Can registry entries be hidden?

Big Al

I scanned my machine with a spyware program and it's showing a few keys
in the registry that don't show in regedit.
Worse yet, it's a valid program, Newsbin Pro. And even odder, the
errors are like:
HKLM\Software\Microsoft\Windows\CurrentVersion\uninstall\newsbin5\"helplink"="http://help.newsbin.com"


Again, the entry is not in the system.
I even searched for 'newsbin5' and found only 3, and they are the typical
entries I would expect.
 
Mark L. Ferguson

I would search for *.REG files. This is probably a relic of the setup for
newsbin
 
Daave

Big Al said:
I scanned my machine with a spyware program and it's showing a few keys
in the registry that don't show in regedit.

What is the name of the [anti-]spyware program?
 
Big Al

Daave said:
Big Al said:
I scanned my machine with a spyware program and it's showing a few keys
in the registry that don't show in regedit.

What is the name of the [anti-]spyware program?
Stopzilla. I ran it and then saw the report. Other than 2 obvious
issues I was aware of and dealt with manually, there were these 11 registry
entries. I got rid of the program.
 
Bill in Co.

I'd like to know just how that is possible (that they are there and hidden
in regedit). (unless some sneaky coder has managed to find a way to
actually do that!). What was the upshot of all this? WERE those entries
really there or was Stopzilla (or whatever it was) lying?
 
Big Al

Bill said:
I'd like to know just how that is possible (that they are there and hidden
in regedit). (unless some sneaky coder has managed to find a way to
actually do that!). What was the upshot of all this? WERE those entries
really there or was Stopzilla (or whatever it was) lying?

I don't have any final answer. The only thing I could find wrong was
that newsbin is on my D: Drive, and when I reloaded 4/29 for SP3 I only
formatted C: and left D: alone. Newsbin does not need an install. So
when XP was reloaded I just ran newsbin. So technically there is no
INSTALL entry in the registry. Note that the key above is UNinstall.
It sounds a bit backwards, but since I never installed it, there were
no installation entries that point to the uninstall program.
I had a friend export his newsbin install entry and I changed the paths
and loaded it into my system. I now have an uninstall entry in the
control panel.

I'm not sure if this threw stopzilla or not.

Tuneup Utilities 2008 seems to like the registry.

I even exported the entire registry then searched it with my text
editor. And still could not find it.

I'm leaving it as a mystery and other than sending an email to stopzilla
support, I'm not going much further with it.

I did search for .reg files as someone suggested.
 
Big Al

VanguardLH said:
Doesn't look like a valid key name. More likely it should've been:

key: HKLM\Software\Microsoft\Windows\CurrentVersion\uninstall\newsbin5
data item name: helplink
data item value: http://help.newsbin.com
And that would be what I expected it to be.
You mentioned the ANTI-spyware program (since presumably you really
aren't trying to use a spyware program) is StopZilla. Get something
better. Read:

http://www.adwarereport.com/mt/archives/000119.html

Notice the user ratings/reviews at download.com (only 2 out of 5 stars)
and http://fileforum.betanews.com/detail/STOPzilla/1146601166/1 (1.5 out
of 5 stars).

Some complaints about its poor uninstall. Read
http://sunbeltblog.blogspot.com/2007/12/and-yet-another-security-vendor.html.
So after uninstalling StopZilla, see if there is a separate entry for
the Ask Toolbar (if you got suckered into installing it). Read the
reviews at betanews.com to see how one user did the cleanup after the
uninstall.

Another feature of StopZilla is its popup blocking. You could go to
www.popuptest.com to see how well it actually fares. My popup blocker
(PopUpCop) passed all tests. Google's Toolbar popup blocker missed a
couple but was still a lot better than the several tests failed by IE7's
popup blocker. You could see just how well StopZilla fares in its popup
blocking by actually testing it.

StopZilla is bundleware. Don't expect stellar performance from any
individual component of bundleware. Anti-spyware products are known for
having low coverage, which is why you need to use a layered approach. Use
several well-known products. Don't have them all running their services
or background processes, but just use them as on-demand scanners.

Thanks for the info, I'll be reading for the next 8 hours. :)
A friend has a virus/malware/spyware and something pointed him to
stopzilla to clean the particular problem he had. Seems one of the only
programs that fix it. I don't have details, but I thought I'd run it
to see how my pc fared. I don't generally use a spyware program other than
Windows Defender. I did catch all the bundleware and that bothers me
too. If I want yahoo toolbar, I'll go to yahoo and see if they have it
on their web site!!!
 
John John (MVP)

They can be hidden if they contain null characters or if the key name is
longer than 255 or 232 characters, depending on the Windows version that
you are using. The keys are hidden from registry tools like Regedit, but
other registry tools can "see" these keys. The registry API can create
and see the values; it's just that Regedit can't see them, while tools like
Autoruns, and others, can see them.

John
 
Bill in Co.

Now that is interesting. I'm curious why regedit wouldn't have been
designed to take that into account and be able to see them. (Maybe it
was just simpler not to, in its design as such a limited "editor".)
 
John John (MVP)

Microsoft has always informed programmers of the 255 character key name
size limit ( http://msdn.microsoft.com/en-us/library/ms724872.aspx ).
Nonetheless the Registry API is capable of breaking that limit, perhaps
the 255 character limit is mentioned because of the Registry tools, but
I don't know that for sure. I'm not a programmer so I don't know the
nitty gritty details of the API in question. Clearly, as discussed
here: http://forums.mozillazine.org/viewtopic.php?t=310577 and here:
http://isc.sans.org/diary.html?date=2005-08-25 that limit is not
unbreakable. Microsoft may have made changes since the publication of
the information in those pages but I don't know more than that about it.

As for the registry null character issue, it is one that has long been
known; it creates invisible or undeletable registry entries.
http://search.yahoo.com/search?ei=UTF-8&fr=yfp-t-501&cop=mss&p=registry+"null+characters"&x=0&y=0

Mark Russinovich talks of these Hidden Registry Keys here:
http://technet.microsoft.com/en-us/sysinternals/bb897446.aspx#EZB

He has written a tool to delete these entries:
RegDelNull v1.1
http://technet.microsoft.com/en-us/sysinternals/bb897448.aspx

John
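An added example (Python, written for this page; it is not code from the thread, from Microsoft or from Sysinternals) that models the mechanism John describes in his two posts above: the native registry API holds key names as counted UTF-16LE strings, so an embedded NUL is an ordinary character, while a NUL-terminated consumer such as Regedit stops reading at the first 0x0000 and then cannot open the truncated name, and names over the documented 255-character limit are skipped outright. The "subkeys", the `UnicodeString` class and the 255/300-character figures are constructed sample data and assumptions of this model, not a real registry or the real API structures.

```python
from dataclasses import dataclass

REGEDIT_MAX_NAME = 255  # documented key-name limit in characters (the MSDN link above)

@dataclass
class UnicodeString:
    """Counted string as the native API holds it: UTF-16LE bytes plus an explicit byte
    length, so an embedded 0x0000 code unit is an ordinary character, not a terminator."""
    buffer: bytes
    length: int
    def full_name(self) -> str:
        return self.buffer[: self.length].decode("utf-16-le")

    def cstring_name(self) -> str:
        """What a NUL-terminated consumer reads: it stops at the first 0x0000 unit."""
        kept = b""
        for i in range(0, self.length, 2):
            if self.buffer[i : i + 2] == b"\x00\x00":
                break
            kept += self.buffer[i : i + 2]
        return kept.decode("utf-16-le")

def ustr(s: str) -> UnicodeString:
    raw = s.encode("utf-16-le")
    return UnicodeString(raw, len(raw))

# Constructed subkeys of one parent key (sample data, not a real registry):
# an ordinary name, one with an embedded NUL, and one of 300 characters.
SAMPLE_SUBKEYS = [ustr("Normal"), ustr("Hidden\x00Run"), ustr("K" * (REGEDIT_MAX_NAME + 45))]

def regedit_view(subkeys):
    """Models Regedit: over-long names are skipped; a NUL name shows truncated, then fails to open."""
    rows = []
    for u in subkeys:
        if len(u.full_name()) > REGEDIT_MAX_NAME:
            continue
        shown = u.cstring_name()
        # A native open compares the whole counted name, so the truncated name matches nothing.
        rows.append((shown, any(x.full_name() == shown for x in subkeys)))
    return rows

def find_hidden_keys(subkeys):
    """Detection over the counted-string view: flag names Regedit would hide or truncate."""
    findings = []
    for full in (u.full_name() for u in subkeys):
        if "\x00" in full:
            findings.append((full.replace("\x00", "<NUL>"), "embedded NUL"))
        elif len(full) > REGEDIT_MAX_NAME:
            findings.append((full[:12] + "...", f"{len(full)} chars, exceeds {REGEDIT_MAX_NAME}"))
    return findings
```

Running `find_hidden_keys` over the sample flags the NUL key and the 300-character key, while `regedit_view` lists only "Normal" and a "Hidden" entry that cannot be opened, which is the behaviour the thread describes.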
 
Bill in Co.

Interesting! Thanks for the info, John.
 
Big Al

John said:
Microsoft has always informed programmers of the 255 character key name
size limit ( http://msdn.microsoft.com/en-us/library/ms724872.aspx ).
Nonetheless the Registry API is capable of breaking that limit, perhaps
the 255 character limit is mentioned because of the Registry tools, but
I don't know that for sure. I'm not a programmer so I don't know the
nitty gritty details of the API in question. Clearly, as discussed
here: http://forums.mozillazine.org/viewtopic.php?t=310577 and here:
http://isc.sans.org/diary.html?date=2005-08-25 that limit is not
unbreakable. Microsoft may have made changes since the publication of
the information in those pages but I don't know more than that about it.

As for the registry null character issue, it is one that has long been
known; it creates invisible or undeletable registry entries.
http://search.yahoo.com/search?ei=UTF-8&fr=yfp-t-501&cop=mss&p=registry+"null+characters"&x=0&y=0

Mark Russinovich talks of these Hidden Registry Keys here:
http://technet.microsoft.com/en-us/sysinternals/bb897446.aspx#EZB

He has written a tool to delete these entries:
RegDelNull v1.1
http://technet.microsoft.com/en-us/sysinternals/bb897448.aspx

John
And oddly enough, after loading the install entry in the registry so the
uninstall shows in add/remove programs now, this uninstall item shows up
in the registry now too. I've been looking at your links, John, and when
I try to validate the error I originally had, it's gone.
Now granted, the "helplink" is nothing but the name of a field in Newsbin5.
And the data is of course the hyperlink. Both without quotes. I
guess it was just the way stopzilla displayed the keys and data.

Life's mystery #40938423
Interesting reading and learning however. Thanks too for your input.
 