Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   How to access an invalid registry key? (https://forum.exetools.com/showthread.php?t=12472)

-=bb=- 09-18-2009 16:44

How to access an invalid registry key?
 
Hi,

Looking at a software protection that stores some data in an invalid registry key. Trying to open/delete/rename the key results in "Cannot open <keyname>: Error while opening key."

How do I see what is in there, rename it or delete it?

Thanks in advance!

bb

STRELiTZIA 09-18-2009 17:19

Quote:

software protection
Like Antivirus / Firewalls ? or Exe Protectors ?

For Antivirus / Firewalls :
They are not invalid keys; the AV/firewall software uses an SSDT hook to prevent changes to them...

To clean the SSDT hook, try SSDT unhooker tools before manipulating these keys.

-=bb=- 09-18-2009 17:22

Hi STRELiTZIA,

It is a simple time trial that I suspect is hiding the 'start date/run times' etc. in this key, but since I can't look at it, delete it or rename it, I can't confirm that is the case just yet.

I will try the SSDT Unhooker you mention - thanks!

bb

-=bb=- 09-18-2009 17:27

Managed to find the contents, and delete it using Registry Trash Keys Finder using the 'Search Null-embedded Keys' option.

Reset the trial perfectly. Now just to reverse RTKF to find out how it deletes the key and I can make my own automated trial reset for the software.

Simples!

Thanks all.
bb

LouCypher 09-18-2009 17:51

Quote:

Originally Posted by -=bb=- (Post 65172)
Now just to reverse RTKF to find out how it deletes the key and I can make my own automated trial reset for the software.

You'd probably be interested in the source code for Mark Russinovich's old RegHide program. It provides a demonstration on how to create, verify, and remove a key containing embedded NULL characters. When he sold out to Microsoft they removed all of his source code from the current site, but there are mirrors available.

You can download the original RegHide with source here:
Code:

http://court.shrock.org/sysinternals-bt/RegHide.zip

-=bb=- 09-18-2009 18:09

Wow - great find LouCypher!

Thanks a lot - I'll read into that this evening (or today if my boss stays in his office :D)

Thanks mate!

piccolo 09-20-2009 14:54

That error also occurs when you do not have the rights to change that key, e.g. with some services. Simply right click the registry entry and check the Permissions. They are probably set to not allow that much.

-=bb=- 09-22-2009 07:11

Hi piccolo,

In this instance it wasn't a rights issue - it was the NULL terminated key name.

I was hoping to modify the source code from Sysinternals' RegHide but my C skillz are so weak that I can't even get the original source to compile without a bunch of errors such as:

41 C:\RegHide\REGHIDE.C invalid conversion from `int (*)()' to `NTSTATUS (*)(void*, DWORD, OBJECT_ATTRIBUTES*, DWORD, UNICODE_STRING*, DWORD, long unsigned int*)'

So I guess I'll have to knock up a little MASM framework to do it this coming weekend when I get some free time (hopefully!).

I'm aiming to base it on NtCreateKey and NtDeleteKey as per that source - since it appears the NtDeleteKey (according to the brief look I've had) relies on a handle being passed to it created by a successful call to NtCreateKey or NtOpenKey.

Damn my feeble C skills - it's times like this that being entirely self-taught shows that I had a poor teacher! :D

bb
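The approach bb sketches above (a counted UNICODE_STRING passed to NtCreateKey, then NtOpenKey + NtDeleteKey on the same name) as an added example. This is not RegHide's source, not Registry Trash Keys Finder's code, and not bb's MASM framework; it is illustrative code written for this page. Assumptions: the key name "Hidden\0Key" and its parent HKCU\Software are made up for the demonstration, and NtCreateKey/NtOpenKey/NtDeleteKey are resolved from ntdll.dll at run time because winternl.h does not declare them. The counted-name helpers compile on any platform; the native part only compiles on Windows.

```c
/* Added example (not RegHide's source, not from the thread). Creates and deletes a
 * registry key whose name contains an embedded NUL, which is why regedit and the
 * Win32 Reg* API cannot open it. Key name and parent are assumed, illustrative. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A name as the kernel sees it: a counted array of UTF-16 units, no terminator. */
typedef struct { const uint16_t *units; size_t count; } counted_name;

static counted_name make_counted_name(const uint16_t *units, size_t count) {
    counted_name n = { units, count };
    return n;
}

/* Assumed sample name "Hidden\0Key" (constructed for this example). */
static counted_name sample_hidden_name(void) {
    static const uint16_t raw[] = { 'H','i','d','d','e','n', 0, 'K','e','y' };
    return make_counted_name(raw, sizeof raw / sizeof raw[0]);
}

/* What a Win32 caller (RegOpenKeyEx, regedit) sees: the string stops at the first
 * zero unit, so "Hidden\0Key" looks like "Hidden", which is a different key. */
static size_t win32_visible_units(counted_name n) {
    size_t i = 0;
    while (i < n.count && n.units[i] != 0) i++;
    return i;
}

/* True when the name cannot be expressed as a NUL-terminated string at all. */
static int has_embedded_null(counted_name n) {
    return win32_visible_units(n) < n.count;
}

/* UNICODE_STRING.Length counts bytes, not characters. */
static uint16_t unicode_length_bytes(counted_name n) {
    return (uint16_t)(n.count * sizeof(uint16_t));
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#ifndef OBJ_CASE_INSENSITIVE
#define OBJ_CASE_INSENSITIVE 0x00000040L
#endif

typedef NTSTATUS (NTAPI *NtCreateKey_t)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES,
                                         ULONG, PUNICODE_STRING, ULONG, PULONG);
typedef NTSTATUS (NTAPI *NtOpenKey_t)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES);
typedef NTSTATUS (NTAPI *NtDeleteKey_t)(HANDLE);

static FARPROC ntdll_sym(const char *name) {
    return GetProcAddress(GetModuleHandleW(L"ntdll.dll"), name);
}

/* Fill the UNICODE_STRING by hand: RtlInitUnicodeString would stop at the NUL. */
static void counted_to_unicode(counted_name n, UNICODE_STRING *us) {
    us->Length = unicode_length_bytes(n);
    us->MaximumLength = us->Length;
    us->Buffer = (PWSTR)n.units;            /* wchar_t is 16-bit on Windows */
}

/* Create the key relative to an open HKEY (a real kernel handle, usable as RootDirectory). */
static NTSTATUS create_null_key(HKEY root, counted_name n, HANDLE *out) {
    UNICODE_STRING us; OBJECT_ATTRIBUTES oa;
    NtCreateKey_t NtCreateKey = (NtCreateKey_t)ntdll_sym("NtCreateKey");
    counted_to_unicode(n, &us);
    InitializeObjectAttributes(&oa, &us, OBJ_CASE_INSENSITIVE, (HANDLE)root, NULL);
    return NtCreateKey(out, KEY_ALL_ACCESS, &oa, 0, NULL, REG_OPTION_NON_VOLATILE, NULL);
}

/* Delete it the same way: open with DELETE via the counted name, then NtDeleteKey. */
static NTSTATUS delete_null_key(HKEY root, counted_name n) {
    UNICODE_STRING us; OBJECT_ATTRIBUTES oa; HANDLE h; NTSTATUS st;
    NtOpenKey_t NtOpenKey = (NtOpenKey_t)ntdll_sym("NtOpenKey");
    NtDeleteKey_t NtDeleteKey = (NtDeleteKey_t)ntdll_sym("NtDeleteKey");
    counted_to_unicode(n, &us);
    InitializeObjectAttributes(&oa, &us, OBJ_CASE_INSENSITIVE, (HANDLE)root, NULL);
    st = NtOpenKey(&h, DELETE, &oa);
    if (st < 0) return st;
    st = NtDeleteKey(h);
    NtClose(h);
    return st;
}
#endif

int main(void) {
    counted_name n = sample_hidden_name();
    printf("kernel sees %u units, Win32 sees %u\n",
           (unsigned)n.count, (unsigned)win32_visible_units(n));
#ifdef _WIN32
    HKEY root, probe; HANDLE h; LONG rc; NTSTATUS st;
    if (RegOpenKeyExW(HKEY_CURRENT_USER, L"Software", 0, KEY_ALL_ACCESS, &root) != ERROR_SUCCESS)
        return 1;
    st = create_null_key(root, n, &h);
    printf("NtCreateKey: 0x%08lx\n", (unsigned long)st);
    if (st >= 0) NtClose(h);
    /* Win32 truncates at the NUL and looks for "Hidden", which was never created. */
    rc = RegOpenKeyExW(root, L"Hidden", 0, KEY_READ, &probe);
    printf("RegOpenKeyExW(\"Hidden\"): %ld (2 = ERROR_FILE_NOT_FOUND)\n", rc);
    if (rc == ERROR_SUCCESS) RegCloseKey(probe);
    printf("NtDeleteKey: 0x%08lx\n", (unsigned long)delete_null_key(root, n));
    RegCloseKey(root);
#endif
    return 0;
}
```

Two things to check when adapting this: the OBJECT_ATTRIBUTES root must be a handle you opened yourself (predefined roots such as HKEY_CURRENT_USER are pseudo-handles and are rejected by the native API), and the delete path must open the key by the same counted name, because the Win32 API will never resolve past the NUL.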

