Hi @ll,

according to the value data for REG_SZ and REG_EXPAND_SZ must be

| A null-terminated string...

and the value data for REG_MULTI_SZ must be

| A sequence of null-terminated strings, terminated by an empty string (\0).

The registry hives delivered with ALL versions of Windows however contain
entries with improper/invalid value data which does not satisfy the data
type definitions given above.

ERRORS:

* all (about 1550) REG_SZ entries with value name "CatalogThumbprint" in
  the COMPONENTS hive of Windows Vista, 2008, 7, 8, 8.1 and 2012 are NOT
  NUL-terminated (the size of the value data is 64 or 128 bytes, but
  should be 66 or 130 bytes, respectively).
  JFTR: a developer with a sane mind would however use REG_BINARY for hashes!
* all REG_SZ entries with value name "ConfigFilePath" (in subkeys of the
  key "Microsoft\Fusion\PublisherPolicy\Default") of the SOFTWARE hive of
  Windows 8, 8.1 and 2012 are NOT NUL-terminated.
* the REG_SZ entries in the unnamed default values of the following keys
  of the SOFTWARE hive of Windows 8, 8.1 and 2012 are NOT NUL-terminated:
    "Microsoft\MMC\SnapIns\{7478EF61-8C46-11d1-8D99-00A0C913CAD4}\NodeTypes\{7478EF63-8C46-11d1-8D99-00A0C913CAD4}"
    "Microsoft\MMC\SnapIns\{7478EF61-8C46-11d1-8D99-00A0C913CAD4}\NodeTypes\{7478EF66-8C46-11d1-8D99-00A0C913CAD4}"
    "Microsoft\MMC\SnapIns\{7478EF61-8C46-11d1-8D99-00A0C913CAD4}\NodeTypes\{7478EF67-8C46-11d1-8D99-00A0C913CAD4}"
    "Microsoft\MMC\SnapIns\{7478EF61-8C46-11d1-8D99-00A0C913CAD4}\NodeTypes\{7478EF68-8C46-11d1-8D99-00A0C913CAD4}"
* the REG_MULTI_SZ entry "Languages" in key
  "Control Panel\International\User Profile System Backup" of the DEFAULT
  and all NTUSER.DAT hives (except for the SYSTEM profile) of Windows 8,
  8.1 and 2012 contains 2 strings of 4 characters (which need 22 bytes),
  but has a size of only 12 bytes.
* the REG_DWORD entries in the unnamed default values of the following
  keys of the SECURITY hive have a length of 0 bytes:
    "Policy\Secrets\0083343a-f925-4ed7-b1d6-d95d17a0b57b-RemoteDesktopHelpAssistantAccount"
    "Policy\Secrets\0083343a-f925-4ed7-b1d6-d95d17a0b57b-RemoteDesktopHelpAssistantSID"
    "Policy\Secrets\20ed87e2-3b82-4114-81f9-5e219ed4c481-SALEMHELPACCOUNT"
    "Policy\Secrets\DefaultPassword"
    "Policy\Secrets\DPAPI_SYSTEM"
    "Policy\Secrets\G${ED8F4747-E13D-47bc-856B-5CEFE1A81A7F}"
    "Policy\Secrets\L$HYDRAENCKEY_28ada6da-d622-11d1-9cb9-00c04fb16e75"
    "Policy\Secrets\L$RTMTIMEBOMB_1320153D-8DA3-4e8e-B27B-0D888223A588"
    "Policy\Secrets\L${6B3E6424-AF3E-4bff-ACB6-DA535F0DDC0A}"
    "Policy\Secrets\NL$KM"
    "Policy\Secrets\_SC_Alerter"
    "Policy\Secrets\_SC_ALG"
    "Policy\Secrets\_SC_Dnscache"
    "Policy\Secrets\_SC_LmHosts"
    "Policy\Secrets\_SC_MSDTC"
    "Policy\Secrets\_SC_RpcLocator"
    "Policy\Secrets\_SC_RPCSS"
    "Policy\Secrets\_SC_SSDPSRV"
    "Policy\Secrets\_SC_upnphost"
    "Policy\Secrets\_SC_WebClient"
* the REG_QWORD entries in the "ExecTime" values of the following keys of
  the SOFTWARE hive have a length of 16 bytes:
    "Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown\0\0"
    "Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup\0\0"
    "Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-1275210071-630328440-1644491937-1003\Scripts\Logoff\0\0"
    "Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-1275210071-630328440-1644491937-1003\Scripts\Logon\0\0"
    "Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-1275210071-630328440-1644491937-500\Scripts\Logoff\0\0"
    "Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-1275210071-630328440-1644491937-500\Scripts\Logon\0\0"
    "Policies\Microsoft\Windows\System\Scripts\Shutdown\0\0"
    "Policies\Microsoft\Windows\System\Scripts\Startup\0\0"
* (some more...)

The erroneous, not NUL-terminated REG_[*_]SZ values can lead to buffer overflows.
The zero sized REG_DWORD values can lead to use of random data.
The erroneous, 16 byte long REG_QWORD values can lead to buffer overflows.

JFTR: why do Microsoft's SDL and their QA miss such silly, automatically
      detectable errors?

ISSUES:

* the REG_SZ entries in the subkeys of the key
  "Software\Classes\Local Settings\MuiCache" in the DEFAULT and every
  user's NTUSER.DAT hive have a size which is 1 character (2 bytes)
  greater than the actual string length.
* the REG_SZ entries in the unnamed default values of the following keys
  of the SOFTWARE hive have a size twice their actual string length:
    "Classes\SystemFileAssociations\.doc\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
    "Classes\SystemFileAssociations\.dot\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
    "Classes\SystemFileAssociations\.fpx\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
    "Classes\SystemFileAssociations\.mic\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
    "Classes\SystemFileAssociations\.mix\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
    "Classes\SystemFileAssociations\.mpp\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
    "Classes\SystemFileAssociations\.obd\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
    "Classes\SystemFileAssociations\.obt\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
    "Classes\SystemFileAssociations\.pot\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
    "Classes\SystemFileAssociations\.ppt\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
    "Classes\SystemFileAssociations\.xls\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
    "Classes\SystemFileAssociations\.xlt\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
* the REG_SZ entries with value names "SetId", "Recent" and "Internal" in
  the subkeys of the key "ControlSet001\Control\GraphicsDrivers" of the
  SYSTEM hive have a size which is 1 character (2 bytes) greater than the
  actual string length.
* the REG_SZ entries with value names "Previous Names", "ColorProfiles"
  and "App Registration" in the subkeys of the key
  "ControlSet001\Control\Print\Environments\Windows NT x86\Drivers" of the
  SYSTEM hive have a size which is 1 character (2 bytes) greater than the
  actual string length.
* the REG_SZ entry "SpecialPollTimeRemaining" in key
  "ControlSet001\Services\W32Time\TimeProviders\NtpClient" of the SYSTEM
  hive has a size which is larger than the actual string length.
* (many more...)

A complete log of errors and inconsistencies found in the registry hives
(of the evaluation version) of Windows 8.1 (codename "BLUE", hence the
filename) is available from

This log was generated by a Win32 program that uses OFFREG.DLL (cf. ,
included in Windows 8.1) to dump offline registry hives and to detect
errors and inconsistencies in key names, value names and value data.

regards
Stefan Kanthak
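
The size checks described in the message above (terminating NUL for REG_SZ and REG_EXPAND_SZ, final empty string for REG_MULTI_SZ, 4 and 8 bytes for REG_DWORD and REG_QWORD), as an added example that is not part of the original post and not the author's OFFREG.DLL-based program. It works on raw UTF-16LE value data; check_value, the verdict names and the sample buffers are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Registry value type codes as defined in winnt.h. */
enum { REG_SZ = 1, REG_EXPAND_SZ = 2, REG_DWORD = 4, REG_MULTI_SZ = 7, REG_QWORD = 11 };
/* Verdicts of this added example (hypothetical names). */
enum verdict { V_OK, V_NOT_TERMINATED, V_EXCESS_DATA, V_BAD_SIZE };

/* Index of the first UTF-16 NUL among `units` code units, or `units` if none. */
static size_t first_nul(const unsigned char *p, size_t units)
{
    size_t i = 0;
    while (i < units && (p[2 * i] | p[2 * i + 1]))
        i++;
    return i;
}

/* Compare the stored size of value data with what its declared type requires. */
enum verdict check_value(unsigned type, const unsigned char *data, size_t size)
{
    size_t units = size / 2, pos = 0, nul;

    if (type == REG_DWORD) return size == 4 ? V_OK : V_BAD_SIZE;
    if (type == REG_QWORD) return size == 8 ? V_OK : V_BAD_SIZE;
    if (type != REG_SZ && type != REG_EXPAND_SZ && type != REG_MULTI_SZ)
        return V_OK;                          /* other types: not checked here */
    if (size % 2) return V_BAD_SIZE;          /* not whole UTF-16 code units */
    for (;;) {
        nul = first_nul(data + 2 * pos, units - pos);
        if (nul == units - pos) return V_NOT_TERMINATED; /* data ends first */
        if (type != REG_MULTI_SZ || nul == 0) break;     /* final terminator */
        pos += nul + 1;                                  /* next list entry */
    }
    return pos + nul + 1 == units ? V_OK : V_EXCESS_DATA;
}

/* Constructed UTF-16LE sample data, not taken from a real hive. */
const unsigned char sz_ok[]     = { 'a',0, 'b',0, 0,0 };
const unsigned char sz_unterm[] = { 'a',0, 'b',0, 'c',0, 'd',0 };
const unsigned char sz_padded[] = { 'a',0, 'b',0, 0,0, 0,0 };
const unsigned char multi_ok[]  = { 'a',0, 0,0, 'b',0, 0,0, 0,0 };
const unsigned char multi_cut[] = { 'a',0, 'b',0, 0,0, 'c',0 };

int main(void)
{
    printf("%d %d %d\n", check_value(REG_SZ, sz_unterm, sizeof sz_unterm),
           check_value(REG_SZ, sz_padded, sizeof sz_padded),
           check_value(REG_MULTI_SZ, multi_cut, sizeof multi_cut));
    return 0;
}
```

A reader of such data that relies on the declared type instead of the stored size is the case the message warns about; running this check before using the data turns it into a reportable verdict.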