Wednesday, August 24, 2005

Nasty Games of Hide and Seek in the Registry

"What started like a nice and quiet day ended with the potential for lots of nasty surprises. A reader alerted us to a vulnerability note published by Secunia that on first sight did not appear to be overly scary. Once we started to play with it, though, the nastiness became apparent: An overly long registry entry can be added, but won't be shown by regedit and regedt32. Even better, all registry entries that get added afterward under the same key, even if not overly long, will be hidden as well.

[Pause, to give your wheels some time to spin]

Yes. This allows adding hidden entries under the famous HKLM\Software\MS\Windows\CV\Run. Entries that you can't see with regedit, but that will just as faithfully get run at startup."
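A detection check for the behaviour quoted above, added here as an example (it is not code from the ISC diary or from this post): it enumerates the autorun keys straight through the registry API rather than through regedit, and, following the description that the first overly long value name and everything after it are hidden, reports which values regedit would not show. The 255-character threshold, the key list, and the assumption that enumeration order matches the order the diary describes are mine.

```python
import sys

# Autorun locations to check; a constructed, non-exhaustive list (assumption).
RUN_KEYS = [
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]
# Assumed threshold: names of this length or longer count as "overly long".
NAME_LIMIT = 255

def split_visible_hidden(names, limit=NAME_LIMIT):
    """Split names (enumeration order) into what regedit shows vs. hides.
    As described above, the first overly long name and everything enumerated
    after it are hidden, regardless of the later names' length."""
    for i, name in enumerate(names):
        if len(name) >= limit:
            return list(names[:i]), list(names[i:])
    return list(names), []

def enumerate_value_names(hive, subkey):
    """Read value names directly from the registry API (Windows only)."""
    import winreg  # imported lazily so the classifier above runs anywhere
    root = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}[hive]
    with winreg.OpenKey(root, subkey) as key:
        value_count = winreg.QueryInfoKey(key)[1]
        return [winreg.EnumValue(key, i)[0] for i in range(value_count)]

def scan_run_keys(keys=RUN_KEYS):
    """Return (key path, visible names, hidden names) for keys with hidden values."""
    findings = []
    for hive, subkey in keys:
        try:
            names = enumerate_value_names(hive, subkey)
        except OSError:  # key absent or access denied
            continue
        visible, hidden = split_visible_hidden(names)
        if hidden:
            findings.append((hive + "\\" + subkey, visible, hidden))
    return findings

if __name__ == "__main__":
    if not sys.platform.startswith("win"):
        sys.exit("The registry scan itself needs Windows.")
    for path, visible, hidden in scan_run_keys():
        print(f"[!] {path}: regedit shows {len(visible)} value(s) but hides {len(hidden)}")
        for name in hidden:
            print(f"    hidden value name ({len(name)} chars): {name[:40]!r}")
```

Any value reported as hidden is worth inspecting with a tool that reads the registry API directly, since its data will still be executed at logon even though regedit never lists it.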

Oh I love the Registry.

Introduced, I think, as early as Windows 95, it had very limited uses, as many programs continued to use the well known, easy to use and understand, and most importantly localized ".ini" files. This old system allowed you to uninstall Windows software by simply deleting the folder it was in! While not perfect, the ".ini" system solves many problems that the far more complicated Registry creates. All the hype over how wonderful the Registry was is what first made me suspicious that there was a screw loose in the Microsoft architecture department (not that they actually have such a thing).
