Just wanted to get a better understanding why services.exe attempts to modify a registry key on startup and similarly for rundll32

The alert I see is below
services.exe [PID] tried to modify the following registry KEY
This registry item is in the AUTO STARTS Registry Group
Process: c:\windows\system32\services.exe
Registry Key: HKEY_LOCAL_MACHINE\system\controlset003\services
Registry Value:
[] Always perform the following action with this application
[ALLOW] [BLOCK]
- Is this an action that services.exe does by itself or something that it is doing on behalf of another process ?
- What specific action is happening ?

NB: It seems to me that I get this alert when applications try to load a driver...


Similarly for rundll32.exe I get a startup prompt

The second alert I see is below
rundll32.exe [PID] tried to modify the following registry VALUE
with this data
This registry item is in the AUTO STARTS Registry Group
Process: c:\windows\system32\rundll32.exe
Registry Key: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex
Registry Value: flags
[] Always perform the following action with this application
[ALLOW] [BLOCK]
and also
rundll32.exe [PID] tried to modify the following registry VALUE
with this data
This registry item is in the AUTO STARTS Registry Group
Process: c:\windows\system32\rundll32.exe
Registry Key: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex
Registry Value: title
[] Always perform the following action with this application
[ALLOW] [BLOCK]
- what is the "with this data" referring to (and yes I have typed in everything in the alert box)
- is this a good/bad/indifferent thing to always allow
- as discussed in the PG thread about the same thing, just knowing that it is rundll32 is fairly useless without the command line parameters and in general applying generic permissions is not particularly secure

The meaning of the runonceex key is in MS KB 310593 (http://support.microsoft.com/kb/310593) and there is a decent explanation of how to use it here (http://gosh.msfnhosting.com/using_runonceex.htm) and here (http://unattended.msfn.org/intermediate/methods/runonceex.htm) (ie: I'm not asking for what it is or what the key is used for ;-) Once of these links makes reference to flags but doesn't say what it is, presumably this is a harmless alert given that it isn't adding new executables to run on startup...

Does anyone have any ideas/explanations for either, I'm not overly worried about either alert its just one of those things that would be good to have an explanation for (might as well keep learning)

Thanks

Jason,
Any comments ?

The first alert was possibly services.exe trying to create a registry key in there when a service/driver was installed. Yes the same issues regarding "processx.exe is the one trying to install it but services.exe is DOING it" applies as for PG.

In the second and third alerts when it says "tried to modify with this data" and there is nothing after "data" it means it was basically setting that string to "nothing".

I think when it comes to these processes which can do "some" registry based work for others all it takes is a little common sense. You must remember that the work they can do is very limited, and that if you get one of these alerts "out of the blue" then it should be something you look into first. If on the other hand it occurs through a direct action you have taken, installing a new application, etc, then if you trust that application you should allow it, but probably not "always".

Jason,
Thanks for the reply, imo it would be beneficial to represent an empty value with something better than just nothing on the screen

How about showing the type of the entry and a value, that at least would always give you something to visually anchor against when looking at the alert box

Hopefully the identification of the process using services.exe is slated for a future version, the same goes for better identification of rundll32 with its many possible command lines..

{QUOTE-> Jason,
Thanks for the reply, imo it would be beneficial to represent an empty value with something better than just nothing on the screen

How about showing the type of the entry and a value, that at least would always give you something to visually anchor against when looking at the alert box

Hopefully the identification of the process using services.exe is slated for a future version, the same goes for better identification of rundll32 with its many possible command lines.. <-QUOTE}

I have updated the "Ask User" screen to show the contents of the registry item "currently" and the proposed change, this includes setting the value (with type information) as well as the type of modification, setting, delete, etc.

Unfortunately working out which process is using services.exe to install a driver/service (which ends up with services.exe performing some registry based work to install the driver/service) isn't exactly something which can be done in a reliable fashion. It's a different vector to "stop" other processes from using services.exe to install a driver/service than it is to show that services.exe is performing registry operations based on that process. You could of course make a "leap" and estimate at the point where you know a process is going off to services.exe to install a driver/service but it isn't exactly accurate (ie does services.exe always perform registry operations when a process communicates with services.exe? no) .

Jason,
Is there anything that you could determine reliably ?
Something like the driver name (and location) for example ?

There is always more than one way to crack a nut....

Thanks