RegView – Exploring hidden windows registry data

A long time ago I came across Trojan.Poweliks. Its low detection rate, file-less nature and interesting persistence method made me think about one question: “is there a freely available tool that can display hidden registry values?”

Tremendous research has been performed by Security Response; if you want to get familiar with this threat, you absolutely must read it:

The evolution of the fileless click-fraud malware Poweliks


At that time the question remained open, so I decided to get my hands dirty and tried the following free tools:

    • Windows RegEdit -> Failed to display hidden data (key export failed as well)
    • ntRegedit -> Failed to display hidden data
    • SpyBot’s RegAnalyzer -> Failed to display hidden data
    • Autoruns -> Displayed the data partially

Script code (uses the python-registry module; hive path and key path are taken from the command line):

import sys
from Registry import Registry   # python-registry

if len(sys.argv) != 3:
    print("Usage: script.py <HiveFile> <RegKey>")
    sys.exit(1)
HiveFile, RegKey = sys.argv[1], sys.argv[2]   # RegKey is relative to the hive root, e.g. Software\Microsoft\Windows\CurrentVersion\Run

RegistryHiveHandle = open(HiveFile, "rb")
reg = Registry.Registry(RegistryHiveHandle)

print("Hive:        ", HiveFile)
print("Key:         ", RegKey)
try:
    key = reg.open(RegKey)
except Registry.RegistryKeyNotFoundException:
    print("Couldn't open key. Exiting...")
    sys.exit(1)
print("Modified:    ", key.timestamp())
for value in key.values():
    # value.name() is the value name; value.value() is the decoded data
    print(" - Value: [", value.name(), "]", " --> [", value.value(), "]", sep="")


Finally I got an even crazier idea: since I didn’t have much knowledge of C++, I realized it was a very good moment to get it by developing a tool I needed.


That was the birth of RegView (a registry viewer by Witold ;-)) … The details below:

RegView is a command-line tool written in C/C++ based on registry functions imported from the ntdll.dll library. It allows retrieving information from the live Windows registry (including hidden values and keys with non-printable names).

It can be useful when troubleshooting a malware infection or during live forensics.


It does support:

- Hidden registry values (not visible in Windows RegEdit)
- Hidden registry keys (incorrectly displayed and non-accessible in Windows RegEdit)
- Sub-key enumeration
- Removal of registry keys (including sub-keys and hidden keys/values)
- Exporting of registry keys containing hidden values or non-printable key names


Script usage (IMPORTANT)

- Run RegView from the command line with the appropriate parameters.

/h          Print help
-k <HKEY>   Registry key for enumeration
/d          Remove the specified key (with sub-keys); /s gets enabled automatically, and “ACTION: DeleteKey!” appears in the output
/u          Print value data in Unicode hex (REG_SZ only)
/s          Print sub-keys recursively
/v          Print sub-key values
/t          Print execution time (start time, end time)


Examples (Taken from a machine infected with Trojan.Poweliks)

RegView /s /v -k "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" > ConsoleOutput.txt


Output Format:

 [LastWriteTime], [NT KeyPath], [KeyName: size in bytes], [KeyName], [KeyName in hex], [SubKeys Num], [Values Num]
 [ValueType], [ValueName: size in bytes], [ValueName], [ValueName in hex], [ValueData size in bytes], [DataValue], [ValueData in hex]
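As an added example (not RegView’s own code, which is C/C++), the Python below sketches what a viewer has to do to fill the fields above: report a key or value name as its UTF-16LE byte size and hex so that names containing control characters (NUL, 0x01 and the like, written as /uXXXX in the same notation used in the planned enhancements) stay visible, and decode raw value data for the REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ, REG_DWORD, REG_QWORD and REG_BINARY types. The `unicode_hex` flag mirrors the /u switch. All function and constant names are mine, and the sample values are constructed, not taken from a real hive.

```python
import re
import struct

# Standard Windows REG_* type codes (fixed by the Win32 API).
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ, REG_QWORD = 1, 2, 3, 4, 7, 11
TYPE_NAMES = {REG_SZ: "REG_SZ", REG_EXPAND_SZ: "REG_EXPAND_SZ", REG_BINARY: "REG_BINARY",
              REG_DWORD: "REG_DWORD", REG_MULTI_SZ: "REG_MULTI_SZ", REG_QWORD: "REG_QWORD"}


def name_size(name):
    """Size in bytes of a key/value name as stored in the hive (UTF-16LE, no terminator)."""
    return len(name.encode("utf-16-le"))


def name_to_hex(name):
    """Hex of the UTF-16LE bytes; this field stays readable even when the name is unprintable."""
    return name.encode("utf-16-le").hex()


def has_nonprintable(name):
    """True if the name contains control characters (NUL, 0x01, ...). Win32 string APIs stop
    at the first NUL, so RegEdit cannot show or address such a name; the native API can."""
    return any(ord(c) < 0x20 for c in name)


def safe_name(name):
    """Printable rendering with control characters escaped as /uXXXX."""
    return "".join(c if ord(c) >= 0x20 else "/u%04x" % ord(c) for c in name)


def parse_escaped_name(text):
    """Inverse of safe_name: turn /uXXXX escapes back into characters (hypothetical /d input format)."""
    return re.sub(r"/u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)


def decode_value(vtype, data, unicode_hex=False):
    """Decode raw little-endian value bytes by type. With unicode_hex, REG_SZ data is
    returned as the hex of its UTF-16LE bytes instead of as text (like the /u switch)."""
    if vtype in (REG_SZ, REG_EXPAND_SZ):
        if unicode_hex:
            return data.hex()
        # NUL-terminated UTF-16LE; a malformed value may lack the terminator, split() copes either way
        return data.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    if vtype == REG_MULTI_SZ:
        # Sequence of NUL-terminated strings, ended by an extra NUL (an empty string)
        parts = data.decode("utf-16-le", errors="replace").split("\x00")
        while parts and parts[-1] == "":
            parts.pop()
        return parts
    if vtype == REG_DWORD:
        return struct.unpack("<I", data[:4])[0]
    if vtype == REG_QWORD:
        return struct.unpack("<Q", data[:8])[0]
    return data.hex()  # REG_BINARY and unknown types: raw hex


def format_value_line(vtype, name, data, unicode_hex=False):
    """[ValueType], [ValueName: size], [ValueName], [ValueName in hex], [Data size], [DataValue], [ValueData in hex]"""
    return "[%s], [%d], [%s], [%s], [%d], [%s], [%s]" % (
        TYPE_NAMES.get(vtype, str(vtype)), name_size(name), safe_name(name),
        name_to_hex(name), len(data), decode_value(vtype, data, unicode_hex), data.hex())


# Constructed sample values: the first one has a name starting with NUL and 0x01.
SAMPLE_VALUES = [
    (REG_SZ, "\x00\x01a", "hello".encode("utf-16-le") + b"\x00\x00"),
    (REG_DWORD, "Start", b"\x02\x00\x00\x00"),
    (REG_MULTI_SZ, "Deps", "x\x00yy\x00\x00".encode("utf-16-le")),
]

if __name__ == "__main__":
    for vtype, name, data in SAMPLE_VALUES:
        flag = "  <-- not displayable in RegEdit" if has_nonprintable(name) else ""
        print(format_value_line(vtype, name, data) + flag)
```

The hex column is the one to trust during an investigation: a name that looks empty or truncated in the text column but has a non-zero byte size and bytes such as 0000 or 0100 at the start of its hex is exactly the hidden-name case the page describes.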



– Change: Added support for the following registry types: REG_MULTI_SZ, REG_EXPAND_SZ, REG_DWORD, REG_QWORD, REG_BINARY
– Some old code clean-up
– New parameter “/t” prints execution time


Planned enhancement requests:

– “/d” should support hex format of the key name (for non-printable key names),
like “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\/u0001/u0000/u0001”
– A parameter that controls the number of items displayed
– Create RegView.dll 😉
– Option to enumerate registry keys within other user profiles
– Handle offline registry hives


Witold Lawacz