Windows Confidential: Encoding Is Not Encrypting

Raymond Chen

Start menu usage information is encoded—a word I select carefully so as not to mislead—in the registry. While encoding is about changing the form of data, encryption suggests that recovering the plain text is intended to be difficult: It isn't. Encryption also suggests that the encoding algorithm is supposed to be resilient to attack: It isn't.

The usage information is encoded so that it won't turn up during F3 searches through the registry for SomeAppName.exe. Such searches happen when people run hand-written "uninstall verification" tools that scour the hard drive and registry. If the usage information were recorded in plain text, these tools would find the entry in the usage database and then report a supposed uninstall as incomplete. However, uninstall programs are not expected to delete that registry key. They didn't create it; they don't need to delete it. In fact, usage information is supposed to outlive the uninstall. That way, if a user uninstalls and then reinstalls a program, the Start menu can say, "Welcome back! Here is your high-ranking spot on the Start menu."

Encoding also serves as a signal to programmers: "You are not expected to mess with this." If programmers do want to mess with it, they have to apply the (extremely simple but still non-null) decoding algorithm before proceeding. This makes updates, deletions and other types of messing around with those registry values impossible to do inadvertently. When you start pounding out a decoding algorithm for data in an undocumented registry key, you've obviously set about doing so intentionally. Hopefully at some point a voice in your head tells you, "Maybe I'm not supposed to be doing this."

In other words, the encoding serves as a "No Trespassing" sign. It doesn't prevent people from entering your property, but makes clear that their presence is unwelcome and removes their "But I didn't know!" defense.

The encoding has nothing to do with security. The information is stored in the user hive, so access is already restricted to the user (and administrators) by the registry's own access control; the encoding adds no protection on top of that. No sensitive information, such as passwords, gets stored there. The encoding is just a speed bump to give application developers who attempt to tamper with the registry values, whether out of ignorance or carelessness, another chance to realize that the information really isn't for them.

Of course, the speed bumps don't stop programmers from writing the functions to encode and decode the data anyway. With one example I found, if a user reconfigured the program, then the program would in turn manipulate the usage data—and this wasn't part of an uninstall; it happened during runtime. In other words, the programmers intentionally set out to manipulate the usage data and thereby alter the program's positioning on the Start menu.

Figuring out the decoding algorithm is hardly cause for bragging; it isn't that hard to do. And besides, the decoding algorithm you reverse-engineered may not be the one in use anyway, because there is also another (equally undocumented) registry setting that changes the encoding algorithm. The program I mention in the example didn't take this extra wrinkle into account. If the encoding wasn't set to its default value, the tool found usage data it perceived as corrupted. Thank goodness the code didn't try to "repair" that!
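To make the distinction concrete, here is an added example in Python. It is not code from the column or from Windows: a fixed letter rotation (13 places by default here) stands in for the Start menu's scheme, which the column does not name, and the rotation amounts, value names and launch counts are all constructed sample data. It shows the three behaviours described above: a plain substring search for SomeAppName.exe misses the encoded name, decoding is trivial and lossless, and a tool that hard-codes the default rotation reads data stored under a non-default rotation as garbage.

```python
"""Added example (not from the column): a reversible, non-null encoding
hides a value name from naive substring searches without being encryption.

Assumptions (labelled): the encoding is a letter rotation (13 places by
default); the value names, launch counts and the alternate rotation of 5
are constructed sample data, not real registry contents.
"""
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DEFAULT_SHIFT = 13  # assumed default rotation for this example


def rotate(text: str, shift: int) -> str:
    """Rotate ASCII letters by `shift` places; every other character
    (digits, ':' and '\\' in paths, '.') passes through unchanged."""
    out = []
    for ch in text:
        if ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + shift) % 26])
        elif ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def encode(name: str, shift: int = DEFAULT_SHIFT) -> str:
    return rotate(name, shift)


def decode(name: str, shift: int = DEFAULT_SHIFT) -> str:
    # Rotating the other way undoes the encoding exactly: no key, no secret.
    return rotate(name, (26 - shift) % 26)


# Constructed sample "usage database": executable path -> launch count.
SAMPLE_PLAIN = {
    r"C:\Program Files\SomeApp\SomeAppName.exe": 17,
    r"C:\Windows\System32\notepad.exe": 4,
}


def build_store(plain: dict, shift: int = DEFAULT_SHIFT) -> dict:
    """Store the usage data the way the column describes: names encoded,
    counts left as they are."""
    return {encode(path, shift): count for path, count in plain.items()}


def naive_search(store: dict, needle: str) -> list:
    """What an 'uninstall verification' tool does: substring-match the
    raw value names. The encoded name never matches the plain one."""
    return [name for name in store if needle in name]


def naive_reader(store: dict) -> dict:
    """A tool that hard-codes the default rotation, like the program in
    the column. Correct only while the default is actually in effect."""
    return {decode(name): count for name, count in store.items()}


def looks_like_exe_path(name: str) -> bool:
    """Sanity check a decoded name: drive letter, ':\\', and an .exe suffix."""
    return (len(name) > 3 and name[0].isalpha() and name[1:3] == ":\\"
            and name.lower().endswith(".exe"))


if __name__ == "__main__":
    store = build_store(SAMPLE_PLAIN)
    print("search hits:", naive_search(store, "SomeAppName.exe"))  # []
    print("round-trip ok:", naive_reader(store) == SAMPLE_PLAIN)    # True
    # Same data stored under a non-default rotation: the naive reader
    # decodes it with the wrong shift and sees 'corrupted' names.
    alt = build_store(SAMPLE_PLAIN, shift=5)
    for name in naive_reader(alt):
        print("naive reader sees:", name, "| path?", looks_like_exe_path(name))
```

The last loop is the failure mode from the column: nothing is actually corrupted, the reader simply assumed the default rotation, and `decode(name, 5)` recovers the original paths without any difficulty.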

One of the criteria for the encoding is that it has to be extremely fast so as not to slow down decisions about what goes on your Start menu. You don't want 80 percent of the Start menu startup time spent inside some cryptography function.

The encoding algorithm has remained unchanged since it was introduced in Windows 2000, so that the information would be carried forward when upgrading to Windows XP and Windows Vista.

However, Windows 7 Start menu developers did temporarily change the encoding algorithm. This coincided with decisions to change the format of the application usage information and not to carry over old usage information from earlier Windows versions. Changing the encoding algorithm made distinguishing old from new data easier. This temporary change triggered a flurry of misinterpretations among Windows watchers, who assumed upon seeing a new encoding that the Start menu developers were "fixing" the weak "encryption" with a different weak "encryption"—except this was never encryption in the first place. With the final release, the original encoding algorithm will be back in place. After all, the original encoding is what carries the implicit social contract.

Raymond Chen's Web site, The Old New Thing, and identically titled book (Addison-Wesley 2007) deal with Windows history and Win32 programming. He sometimes encodes information by translating it into German (poorly).