Posted (edited)

So I was doing some registry pruning and once again stumbled upon this oddly titled key and value. Every time I see it, it makes me go hmm. The full key is this:

[HKEY_LOCAL_MACHINE\Software\Microsoft\J9<000000]

"é "=hex:05,40,45,45

...and it has been there since a clean install of Win98se.

Google turns up nothing, so does anybody know what gives with J9, and why would it ever be less than 000000? And further, what is up with that funky binary value? Somehow it seems a shame to delete this bit of cryptic until I understand its inscrutable purpose. :)

Edited by chromatic47

Posted

I don't have that key... sorry :(

But... I do have this one:

[HKEY_LOCAL_MACHINE\Software\Microsoft\D=5000000]

"} "=hex:04,80,84,84

... which is also a bit strange...

Posted

I have

[HKEY_LOCAL_MACHINE\Software\Microsoft\G52373<:=]

name = %sãú

value = cd cd f0 cd

might it be put there by the wga validation program, which generates the little cut and paste to download wga stuff?

(reactOS is lurking large in the future ...)

Posted

Mine:

HKEY_LOCAL_MACHINE\Software\Microsoft\G13?:8<02

1Żč, CC 0C F2 CC

might it be put there by the wga validation program, which generates the little cut and paste to download wga stuff?

WGA in Win98? NO WAY!!! :realmad:

Posted

might it be put there by the wga validation program

Definitely not. Perhaps it is the encrypted Windows serial number? Does Win98 still work after deleting this key? What registration info does Control Panel -> System show after deleting this key?

Posted

Perhaps it is the encrypted Windows serial number? Does Win98 still work after deleting this key? What registration info does Control Panel -> System show after deleting this key?

Well I deleted that key and Windows boots/runs with no complaints. The registration info is unchanged in CP. I'm going to merge it back in there though, as who knows if it will apply later on for some process. :whistle:

Posted (edited)

Nothing like this on my machine, for what it's worth!
Maybe it's a fingerprint or identifying code, so that they know who is doing what, for Big Brother's monitoring/tapping/recording of the whole internet? Or maybe a key for decrypting encrypted stuff?

Maybe it's just used to mark users of a US opsys version, since you are from the UK and you don't have it? All postings reporting markers, except for Lecco's, are from the US. Maybe they watch only those people who don't have a marker? :thumbup

In any case it looks like something intentionally hidden, and is therefore worthwhile investigating. :whistle:

What is listed on your Internet Explorer -> About under Cipher Strength? Is it 128-bit (=strong encryption)?

Edited by Multibooter

Posted (edited)

Congrats whatever420, you have a virus.

http://www.symantec.com/security_response/...-99&tabid=2

I'd be willing to bet most garbage keys you find in that path are malware. Have you tried HijackThis to see what it thinks?

Do a Google for

HKEY_LOCAL_MACHINE\Software\Microsoft\G

HKEY_LOCAL_MACHINE\Software\Microsoft\J

HKEY_LOCAL_MACHINE\Software\Microsoft\K

you will see many eerily similar entries that other people cannot identify. Everything in this section should be M$ and clearly identified, from what I gather. The most nondescript entry I have is the WZCSVC (wireless zero config service).

Edited by iamtheky

Posted

I'm going to merge it back in there though, as who knows if it will apply later on for some process.

What happens if you replace your marker with that of somebody else? If it's an encryption key, something might stop working.

Also: maybe it's an identifier for strong encryption of the installed IE, which about 10 years ago was still under US export controls?

Posted (edited)
Also: maybe it's an identifier for strong encryption of the installed IE, which about 10 years ago was still under US export controls?

In case this relates to that possibility -- the key names posted here are all 9 characters long, with 4 data values each. It would be rather a highly visible way to hide an encrypted string within the registry. I mean, there are less obvious ways to do it. Especially having only 4 characters, it seems possible that this data was meant to be written to, not just read.

I just tried substituting a different key, rebooted etc, but nothing happened.

(well..... so far ....... :)

Edited by chromatic47
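
The two observations above (unknown keys directly under HKLM\Software\Microsoft with 9-character, punctuation-laden names, and a 4-byte binary value under a non-ASCII value name) can be turned into a simple triage check. The script below is an added example, not code from any poster: it parses a REGEDIT4-style export (the sample text is constructed to mirror the entries quoted in this thread) and flags the direct subkeys whose names or values fit that pattern; the character whitelist and the 4-byte threshold are assumptions chosen to match what was posted here.

```python
import re

# Constructed .reg export mirroring entries quoted in this thread (WZCSVC value is made up).
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\WZCSVC]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\Software\Microsoft\J9<000000]
"é "=hex:05,40,45,45
[HKEY_LOCAL_MACHINE\Software\Microsoft\G52373<:=]
"%sãú"=hex:cd,cd,f0,cd
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"ProgramFilesDir"="C:\\Program Files"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')               # [HKEY_...\path]
VALUE_RE = re.compile(r'^(@|"(.*?)")=(.*)$')     # "name"=data  or  @=data
PARENT = r"HKEY_LOCAL_MACHINE\Software\Microsoft"
SANE_LEAF = re.compile(r'^[A-Za-z0-9 ._\-{}()]+$')  # assumed: how vendor subkeys are named
PRINTABLE = re.compile(r'^[\x20-\x7e]*$')           # plain-ASCII value names

def parse_reg(text):
    """Return {key_path: [(value_name, raw_data), ...]} from a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        k = KEY_RE.match(line.strip())
        if k:
            current = k.group(1)
            keys[current] = []
        elif (v := VALUE_RE.match(line.strip())) and current is not None:
            name = "" if v.group(1) == "@" else v.group(2)
            keys[current].append((name, v.group(3)))
    return keys

def suspicious_subkeys(keys):
    """Flag direct children of PARENT whose names or values look generated, not vendor-named."""
    findings = []
    for path, values in keys.items():
        head, _, leaf = path.rpartition("\\")
        if head.lower() != PARENT.lower():
            continue  # only the level this thread is about
        reasons = [] if SANE_LEAF.match(leaf) else ["odd characters in key name %r" % leaf]
        for name, data in values:
            if not PRINTABLE.match(name):
                reasons.append("non-ASCII value name %r" % name)
            if data.lower().startswith("hex:") and len(data.split(",")) <= 4:
                reasons.append("tiny REG_BINARY blob %s" % data)
        if reasons:
            findings.append((leaf, reasons))
    return findings
```

Run against a real export of that branch, the output is a short list of leaf names with the reason each was flagged, which is what you would then look up or compare with a known-clean install.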
Posted

I just made a search with Win98 Find -> Containing text in \Windows\ with the 9-digit registry key name. This 9-digit string occurs only in the registry file System.dat and its backups, but a couple of bytes after its occurrence the hex editor displays the following:

CryptographyQ.......Q...........Machine Settings............CatRootE:\USWIN98\SYSTEM\CatRoot\....................Providers....................Trust"......."...........Initialization{.......{...&.......{D41E4F1D-A407-11D1-8BC9-00C04FA30A41}............$DLLSOFTPUB.DLL

The registry has 2 entries under the key HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\CertCheck\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41}: SOFTPUB.DLL and SoftpubCheckCert

So it's possibly an encryption key, but what might Microsoft want to encrypt differently for each installed instance of Windows? Or is it just the encrypted Product Key (cd key) used to install Windows, saved in the registry?
