Home/ Questions/Q 1032459
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-16T14:04:48+00:00

I opened up regedit and made an empty binary value monitoring it using ProcessMonitor.exe.

  • 0

I opened up regedit and made an empty binary value monitoring it using ProcessMonitor.exe. I set up a filter so that it included anything mentioning the registry path of the empty binary value’s key and excluded everything else. When making a new binary value, it creates the unnamed one, then when I rename it to something else it deletes the unnamed one. However, it doesn’t set anything with the new name, it just queries the value which returns an error until after I close the key in regedit then open it again and it now queries successfully the empty REG_BINARY.

At no point do I see any set value calls, and I looked on msdn, it doesn’t say querying non-existing values creates them. How does it make the new value?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Doing this on XP, you can also get the RegMon output, and that lists SetValue:

    ProcMon:

    "Sequence","Time of Day","Process Name","PID","Operation","Path","Result","Detail","Event Class"
"8456","20:15:47,6493609","regedit.exe","420","RegQueryValue","HKCU\Software\test\New Value #1","NAME NOT FOUND","Length: 144","Registry"
"8559","20:15:51,2066619","regedit.exe","420","RegQueryValue","HKCU\Software\test\foo","NAME NOT FOUND","Length: 144","Registry"
"8560","20:15:51,2066761","regedit.exe","420","RegQueryValue","HKCU\Software\test\New Value #1","SUCCESS","Type: REG_BINARY, Length: 0","Registry"
"8561","20:15:51,2066864","regedit.exe","420","RegQueryValue","HKCU\Software\test\New Value #1","SUCCESS","Type: REG_BINARY, Length: 0","Registry"
"8562","20:15:51,2075572","regedit.exe","420","RegDeleteValue","HKCU\Software\test\New Value #1","SUCCESS","","Registry"
"8618","20:15:52,9198131","regedit.exe","420","RegCloseKey","HKCU\Software\test","SUCCESS","","Registry"

    RegMon:

    1   2.38380957  regedit.exe:420 QueryValue  HKCU\Software\test\New Value #1 NOT FOUND       
2   2.38436174  regedit.exe:420 SetValue    HKCU\Software\test\New Value #1 SUCCESS     
3   5.36779499  regedit.exe:420 QueryValue  HKCU\Software\test\foo  NOT FOUND       
4   5.36780643  regedit.exe:420 QueryValue  HKCU\Software\test\New Value #1 SUCCESS     
5   5.36781597  regedit.exe:420 QueryValue  HKCU\Software\test\New Value #1 SUCCESS     
6   5.36884880  regedit.exe:420 SetValue    HKCU\Software\test\foo  SUCCESS     
7   5.36890793  regedit.exe:420 DeleteValueKey  HKCU\Software\test\New Value #1 SUCCESS     
8   9.04430676  regedit.exe:420 CloseKey    HKCU\Software\test  SUCCESS

    The regmon output looks like a rename operation to me (QV,QVx2,SV,DV) Maybe regmon uses hooking and procmon uses the documented registry monitor api (Or maybe a procmon bug?)

    I tested both the latest and a older version on procmon; v1.37 (The older versions don’t have a huge ETW delay when you toggle monitoring on/off on XP)

    • 0