reading the registry


8 replies to this topic

#1 bpv_newhacker

  • Members
  • 233 posts
  • Gender:Male
  • Location:southern new jersey

Posted 09 October 2010 - 07:52 AM

Hi,
Are there any applications (preferably open source) that will read the registry's contents and display it without having to use the API, and just read the hive/files to get the info? Maybe this doesn't matter, but since I am new to this, I was just wondering if malware can hook into the API calls, know it is being read, and thwart any programs trying to read the registry contents.

P.S.
I wasn't sure if this is the right place to post this.


#2 ErikAlbert

  • Members
  • 38 posts
  • Location:Antwerp

Posted 12 October 2010 - 12:01 PM

If you are a less-knowledgeable user (like me), you don't even see the difference between a good, bad and superfluous registry. So even when you have a tool to read all registries of Windows Registry in a very comfortable way, what are you going to do with it if you don't know the purpose of each registry and don't understand the contents of each registry?
You have to learn a lot about registries first, and most users are not willing to do this unless they want to become an expert in Windows Registry, and believe me, this is BORING STUFF.

Don't fool around with registries and don't use any registry software, not even the registry cleaner of the popular "CCleaner".
All registry cleaners are dangerous to use and they also remove INNOCENT registries; even CCleaner removes innocent registries, and they can damage your system.
If you really want to see and edit registries, use the command "regedit" (Start - Run) and do this only when you have a backup of your system or Windows Registry.
A free tip : "Never do something new on your computer, unless you can go back to a previous state." Most users don't even know what this means and that's why they always get in trouble.

Any existing object on your computer can be a target of malware, so malware can be anywhere on your system, and the API is just one of them.

Edited by ErikAlbert, 12 October 2010 - 12:35 PM.

ErikAlbert - "Simplicity is always brilliant" - "Every software sucks, some suck more than others."
WinXPproSP3 + Comodo Firewall + FirstDefense-ISR + Anti-Executable + Sandboxie + ShadowProtect - no scanners, no cleaners.
I remove superfluous and evil objects, not because they are there, but because they weren't there.

#3 Layback Bear

  • Members
  • 1,880 posts
  • Gender:Male
  • Location:Northern Ohio

Posted 12 October 2010 - 12:17 PM

IMHO, if I may state: from what I can tell, most people don't know any more about the registry than I do. I know just enough to get in trouble. A registry cleaner used properly by someone with the proper knowledge could be useful. I have no idea where to go just to learn the basics of the Windows registry.

#4 ErikAlbert


Posted 12 October 2010 - 01:00 PM

I don't need that knowledge, and my Windows Registry is very clean, because I don't allow any change in Windows Registry unless I want it myself.
There are other ways to protect your system, but that is a totally different story and requires another topic. It's not only about Windows Registry, it's about your entire system. Windows Registry is just a small part of it. You have to see things much bigger.

Edited by ErikAlbert, 12 October 2010 - 01:38 PM.


#5 Andrew

    Bleepin' Night Watchman

  • Moderator
  • 8,259 posts
  • Gender:Not Telling
  • Location:Right behind you

Posted 12 October 2010 - 01:40 PM

To answer the original question: yes, there are tools that will read the raw data from hive files; no, none that I know of are open source (though the WINE project may have one); and yes, malware certainly can hook the registry access APIs to hide its entries. Such functionality is commonly one of the protection mechanisms of a rootkit infection.

Rootkit infections are serious business. If you have one then you should seek the aid of an experienced malware cleaning person (like the ones here at Bleeping Computer!). I would strenuously advise against modifying any registry hive file, especially on a live system or any system you can't afford to have crash in a most awesome display of digital fireworks. There are tools such as RootkitRevealer which can alert you to discrepancies between what the registry API is saying and what is actually in the registry hive, but the results from such tools must be interpreted by someone who can tell a bad entry from a good one.

In any event always, always, always back up the registry before making any changes whatsoever by whatever means. ERUNT is an excellent backup tool.
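The two answers above (post #1 asks for a reader that skips the API and goes straight to the hive file; post #5 confirms such readers exist and that rootkits hook the registry API) are easiest to see in code. The following is an added example, not code from this thread, from RootkitRevealer, or from any other tool named here. It parses the on-disk hive format directly: the `regf` header gives the root key cell, every cell lives inside an `hbin` block at a 4096-byte offset, `nk` cells are keys, `lf`/`lh`/`li`/`ri` cells list subkeys, and `vk` cells are values (data of four bytes or less is packed into the offset field itself). No `winreg` or `RegOpenKey` call is made, so a user-mode API hook has nothing to intercept. Assumptions, labelled as such in the code: no `db` big-data values, ASCII key and value names, and the sample hive is constructed in memory rather than taken from a real machine. Pass a path on the command line to run it over a real hive copy instead.

```python
"""Offline parser for a Windows registry hive (regf) file.

Added example, not code from this thread or from any tool named in it. It reads
the raw hive structures (regf header -> hbin cells -> nk/vk nodes) without the
Win32 registry API. Assumptions: subkey lists are lf/lh/li/ri, no 'db' big-data
values, ASCII names. The hive used in __main__ is constructed in memory.
"""
import struct
import sys

HBIN_BASE = 0x1000   # cell offsets stored in a hive are relative to the first hbin
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}


def cell(hive, off):
    """Payload of the cell at hive-relative offset `off` (skips the int32 size; negative = in use)."""
    size = struct.unpack_from("<i", hive, HBIN_BASE + off)[0]
    return hive[HBIN_BASE + off + 4: HBIN_BASE + off + abs(size)]


def subkey_offsets(hive, list_off):
    """Expand an lf/lh (offset,hash pairs), li (offsets) or ri (list of lists) cell into nk offsets."""
    c = cell(hive, list_off)
    sig, count = c[:2], struct.unpack_from("<H", c, 2)[0]
    if sig not in (b"lf", b"lh", b"li", b"ri"):
        raise ValueError("unknown subkey list %r" % sig)
    step = 8 if sig in (b"lf", b"lh") else 4
    offs = [struct.unpack_from("<I", c, 4 + step * i)[0] for i in range(count)]
    if sig == b"ri":
        return [o for sub in offs for o in subkey_offsets(hive, sub)]
    return offs


def value(hive, vk_off):
    """Decode a vk cell into (name, type, data)."""
    vk = cell(hive, vk_off)
    assert vk[:2] == b"vk", "bad vk signature"
    name_len, size, data_off, vtype = struct.unpack_from("<HIII", vk, 2)
    name = vk[0x14:0x14 + name_len].decode("latin-1") or "(Default)"
    if size & 0x80000000:                        # <= 4 bytes: data is stored inline in the offset field
        raw = struct.pack("<I", data_off)[:size & 0x7FFFFFFF]
    else:
        raw = cell(hive, data_off)[:size]
    if vtype in (1, 2):
        data = raw.decode("utf-16-le").rstrip("\x00")
    elif vtype == 4:
        data = struct.unpack("<I", raw)[0]
    else:
        data = raw
    return name, REG_TYPES.get(vtype, "type_%d" % vtype), data


def walk(hive, nk_off=None, path=""):
    """Yield (key_path, [(name, type, data), ...]) for every key under nk_off (default: root)."""
    if nk_off is None:
        assert hive[:4] == b"regf", "not a regf hive"
        nk_off = struct.unpack_from("<I", hive, 0x24)[0]   # root key cell offset lives in the header
    nk = cell(hive, nk_off)
    assert nk[:2] == b"nk", "bad nk signature"
    n_sub, _, sub_off = struct.unpack_from("<III", nk, 0x14)
    n_vals, vals_off = struct.unpack_from("<II", nk, 0x24)
    name_len = struct.unpack_from("<H", nk, 0x48)[0]
    path = (path + "\\" if path else "") + nk[0x4C:0x4C + name_len].decode("latin-1")
    vals = []
    if n_vals:
        vlist = cell(hive, vals_off)             # plain array of uint32 vk offsets
        vals = [value(hive, struct.unpack_from("<I", vlist, 4 * i)[0]) for i in range(n_vals)]
    yield path, vals
    for off in (subkey_offsets(hive, sub_off) if n_sub else []):
        yield from walk(hive, off, path)


def build_sample_hive():
    """Constructed sample (not a real Windows hive): ROOT\\Run holding a REG_SZ and a REG_DWORD."""
    cells = []

    def add(payload):                            # append one cell, return its hive-relative offset
        off = 0x20 + sum(len(c) for c in cells)  # first cell follows the 32-byte hbin header
        size = 4 + len(payload) + (-(4 + len(payload))) % 8   # cells are 8-byte aligned
        cells.append(struct.pack("<i", -size) + payload.ljust(size - 4, b"\x00"))
        return off

    def vk(name, vtype, data):
        inline = len(data) <= 4
        size = 0x80000000 | len(data) if inline else len(data)
        off = struct.unpack("<I", data.ljust(4, b"\x00"))[0] if inline else add(data)
        return b"vk" + struct.pack("<HIIIHH", len(name), size, off, vtype, 1, 0) + name

    def nk(name, n_sub, sub_off, n_vals, vals_off, flags):
        return (b"nk" + struct.pack("<H", flags) + b"\x00" * 16 +          # timestamp, access, parent
                struct.pack("<IIIIII", n_sub, 0, sub_off, 0xFFFFFFFF, n_vals, vals_off) +
                b"\xff" * 8 + b"\x00" * 20 + struct.pack("<HH", len(name), 0) + name)

    v1 = add(vk(b"Updater", 1, "C:\\Users\\Public\\svc.exe\x00".encode("utf-16-le")))
    v2 = add(vk(b"Enabled", 4, struct.pack("<I", 1)))
    vlist = add(struct.pack("<II", v1, v2))
    run = add(nk(b"Run", 0, 0xFFFFFFFF, 2, vlist, 0x20))
    lf = add(b"lf" + struct.pack("<HI", 1, run) + b"Run\x00")              # hash = first 4 name chars
    root = add(nk(b"ROOT", 1, lf, 0, 0xFFFFFFFF, 0x2C))
    body = b"".join(cells)
    hbin_size = 0x20 + len(body) + (-(0x20 + len(body))) % 0x1000
    hbin = (b"hbin" + struct.pack("<IIQQI", 0, hbin_size, 0, 0, 0) + body).ljust(hbin_size, b"\x00")
    header = b"regf" + struct.pack("<IIQIIIIII", 1, 1, 0, 1, 3, 0, 1, root, hbin_size)
    return header.ljust(0x1000, b"\x00") + hbin


if __name__ == "__main__":
    hive = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_hive()
    for key, vals in walk(hive):
        print(key)
        for name, vtype, data in vals:
            print("    %-12s %-10s %r" % (name, vtype, data))
```

Two practical notes. The live hive files under `%SystemRoot%\System32\config` are held open by the kernel, so you read a copy (from a Volume Shadow Copy, or from the disk after booting other media), not the file in place. And the offline listing is only half of a RootkitRevealer-style check: the other half is the same key enumerated through the API on the running system (for example `reg query`), and an entry present in the hive but missing from the API output is the discrepancy worth investigating. A kernel-mode rootkit can also filter file reads on the live system, which is why a listing taken from a machine booted from clean media is the stronger comparison.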

#6 bpv_newhacker

  • Topic Starter

Posted 12 October 2010 - 01:42 PM

Hi,
The purpose of my registry question is that I have become interested in how viruses work and how to detect them. I know some trojans/worms/etc. can detect when certain programs run, such as Sysinternals Process Explorer or the port sniffer, because I have seen them kick me out of the program. If I know where to look for a registry entry that a trojan has set, and I want to clean it, and the trojan has hijacked regedit for instance, it may become necessary to have another tool which handles registries differently, which the trojan won't detect. That is the reason I was interested in starting the topic: to get some ideas.

#7 ErikAlbert


Posted 12 October 2010 - 02:15 PM

Here is a list of more than 30 anti-rootkit software packages. Poor users!!!
http://www.antirootkit.com/software/index.htm
Have fun with them, certainly not my kind of fun.
It's much easier for me, not to allow any change in my system, including Windows Registry.

Edited by ErikAlbert, 12 October 2010 - 02:29 PM.


#8 Andrew

    Bleepin' Night Watchman

Posted 12 October 2010 - 04:04 PM

> Hi,
> The purpose of my registry question is that I have become interested in how viruses work and how to detect them. I know some trojans/worms/etc. can detect when certain programs run, such as Sysinternals Process Explorer or the port sniffer, because I have seen them kick me out of the program. If I know where to look for a registry entry that a trojan has set, and I want to clean it, and the trojan has hijacked regedit for instance, it may become necessary to have another tool which handles registries differently, which the trojan won't detect. That is the reason I was interested in starting the topic: to get some ideas.

You might be interested in the Malware Removal Training Program.

#9 bpv_newhacker

  • Topic Starter

Posted 12 October 2010 - 08:08 PM

Hi,
Thank you for the tip Andrew, but I already enrolled last week. However, there are no openings right now.