This is related to kareldjag's earlier test on "hidden keys". I did some further testing with SysInternal's Reghide, and think I've isolated a problem. After explaining the rules, I'll describe/interpret the results. If you're in a hurry, scan ABBREVIATIONS, then read THE TEST, steps 1 & 2. ABBREVIATIONS: .. KEY-Software = HKLM\SOFTWARE\ .. KEY-SysInternal = HKLM\SOFTWARE\System Internals\ .. KEY-Untouchable = HKLM\SOFTWARE\System Internals\Can't touch me!\ .. VAL-HiddenValue = HKLM\SOFTWARE\System Internals\Can't touch me!\\hidden value RULES: ....1) To make RD alert on every action taken by Reghide, I had to first run Reghide so it would create the keys upon which to base RD's test rules. With Reghide displaying "Try and open the key...", those keys now exist. ..2) My new rule group contains three rules, each of which "Ask User" on "modification" of either a Key or a Value. ....2A) On Reg-Keys ---- for -- KEY-Software ....2B) On Reg-Keys ---- for -- KEY-SysInternal ....2C) On Reg-Values -- for -- KEY-Untouchable ..3) After creating the rules and exiting Reghide, I deleted KEY-SysInternal which was an artifact of Reghide. NOTE: RD displays KEY-Untouchable and allows me to select it when creating rule 2C. There may, however, still be a subtle difference between RD's representation of this key's name and the key's actual name. THE TEST: ..1) After starting Reghide and clicking on "OK", RD's first alert is triggered by the insertion of KEY-SysInternal which is correct (rule 2A). This is the alert shown in kareldjag's original test, but Reghide hasn't done anything tricky yet. ..2) After clicking Allow, RD alerts again on insertion of VAL-HiddenValue which is a proper alert (rule 2C). However, this happens after Reghide inserted KEY-Untouchable which should have triggered an alert but did not (rule 2B). ..3) After clicking Allow, RegHide invites me to investigate its handiwork. When I tell Reghide I'm done looking it deletes KEY-Untouchable. RD alerts this deletion correctly (rule 2B). It's a bit odd, though, because when KEY-Untouchable was inserted, I got no alert. [[NOTE: If I manually insert a new subkey (with a normal name) under KEY-SysInternal, RD does alert it correctly, so the rule does work for both insert and delete.]] ..4) After Reghide finished I manually deleted KEY-SysInternal (again). RD correctly alerted the deletion (rule 2A). Exactly what causes the missing alert in step 2 (assuming I'm correct) is a question for Jason. In either case, I'm also hoping that any use of "trick names" (ie. what you see is not what you get) will be considered "potentially suspicious enough" to merit a global option for alerts regardless of where in the registry the activity takes place.