viewer9 documentation

Procmon Bug: Garbage in Registry Data

Procmon regularly shows garbage on the end of the Data field in certain kinds of Registry operations where the Data is not completely captured in the PML -- a PML only includes up to 16 bytes for RegType REG_BINARY/REG_NONE and up to 2KB for other types.

The worst case is with REG_BINARY/REG_NONE values over Length 16 bytes and QueryValType 1 in RegEnumValue and RegQueryValue where Procmon will generally read beyond the end of the evresults (see PML Binary Data and Results Offsets).

The following example shows how reasonable the garbage can look, especially because 32 bytes are displayed which is the same as the Length. But only the first 16 bytes are legitimate, the remainder were not captured and Procmon is displaying garbage.

The binary visibility in viewer9 allows examination of where Procmon goes past the end of evresults. The RegData is the last 16 bytes of evresults shown at the bottom in green starting at evresults[48]. Clicking into the file offset link at the top of the evresults would show where Procmon gets the garbage data from -- it actually includes bytes from the beginning of the next event in the PML.

The same problem has been observed for a REG_SZ with Length over 2048 in a RegSetValue event.

But another example where Procmon shows garbage on the end of the Data field is different because the complete value is captured in the PML. This case was observed for a RegType REG_SZ QueryValType 2 with odd Length of 9. Although a REG_SZ value should have an even byte Length because each char is 2 bytes, Windows apparently allows an odd length of data to be stored. Oddly (pun intended), Procmon shows a 9 character wide string where only the first 4 characters are legitimate.

Procmon Bug: Garbage in Registry Data

See also