From: B. R. 'BeAr' Ederson on 10 Apr 2010 06:27

On Thu, 08 Apr 2010 17:09:48 +0000, charles wrote:

>> I want to be able to see hidden (and if necessary, delete) entries in
>> the Registry. These entries can be:
>>
>> 1. anything over 256 characters in length
>> 2. anything with a "/0" (a "null" character) in its name.
>
> 1 - Nirsoft's regscanner.exe has an option to display data with a length
> range in bytes.

The length restriction which results in hidden keys is not connected to the *data*, but to the length of the *name* of a key or a value. /Key/ names of exactly 255 characters and /Value/ names of 256 to 259 characters pose problems to MS Regedit and some other registry tools.

The Nirsoft RegScanner /can/ filter and display such keys and values, though. But not in the way you suggested. You need to use an appropriate find string and search for "Matching: Registry item contains the specified RegEx". Unfortunately, RegScanner does not support the "number of occurrences" RegEx expression (numbers in curly brackets). Therefore, you need to copy 255 dots into the find string field. (Create them with a text editor showing the number of characters in a line.) Tick only the "Look at: Values, Keys" search parameters. I checked this in a Win2k setup and it worked appropriately.

Please note: Although unlikely, you may find valid /value/ names of 255 characters. To /only/ find hidden entries, search first with 255 dots for key names and afterwards with 256 dots for value names. (Don't use "exact RegEx matching" in the second case or in the general search above, to also find strings longer than 256 or 255 characters.)

> 2 - Sysinternal's RegDelNull.exe program deletes registry keys per your
> above spec.

RegDelNull does not handle long name cases, just /string data values/ containing a 0x00 byte. RegDelNull is probably the best method to deal with such entries. Because of its malware-like character, trustworthy software developers should not use null-byte embedding.
Btw.: Nirsoft RegScanner will /not/ show such values.

Dealing with overlong hidden entries is, IMHO, a matter of taste. One can search and delete them with RegScanner. But this covers only a small spectrum of possible hidden information inside the registry. Most such information will be "hidden in plain view": Somewhere in an arbitrary key inside a registry branch continuously accessed by the system, with encryption (or otherwise encoded),...

There is one case of hidden entries, which /has/ to be dealt with: Any kind of autostart. For these entries, SysInternals Autoruns is one of the best tools available. (It /does/ show hidden entries.)

BeAr
-- 
===========================================================================
= What do you mean with: "Perfection is always an illusion"?              =
===============================================================--(Oops!)===
From: John Corliss on 10 Apr 2010 10:56

Craig wrote:
> Brian wrote:
>> John
>>
>> I've been following this thread with interest, from the cheap
>> seats. :) I remembered something from the Code Project and had a
>> search:
>> Registry Manipulation Using NT Native APIs -
>> http://www.codeproject.com/KB/system/NtRegistry.aspx
>> There are some compiled "demo" programs there, including a working
>> Native Registry Editor (NtRegEdit) which might be of use to you.
>> There is a "value from/to" option in the search function, but I've yet
>> to delve further. Seems to work fine on XP Pro.
>
> Hey Brian;
>
> I'll bet John has your ggroups address white-listed but posting this
> just to make sure.

Since I upgraded to TB3, I got rid of News Proxy and now I don't have any Google Groupers whitelisted, so thanks for posting that. Good info and I thank Brian for posting it. I downloaded the program and will check it out.

-- 
John Corliss BS206. I block all Google Groups posts due to Googlespam, and as many posts from anonymous remailers (like x-privat.org for eg.) as possible due to forgeries posted through them. No ad, CD, commercial, cripple, demo, nag, share, spy, time-limited, trial or web wares OR warez for me, please. Adobe Flash sucks, DivX rules.
From: John Corliss on 10 Apr 2010 10:58

B. R. 'BeAr' Ederson wrote:
>
> (big snip)
> Dealing with overlong hidden entries is, IMHO, a matter of taste. One
> can search and delete them with RegScanner. But this covers only a
> small spectrum of possible hidden information inside the registry.
> Most such information will be "hidden in plain view": Somewhere in an
> arbitrary key inside a registry branch continuously accessed by the
> system, with encryption (or otherwise encoded),...
>
> There is one case of hidden entries, which /has/ to be dealt with: Any
> kind of autostart. For these entries, SysInternals Autoruns is one of
> the best tools available. (It /does/ show hidden entries.)

These two paragraphs pretty much cover it. Thanks, BeAr. Guess it's just time for me to do a format and reinstall. I was hoping to avoid it, but it's time to bite the bullet...

-- 
John Corliss BS206. I block all Google Groups posts due to Googlespam, and as many posts from anonymous remailers (like x-privat.org for eg.) as possible due to forgeries posted through them. No ad, CD, commercial, cripple, demo, nag, share, spy, time-limited, trial or web wares OR warez for me, please. Adobe Flash sucks, DivX rules.
From: B. R. 'BeAr' Ederson on 10 Apr 2010 12:40

On Sat, 10 Apr 2010 07:58:54 -0700, John Corliss wrote:
> B. R. 'BeAr' Ederson wrote:
>> (big snip) [2 paragraphs left]
> These two paragraphs pretty much cover it.

I shouldn't have made them the last two, then. Eh? ;-)

> Thanks, BeAr.

You're welcome.

> Guess it's just time for me to do a format and reinstall. I was hoping to
> avoid it, but it's time to bite the bullet...

Operating systems are too complex, nowadays, to manually check for vague symptoms. When there are reasons to mistrust a setup, it is better to do a clean re-install and just copy the data... :-(

You doubtlessly knew this, already. It is just hard to acknowledge the unavoidable. ;-)

BeAr
-- 
===========================================================================
= What do you mean with: "Perfection is always an illusion"?              =
===============================================================--(Oops!)===
From: B. R. 'BeAr' Ederson on 10 Apr 2010 12:47
On Sat, 10 Apr 2010 07:56:29 -0700, John Corliss wrote:

[Native Registry Editor (NtRegEdit)]
> I thank Brian for posting it. I downloaded the program and will check
> it out.

It shows long key and value names as well as string values containing 0x00 bytes. Please note that its function to search for hidden entries only lists the 0x00 byte ones, though. The long entries are generally valid (not showing them is just an implementation flaw); therefore they are not listed as hidden.

BeAr
-- 
===========================================================================
= What do you mean with: "Perfection is always an illusion"?              =
===============================================================--(Oops!)===
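As an added example that is not part of the thread and is not code from NirSoft, Sysinternals or the Code Project NtRegEdit discussed above, the following Python applies the conditions from BeAr's first post (key names of exactly 255 characters, value names of 256 to 259 characters) together with the embedded-0x00 case this last post covers, and shows why a NUL-terminated (Win32-style) view of a name hides the latter. It assumes the entries have already been enumerated with a tool that reads counted names; the entries below are constructed, the `Entry` type and all function names are this example's own, and the length thresholds are taken from the thread as stated, not from Microsoft documentation. It also emulates the RegScanner "run of dots" workaround so the 255/256-dot searches from the first post can be checked against sample names.

```python
# Added example (not from the thread): classify registry key/value names that
# the thread reports as "hidden" from Regedit and similar Win32-based tools.
# Thresholds are those stated in BeAr's post; all sample data is constructed.
import re
from dataclasses import dataclass
from typing import List, Tuple

# Limits as reported in the thread (assumption: not taken from Microsoft docs).
HIDDEN_KEY_NAME_LEN = 255        # /Key/ names of exactly 255 characters
HIDDEN_VALUE_NAME_MIN = 256      # /Value/ names of 256..259 characters
HIDDEN_VALUE_NAME_MAX = 259


@dataclass(frozen=True)
class Entry:
    kind: str    # "key" or "value"
    parent: str  # path of the containing key (constructed sample paths below)
    name: str    # raw name as a counted string; may contain "\x00"


def win32_view(name: str) -> str:
    """What a NUL-terminated string API shows for this name.

    The native NT API stores names as counted UNICODE_STRINGs, so a name can
    contain 0x00; anything that treats it as a C string stops at that byte.
    """
    return name.split("\x00", 1)[0]


def hidden_reasons(entry: Entry) -> List[str]:
    """Return every reason an entry would be hidden from Regedit-style tools."""
    reasons: List[str] = []
    if "\x00" in entry.name:
        reasons.append("embedded NUL (shown truncated as %r)" % win32_view(entry.name))
    n = len(entry.name)
    if entry.kind == "key" and n == HIDDEN_KEY_NAME_LEN:
        reasons.append("key name length %d" % n)
    elif entry.kind == "value" and HIDDEN_VALUE_NAME_MIN <= n <= HIDDEN_VALUE_NAME_MAX:
        reasons.append("value name length %d" % n)
    return reasons


def scan(entries) -> List[Tuple[Entry, List[str]]]:
    """Keep only the entries that have at least one hidden-reason."""
    flagged = []
    for e in entries:
        reasons = hidden_reasons(e)
        if reasons:
            flagged.append((e, reasons))
    return flagged


def regscanner_find_string(length: int) -> str:
    """RegScanner lacks {n} quantifiers, so the thread's workaround is a run of
    `length` dots typed into the find string field."""
    return "." * length


def regscanner_pattern_matches(length: int, name: str) -> bool:
    """Emulate the non-exact RegEx search: a run of dots matches any name of at
    least `length` characters, so longer names are found too (re.search)."""
    return re.search(regscanner_find_string(length), name) is not None


# Constructed sample inventory, as if dumped by a native-API enumerator.
SAMPLE_ENTRIES = [
    Entry("key", r"HKLM\SOFTWARE\Example", "K" * 255),            # hidden
    Entry("key", r"HKLM\SOFTWARE\Example", "K" * 254),            # fine
    Entry("value", r"HKCU\Software\Example", "V" * 256),          # hidden
    Entry("value", r"HKCU\Software\Example", "V" * 255),          # unusual but valid
    Entry("value", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
          "Updater\x00svc"),                                      # hidden autostart
    Entry("value", r"HKCU\Software\Example", "Ordinary"),         # fine
]


def main() -> None:
    for entry, reasons in scan(SAMPLE_ENTRIES):
        print("%s %s\\%s: %s" % (entry.kind, entry.parent,
                                win32_view(entry.name)[:40], "; ".join(reasons)))


if __name__ == "__main__":
    main()
```

Python's own `winreg` module addresses keys and values by NUL-terminated name through the Win32 registry functions, so it cannot open or delete a name containing 0x00; the inventory fed to `scan()` has to come from something that reads counted names, which is exactly what the native-API editor above is for. The `regscanner_pattern_matches()` check reproduces the caveat from the first post: a 255-dot search with exact matching off also reports every longer name, so a valid 255-character value name will show up alongside the hidden ones.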