Powerbasic Museum 2020-B

IT-Berater: Theo Gottwald (IT-Consultant) => Source Code and Discussions => Topic started by: Theo Gottwald on July 04, 2012, 08:52:35 AM

Title: Read Registry RAW (like a Rootkit revealer)
Post by: Theo Gottwald on July 04, 2012, 08:52:35 AM
Viruses do sometimes hide from being seen. For this they hook the APIs, for example the well-known registry read APIs.

Then how do "Rootkit Revealers" like the one from Sysinternals still reveal the rootkit? (http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx)
They use a technique that reads the registry "raw".

It does not use the API; it reads directly from the large registry file, which is organized like a very simple filesystem.
(http://www.codeproject.com/KB/recipes/RegistryDumper/hive.JPG)
I have just seen this interesting code:

Read Registry RAW (http://www.codeproject.com/Articles/24415/How-to-read-dump-compare-registry-hives?display=Print)

Let me add that with this approach, larger parts of the registry can be accessed much faster than through the API, because no rights management is involved.

We do not yet have this in PB. Is anybody interested in making a translation?

Registry-Inside Format (http://www.sentinelchicken.com/data/TheWindowsNTRegistryFileFormat.pdf)
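As an added example (not code from this post, from the CodeProject article, or from Sysinternals), here is a minimal raw hive walker in Python that follows the on-disk layout described in the format document linked above: the 4 KiB base block ("regf"), the "hbin" bins, and the nk (key), vk (value), lf/lh/li/ri (subkey list) and value-list cells, with every cell offset taken relative to the first hbin at file offset 0x1000. Because a real hive cannot be shipped inline, the block also builds a small constructed hive in memory; HiveBuilder and sample_hive are test fixtures invented for this example, and the key and value names in it (ROOT\Run, Updater, Hidden, Services\Start) are made up. Field offsets come from the public format documentation; nothing here is PowerBASIC, but the parsing logic is the part a translation would need.

```python
import struct

HBIN_BASE = 0x1000   # cell offsets are relative to the first hbin, which starts at file offset 0x1000
NONE = 0xFFFFFFFF    # what an nk/vk offset field holds when there is no cell
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD = 1, 2, 3, 4

def base_block_checksum(block):   # XOR of the first 127 dwords; 0 maps to 1, all-ones to 0xFFFFFFFE
    x = 0
    for i in range(0, 0x1FC, 4):
        x ^= struct.unpack_from('<I', block, i)[0]
    return 0xFFFFFFFE if x == 0xFFFFFFFF else (1 if x == 0 else x)
def cell(hive, off, sig=None):    # payload of the cell at hive-relative `off`, optionally checking its signature
    size = struct.unpack_from('<i', hive, HBIN_BASE + off)[0]   # negative size = allocated cell
    if size >= 0:
        raise ValueError(f'cell {off:#x} is free')
    c = hive[HBIN_BASE + off + 4: HBIN_BASE + off - size]
    if sig and c[:2] != sig:
        raise ValueError(f'expected {sig!r} cell at {off:#x}, got {bytes(c[:2])!r}')
    return c
def check_base_block(hive):       # verify regf/hbin signatures and header checksum; return root nk offset
    if hive[:4] != b'regf' or hive[HBIN_BASE:HBIN_BASE + 4] != b'hbin':
        raise ValueError('not a registry hive')
    if struct.unpack_from('<I', hive, 0x1FC)[0] != base_block_checksum(hive):
        raise ValueError('base block checksum mismatch (truncated or tampered hive)')
    return struct.unpack_from('<I', hive, 0x24)[0]
def subkey_list(hive, off):       # lf/lh: (offset, name hash) pairs; li: offsets only; ri: index of such lists
    c = cell(hive, off)
    sig, n = c[:2], struct.unpack_from('<H', c, 2)[0]
    if sig == b'ri':
        return [k for i in range(n) for k in subkey_list(hive, struct.unpack_from('<I', c, 4 + 4 * i)[0])]
    stride = {b'lf': 8, b'lh': 8, b'li': 4}[bytes(sig)]   # KeyError on an unknown list type
    return [struct.unpack_from('<I', c, 4 + stride * i)[0] for i in range(n)]
def value(hive, off):             # -> (name, type, data); strings and DWORDs decoded, anything else raw bytes
    c = cell(hive, off, b'vk')
    name_len, size, data_off, dtype, flags = struct.unpack_from('<HIIIH', c, 2)
    name = c[20:20 + name_len].decode('latin-1' if flags & 1 else 'utf-16-le') or '(Default)'
    if size & 0x80000000:         # data of <= 4 bytes is stored inline in the offset field
        raw = struct.pack('<I', data_off)[:size & 0x7FFFFFFF]
    else:                         # ('db' big-data cells for > 16344 bytes are not handled here)
        raw = cell(hive, data_off)[:size]
    if dtype in (REG_SZ, REG_EXPAND_SZ):
        return name, dtype, raw.decode('utf-16-le').rstrip('\0')
    return name, dtype, (struct.unpack('<I', raw)[0] if dtype == REG_DWORD else bytes(raw))
def key(hive, off):               # -> (name, [values], [subkey offsets])
    c = cell(hive, off, b'nk')
    flags, _ts, _acc, _parent, nsub, _, sublist, _, nval, vallist = struct.unpack_from('<HQ' + 'I' * 8, c, 2)
    name_len = struct.unpack_from('<H', c, 72)[0]
    name = c[76:76 + name_len].decode('latin-1' if flags & 0x20 else 'utf-16-le')
    vl = cell(hive, vallist) if nval else b''
    values = [value(hive, struct.unpack_from('<I', vl, 4 * i)[0]) for i in range(nval)]
    return name, values, (subkey_list(hive, sublist) if nsub else [])
def walk(hive, off=None, path=''):   # yield (key path, values) for every key, depth first
    if off is None:
        off = check_base_block(hive)
    name, values, subs = key(hive, off)
    full = f'{path}\\{name}' if path else name
    yield full, values
    for s in subs:
        yield from walk(hive, s, full)

class HiveBuilder:                # fixture: writes a minimal hive (base block + one hbin) so the parser runs offline
    def __init__(self):
        self.body = bytearray()   # cells, following the 32-byte hbin header
    def alloc(self, payload):
        off = 32 + len(self.body)
        size = (len(payload) + 4 + 7) & ~7   # cells are 8-byte aligned, size prefix included
        self.body += struct.pack('<i', -size) + payload.ljust(size - 4, b'\0')
        return off
    def patch(self, off, field, val):        # overwrite one dword inside an allocated cell
        struct.pack_into('<I', self.body, off - 32 + 4 + field, val)
    def add_key(self, name, values=(), children=()):   # children: nk offsets already allocated
        vks = []
        for vname, dtype, raw in values:
            if len(raw) > 4:
                size, doff = len(raw), self.alloc(raw)
            else:                                # short data goes inline, flagged by the high bit
                size, doff = 0x80000000 | len(raw), struct.unpack('<I', raw.ljust(4, b'\0'))[0]
            vn = vname.encode('latin-1')
            vks.append(self.alloc(b'vk' + struct.pack('<HIIIHH', len(vn), size, doff, dtype, 1, 0) + vn))
        vallist = self.alloc(struct.pack(f'<{len(vks)}I', *vks)) if vks else NONE
        lf = b'lf' + struct.pack('<H', len(children)) + b''.join(struct.pack('<I4x', c) for c in children)
        sublist = self.alloc(lf) if children else NONE   # lf entries: offset + name hash (left zero here)
        kn = name.encode('latin-1')
        off = self.alloc(b'nk' + struct.pack('<HQ' + 'I' * 15 + 'HH', 0x20, 0, 0, NONE, len(children), 0, sublist,
                         NONE, len(vks), vallist, NONE, NONE, 0, 0, 0, 0, 0, len(kn), 0) + kn)
        for c in children:
            self.patch(c, 16, off)               # fix up each child's nk.parent now that our offset is known
        return off
    def build(self, root):
        hbin_size = (32 + len(self.body) + 0xFFF) & ~0xFFF
        hbin = (b'hbin' + struct.pack('<II', 0, hbin_size) + b'\0' * 20 + self.body).ljust(hbin_size, b'\0')
        base = bytearray(4096)    # regf, seq 1/1, timestamp 0, version 1.3, type 0, format 1, root, size, cluster 1
        struct.pack_into('<4sIIQIIIIIII', base, 0, b'regf', 1, 1, 0, 1, 3, 0, 1, root, hbin_size, 1)
        struct.pack_into('<I', base, 0x1FC, base_block_checksum(base))
        return bytes(base) + bytes(hbin)

def sample_hive():                # constructed hive: ROOT\Run and ROOT\Services with a few made-up values
    b = HiveBuilder()
    run = b.add_key('Run', [('Updater', REG_SZ, 'C:\\Windows\\svchost.exe'.encode('utf-16-le') + b'\0\0'),
                            ('Hidden', REG_DWORD, struct.pack('<I', 1))])
    svc = b.add_key('Services', [('Start', REG_DWORD, struct.pack('<I', 2))])
    return b.build(b.add_key('ROOT', children=[run, svc]))
```

To run it against a real hive, pass the file contents to `walk()` (`list(walk(open(path, 'rb').read()))`). On a live system the hive files under %SystemRoot%\System32\config are held open exclusively by the kernel, so in practice you read a copy (a VSS snapshot or an offline image), or go underneath the filesystem the way RootkitRevealer did. Note what the walker does and does not do: it checks the base block checksum (a mismatch means a corrupted or tampered file; a dirty hive with unapplied .LOG transactions instead shows differing primary and secondary sequence numbers at offsets 4 and 8), it never evaluates the per-key security descriptors in the sk cells, so the only access control involved is read access to the file itself, and it skips 'db' big-data cells. It also only sees what has been flushed to disk: volatile keys and changes still sitting in the transaction logs will not appear, which is a difference to keep in mind when comparing its output against the API view.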