key name contains embedded nulls



Jeff
07-09-2005, 11:21 PM
Hi

I downloaded the Sysinternals utility "RootkitRevealer" and used it to scan my
system. It only found 3 items:

1. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System "Key name contains
embedded nulls".

The info on the Sysinternals website about this is

" Key name contains embedded nulls:
The Windows API treats key names as null-terminated strings whereas the
kernel treats them as counted strings. Thus, it is possible to create
Registry keys that are visible to the operating system, yet only partially
visible to Registry tools like Regedit. The Reghide sample code at
Sysinternals demonstrates this technique, which is used by both malware and
rootkits to hide Registry data. "

Do I have a problem with my
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System key?

2. and 3. in my Documents and Settings..\Local settings\Application
data\Microsoft\Windows\UsrClass.dat.LOG:Kavichs - "Hidden from Windows API"

Advice?

--

Jeff Stevens
Email address deliberately false to avoid spam
jeff@stevens.com
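
The mismatch described in the Sysinternals text quoted above, as an added example that is not part of the original thread and not RootkitRevealer's code: it reads key names stored as counted strings and reports those that a null-terminated reader would only partly see. The record layout (a 4-byte little-endian byte length followed by a UTF-16LE name), the function names and the sample names are assumptions constructed for this illustration.

```python
import struct

def parse_counted_names(blob: bytes):
    """Yield raw UTF-16LE name bytes from length-prefixed records (assumed layout)."""
    offset = 0
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack_from("<I", blob, offset)
        offset += 4
        if length % 2 or offset + length > len(blob):
            raise ValueError("odd or truncated name record")
        yield blob[offset:offset + length]
        offset += length

def counted_view(raw: bytes) -> str:
    """Counted-string reader: every code unit in the record belongs to the name."""
    return raw.decode("utf-16-le")

def null_terminated_view(raw: bytes) -> str:
    """Null-terminated reader: the name ends at the first U+0000."""
    return raw.decode("utf-16-le").split("\x00", 1)[0]

def find_embedded_nulls(blob: bytes):
    """Return one finding per name whose two views disagree."""
    findings = []
    for raw in parse_counted_names(blob):
        full = counted_view(raw)
        if "\x00" in full:
            findings.append({
                "visible": null_terminated_view(raw),   # what an API-level tool shows
                "counted_chars": len(full),             # what the counted string holds
                "printable": full.replace("\x00", "\\0"),
            })
    return findings

def record(name: str) -> bytes:
    """Build one constructed sample record."""
    data = name.encode("utf-16-le")
    return struct.pack("<I", len(data)) + data

# Constructed sample input: one ordinary name and two with embedded nulls.
SAMPLE = b"".join(record(n) for n in ["Policies", "System\x00", "Sys\x00tem"])

if __name__ == "__main__":
    for f in find_embedded_nulls(SAMPLE):
        print(f'{f["printable"]!r}: shown as {f["visible"]!r}, '
              f'{f["counted_chars"]} chars stored')
```
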

Kelly
07-09-2005, 11:21 PM
http://www.google.com/search?hl=en&q=RootkitRevealer+support

--

All the Best,
Kelly (MS-MVP)

Troubleshooting Windows XP
http://www.kellys-korner-xp.com


"Jeff" <jeff@phony.com> wrote in message
news:OWhxbVeVFHA.544@TK2MSFTNGP15.phx.gbl...
> Hi
>
> I downloaded the Sysinternals utility "RootkitRevealer" and used it to scan my
> system. It only found 3 items:
>
> 1. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System "Key name contains
> embedded nulls".
>
> The info on the Sysinternals website about this is
>
> " Key name contains embedded nulls:
> The Windows API treats key names as null-terminated strings whereas the
> kernel treats them as counted strings. Thus, it is possible to create
> Registry keys that are visible to the operating system, yet only partially
> visible to Registry tools like Regedit. The Reghide sample code at
> Sysinternals demonstrates this technique, which is used by both malware and
> rootkits to hide Registry data. "
>
> Do I have a problem with my
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System key?
>
> 2. and 3. in my Documents and Settings..\Local settings\Application
> data\Microsoft\Windows\UsrClass.dat.LOG:Kavichs - "Hidden from Windows API"
>
> Advice?
>
> --
>
> Jeff Stevens
> Email address deliberately false to avoid spam
> jeff@stevens.com
>
>
>

