals' rootkitrevealer. When I asked the author he
replied that he has had a number of reports of this particular
incident.

The application that probably installed the key has been removed
from this box long ago. I do remember that getting rid of the
rest of it took some work, so they apparently have little respect
for their customers' property.

Exporting the branch fails. The best I've been able to do is to
copy the key name in regedit which loses the hidden chars. It is

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System

I'm having at it with a hex editor but still having a problem
just finding the key.

That sounds familiar.

(excerpts from another server/group):
==========================================
Have either/both of you used software from O&O?
It may be that the trial version of some of their software creates
that key with an embedded nul character as part of the trial
license...

Based only on:
http://groups-beta.google.com/group/microsoft.public.platformsdk.base/browse_thread/thread/8c07688122c95cfb/9caec8f093286455?q=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\system#9caec8f093286455
or
http://makeashorterlink.com/?X575114AA
=========================================

=========================================
Bingo! I installed O&O Defrag on 1/6/2003, and thanks to a Total
Uninstall log I created at that time, I see that O&O Defrag added
the
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System" key.
=========================================

=========================================
Sure enough, I followed the advice given in that newsgroup posting
(i.e. opened the SOFTWARE hive in WinHex, searched for
0700000053797374656D00, and changed the trailing "00" to "AA"), and
now I have the following two values showing under the "Systemª" key:

OODEFRAG04.00.00.01SERVER
OODEFRAG06.00.00.01WORKSTATION

....with some very long hex strings for data.

Mind you, I did this on a previously-saved SOFTWARE hive, backed
up a few days ago with ERUNT. Haven't "gone live" with it yet. :)
=========================================


The manual hive editing procedure is *hazardous*! Adequate full
registry backups are *mandatory*. Fallback or "un-do" procedures
*must* be available. Not recommended. It would be safest to just
leave such a key in place. Provided FWIW and YMMV

charles

The manual hive editing procedure is *hazardous*! Adequate full
registry backups are *mandatory*. Fallback or "un-do" procedures
*must* be available. Not recommended. It would be safest to just
leave such a key in place. Provided FWIW and YMMV

Many thanks, your ref and answer were exactly the solution. I hexedited
an ERUNT backup, restored it and it worked fine.

O&O Defrag was indeed the culprit and the offending key had escaped
logging by Inctrl5 when installed.

My remaining question would be: what is the leading 07000000 in the hex
search? Is that a global registry key delimiter? Without that info my
searches were fruitless.

(It probably would have been the most reasonable thing to do just leave
the key in place once it had been determined not malignant, but it was a
racking puzzle that needed a positive finish.) Thanks again.

Mark V

In said:
Many thanks, your ref and answer were exactly the solution. I
hexedited an ERUNT backup, restored it and it worked fine.

O&O Defrag was indeed the culprit and the offending key had
escaped logging by Inctrl5 when installed.

My remaining question would be: what is the leading 07000000 in
the hex search? Is that a global registry key delimiter? Without
that info my searches were fruitless.

Actually I do not recall. There's all kinds of data stored in
there like time and date stamps, data types, security info. ...
That's one reason the procedure is so dangerous.

(It probably would have been the most reasonable thing to do
just leave the key in place once it had been determined not
malignant, but it was a racking puzzle that needed a positive
finish.) Thanks again.

IMO it is always the safest and most prudent thing to just leave
well enough alone unless there is a specific problem that *must* be
corrected.

YW and I understand, which is why I posted. :)

Keith Miller

charles said:
My remaining question would be: what is the leading 07000000 in the hex
search? Is that a global registry key delimiter? Without that info my
searches were fruitless.

Just a guess here, but it might be a dword (0x00000007) indicating the length of the string in bytes (53 79 73 74 65 6D 00)

Keith
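As an added example (not code from anyone in this thread), here is a small Python model of the hive search and of why such a key defeats Win32 tools: it builds the length-dword-plus-name search string from Keith's reading of 07000000, shows how a NUL-terminated string view truncates the name so Win32 registry calls look for the wrong key, and applies the same 00 to AA rename the thread performed, on a constructed in-memory buffer rather than a real hive. The layout assumed (a 4-byte little-endian length directly before the name bytes) is a simplification for illustration, not a parser for the real hive format.

```python
import struct

# Constructed sample hive fragment, laid out the way the thread searched for it:
# a little-endian dword holding the name length in bytes, then the raw name bytes.
# This models only that pattern; it is not a parser for the real REGF hive format.
OO_KEY_NAME = b"System\x00"          # "System" plus the embedded NUL that hides it
SAMPLE_HIVE = (
    b"\x00" * 8
    + struct.pack("<I", 3) + b"Run" + b"\x00" * 4
    + struct.pack("<I", len(OO_KEY_NAME)) + OO_KEY_NAME
    + b"\x00" * 4 + struct.pack("<I", 6) + b"Uninst"
)


def key_pattern(name: bytes) -> bytes:
    """Length dword + name bytes; gives 0700000053797374656D00 for b'System\\x00'."""
    return struct.pack("<I", len(name)) + name


def locate_key(hive: bytes, name: bytes) -> int:
    """Offset of the name bytes inside the hive, or -1 if the pattern is absent."""
    pos = hive.find(key_pattern(name))
    return -1 if pos < 0 else pos + 4


def win32_visible_name(name: bytes) -> bytes:
    """What a NUL-terminated (Win32) string API would see of this counted name."""
    return name.split(b"\x00", 1)[0]


def has_embedded_nul(name: bytes) -> bool:
    """True when the counted-length name is longer than its NUL-terminated view:
    a Win32 tool then opens/deletes the truncated name and gets 'not found' (error 2)."""
    return len(win32_visible_name(name)) != len(name)


def patch_trailing_nul(hive: bytes, name: bytes, replacement: int = 0xAA) -> bytes:
    """Copy of the hive with the name's final NUL byte replaced (00 -> AA, as in the
    thread) so the key gets an ordinary, deletable name. Use on a backup copy only."""
    off = locate_key(hive, name)
    if off < 0 or name[-1] != 0:
        raise ValueError("key not found or name does not end in NUL")
    last = off + len(name) - 1
    return hive[:last] + bytes([replacement]) + hive[last + 1:]


if __name__ == "__main__":
    print(key_pattern(OO_KEY_NAME).hex().upper())
    print(has_embedded_nul(OO_KEY_NAME), win32_visible_name(OO_KEY_NAME))
    fixed = patch_trailing_nul(SAMPLE_HIVE, OO_KEY_NAME)
    off = locate_key(SAMPLE_HIVE, OO_KEY_NAME)
    print(fixed[off:off + len(OO_KEY_NAME)].decode("latin-1"))
```

Decoding the patched bytes as Latin-1 yields the "Systemª" name the excerpt reports, which is the visible sign that the rename took.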