pssquiet

Reading Win 7 Registry Data as ASCII

6 posts in this topic

In an excellent article here, Iron Geek talks about various Win 7 items of interest to security. In his discussions of data in the registry, he says many times, "Values are in HEX, but readable if you open them in ASCII view."

 

I'm trying to figure out how to do this. There's no obvious mechanism in Regedit for reading registry data in ASCII. My efforts on Google led me to a few rather old utilities that don't seem to work as advertised. Any advice would be appreciated.

1


I tried exporting and reading with a hex editor, but it didn't work. I could be missing a major step though.....

 

Windows 10 actually has an "ASCII or plain text view" like a hex editor. So you could read them in regedit from Windows 10. If I'm not mistaken, Windows 7 - Windows 98 had two registry editors: RegEdit and RegEdit32. Each had some different functions, so you may want to try each and make sure you run them as administrator.

 

Here are a few tools I found on Google: https://www.raymond.cc/blog/convert-windows-registry-hex-to-text/

 

Cannot vouch for any of them... But looks like they should work.

 

 

Perhaps the hex editor I was using was just not using the same encoding as the Windows Registry? Maybe try exporting and reading in a hex editor that supports more encoding schemes. I just use HxD (a freeware one).

 

 

Here are some details about the Registry datatypes and how they are stored:

https://msdn.microsoft.com/en-us/library/windows/desktop/bb773476(v=vs.85).aspx

0


@tekio: The utilities on the page you linked are the ones I found initially. I've tried two of them, and neither worked, but the failure mode was odd enough that I can't tell if the problem is with the utilities or not.

 

In regedit I navigated to the key of interest, double-clicked, and got a window containing HEX data. I copied the data, intending to paste it into the Hex-to-ASCII utilities, but when I went to paste it I was unable to do so. I even tried opening a Notepad file and pasting there, but no joy.

 

Even stranger, I went back to regedit and tried CUTTING the data out of the window rather than copying. I still couldn't paste it into either the utilities or Notepad - it was as if my clipboard was simply empty, even though the information disappeared from the regedit window just as it normally does when I cut something.

 

This is puzzling because Iron Geek refers to this so casually - as though it's a basic operation that anyone ought to know about. But it seems surprisingly complex.

 

EDIT: I was unable to find regedit32 in Win 7. I did run regedit as an administrator, but I'm still getting the odd behavior described above.

Edited by pssquiet
0


Here's some more information. I tried the following:

 

I exported a key as a .reg file.

I right-clicked on the exported file and selected "Edit". This opened the file in a way that I could cut and paste. The data thus revealed was as follows:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU]
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff
"0"=hex:14,00,1f,78,40,f0,5f,64,81,50,1b,10,9f,08,00,aa,00,2f,95,4e,00,00

I tried pasting the "=hex" data into the HEX-to-ASCII utilities I've been using. The paste was successful this time, which is an improvement, but the utilities were still unable to convert it to ASCII. I get an "invalid entry" error.

 

So I've confirmed that the data I'm looking at is HEX, and I've pasted it successfully into the utilities, but I still don't have ASCII.

0
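An added example, not part of the original thread or written by any poster: a .reg export stores binary values as comma-separated byte pairs after a `hex:` (or `hex(N):`) prefix, so this Python sketch parses that form and prints a hex-editor-style dump with an ASCII column, using the two values quoted in the post above. The function names and the line wrap in the sample are assumptions made for the example.

```python
import re

# The two values below are the ones quoted in the post above; the trailing-backslash
# line wrap is constructed here to show how regedit splits long values.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU]
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff
"0"=hex:14,00,1f,78,40,f0,5f,64,81,50,1b,10,9f,08,00,aa,00,2f,95,\
  4e,00,00
'''

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=hex(?:\(([0-9a-fA-F]+)\))?:(.*)$')

def parse_hex_values(reg_text):
    """Return {(key, value_name): (type_id, bytes)} for every hex value."""
    text = re.sub(r'\\\r?\n[ \t]*', '', reg_text)  # join continuation lines
    out, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif (m := VALUE_RE.match(line)):
            # Plain "hex:" is REG_BINARY (type 3); "hex(N):" carries the type id.
            type_id = int(m.group(2), 16) if m.group(2) else 3
            data = bytes(int(b, 16) for b in m.group(3).split(',') if b.strip())
            out[(key, m.group(1).strip('"'))] = (type_id, data)
    return out

def hexdump(data, width=16):
    """Rows of offset, hex bytes and an ASCII column ('.' for non-printables)."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = ' '.join(f'{b:02x}' for b in chunk)
        text = ''.join(chr(b) if 32 <= b < 127 else '.' for b in chunk)
        rows.append(f'{off:04x}  {hexpart:<{width * 3 - 1}}  {text}')
    return rows

def as_text(type_id, data):
    """REG_SZ (1), REG_EXPAND_SZ (2) and REG_MULTI_SZ (7) hold UTF-16LE text."""
    if type_id in (1, 2, 7):
        return data.decode('utf-16-le', errors='replace').rstrip('\x00')
    return None  # binary types have no single text form; use hexdump()

if __name__ == '__main__':
    for (key, name), (type_id, data) in parse_hex_values(SAMPLE_REG).items():
        print(f'{key}\\{name} (type {type_id}, {len(data)} bytes)')
        print('\n'.join(hexdump(data)))
```

Files that regedit saves in the "Version 5.00" format are UTF-16 encoded, so read a real export with `open(path, encoding='utf-16')` before passing its text to `parse_hex_values`.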


It's a hexadecimal representation of binary data. What is it supposed to be? 

 

I think "14,00" is some kind of meta information. Searching around Google - all reg_binary data starts with "14,00".

 

"00" is a null character. 

 

 

Here is a HEX to ASCII (and extended ASCII) chart:

http://www.commfront.com/ascii-chart-table.htm

 

Here is how Windows stores reg_binary data:

[Image: 2015_06_19_02_21_50_Start.png]

 

 

Knock yourself out... There are plenty of functions in VB, C#, etc. to read the data and return the value of each byte. :-)

 

 

Perhaps someone will come along who can give you a cut-and-dry answer... I was just trying to help the best I could. Hope that points you in the right direction... I just don't really have time to research it too much.

 

 

EDIT: As far as Iron Geek's tutorial goes, we know that might have been a feature provided in the registry keys at the time he wrote the paper. Perhaps that has been taken out. I don't have Win7 so I cannot see either way, and it's been a while since I've used Win7.

 

I do know Iron Geek did participate in these forums a while back. Though they were pretty busy back then. Maybe try looking over Iron Geek's site for a contact email? He was always helpful to people posting in these forums, so sending him a quick email might get a response...

Edited by tekio
0


Just replying as a new reply, so OP might get an alert via email (vs editing).

 

 

I was on a Win7 machine today. To view ASCII-formatted (sometimes plain text) registry keys, go to: view > view binary data.

 

It will bring up a window similar to the one I posted in Win10.

Edited by tekio
0
