Hiding in the Windows Registry 18 years, 8 months ago by Martey Dodoo

From the SANS Internet Storm Center diary comes news of a vulnerability in the Windows Registry. In modern versions of Windows, the Registry stores data and configuration values for the system and various applications. This includes which applications are allowed to run when the system starts up, or certain users logon. These lists of applications are stored in locations that are collectively called the "Run keys."^[1]

The vulnerability found by Secunia involves the way that strings are handled in the Registry. If a strings with a very long name is created in the Registry, it will appear to be hidden. Even worse, any other strings created in the same "key" will also be hidden in the same fashion. While the Secunia advisory only concerns itself with the Windows Registry Editor, the good folk at SANS tested the problem with some of the most popular anti-spyware software utilities. What they found was not encouraging:

Spybot S&D, AdAware and MS AntiSpyware Beta don't seem to find anything offending with the long key. "Show Autostarts" of MS AntiSpyware Beta does not list the hidden keys.

On the positive side, the command line version of the Windows Registry Editor, reg, and Sysinternals' Autoruns utility had no problems detecting the hidden strings.

Since it is likely that malicious applications of all stripes will soon incorporate this vulnerability in order to make themselves even more undetectable, it would be good if Microsoft would release a security patch for regedit to fix this problem. While regedit was formerly my program of choice to use when editing the Windows Registry, I will have to switch to Autoruns until this issue is fixed.

^[1]They can be found at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, respectively.