Radsoft

29 Reasons to Not Get Vista

Microsoft Windows Vista hits (assaults) consumers on 30 January 2007. Starting with New Year's Day that gives you twenty-nine days to think about the big mistake you're about to make.

Every day of January 2007 until Microsoft Windows Vista is released you can read yet another good reason why it's not a good idea to get it.

10 January 2007 Reason #10: The Registry.

'You can run but you can't hide': everybody's heard the expression. But when it comes to the Registry it's more like 'you can run and you can hide too - easily'. The Registry is the single most important reason trojans can survive on your computer. And other 'bad' stuff too.

You downloaded a shareware program but didn't like it? Too bad - the software probably went and hid something in your Registry. And odds are you'll never find it. If you try downloading the same program again it will probably be for nought. The software remembers where it hid that secret data last time around.

It's not like it's easy to find anything in there - the Registry is huge. It's a jungle of arcane keys and values and data - and even the most experienced software engineers can find a trip to the Registry daunting. And Microsoft recommend you never go in. Which works out nicely - for the wrong people.

Programmers welcomed the Registry after years of dealing with paraplegic 'INI files': simple text files using the 'INI' extension. Microsoft hadn't worked out - as others had done - how you store data in an arbitrary format in a text file. So all you could do was fetch and store character strings.

Microsoft actually provided an 'API' to fetch integers as well (as if that was much help) but to store the same numbers back again programmers had to write their own routine. Welcome to the World of Microsoft.

So moving to the Registry was welcome from their point of view. Suddenly you could fetch and store character strings, multiple character strings, integers, raw binary data - whatever you wanted. It was a complex system but still and all it was manageable. And it made for better software than was possible when using only INI files.

All data in the Registry is stored in two major keys which function much like disk folders: HKEY_LOCAL_MACHINE and HKEY_USERS (HKLM and HKU respectively). The former is for hardware, the latter for software.

There seem to be other major keys but there aren't: HKEY_CLASSES_ROOT (HKCR) is an alias into HKLM and HKEY_CURRENT_USER (HKCU) is an alias into HKU.

Some of the data in the Registry is stored on disk; some is not. In particular, at startup the system creates volatile hives in HKLM to define the local configuration: they're never stored on disk.

Software settings - including those for Windows - are stored in HKU (but there are exceptions).

And the layout is hierarchical: for example it's common to see the following path describing settings for Windows.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion

To find CurrentVersion in your Registry editor, you have to drill down from HKEY_LOCAL_MACHINE through each successive path component - through Software, Microsoft, and Windows - to find what you're looking for.

Given that many people experience vertigo when confronted with more than two hierarchical levels and given that all the above terminology is unfathomable, it's not hard to see why they're scared of the Registry. Couple that with the fact that all changes occur immediately and there is no 'undo' and you have a 'challenging' situation.

Which is why it's the perfect hiding place for unwelcome guests. Those trojans - and even ordinary shareware - are not about to hang a sign out front when they take up residence either. No: they'll obfuscate their presence. Pick a place that looks almost legit to the untrained eye.

Malware of today continually polls the Registry and changes values right before your eyes: you find unwelcome visitors in there, you delete them, and POOF right before your eyes they're back again.
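As an added example (not part of the original article), the following PowerShell reads the CurrentVersion path drilled to above and then baselines a key's values so that a value which quietly reappears after you deleted it shows up as a difference. It assumes a local Windows host with read access to HKLM; the key being watched is the article's own path, used here as a placeholder for whatever key you want to keep an eye on.

```powershell
# Added example, not code from the article. Assumes a local Windows host and
# read access to HKLM. Run in PowerShell, which exposes the Registry as drives.

# 1. The hierarchical path the article describes, read in one call instead of
#    drilling down key by key in the Registry editor.
$path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion'
Get-ItemProperty -Path $path | Select-Object ProgramFilesDir, CommonFilesDir

# 2. Snapshot every value under a key (name, type, data) into a hashtable.
function Get-RegistrySnapshot {
    param([Parameter(Mandatory)][string]$KeyPath)
    $snap = @{}
    $key = Get-Item -Path $KeyPath -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        $snap[$name] = [pscustomobject]@{
            Kind = $key.GetValueKind($name)
            # -join flattens REG_MULTI_SZ and REG_BINARY into a comparable string
            Data = ($key.GetValue($name, $null, 'DoNotExpandEnvironmentNames') -join ',')
        }
    }
    return $snap
}

# 3. Compare two snapshots and report values added, removed or altered.
function Compare-RegistrySnapshot {
    param([hashtable]$Before, [hashtable]$After)
    foreach ($name in $After.Keys) {
        if (-not $Before.ContainsKey($name)) {
            "ADDED   $name = $($After[$name].Data)"
        } elseif ($Before[$name].Data -ne $After[$name].Data -or
                  $Before[$name].Kind -ne $After[$name].Kind) {
            "CHANGED $name : '$($Before[$name].Data)' -> '$($After[$name].Data)'"
        }
    }
    foreach ($name in $Before.Keys) {
        if (-not $After.ContainsKey($name)) { "REMOVED $name = $($Before[$name].Data)" }
    }
}

# Usage: baseline the key, wait, re-snapshot, diff. A value you removed that is
# back again is reported as ADDED, which is the behaviour the article complains of.
$watch  = $path   # placeholder: substitute the key you actually want to watch
$before = Get-RegistrySnapshot -KeyPath $watch
Start-Sleep -Seconds 60
$after  = Get-RegistrySnapshot -KeyPath $watch
Compare-RegistrySnapshot -Before $before -After $after
```

Saving the baseline with Export-Clixml lets you compare across reboots rather than only within one session.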

The Registry is simultaneously a system weakness - some would say a system design flaw - in that all crucial data is stored willy-nilly in a small number of disk files. And as it's stored in 'binary' format, it's vulnerable to 'gray zone errors': glitches in the twilight between the hardware and software. If the data alignment's off by a single byte your system is toast.

And there are no upper limits either: if your Registry bloats too much (and it always bloats) you'll suddenly find strange things happening. The system will have 'maxed out' - all you'll get from your computer is 'gibberish'. And you can't recover the data either: it was in binary format; there's no way to figure out what went wrong; your data's gone forever. A minor disk I/O error - one byte out of whack - and your computer is a worthless piece of junk.

And did you ever notice how your system seems to go slower and slower for each passing day? That's your Registry helping out again.

Each time you try a new program (and leave remnants behind) your Registry gets more cluttered - with data you'd presume was irrelevant. But your Registry doesn't see it like that. Each file extension - each key under HKCR must be kept up to date at all times.

Which considering the architecture of the Registry seems impossible. But Microsoft found a way around that too. And it's a memory glutton.

Basically your system traverses the all but trivial HKCR at system startup and builds up a sort of database in your computer memory, and each time you rename a file or change a file association, the system's there to notice it.

And that takes a lot of memory (and CPU) to keep going continually. And each time a new program that can't clean up after itself leaves more junk in your Registry, this 'realtime' operation the system performs gets even slower.

And sometimes you think you're seeing things: that Registry seems to be sucking up more and more disk space all the time. And it's true - Registry storage technology literally 'sucks': it's based on 'OLE2', covered elsewhere in this series.

Microsoft initially promised the Registry would be gone in Vista, but promises are made to be broken.

Copyright © Radsoft. All rights reserved.