
Something created thousands of weird entries in my registry (Windows 10) in HKEY_CURRENT_USER. Virtually all of them consist of 4 characters and have no sub-keys and there are more than 20.000 of them. (I wrote a PowerShell script to analyze this, but Get-ChildItem seems to cap out at 20.000.)

I noticed it when I searched my registry for something and the search process nearly froze my computer. So all the normal entries seem to be there, but there are lots of weird ones?

They look like this:

[screenshot of the odd registry entries]

I'm new to PowerShell scripting, but I managed to write one that filters the weird ones. The upper ones are the first 20 entries not matching ^[A-Za-z0-9 _]+$; the lower entries are the (only) 19 entries matching ^[A-Za-z0-9 _]+$.

=== Apply filter: NOT ^[A-Za-z0-9 _]+$

Count:  19981
HKEY_CURRENT_USER\☺  ---  False
HKEY_CURRENT_USER\☺►♦¶  ---  False
HKEY_CURRENT_USER\☺►♦'  ---  False
HKEY_CURRENT_USER\☺►♦2  ---  False
HKEY_CURRENT_USER\☺►♦9  ---  False
HKEY_CURRENT_USER\☺►♦@  ---  False
HKEY_CURRENT_USER\☺►♦O  ---  False
HKEY_CURRENT_USER\☺►♦p  ---  False
HKEY_CURRENT_USER\☺►♦V  ---  False
HKEY_CURRENT_USER\☺►♦w  ---  False
HKEY_CURRENT_USER\☺►♦]  ---  False
HKEY_CURRENT_USER\☺►♦~  ---  False
HKEY_CURRENT_USER\☺►♦¥  ---  False
HKEY_CURRENT_USER\☺►♦¬  ---  False
HKEY_CURRENT_USER\☺►♦³  ---  False
HKEY_CURRENT_USER\☺►♦º  ---  False
HKEY_CURRENT_USER\☺►♦ç  ---  False
HKEY_CURRENT_USER\☺►♦Ñ  ---  False
HKEY_CURRENT_USER\☺►♦Ø  ---  False
HKEY_CURRENT_USER\☺►♦Œ  ---  False


=== Apply filter:  ^[A-Za-z0-9 _]+$ False

Count:  19
HKEY_CURRENT_USER\   ---  True
HKEY_CURRENT_USER\6  ---  True
HKEY_CURRENT_USER\AppEvents  ---  True
HKEY_CURRENT_USER\CLSID  ---  True
HKEY_CURRENT_USER\Console  ---  True
HKEY_CURRENT_USER\Control Panel  ---  True
HKEY_CURRENT_USER\Environment  ---  True
HKEY_CURRENT_USER\EUDC  ---  True
HKEY_CURRENT_USER\hQ  ---  True
HKEY_CURRENT_USER\Keyboard Layout  ---  True
HKEY_CURRENT_USER\Microsoft  ---  True
HKEY_CURRENT_USER\Network  ---  True
HKEY_CURRENT_USER\Printers  ---  True
HKEY_CURRENT_USER\SOFTWARE  ---  True
HKEY_CURRENT_USER\System  ---  True
HKEY_CURRENT_USER\Uninstall  ---  True
HKEY_CURRENT_USER\WXP  ---  True
HKEY_CURRENT_USER\x  ---  True
HKEY_CURRENT_USER\Volatile Environment  ---  True

I want to get rid of the weird entries and I guess with some small changes my PowerShell script can do this. I can post this script here, but at the moment I don't think it is relevant.

So my main question is: Should I do this and how? (What precautions should I take?)

Bonus question: What could've caused this? How can I prevent this? (Similar question)

  • 1
    Run several deep antivirus scans on the computer, with your antivirus but also with Malwarebytes. Test Windows integrity by running Dism /Online /Cleanup-Image /RestoreHealth and then sfc /scannow.
    – harrymc
    Commented Nov 13, 2022 at 18:56
  • @harrymc Thx for the advice. I did it and found nothing out of the ordinary.
    – Sentry
    Commented Nov 13, 2022 at 19:39
  • 1
    This doesn't mean that the product that did this isn't still there. I suggest that, before removing these entries (or making any other registry modifications), you take good backups and create a System Restore point, to be able to undo such deletes (whether done manually or by your script). Run also CCleaner and see if it has something to say about these dummy entries.
    – harrymc
    Commented Nov 13, 2022 at 20:33
  • @harrymc Yes, I was thinking about a script that runs daily or hourly that counts the number of entries there, so I can detect if that happens again.
    – Sentry
    Commented Nov 14, 2022 at 12:39
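The following is an added example, not the asker's script and not from the comments above, that covers both the clean-up the question asks about (precautions first, then deletion of the odd-named keys) and the periodic count the asker mentions in the last comment. It uses the .NET Microsoft.Win32.Registry API rather than the Get-ChildItem provider to enumerate the root subkeys of HKEY_CURRENT_USER, applies the same allow-list regex the page uses, writes a timestamped count line to a CSV so a scheduled task can watch for a new flood, and only deletes when run with -Remove, after a full reg.exe export of HKCU and only for keys that have no subkeys and no values. The C:\RegBackup paths are placeholders and are not from the page.

```powershell
# Added example (not the asker's script): inventory, back up and optionally remove
# HKCU root subkeys whose names fail the allow-list regex from the question.
# Assumptions not on the page: the backup directory and CSV log path are placeholders.
param(
    [switch]$Remove,                      # without this switch nothing is deleted
    [string]$BackupDir = 'C:\RegBackup',  # placeholder path
    [string]$CountLog  = 'C:\RegBackup\hkcu-subkey-count.csv'  # placeholder path
)

$Allowed = '^[A-Za-z0-9 _]+$'   # the filter used on the page

function Get-HkcuRootSubkeys {
    # Returns every direct subkey of HKEY_CURRENT_USER as an object, enumerated through
    # the .NET registry API instead of the PowerShell registry provider.
    $root = [Microsoft.Win32.Registry]::CurrentUser
    foreach ($name in $root.GetSubKeyNames()) {
        $sub = $root.OpenSubKey($name)          # $null if the key cannot be opened
        $subKeys = -1; $values = -1
        if ($sub) {
            $subKeys = $sub.SubKeyCount
            $values  = $sub.ValueCount
            $sub.Close()
        }
        [pscustomobject]@{
            Name        = $name
            NameOk      = [bool]($name -match $Allowed)
            SubKeyCount = $subKeys
            ValueCount  = $values
        }
    }
}

$keys  = @(Get-HkcuRootSubkeys)
$weird = @($keys | Where-Object { -not $_.NameOk })

# 1. Append one count line per run. A daily or hourly scheduled task running this
#    script without -Remove keeps the log growing, so a new flood shows up as a jump.
New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
"{0},{1},{2}" -f (Get-Date -Format o), $keys.Count, $weird.Count | Add-Content -Path $CountLog
"Total root subkeys: {0}; not matching {1}: {2}" -f $keys.Count, $Allowed, $weird.Count

# 2. Only odd-named keys that are completely empty (no subkeys, no values) are
#    candidates for removal; anything with content is listed for manual inspection.
$empty    = @($weird | Where-Object { $_.SubKeyCount -eq 0 -and $_.ValueCount -eq 0 })
$nonEmpty = @($weird | Where-Object { $_.SubKeyCount -ne 0 -or $_.ValueCount -ne 0 })
if ($nonEmpty.Count -gt 0) {
    "Skipping {0} odd-named keys that are not empty (inspect these by hand):" -f $nonEmpty.Count
    $nonEmpty | Select-Object -First 20 | Format-Table -AutoSize
}

if (-not $Remove) {
    "Dry run: {0} empty keys would be removed. Re-run with -Remove to delete them." -f $empty.Count
    return
}

# 3. Export the whole HKCU hive before touching anything, so the deletions can be
#    undone with 'reg import'. A System Restore point is a separate, additional layer.
$backup = Join-Path $BackupDir ("HKCU-{0}.reg" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
reg.exe export HKCU $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed; aborting before any deletion." }

# 4. DeleteSubKey (not DeleteSubKeyTree) refuses keys that still have children,
#    which acts as a second guard on top of the emptiness check above.
$root = [Microsoft.Win32.Registry]::CurrentUser
$removed = 0
foreach ($k in $empty) {
    try   { $root.DeleteSubKey($k.Name, $true); $removed++ }
    catch { Write-Warning ("Could not delete '{0}': {1}" -f $k.Name, $_.Exception.Message) }
}
"Removed {0} empty keys; backup at {1}" -f $removed, $backup
```

Run it once without -Remove to see the counts and the list of non-empty odd keys; register the same invocation as a scheduled task to get the periodic count the last comment describes. Only after the export succeeds and a restore point exists does -Remove do anything, and the .reg export is the undo path if a deleted key turns out to matter.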

