Suspect may store text-based information using value type REG_BINARY. This technique however does not hide data, as tool like hex editors automatically interpret binary data into readable format (usually ASCII). Using different encoding technique to store data, such as using Unicode instead of ASCII does not improve stealthiness, if suspect only uses common English characters. For instance ASNI ASCII for "pass" is 0x70 0x61 0x73 0x73. While Unicode (16-bit) encoding translate into 0x70 0x00 0x61 0x00 0x73 0x00 0x73 0x00 (Windows stores 16-bit characters in little-endian format). Examiner could easily find the word "pass" using tools that features text finding using different encoding format. Suspect may substitute the 0x00 with random binary numbers to improve stealthiness. However, forensic examiner could still analyse the suspicious text at different intervals (e.g. even or odd characters position) and derive possible meaningful information from the incident context.

A better way to hide data is to encode text-based information into binary format in hexadecimal notation and stored the binary form in registry values as string using type REG_SZ. For instance, storing string 70 61 73 73 (hexadecimal notation for "pass" in ASCII) in the REG_SZ registry value. Thus, only the suspect knows how to decode it. However, this technique requires a simple piece of code to encode the text before storing it into the registry, and to decode the binary data to its readable form when retrieving it. It is not-trivial for forensic examiner to find such hidden data as the binary data (encoded text in hexadecimal form) is stored as it is in the registry, and binary data is common in registry.

Windows 2000 and XP Registry Editor (regedit.exe or regedt32.exe) have an implementation flaw that allows hiding of registry information from viewing and editing, regardless of users access privilege (Secunia, 2005). The flaw involves any registry values with name from 256 to 259 (maximum value name) characters long. The overly long registry value (regardless of type) not only hides its own presence, but also subsequently created values (regardless of type) in the same key (Franchuk, 2005). The editor stops displaying the remaining of the values thinking the overly long value as the last value in that key. Suspect could exploit such Registry Editor flaw to hide information.

This vulnerability allows malware to hide malicious code in "autorun" entries such as the infamous HKLM\Software\Microsoft \Windows\CurrentVersion\Run. Any program or components specified in this key will be automatically run during system startup. Windows will still execute these hidden entries successfully at startup (Wesemann, 2005).

Some common malware scanners are not able to detect such maliciously crafted registry values (Gregg, 2005). Fortunately, Windows console registry tool (reg.exe) can display overly long registry values. For instance, to detect values in registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run, the instruction is reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run.