#1
I'm running Windows XP Pro SP2 under MS Virtual PC (VPC) 2004 SP1. The VPC XP install is perfectly clean, as is the host system. I received via e-mail a SOFTWARE hive from a system infected by adware. RootkitRevealer was run on the infected PC and it identified a HKLM\Software\Classes\CLSID\InprocServer32 key with the following anomaly:

Key name contains embedded nulls (*)

I copied the SOFTWARE hive to a folder accessible to the VPC install. I opened REGEDIT and loaded the SOFTWARE hive. The InprocServer32 key cannot be viewed. The error message is: "Cannot open InprocServer32: Error while opening key." Ownership and permissions cannot be reset on this key. Neither this key nor the parent key can be deleted.

How can this key be managed with Regedit so it can be deleted and, optionally, viewed?

regards, Andy
--
**********
Please send e-mail to: usenet (dot) post (at) aaronoff (dot) com
To identify everything that starts up with Windows, download "Silent Runners.vbs" at www.silentrunners.org
**********
#2
Look into Bart's PE. It's a mini Windows environment. Regedit can be run from there, and the usual permissions and security measures don't apply.
--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
Win 95/98/Me/XP Tweaks and Fixes http://www.dougknox.com
Per user Group Policy Restrictions for XP Home and XP Pro http://www.dougknox.com/xp/utils/xp_securityconsole.htm
Please reply only to the newsgroup so all may benefit. Unsolicited e-mail is not answered.

"Andrew Aronoff" <NOSPAM_WRONG.ADDRESS@yahoo.com> wrote in message news:g0n8r190ipqh1kobddhqv08fhmv7ncasu3@4ax.com...
#3
Sorry, forgot the link:
http://www.nu2.nu/pebuilder/
--
Doug Knox, MS-MVP

"Andrew Aronoff" <NOSPAM_WRONG.ADDRESS@yahoo.com> wrote in message news:g0n8r190ipqh1kobddhqv08fhmv7ncasu3@4ax.com...
#4
Bart's PE would work if this was a problem with the host or VPC install, but it's not. Neither install is infected. The problem, in fact, is the Win32 API used by REGEDIT, which can view, but cannot manage, registry key names with embedded nulls. (It's amazing how little info there is about this problem in the MS newsgroups.)

The nature of the problem is described here:
http://www.sysinternals.com/Informat...tml#HiddenKeys
This link will also work:
http://tinyurl.com/azzto

The "RegDelNull" tool will allow the null-containing entries to be deleted. It can be downloaded here:
http://www.sysinternals.com/Utilities/RegDelNull.html

... but MS should provide a better command-line tool that allows the key and/or name/value pair to be fully managed. Better, MS should prevent such data from being written to the registry in the first place in all Windows versions. (IMHO, that's precisely what the OS is for.)

regards, Andy

"Doug Knox MS-MVP" <dknox@mvps.org> wrote:
>Look into Bart's PE. It's a mini Windows environment. Regedit can be
>run from there, and the usual permissions and security measures don't
>apply.
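Added example, not code from this thread, from Sysinternals or from Microsoft, to show the mechanism Andy describes: Win32 registry calls take NUL-terminated strings, so a key named "InprocServer32" followed by a NUL is truncated before it reaches the kernel and Regedit can neither open nor delete it, whereas the native API (NtOpenKey, NtEnumerateKey, NtDeleteKey) uses counted UNICODE_STRINGs and passes the NUL through. That is the approach a tool like RegDelNull can take; the exact internals of RegDelNull are not on this page and are not claimed here. Assumptions: the KEY_BASIC_INFORMATION layout declared inline, the native path you pass (a hive loaded in Regedit under HKLM\Foo is reachable as \Registry\Machine\Foo), and the sample names, which are constructed and not taken from the poster's hive. The counted-string checks are portable; the registry walk compiles only on Windows and, like RegDelNull, deletes keys directly, so run it against a copy of the hive first.

```c
/* Added example (not from the original thread): detect, and on Windows
 * delete, registry subkeys whose names contain an embedded NUL.
 * Win32 (RegOpenKeyEx, RegDeleteKey, Regedit) stops at the first NUL;
 * the native API works with counted UTF-16 strings and does not. */
#include <stddef.h>
#include <stdint.h>

typedef uint16_t wch;   /* one UTF-16 code unit, as stored in the hive */

/* Index of the first NUL inside a counted UTF-16 name, or -1 if none.
 * This is the check behind a "Key name contains embedded nulls" finding. */
int embedded_nul_index(const wch *name, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (name[i] == 0) return (int)i;
    return -1;
}

/* How many code units a NUL-terminated (Win32) API would see of the name. */
size_t win32_visible_length(const wch *name, size_t len) {
    int i = embedded_nul_index(name, len);
    return i < 0 ? len : (size_t)i;
}

/* Constructed sample names (assumption: not taken from any real hive). */
static const wch SAMPLE_NUL_NAME[] = { 'I','n','p','r','o','c','S','e','r','v',
                                       'e','r','3','2',0,'h','i','d','d','e','n' };
static const wch SAMPLE_CLEAN_NAME[] = { 'I','n','p','r','o','c','S','e','r','v',
                                         'e','r','3','2' };
static const wch SAMPLE_LEADING_NUL[] = { 0, 'x' };
#define SAMPLE_NUL_LEN   (sizeof SAMPLE_NUL_NAME / sizeof SAMPLE_NUL_NAME[0])
#define SAMPLE_CLEAN_LEN (sizeof SAMPLE_CLEAN_NAME / sizeof SAMPLE_CLEAN_NAME[0])

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#include <stdio.h>

/* Layout returned for information class 0 (KeyBasicInformation); declared
 * here rather than taken from a header (assumption about the SDK in use). */
typedef struct { LARGE_INTEGER LastWriteTime; ULONG TitleIndex;
                 ULONG NameLength; WCHAR Name[1]; } KBI;
typedef NTSTATUS (NTAPI *NtOpenKey_t)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES);
typedef NTSTATUS (NTAPI *NtEnumerateKey_t)(HANDLE, ULONG, int, PVOID, ULONG, PULONG);
typedef NTSTATUS (NTAPI *NtDeleteKey_t)(HANDLE);
typedef NTSTATUS (NTAPI *NtClose_t)(HANDLE);

/* Enumerate the subkeys of a native path such as
 * L"\\Registry\\Machine\\SOFTWARE\\Classes\\CLSID\\{...}", report every
 * subkey whose name holds an embedded NUL and, if do_delete is set, delete
 * it. Returns the count found, or -1 on error. A key that still has
 * subkeys cannot be deleted in one call: purge its children first. */
int purge_nul_subkeys(const wchar_t *native_path, int do_delete) {
    HMODULE nt = GetModuleHandleW(L"ntdll.dll");
    NtOpenKey_t      pOpen  = (NtOpenKey_t)GetProcAddress(nt, "NtOpenKey");
    NtEnumerateKey_t pEnum  = (NtEnumerateKey_t)GetProcAddress(nt, "NtEnumerateKey");
    NtDeleteKey_t    pDel   = (NtDeleteKey_t)GetProcAddress(nt, "NtDeleteKey");
    NtClose_t        pClose = (NtClose_t)GetProcAddress(nt, "NtClose");
    if (!pOpen || !pEnum || !pDel || !pClose) return -1;

    UNICODE_STRING us;
    us.Length = us.MaximumLength = (USHORT)(wcslen(native_path) * sizeof(WCHAR));
    us.Buffer = (PWSTR)native_path;
    OBJECT_ATTRIBUTES oa; HANDLE parent;
    InitializeObjectAttributes(&oa, &us, OBJ_CASE_INSENSITIVE, NULL, NULL);
    if (pOpen(&parent, KEY_READ, &oa) < 0) return -1;

    int found = 0;
    for (ULONG idx = 0;;) {
        BYTE buf[2048]; ULONG got;
        if (pEnum(parent, idx, 0 /* KeyBasicInformation */, buf, sizeof buf, &got) < 0)
            break;                                   /* STATUS_NO_MORE_ENTRIES or error */
        KBI *kb = (KBI *)buf;
        size_t n = kb->NameLength / sizeof(WCHAR);
        if (embedded_nul_index((const wch *)kb->Name, n) < 0) { idx++; continue; }
        found++;
        printf("subkey %lu: %zu code units, Win32 would see only %zu\n",
               (unsigned long)idx, n, win32_visible_length((const wch *)kb->Name, n));
        if (!do_delete) { idx++; continue; }
        /* Open the child by its full counted name, relative to the parent
         * handle; the embedded NUL travels to the kernel untouched. */
        UNICODE_STRING child = { (USHORT)kb->NameLength, (USHORT)kb->NameLength, kb->Name };
        OBJECT_ATTRIBUTES coa; HANDLE h;
        InitializeObjectAttributes(&coa, &child, OBJ_CASE_INSENSITIVE, parent, NULL);
        if (pOpen(&h, DELETE, &coa) >= 0) {
            NTSTATUS st = pDel(h);
            pClose(h);
            if (st >= 0) continue;   /* deleted: the next entry slides into this index */
        }
        idx++;                       /* could not delete: move past it */
    }
    pClose(parent);
    return found;
}
#endif
```

On the VPC box in the thread, after loading the hive in Regedit under, say, HKLM\Infected, a call such as purge_nul_subkeys(L"\\Registry\\Machine\\Infected\\Classes\\CLSID\\{the CLSID}", 1) would list and remove the offending InprocServer32 entry; pass 0 for do_delete to only report. Note the index handling: after a successful NtDeleteKey the remaining entries shift down, so the loop re-reads the same index instead of advancing.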