Update on Long registry entries bug

Incidents.org has an update on yesterdays story of very long registry entries not being visible in most registry tools (regedit among others.) They have an updated list of what does and does not read these long keys. They’ve alluded to nasties in the wild that are already taking advantage of this and have confirmed that the length is greater than 254 characters. On handler has written a program to scan the registry for these stealth entries

The list of programs that detect the abnormally long invisible registry entries…

AppSense Environment Manager
HiJackThis v1.99.1 (SCAN function)
HiJackThis v1.99.2
Stillsecure SafeAccess
Sysinternals Autoruns (mixed reports)
Regedt32 (Win2k)

the programs that are not able to see them, or behave unexpectedly when these sort of entries are present in the registry…

Autoruns 8.13
MS AntiSpyware Beta
HijackThis v1.97.0.7
HiJackThis v1.99.0
HiJackThis v1.99.1* (Generate StartupListLog)
Msconfig (WinXP)
Norton SystemWorks 2003 Pro
RegAlyzer 1.1
reg.exe (under some circumstances)
Registry Explorer
Spybot S&D
WinDoctor v. 7.00.22

There is a further list of programs which cannot see the entry once set, but might detect or prevent the setting of an abnormally long registry key (or one of any size)…

Spybot S&D TeaTimer

They also have a list of tools or tips….

Cygwin regtool
(example: regtool list /HKLM/Software/Microsoft/Windows/CurrentVersion/Run)
Cygwin ls
(example: ls -l /proc/registry/HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run)
Perl’s Win32::TieRegistry
System Information tool (winmsd.exe)
export registry, make your edits and then re-import

Near the bottom of their writeup is a link to Tom Liston’s registry scanning utility which will search for keys longer than 254 characters.

   Send article as PDF   

Similar Posts