2/01/2013

Hiding Windows XP Registry

I came across some readings and found this interesting to share.

It is how to hide a registry entry under Windows XP and 2000.

There is a flaw in Registry Editor (regedt32.exe) on
  • Windows XP Home
  • Windows XP Pro
  • Windows 2000 Advanced Server
  • Windows 2000 Datacenter Server
  • Windows 2000 Server
  • Windows 2000 Professional
It has a weakness against a registry key with a long name. If there is a registry string with a name longer than 255 characters (preferably 256 - 259), all registry strings below it will disappear.

Unfortunately, this flaw has been considered a "feature" by Microsoft. That's why I can still test it on my Windows XP SP3 (fully patched as of Feb 2013)!!

Here, I generated a string 256 characters long.

I created a new registry key, named "test", under HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

I created 3 strings - Before, A*256, After

Press F5 to refresh, and now it's magically gone!!!

Now, with the "reg.exe" command, the registry strings are still there.

And this is the method to delete it. 
Then, of course, the key "After" came back.

Also, I can just use the "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" key and put some hidden strings inside. It would be much more fun. :)
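
Because reg.exe still lists the strings that Registry Editor does not show, its output can be checked for over-long names. The Python below is an added example, not part of the original post: it parses `reg query` text and flags value names longer than 255 characters. The function names, the constructed sample (mirroring the Before, A*256, After test), and treating the values reg.exe lists after the long name as the ones to review are assumptions of this example.

```python
import re

MAX_VISIBLE_NAME = 255  # names longer than this trigger the display flaw described above

# Matches a value line from `reg query` output: indent, name, type, optional data.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)(?:\s+(?P<data>.*))?$")


def parse_reg_query(text):
    """Return {key_path: [(name, type, data), ...]} from `reg query` output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith(("HKEY_", "HKLM\\", "HKCU\\")):
            current = line.strip()          # unindented line: start of a new key
            keys.setdefault(current, [])
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            keys[current].append((m["name"], m["type"], m["data"] or ""))
    return keys


def find_long_names(text, limit=MAX_VISIBLE_NAME):
    """Flag values whose name exceeds `limit`, plus the names listed after them."""
    findings = []
    for key, values in parse_reg_query(text).items():
        for i, (name, vtype, data) in enumerate(values):
            if len(name) > limit:
                findings.append({
                    "key": key,
                    "name_length": len(name),
                    "type": vtype,
                    "data": data,
                    # Assumption: these are the entries to review as possibly not displayed.
                    "listed_after": [n for n, _, _ in values[i + 1:]],
                })
    return findings


# Constructed sample mirroring the test above; the data values 1, 2, 3 are made up.
SAMPLE = (
    "! REG.EXE VERSION 3.0\n\n"
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\test\n"
    "    Before\tREG_SZ\t1\n"
    "    " + "A" * 256 + "\tREG_SZ\t2\n"
    "    After\tREG_SZ\t3\n"
)

if __name__ == "__main__":
    for f in find_long_names(SAMPLE):
        print(f"{f['key']}: {f['name_length']}-char name, data={f['data']!r}, after it: {f['listed_after']}")
```
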
