I know at least that some rootkits rely on Registry entries with strings containing the null character (ASCII/UTF8/UTF16 code-point 0), because that character ends a C-style string, so regedit won't pick up anything after the null character, even though lower-level APIs for accessing the Registry do pick up the entire string and make use of it.

One possibility is that such strings are in fact handled incorrectly by the Win32 API (the lowest-level API for which ordinary Windows programs can be programmed) but correctly by the Native API, used by the kernel, drivers, and...rootkits.