
How Do You Know if a Registry Entry is Malware or Safe

Posted: March 3, 2009

What are the Symptoms of a Corrupted Registry?

Here are some common symptoms when a registry is infected with spyware.

  • Spyware applications may fill your registry with unwanted files, orphaned applications and other trash that can cause slower operating speeds.
  • If your registry is populated with malicious entries, constant blue screens may appear.
  • The screen freezes when you turn your PC on and you may be unable to use your keyboard or the mouse when you attempt to boot to safe mode.
  • Spyware applications may make registry modifications which can make your system begin to display random error messages or cause crashes.
  • A malicious registry entry can force the system to run a malicious program every time the compromised computer starts up.

How Can You Tell if a Registry Entry is Legitimate?

The registry is a complex structure that can be corrupted by malicious programs, which modify existing key values and create new ones. Malicious programs such as spyware arrange for their code to run automatically, which often has a negative effect on legitimate software.

Safe registry entries are created by legitimate software applications and by the Windows operating system itself. Windows includes a huge hierarchical database called the registry. The Windows Registry holds configuration settings and options for the operating system and installed programs; it is vital for the basic operation of a PC and should be handled with extreme care.

Registry entries are split into a number of logical sections, mostly depending on the type of function they perform. Safe registry entries and malicious registry entries may look similar in some instances, which is why it is important to determine the difference using our registry database.

Some Windows system files and registry files should not be modified. However, some registry keys, INI files and other types of files are regularly modified by legitimate programs. For example, the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run registry key is a common target of spyware authors, but Microsoft cannot block applications from modifying this key because some programs (e.g., anti-spyware programs) legitimately change it. If you're not sure about the legitimacy of a registry key or entry, check it with an anti-spyware program.

The Effects of Malware on a Windows Registry

Malware registry entries are created to modify the behavior of an infected PC. Malware can modify the Windows Registry to delete, hide, or add registry entries. Once a Windows Registry has been infected with malware, it can be manipulated to run malicious files every time the machine restarts and to perform other malicious functions, such as changing Internet Explorer settings. Removing malware registry entries is essential to rid a system of malware files or a malicious program.

The Windows Registry is a large hierarchical database of configuration data that software applications rely on for successful operation. When the registry becomes populated with malware registry entries, system behavior and stability may suffer, and additional malware may be installed. Depending on the type of malware on an infected system, the number of malware registry entries in the Windows registry varies. Malware files have been known to reappear after removal because a malware registry entry re-creates them.

How to Repair Your Registry?

You can repair your computer's registry manually by launching regedit.exe from the Windows directory. Be careful when editing your registry: because the Windows registry is such a vast hierarchical database, you could easily cause irreversible damage to your system if you don't know what you're doing. To automatically get rid of unwanted registry keys or malicious registry entries, and to reduce spyware threats and risk, we recommend you use a combination of an anti-spyware program and a registry cleaner to remove malicious registry entries from your PC.

One Comment

  • Javik says:

    About the only way to know what should or shouldn't be there is to look at the registry of a working computer and compare it to the infected one. Note, the operating system version (XP, Windows 7, etc) needs to be the same as well as Service Packs, and installed program differences will mean some settings are not present between them. Also removed programs often leave behind settings in the registry.

    Many of the things malware does to a computer are actually built-in "features" intended for use by network administrators to "lock down" the appearance or functionality of a business computer. These features are controllable through Group Policy but really end up as registry entry changes. A huge collection of system restrictions are applied here:

    HKEY_LOCAL_MACHINE\Software\Policies
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
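The comparison the commenter describes, applied to the Run key the article singles out and the Policies keys listed above, as an added example that is not the page's own code: it parses two regedit .reg exports (a known-good machine and the suspect one), reports Run values the baseline lacks or holds with different data, tags those launched from throwaway directories, and lists policy keys that exist only on the suspect. The sample exports, value names and paths are constructed, and the directory heuristic is an assumption of this example, not a rule from the page.

```python
import re
# Keys the article and the comment single out (the export just has to cover them).
WATCHED = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
           r"HKEY_LOCAL_MACHINE\Software\Policies",
           r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies",
           r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies")
SUSPICIOUS_DIRS = ("\\temp\\", "\\users\\public\\")  # heuristic only: odd homes for an autostart

def parse_reg(text):
    """Parse a .reg export (hex continuation lines joined) into {key: {value_name: data}}."""
    keys, current = {}, None
    for line in (ln.strip() for ln in re.sub(r"\\\r?\n\s*", "", text).splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)  # "Name"=data (default values skipped)
        if m and current is not None:
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':  # quoted string: undo \\ and \"
                data = re.sub(r'\\(["\\])', r"\1", data[1:-1])
            current[m.group(1)] = data
    return keys

def triage(baseline_reg, suspect_reg):
    """Compare a suspect export with a clean baseline; return (run_findings, new_policy_keys)."""
    base, sus = parse_reg(baseline_reg), parse_reg(suspect_reg)
    run_findings, new_policy_keys = [], []
    for key, values in sus.items():
        k = key.lower()
        watched = next((w for w in WATCHED if k == w.lower() or k.startswith(w.lower() + "\\")), None)
        if watched and not watched.endswith("\\Run"):
            if key not in base:
                new_policy_keys.append(key)  # a policy key the clean machine never had
        elif watched:
            for name, data in values.items():
                if base.get(key, {}).get(name) != data:  # absent or changed vs. the known-good machine
                    flag = "suspicious-path" if any(d in data.lower() for d in SUSPICIOUS_DIRS) else "review"
                    run_findings.append((name, data, flag))
    return run_findings, new_policy_keys

# Constructed sample exports (not from real systems): the suspect gained two Run entries and a policy key.
BASELINE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorUpdater"="\"C:\\Program Files\\Vendor\\updater.exe\" /background"
'''
SUSPECT_REG = BASELINE_REG + r'''"SysTray"="C:\\Users\\Public\\systray.exe"
"Helper"="C:\\Windows\\System32\\helper.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
'''
```

Entries tagged "review" are the case the article warns about: a value added in the normal location that may be legitimate software or malware, so it still needs a closer look.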
