By Larry Seltzer
August 29, 2005
Reports on the Full-Disclosure research list and by the SANS Internet
Storm Center indicate a common bug in software that interacts with the
Windows registry. The bug could allow malicious programs to hide
values there, obscuring evidence of their presence on the system.
The problem involves registry values with names between 256 and 260
characters long, although there may be additional problems with names
at the outer limits of length restrictions for Microsoft's and other
registry editors. As the Full-Disclosure report indicates, the
existence of such a key can hide not only its own presence, but also
other values in the same key.
The Full-Disclosure report demonstrated the effect in the Microsoft
Registry editing program that comes with Windows. Further research by
the Internet Storm Center indicated that several other programs,
including security-related programs, are similarly incapable of seeing
or modifying these values.
The main security concern relates to the "Run" keys, which are
specific keys that contain the names and locations of programs that
Windows should load at boot- and login-time. By using a value name
greater than 256 characters, a malicious program could possibly hide
its presence from security software, which usually checks these keys
for malicious use.
The use of such a key could not stop the security software from
scanning the file system and finding the programs being loaded through
these registry keys, and it could not stop intrusion prevention and
other behavior-monitoring software from taking note of the fact that a
value was being written to the Run keys, an action that usually raises
The Internet Storm Center notes many programs that cannot read the
keys, including Lavasoft's Ad-Aware (no version specified), the
Microsoft AntiSpyware Beta and WinDoctor v. 7.00.22. Other tools,
including other versions of Microsoft registry tools, behave
The Internet Storm Center page also includes links to a free tool that
searches a computer's registry for value names that could cause the
problem noted in the reports.
 http://isc.sans.org/diary.php?date 05-08-25
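The two points above, that a value name of 256 characters or more can hide itself and its neighbours from tools with a fixed name buffer, and that a defender can search the Run keys for such names, can be shown in a short audit script. The code below is an added example, not the article's or the Internet Storm Center tool's code. The fixed-buffer enumerator is a model of the naive behaviour the reports describe (a tool that treats "name does not fit" as end of enumeration), the sample key contents are constructed, and the 255-character safe limit (256 minus the terminating NUL) and the Run/RunOnce paths are assumptions; the `winreg` part runs only on Windows and returns an empty list elsewhere.

```python
"""Audit Windows autorun keys for over-long value names (added example)."""
import sys

# Assumption: naive tools reserve a 256-character name buffer, one
# character of which is the NUL terminator, so 255 is the longest name
# such a tool can read. Names of 256+ characters fall in the problem
# range the reports describe.
NAME_BUFFER_CHARS = 256
MAX_SAFE_NAME_LEN = NAME_BUFFER_CHARS - 1

# Autorun keys the article identifies as the main concern. Paths are the
# standard locations; scanning both hives is an assumption of this example.
RUN_KEYS = [
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]

# Constructed sample of one Run key's (name, data) pairs; the 260-char name
# sits between two ordinary entries to show the collateral hiding effect.
SAMPLE_KEY = [
    ("OneDrive", r"C:\constructed\OneDrive.exe"),
    ("A" * 260, r"C:\constructed\unwanted.exe"),
    ("SecurityHealth", r"C:\constructed\SecurityHealthSystray.exe"),
]


def suspicious_names(values):
    """Return value names long enough to be hidden from a fixed-buffer tool."""
    return [name for name, _data in values if len(name) > MAX_SAFE_NAME_LEN]


def enumerate_fixed_buffer(values, buffer_chars=NAME_BUFFER_CHARS):
    """Model of a naive tool: copy each name into a fixed buffer and stop
    at the first name that does not fit (the tool treats the 'more data'
    condition as the end of the key). Returns the names it managed to see;
    every value after the over-long one is lost as well."""
    seen = []
    for name, _data in values:
        if len(name) > buffer_chars - 1:
            break
        seen.append(name)
    return seen


def hidden_from_naive(values):
    """Names a correctly sized enumeration returns but the naive model does
    not: the over-long name itself plus any values enumerated after it."""
    naive = set(enumerate_fixed_buffer(values))
    return [name for name, _data in values if name not in naive]


def read_key_values(hive_name, path):
    """Read all (name, data) pairs of one key with winreg, which sizes the
    name buffer from the key's own maximum, so long names are not missed.
    Returns None if the key cannot be opened."""
    import winreg  # Windows-only module

    try:
        key = winreg.OpenKey(getattr(winreg, hive_name), path)
    except OSError:
        return None
    values = []
    with key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:  # index past the last value
                break
            values.append((name, data))
            index += 1
    return values


def scan_run_keys():
    """On Windows, report (hive, path, name_length, data) for every autorun
    value whose name exceeds the safe limit. Returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    findings = []
    for hive_name, path in RUN_KEYS:
        values = read_key_values(hive_name, path)
        if not values:
            continue
        for name, data in values:
            if len(name) > MAX_SAFE_NAME_LEN:
                findings.append((hive_name, path, len(name), data))
    return findings


if __name__ == "__main__":
    print("naive tool sees:", enumerate_fixed_buffer(SAMPLE_KEY))
    print("hidden from it:", [n[:12] + "..." for n in hidden_from_naive(SAMPLE_KEY)])
    for finding in scan_run_keys():
        print("over-long autorun value name:", finding)
```

Run on the constructed sample, the naive enumerator returns only the first entry; the 260-character name and the legitimate `SecurityHealth` entry that follows it both disappear, which is the "hides other values in the same key" effect. On a Windows host `scan_run_keys()` performs the same length check against the live Run and RunOnce keys.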