Thread: Hidden entries?

  1. #1
    LoneLurker (Senior Member)
    Join Date: Nov 2005; Location: Texas, USofA; Posts: 109

    Hidden entries?

    Can RegAlyzer display any HIDDEN entries?

    Thank you again for reading my question,
    LoneLurker "LoneWanderer"; "Adults are obsolete children." (Dr. Seuss)
    Win7 Pro SP1 x64; FireFox V. current; SBS&D V. current; WinPatrol, WinPrivacy, WinAntiRansom

  2. #2
    PepiMK (Member of Team Spybot)
    Join Date: Oct 2005; Location: Planet Earth; Posts: 3,601


    Hidden exactly how?

    There are for example the typical 0x00 tricks - since 0x00 usually means the end of some text, it is sometimes used to hide stuff that follows this 0x00.
    We do not use such zero-terminated strings though when reading from the registry, and even if the display cuts off at those points, our hex view doesn't. See feature request #97, just added.

    There might be other methods to hide things, if you provide more details, I can give you more detailed answers
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)

  3. #3
    LoneLurker (Senior Member)
    Join Date: Nov 2005; Location: Texas, USofA; Posts: 109

    Re: Hidden . . .

    Quote Originally Posted by PepiMK:
        Hidden exactly how?

        There are for example the typical 0x00 tricks - since 0x00 usually means the end of some text, it is sometimes used to hide stuff that follows this 0x00.
        We do not use such zero-terminated strings though when reading from the registry, and even if the display cuts off at those points, our hex view doesn't. See feature request #97, just added.

        There might be other methods to hide things, if you provide more details, I can give you more detailed answers

    If I was smarter maybe I would or could, but with my limited knowledge that will have to suffice for now, or maybe someone else reading this thread may know enough to ask the more intelligent question to gain the better response. I am just too limited to know how to ask those smarter questions.

    Thank you for this reply and for taking the time to post to my 'post toasty',
    LoneLurker "LoneWanderer"; "Adults are obsolete children." (Dr. Seuss)
    Win7 Pro SP1 x64; FireFox V. current; SBS&D V. current; WinPatrol, WinPrivacy, WinAntiRansom

  4. #4
    Junior Member
    Join Date: Sep 2008; Posts: 5


    How about 00s in key and value names? These can only be handled by using the low-level Nt... functions. See the Sysinternals article about RegDelNull for more information.
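The two posts above describe the same mechanism from two sides: a 0x00 inside a registry name or a REG_SZ value ends the string for any reader that treats buffers as NUL-terminated (the Win32 Reg* path), while the native Nt* functions hand back counted UTF-16 buffers (UNICODE_STRING-style: a byte length plus the raw bytes) in which the bytes after the NUL are still present, and a hex view shows them either way. The following is an added example, not RegAlyzer, Spybot or Sysinternals code; it does not call the Windows API at all but models the counted buffers the native API returns with constructed sample records, and shows the defender-side check a registry auditing tool can apply: compare the counted read with the NUL-terminated read and flag every name or value where they differ.

```python
# Added example (not RegAlyzer/Spybot code): how an embedded 0x00 hides the
# tail of a registry key name or REG_SZ value from NUL-terminated readers, and
# how a counted (UNICODE_STRING-style) read or a hex view still shows it.

from typing import List, Tuple


def counted(name: str) -> Tuple[int, bytes]:
    """Build a UNICODE_STRING-like record: (Length in bytes, UTF-16LE buffer)."""
    raw = name.encode("utf-16-le")
    return len(raw), raw


# Constructed sample records standing in for what NtEnumerateKey /
# NtEnumerateValueKey would return; none of these come from a real system.
SAMPLE_KEY_NAMES: List[Tuple[int, bytes]] = [
    counted("Run"),                 # ordinary key name
    counted("Run\x00Hidden"),       # embedded NUL: Win32 readers see only "Run"
    counted("Uninstall"),
]
SAMPLE_VALUE_DATA: List[Tuple[int, bytes]] = [
    counted("C:\\Program Files\\app\\app.exe"),
    counted("C:\\Program Files\\app\\app.exe\x00 /extra"),  # data hidden after NUL
]


def read_as_c_string(length: int, raw: bytes) -> str:
    """Win32-style read: stop at the first 0x0000 code unit, as a C string would."""
    text = raw[:length].decode("utf-16-le")
    nul = text.find("\x00")
    return text if nul < 0 else text[:nul]


def read_counted(length: int, raw: bytes) -> str:
    """Native-style read: honour the byte count, so embedded NULs are kept."""
    return raw[:length].decode("utf-16-le")


def find_embedded_nuls(records: List[Tuple[int, bytes]]) -> List[str]:
    """Detection: return every name/value whose counted read differs from its C-string read."""
    return [
        read_counted(n, b)
        for n, b in records
        if read_counted(n, b) != read_as_c_string(n, b)
    ]


def hex_view(raw: bytes, width: int = 16) -> str:
    """Classic offset / hex / ASCII dump, the view in which the 00 bytes are visible."""
    lines = []
    for off in range(0, len(raw), width):
        chunk = raw[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3}} {ascii_part}")
    return "\n".join(lines)


def printable(name: str) -> str:
    """Make the embedded NUL visible when printing a flagged name."""
    return name.replace("\x00", "\\x00")


if __name__ == "__main__":
    for length, raw in SAMPLE_KEY_NAMES:
        print(f"C-string read: {read_as_c_string(length, raw)!r:14}"
              f" counted read: {printable(read_counted(length, raw))!r}")
    for hidden in find_embedded_nuls(SAMPLE_KEY_NAMES + SAMPLE_VALUE_DATA):
        print("\nembedded NUL found in:", printable(hidden))
        print(hex_view(hidden.encode("utf-16-le")))
```

The check is deliberately independent of how the record was obtained: any tool that already has the counted length (the Nt* path, an offline hive parser, or RegAlyzer's own reader, which the thread says does not use zero-terminated strings) can run `find_embedded_nuls` over its results and list the entries that a plain Regedit view would truncate.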

  5. #5
    PepiMK (Member of Team Spybot)
    Join Date: Oct 2005; Location: Planet Earth; Posts: 3,601


    Rootkit-hidden key/value detection

    A lot of it is already done; the code to handle these already existed anyway from registry handling in Spybot. NT mode browsing is also already possible through our Total Commander plugins.
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)

  6. #6
    Junior Member
    Join Date: Sep 2008; Posts: 5


    Good to read that. A full-blown Registry-Editor with the ability to handle names with embedded nulls, that would really be something.
