Nasty regedit bug



This is unusual, but it sounds like there is a bug in regedit (and regedit32) which prevents the displaying of unusually long registry keys. Now, that sounds innocent enough, it also prevents the viewing of keys entered under them. Again, ok not a crisis. Imagine if you had an extremely long registry key entered in the ….software/microsoft/windows/currentversion/run area? Annoying maybe? Ok, what if it were put there by malware? Oooooooh… that would be bad….



The handlers diary at Incidents.org is detailing this bug which has been reported by Secunia. Essentially the extremely long key can be added, just not viewed with regedit/regedit32. It sounds as though the command line, reg program can display it…

(BTW as of this writing the Secunia site seems down. 8/24 9:17PM EDT)

C:\>reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run

the above for instance would display it, but a browse in regedit wouldn’t. Also note that items in the extremely long entry would run just as well. The Sans Institute also mentions another program that will find the “invisible” entries Sysinternals Autoruns.

They further point out how much fun removing one of these entries might be…

Once you’ve found them, getting rid of the offending registry entries isn’t too easy, either. What worked for us during the tests was again “Autoruns” from Sysinternals, presumed you use the current (8.13) version. Older versions seem to occasionally choke on the long keys. Another approach one of the handlers used successfully was to do a “reg export” on the command line of the entire “Run” key. Then he manually deleted the entire “Run” key from the registry, edited the exported file to remove the offending keys, and re-imported the reg file, thus recreating the “Run” key.

Of course, the usual disclaimer applies when you are monkey-wrenching the registry. You have been warned.

They are also soliciting information on any other registry editors/programs that can see these extremely long entries and or remove them. Most of the more familiar tools don’t see them there….

Update 20:21 UTC: Spybot S&D, AdAware and MS AntiSpyware Beta don’t seem to find anything offending with the long key. “Show Autostarts” of MS AntiSpyware Beta does not list the hidden keys. Spybot S&D TeaTimer will intercept the registry key from being added.

That would be REAL bad….

   Send article as PDF   

Similar Posts