Update on Long registry entries bug



Incidents.org has an update on yesterday's story of very long registry entries not being visible in most registry tools (regedit among others). They have an updated list of which tools do and do not read these long keys. They've alluded to nasties in the wild that are already taking advantage of this, and have confirmed that the length is greater than 254 characters. One handler has written a program to scan the registry for these stealth entries.


The list of programs that detect the abnormally long invisible registry entries…

AppSense Environment Manager
HiJackThis v1.99.1 (SCAN function)
HiJackThis v1.99.2
Stillsecure SafeAccess
Sysinternals Autoruns (mixed reports)
Regedt32 (Win2k)

The programs that are not able to see them, or that behave unexpectedly when these sorts of entries are present in the registry…

AdAware
Autoruns 8.13
MS AntiSpyware Beta
HijackThis v1.97.0.7
HiJackThis v1.99.0
HiJackThis v1.99.1* (Generate StartupListLog)
Msconfig (WinXP)
Norton SystemWorks 2003 Pro
RegAlyzer 1.1
RegEdit
reg.exe (under some circumstances)
Registry Explorer 3.0.0.276
Spybot S&D
WinDoctor v. 7.00.22

There is a further list of programs which cannot see the entry once set, but might detect or prevent the setting of an abnormally long registry key (or one of any size)…

Spybot S&D TeaTimer

They also have a list of tools or tips…

Cygwin regtool
(example: regtool list /HKLM/Software/Microsoft/Windows/CurrentVersion/Run)
Cygwin ls
(example: ls -l /proc/registry/HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run)
Perl’s Win32::TieRegistry
regdel
System Information tool (winmsd.exe)
export registry, make your edits and then re-import

Near the bottom of their writeup is a link to Tom Liston’s registry scanning utility which will search for keys longer than 254 characters.
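A minimal scanner for the same condition, as an added example (not Tom Liston's utility and not code from Incidents.org): it walks a registry subtree with Python's standard winreg module and reports any key or value name longer than 254 characters. Checking key names as well as value names goes slightly beyond the write-up's wording, the Run key is used only because it is the path in the examples above, and the SAMPLE entries are constructed.

```python
import sys

LIMIT = 254  # length threshold reported in the write-up
RUN = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample entries: (key path, kind, name)
SAMPLE = [
    (RUN, "value", "ctfmon"),
    (RUN, "value", "A" * 254),  # exactly at the threshold: not flagged
    (RUN, "value", "B" * 255),  # over the threshold: flagged
]


def find_long_names(entries, limit=LIMIT):
    """Return (key path, kind, length) for every name longer than limit."""
    return [(p, kind, len(name)) for p, kind, name in entries if len(name) > limit]


def walk_registry(root, path):
    """Yield (key path, kind, name) for all values and subkeys under root\\path."""
    import winreg  # standard library, Windows only
    try:
        key = winreg.OpenKey(root, path, 0, winreg.KEY_READ)
    except OSError:  # missing key or access denied
        return
    subkeys = []
    with key:
        n_subkeys, n_values, _ = winreg.QueryInfoKey(key)
        for i in range(n_values):
            try:
                yield path, "value", winreg.EnumValue(key, i)[0]
            except OSError:
                continue
        for i in range(n_subkeys):
            try:
                subkeys.append(winreg.EnumKey(key, i))
            except OSError:
                continue
    for sub in subkeys:
        yield path, "key", sub
        yield from walk_registry(root, path + "\\" + sub)


if __name__ == "__main__":
    if sys.platform == "win32":
        import winreg
        for root in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
            for hit in find_long_names(walk_registry(root, RUN)):
                print("long %s name (%d chars) under %s" % (hit[1], hit[2], hit[0]))
    else:
        print(find_long_names(SAMPLE))
```

On Windows the script scans the Run key in HKLM and HKCU; on other platforms it only runs the filter over the constructed sample.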
