RegDefend Wishlist / New Features / Suggestions
gottadoit
February 18th, 2005, 02:15 PM
Seeing as infinity has already started with the requests...
Jason_R0
February 18th, 2005, 02:18 PM
{QUOTE-> Seeing as infinity has already started with the requests... <-QUOTE}
Good point, and I was about to start one myself. :)
There are a few features I plan on adding very soon, so I do plan on making some updates in the near future; the best time to get the features you want in RegDefend would be now.
dog
February 19th, 2005, 09:37 AM
Hi Jason, ;)
I have a few early suggestions, but bear with me, I've only been looking at RegDefend for about 10 mins.
________________________________________________________________
1. Could you put in some options for "Connection Settings". ie Direct Connection , Proxy etc.
2. Could the log be written to a default text file, with the ability for the user to determine the max size, and the ability to change the default location? (as I don't see this option ATM) Plus maybe an added option from the task tray menu to open the log file.
3. Nothing seems to be logging ATM, even though changes have occurred and have been permitted. Could the log record all activities: allow, always allow, deny, and always deny? The details are good; could a date/time column also be added?
4. Another tab for user specified "always allow/deny" registry changes, rather than just using the application permissions override, under the main tab, with the same right-click options.
5. The second button in the application permissions override doesn't display the entire text, and the tooltip only displays "tip"
6. Currently the "X" close button on the GUI actually closes the program; could it just minimize instead, with the Close/Exit function only in the system tray and under File, which would prevent accidental closure and the loss of protection.
7. I really like the user database idea, for protecting keys.
8. These are really tic 'e tac things: A monochrome scheme would be nice for the GUI. Sorry, but I don't like the icon ... I don't really have an idea to suggest, but maybe just the ghost image, larger without the black frame/background and text.
_________________________________________________________________
Overall, it looks great Jason, Good Job. I know it's early and you will perfect/tweak it over time. Definitely a keeper.
Thanks
Steve
dog
February 19th, 2005, 10:01 AM
One more suggestion to add:
Maybe a built in Registry Backup tool and restore function.
Steve
ps. Here are a couple icon ideas (see attachment) ~the artwork isn't mine, I borrowed a few from DeviantART, only to illustrate some examples~ I know this isn't anywhere near a priority. ;)
gottadoit
February 19th, 2005, 10:02 AM
I would definitely want to be able to resize the windows, I tend to resize app windows so I can see most of the information on the screen at once
The way v1 is I can resize the main window to fill up most of my 1400x1050 screen but I cannot make the registry key portion big enough to be useful
It would be good to have an export/import feature, that would kickstart people sharing settings on the forums and also provide an easy way to save the settings across machine rebuilds
You need to be able to lock down the interface so that malware can't automatically manipulate the settings (just like PG... cough)
Be ultra-secure when you generate the hash for the application, see here (http://www.wilderssecurity.com/showpost.php?p=377876&postcount=166)
At the very least you are in a better position than me to provide some constructive criticism on whether this is worthwhile....
How do you deal with the "by proxy" applications like rundll and msiexec ?
It might be useful to have a "trusted install" mode that still records all the changes, if you do this then it would be good to have a default option for the trusted mode to automatically turn off again in N minutes (and potentially persist across reboots)
Alerting would be good to be done in the various ways I suggested for PG (which I'm sure you can remember) with using the standard eventlog as being the most useful addition and also having syslog for off host logging
The Log window could usefully show the "before" value as well as the "new" value with an option to revert back to the old one or roll forward again to the new one
It would be useful to define a program to jump to when you double click on a registry key in the registry items window and also in the log window (regedit or reghance or one of the myriad of others)
A useful enhancement would be to alert on suspicious activities
One obvious example would be a process attempting to perform registry operations very frequently, reads included (multiple times a second). This would potentially identify poorly coded applications as well as malware, which isn't a bad thing to be aware of. You would probably need to have different thresholds for reads and modifications to lessen the false positives out of the box
Another example more malware oriented would be if an application was performing the same operation on a key very frequently, even if the key wasn't being monitored
Date columns in the app permissions override window to show when added/changed and the same for the registry items windows.
Having this information is very useful from a forensic POV
I'm sure I'll come up with more after I actually have a play with the program...
Regards
Edit: Dog managed to get in 2 posts while I was typing all that in :-)
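Added example (not from this thread or from RegDefend): a sketch of the rate-based alerting gottadoit describes above, with separate thresholds for reads and modifications and a second check for the same operation repeated on the same key. The log line format, process names and threshold values are constructed assumptions.

```python
"""Rate-based alerting on registry activity, per process.

Added example, not RegDefend's code: it models the two suggestions above -
alert when a process performs registry operations very frequently (separate
thresholds for reads and for modifications) and alert when a process repeats
the same operation on the same key very frequently, whether or not that key
is on the watch list. Log line format, process names and thresholds are
constructed assumptions.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 1.0      # sliding window length (assumed)
READ_LIMIT = 20           # reads per window before alerting (assumed default)
MODIFY_LIMIT = 5          # writes/creates/deletes per window (assumed default)
SAME_KEY_LIMIT = 4        # identical (op, key) repeats per window (assumed)
MODIFY_OPS = {"SET", "CREATE", "DELETE"}


def build_sample_log():
    """Constructed log lines '<seconds> <pid> <image> <op> <key>' (not a real capture)."""
    lines = []
    for i in range(5):        # svchost: five reads spread over five seconds, benign
        lines.append(f"{i * 1.0:.2f} 1204 svchost.exe READ HKLM\\SYSTEM\\CurrentControlSet\\Services\\Svc{i}")
    for i in range(25):       # scanner.exe: 25 different keys read within 0.72 s
        lines.append(f"{10.0 + i * 0.03:.2f} 2210 scanner.exe READ HKLM\\SOFTWARE\\Vendor\\Key{i}")
    for i in range(6):        # updater.exe: the same Run value rewritten six times within 0.4 s
        lines.append(f"{20.0 + i * 0.08:.2f} 3380 updater.exe SET "
                     "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater")
    return lines


def parse_line(line):
    # The key is the remainder of the line, so key paths containing spaces survive
    ts, pid, image, op, key = line.split(" ", 4)
    return float(ts), int(pid), image, op, key


class RateDetector:
    def __init__(self, window=WINDOW_SECONDS, read_limit=READ_LIMIT,
                 modify_limit=MODIFY_LIMIT, same_key_limit=SAME_KEY_LIMIT):
        self.window = window
        self.read_limit = read_limit
        self.modify_limit = modify_limit
        self.same_key_limit = same_key_limit
        self.reads = defaultdict(deque)      # pid -> timestamps of recent reads
        self.mods = defaultdict(deque)       # pid -> timestamps of recent modifications
        self.same = defaultdict(deque)       # (pid, op, key) -> timestamps of recent repeats
        self.alerts = []
        self._fired = set()                  # one alert per (pid, kind) so the log is not flooded

    def _push(self, dq, ts):
        """Record a timestamp, drop anything older than the window, return the count in window."""
        dq.append(ts)
        while dq and ts - dq[0] > self.window:
            dq.popleft()
        return len(dq)

    def _alert(self, ts, pid, image, kind, detail):
        if (pid, kind) in self._fired:
            return
        self._fired.add((pid, kind))
        self.alerts.append({"time": ts, "pid": pid, "image": image, "kind": kind, "detail": detail})

    def feed(self, ts, pid, image, op, key):
        if op in MODIFY_OPS:
            n = self._push(self.mods[pid], ts)
            if n >= self.modify_limit:
                self._alert(ts, pid, image, "high-modify-rate", f"{n} modifications in {self.window}s")
        else:
            n = self._push(self.reads[pid], ts)
            if n >= self.read_limit:
                self._alert(ts, pid, image, "high-read-rate", f"{n} reads in {self.window}s")
        # Same operation on the same key, counted even for keys that are not monitored
        n = self._push(self.same[(pid, op, key)], ts)
        if n >= self.same_key_limit:
            self._alert(ts, pid, image, "same-key-repeat", f"{op} {key} repeated {n} times in {self.window}s")


def analyse(lines, **limits):
    """Run the detector over log lines (already in time order) and return the alerts."""
    det = RateDetector(**limits)
    for line in lines:
        if line.strip():
            det.feed(*parse_line(line))
    return det.alerts


if __name__ == "__main__":
    for a in analyse(build_sample_log()):
        print(f"[{a['time']:.2f}] {a['image']} (pid {a['pid']}): {a['kind']} - {a['detail']}")
```

With the constructed log, svchost never trips anything, scanner.exe trips the read threshold only, and updater.exe trips both the modification threshold and the same-key check; raising `read_limit` to 30 silences the scanner alert, which is the kind of per-deployment tuning the post anticipates.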
gottadoit
February 19th, 2005, 10:21 AM
One potentially very useful feature would be the ability to have the program optionally (but, if enabled, automatically) phone home to get a centrally maintained block list
This could be applied prior to the local definitions so that any local allow rules override any central deny rules
I'm sure I don't need to enumerate why this would be a good thing
[Edit:
This might be similar to the "additional" TeaTimer functionality
The rules would have to be very specific seeing as they would be targeting specific and presumably prolific or very nasty new threats....
It might also be good to be able to selectively enable/disable the central rules to allow problems to be worked around and if the local ruleset already covers what has been added centrally the local administrator could save a millisecond or two's CPU
]
dog
February 19th, 2005, 11:42 AM
One more.
You can only add/view select keys/values to protect with RegDefend ... it would be nice to have the ability to protect any key/value. Say for example (as was mentioned in the License Thread) to protect your license key from being read by malware or any other program but the particular application/program to which the value is linked, unless permission is granted by the user. What's the reason/limitation to adding protection to any key in the registry?
Sorry if this is a silly question, my knowledge in this area is limited? So, I'm just feeling my way along. ;) :)
Thanks
Steve
Ps. Nice Suggestions gottadoit. ;)
hojtsy
February 19th, 2005, 05:40 PM
Hi,
My suggestion is to improve the GUI. I will throw away my personal taste for now about the graphical elements, but come on: it is barely usable. The key list which should show the most information is using up only 20% of the screen. You have to scroll it around to see the end of the key names, and when you get to see the values you either see the end of the key names, or the truncated version of them. And in the same time the screen is filled with empty areas, and big buttons with unfortunate placing. Sorry but I can not resist the feeling of non-professionalism when I look at this GUI.
{QUOTE-> What's the reason/limitation to adding protection to any key in the registry? <-QUOTE}OK, I can give an example: Some worms/trojans set in the registry a specific value, which disables the execution of Regedit. This practically disables the usual user from resetting the same value, because that would need the execution of Regedit itself. Maybe you can understand the benefit of blocking this malicious change in the first place. Let me give one more example: a worm could disable the option to boot into Safe Mode itself by changing the registry only. You definitely want to stop that change!
-hojtsy-
Loki
February 19th, 2005, 08:44 PM
Hi Jason,
I would like to be able to kill the program that is trying to startup when it places itself in the registry. Not just be able to block it from writing to the registry. If the trojan starts itself and RegDefender only stops it from writing to the registry the Trojan is still running.
Thanks
Jason_R0
February 19th, 2005, 09:08 PM
{QUOTE-> Hi,
My suggestion is to improve the GUI. I will throw away my personal taste for now about the graphical elements, but come on: it is barely usable. The key list which should show the most information is using up only 20% of the screen. You have to scroll it around to see the end of the key names, and when you get to see the values you either see the end of the key names, or the truncated version of them. And in the same time the screen is filled with empty areas, and big buttons with unfortunate placing. Sorry but I can not resist the feeling of non-professionalism when I look at this GUI.
-hojtsy- <-QUOTE}
You are right, the registry items and rules section needs to be better designed. I will be releasing an update in a few days with this done.
Jason_R0
February 19th, 2005, 09:09 PM
{QUOTE-> Hi Jason,
I would like to be able to kill the program that is trying to startup when it places itself in the registry. Not just be able to block it from writing to the registry. If the trojan starts itself and RegDefender only stops it from writing to the registry the Trojan is still running.
Thanks <-QUOTE}
Do you mean you would want to have a "Kill Process" button on that confirmation dialog?
Jason_R0
February 19th, 2005, 09:12 PM
{QUOTE-> Hi Jason, ;)
I have a few early suggestions, but bear with me, I've only been looking at RegDefend for about 10 mins.
________________________________________________________________
1. Could you put in some options for "Connection Settings". ie Direct Connection , Proxy etc.
2. Could the log be written to a default text file, with the ability for the user to determine the max size, and the ability to change the default location? (as I don't see this option ATM) Plus maybe an added option from the task tray menu to open the log file.
3. Nothing seems to be logging ATM, even though changes have occurred and have been permitted. Could the log record all activities: allow, always allow, deny, and always deny? The details are good; could a date/time column also be added?
4. Another tab for user specified "always allow/deny" registry changes, rather than just using the application permissions override, under the main tab, with the same right-click options.
5. The second button in the application permissions override doesn't display the entire text, and the tooltip only displays "tip"
6. Currently the "X" close button on the GUI actually closes the program; could it just minimize instead, with the Close/Exit function only in the system tray and under File, which would prevent accidental closure and the loss of protection.
7. I really like the user database idea, for protecting keys.
8. These are really tic 'e tac things: A monochrome scheme would be nice for the GUI. Sorry, but I don't like the icon ... I don't really have an idea to suggest, but maybe just the ghost image, larger without the black frame/background and text.
_________________________________________________________________
Overall, it looks great Jason, Good Job. I know it's early and you will perfect/tweak it over time. Definitely a keeper.
Thanks
Steve <-QUOTE}
I will consider a lot of these for the next version, thanks Steve. :)
Bowserman
February 19th, 2005, 11:06 PM
{QUOTE-> Do you mean you would want to have a "Kill Process" button on that confirmation dialog? <-QUOTE}
I think a "kill process" button and also the option to delete the offending file would be very handy :).
Regards,
Jade.
Caliban
February 20th, 2005, 12:10 AM
When I click the tray icon it opens the GUI minimized; if this is normal, can you give a box to tick for opening maximized. I will be purchasing your product, Jason, and eagerly await the updates to this product of great potential.
Paranoid2000
February 20th, 2005, 04:47 AM
One option I suggested in another thread is the ability to "spoof" changes (i.e. don't allow changes to go through to the registry, but do return the amended values in reads by that application or related ones only - making it think that the changes were made successfully). This would allow users to review a list of Registry changes made by an application (rather than having to approve/block them on a key-by-key basis) and even run it a few times before deciding to "commit" or "discard" the changes.
One difficulty would be identifying which programs should see the spoofed values. RegDefend ideally would need to check what new executable files were added by an installer and include those in the "spoof-set" (which would take it into uninstaller territory) but an easier alternative short-term could be to prompt the user as to which files/folders should be shown the spoofed values. Separate sets of spoofed values could be kept in the case of multiple installs.
What benefits would this offer? Spoofed values could not affect other programs (or Windows itself) so malware could not really run on startup or change Windows settings (though it would think that it did - this would also however affect legitimate software). If malware was able to terminate RegDefend it would lose its Registry settings unless it then rewrote them (could RegDefend block application Registry writes if it was terminated to prevent this? e.g. by altering system hooks so that they needed RegDefend running to function). RegDefend could be used as a registry cleaner - keeping track of what keys were added by every application and thereby allowing users to remove every one if the application was uninstalled.
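Added example (not from this thread or from RegDefend): a toy model of the "spoofed changes" idea above, so the mechanics of a per-application registry overlay with review, commit, discard and later rollback can be seen end to end. The real registry is stood in for by a dictionary, membership of the spoof-set is decided by program name, and all key, value and program names are constructed.

```python
"""Per-application registry sandbox ("spoofed" writes) with commit, discard and rollback.

Added example, not RegDefend's code. Writes by a sandboxed application are
held back from the real registry but remain visible to that application and
the other members of its spoof-set, so an installer believes it succeeded.
The user can list the pending changes, then commit or discard them; a
committed set is remembered so it can be rolled back later (the
registry-cleaner use at the end of the post). A dict stands in for the live
registry; program and key names are constructed.
"""

RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


class SpoofedRegistry:
    def __init__(self, real):
        self.real = real          # key path -> value; stand-in for the live registry
        self.sandboxes = {}       # name -> {"members", "writes", "deletes"}
        self.committed = {}       # name -> list of (key, old, new) applied on commit

    def create_sandbox(self, name, members):
        self.sandboxes[name] = {"members": {m.lower() for m in members}, "writes": {}, "deletes": set()}

    def _sandbox_for(self, program):
        for sb in self.sandboxes.values():
            if program.lower() in sb["members"]:
                return sb
        return None

    def read(self, program, key):
        """Spoof-set members see their pending writes layered over the real registry;
        every other program (Windows included) sees only the real registry."""
        sb = self._sandbox_for(program)
        if sb is not None:
            if key in sb["deletes"]:
                return None
            if key in sb["writes"]:
                return sb["writes"][key]
        return self.real.get(key)

    def write(self, program, key, value):
        sb = self._sandbox_for(program)
        if sb is None:
            self.real[key] = value          # not sandboxed: straight through (normal rules apply)
            return
        sb["deletes"].discard(key)
        sb["writes"][key] = value

    def delete(self, program, key):
        sb = self._sandbox_for(program)
        if sb is None:
            self.real.pop(key, None)
            return
        sb["writes"].pop(key, None)
        sb["deletes"].add(key)

    def pending_changes(self, name):
        """(key, old_value, new_value) for the user to review; new_value None means deletion."""
        sb = self.sandboxes[name]
        changes = [(k, self.real.get(k), v) for k, v in sorted(sb["writes"].items())]
        changes += [(k, self.real.get(k), None) for k in sorted(sb["deletes"]) if k in self.real]
        return changes

    def commit(self, name):
        changes = self.pending_changes(name)
        for key, _old, new in changes:
            if new is None:
                self.real.pop(key, None)
            else:
                self.real[key] = new
        self.committed[name] = changes
        del self.sandboxes[name]
        return changes

    def discard(self, name):
        del self.sandboxes[name]

    def rollback(self, name):
        """Undo a committed set: restore old values, remove keys that did not exist before."""
        for key, old, _new in reversed(self.committed.pop(name)):
            if old is None:
                self.real.pop(key, None)
            else:
                self.real[key] = old


def demo():
    """Walk through the installer scenario from the post; returns observations for checking."""
    reg = SpoofedRegistry({RUN + r"\Existing": r"C:\Tools\existing.exe"})   # constructed contents
    reg.create_sandbox("hello-install", {"setup.exe", "hello.exe"})
    reg.write("setup.exe", RUN + r"\Hello", r"C:\Program Files\Hello\hello.exe")
    reg.write("setup.exe", r"HKLM\SOFTWARE\HelloCorp\InstallDir", r"C:\Program Files\Hello")
    obs = {}
    obs["explorer_sees_run"] = reg.read("explorer.exe", RUN + r"\Hello")     # Windows is not spoofed
    obs["hello_sees_run"] = reg.read("hello.exe", RUN + r"\Hello")           # spoof-set member is
    obs["setup_sees_existing"] = reg.read("setup.exe", RUN + r"\Existing")   # reads fall through
    obs["pending"] = [k for k, _old, _new in reg.pending_changes("hello-install")]
    reg.commit("hello-install")
    obs["explorer_after_commit"] = reg.read("explorer.exe", RUN + r"\Hello")
    reg.create_sandbox("trial", {"trial.exe"})
    reg.write("trial.exe", RUN + r"\Trial", r"C:\trial.exe")
    reg.discard("trial")
    obs["trial_after_discard"] = reg.read("explorer.exe", RUN + r"\Trial")
    reg.rollback("hello-install")                                            # "uninstall"
    obs["explorer_after_rollback"] = reg.read("explorer.exe", RUN + r"\Hello")
    obs["existing_after_rollback"] = reg.read("explorer.exe", RUN + r"\Existing")
    return obs


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The model makes the post's trade-off visible: while the change set is pending, `explorer.exe` never sees the spoofed Run entry, so the application will not auto-start until the set is committed, exactly the limitation the follow-up reply describes.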
gottadoit
February 20th, 2005, 09:57 AM
Jason,
I like P2K's idea of turning RegDefend into a registry sandbox, that would be great if you can do it. It does leave open the issue of what to do with uncommitted changes during shutdown, but if the uncommitted changes were visible in the log pane after reboot then they could potentially be applied again (easily) with a right click "apply"
To allow this tool to be used as P2K describes and get a list of registry changes made by an application it would be nice to be able to specify "advanced" filter rules for a particular executable (eg: hello.exe filter: Change:HKLM\*;!Change:HKLM\Software\HelloCorp\*; .. )
That way if we have an executable that we are a little unsure of, then we can get prompted for every read and every little change (and see the existing value and the new value), it would be a lot of clicking
And as hojtsy says in post 8 the ability to allow/deny specific key+value combinations is somewhat important. That is what I was referring to in my earlier post for centralised blocklists - the ability to target specific suspicious or known malicious behaviours
As bowserman says in #13, a delete file would be good, if any handles to the offending file were forcibly closed first then the delete would most probably be able to happen immediately....
To take an idea from the latest version of Process Explorer (http://www.sysinternals.com) another potentially useful thing to log from a forensic point of view, would be to add a button to the GUI alert to collect and display a stack trace (and module name) from the app thread that is attempting to make the registry modification.
If you did this it would be nice to have an option to also log the module + stack trace to the logfile; this would need to be tightly configured (with a filter pattern) to keep the volume of information manageable and make sure that the overheads of collecting and storing are acceptable
And just like PG the GUI Alert suffers from the problem that people with single headed systems cannot go and look for information about whether a particular registry change is safe (whilst the Alert is in the way). I'm not sure how you can work around this without providing a way to compromise display of the alert, but it would be nice to have a way of getting some information in this situation (nb: I don't have an issue when using a dual headed system)
Paranoid2000
February 20th, 2005, 10:19 AM
{QUOTE-> It does leave open the issue of what to do with uncommitted changes during shutdown, but if the uncommitted changes were visible in the log pane after reboot then they could potentially be applied again (easily) with a right click "apply" <-QUOTE}The best option in my view would be for RegDefend to keep them spoofed/uncommitted so they would only be visible when RegDefend restarts - this would allow testing of applications whose installers insist on an immediate reboot.
The main problem is that the application wouldn't be properly installed (e.g. it would not run on startup since Windows processes would not see the spoofed Run entries, so it would have to be run manually and Explorer changes would not be implemented so right-click menu options and extra buttons would not be present). However the application would see all its (spoofed) registry entries so should otherwise function normally, and Committing the changes should then give a fully functional install.
Pilli
February 20th, 2005, 11:08 AM
I would like to make Bowserman's suggestion a little wider :) A link to regedit with the ability to delete the key and a pop up property box of the offending process /executable with the ability to disable, rename or delete it.
Thanks. Pilli
Edit: re. gottadoit's suggestion below :) Quarantine & submit
gottadoit
February 20th, 2005, 11:17 AM
Pilli,
If you are going to have that then Jason might as well have a "submit suspicious executable" button that will shoot the executable off to the list of email addresses configured via the GUI
And a button to auto-submit the executable for scanning to one (or more) configurable online sites would be somewhat nice as well
NB: For the guys at DCS reading this thread, both Pilli's suggestion and this one would also be good to have in PG
Jooske
February 20th, 2005, 11:30 AM
Somewhere in your ideas about spoofing and injecting ProcessGuard comes into play preventing the .dll injection :)
gkweb
February 20th, 2005, 01:22 PM
It's my turn now pls ! ;)
That's mainly user-friendly requests :
- make the window maximized when we load it from the task bar icon (actually the minimized menu bar appears on the left top of my screen)
- a popup should appear when we click "delete group" ! I deleted the main group accidentally by clicking on it by mistake, and I was obliged to reinstall to restore it.
- something needs to be done about the GUI, I don't know how exactly though, it's probably hard to find the better way, but actually (as said by hojtsy) the most important window (left bottom) is small and we have to scroll it.
One possible way would be to have a separate application tab, and the allowances would be global, not per group created. Thus you can decrease the height of the group block (may be a combo box ?) and make the most important take all the screen in width ?
- explain somewhere in the help if the protection is still activated or not when RegDefender is closed (if not while not blocking any new values when RD is closed ?)
- in general, the icons for the groups and the registry "folder" could be better may be, the groups are too big I think, but I don't know.
- I absolutely would want to see the icon of the program trying to read/write the registry, and its path. When a warning pops up, we want to be able to quickly identify the potential offender (or trusted app), and user-friendly speaking it's better too ;)
- usual requests : make the window remember its size and location, and remember the column header size on the window.
Can't wait to see the next version :)
EDIT : oh and another icon if possible, something making us to feel that something is blocked or protected. The current one is not looking good in the taskbar.
EDIT2 : having the possibility to load rulesets or "packages" would be really nice. Thus we could have many different ones such as IE (including all IE related registry entries targeted by spywares), other ones related to particular applications (ApplicationX ruleset, etc...), and why not a "paranoid" one ? The users could share their files and everyone could load and import them.
gottadoit
February 21st, 2005, 11:49 AM
How about the ability to specify a wildcard when adding registry keys (like MJRW), that way we could easily cover all the different users keys in HKU and the ones in hojtsy's list (http://www.wilderssecurity.com/showthread.php?t=32823&page=1)
It would mean that you would have to enumerate the keys to watch at startup time (and add new ones to the watch list as they are created or as new hives are loaded if they match an existing pattern...)
It is nice to be able to specify what to monitor without having to add each key in individually and seeing as there is only a bit of memory overhead for the table of keys there is no real reason not to make the list very long....
HKLM\system\ControlSet*\control\session manager\*
For what it's worth I quite like the Tiny Firewall Registry protection hierarchical permission application where you can set more restrictive permissions as you go further down the registry tree and have the deeper keys override the settings higher up. I don't want to run Tiny everywhere and PG+RegDefender are not too bad a combination instead
I could see this being useful by being able to specify that all *new* executables (ie: being run the first time) could read anywhere but need to prompt before add/change/delete
Once I knew where the app was storing its own values (during the install process) I could then add permissions for that specific part of the tree and lessen the number of prompts for the remainder of the installation
That way I would end up with an application that had tightly specified areas that it could write to and even if something later introduced a trojan dll, it would probably draw attention to itself by writing to a different area in the registry tree (even if that area wasn't being monitored)
Loki
February 21st, 2005, 08:07 PM
Hi Jason,
Yes a kill process option is what I would like. And remember that on reboot so that the process can't start again.
Loki
gkweb
February 22nd, 2005, 12:39 PM
- "Locked mode" : To install it on users computer or on a computer used by kids, a password lock feature would be very interesting.
When an application tries to read a key and the group is set on "ask the user", and RD is password locked, it should ideally be blocked without prompting the user.
- when adding a key to a group, as hojtsy pointed out, it would be great to have a text box to enter the path, first, and secondly, while we are browsing the registry, it is not written where we are (and we have to scroll up to check that we are at the correct place).
Defenestration
February 23rd, 2005, 12:58 AM
RegDefend only informs you that a registry key/value is being modified instead of informing you what the modification is (ie. adding, deleting, modifying/renaming Value name, modifying Value data, etc.).
Would it be possible to give the user this information, instead of just saying it's been modified, which isn't overly informative.
hojtsy
February 23rd, 2005, 03:48 AM
{QUOTE-> RegDefend only informs you that a registry key/value is being modified instead of informing you what the modification is (ie. adding, deleting, modifying/renaming Value name, modifying Value data, etc.). Would it be possible to give the user this information, instead of just saying it's been modified, which isn't overly informative. <-QUOTE}Yes! And show the old and new values too for modifying values.
-hojtsy-
gkweb
February 23rd, 2005, 05:02 AM
{QUOTE-> Yes! And show the old and new values too for modifying values.
-hojtsy- <-QUOTE}
+1 for this one :)
Jason_R0
February 23rd, 2005, 08:06 AM
No one has requested the ability to add comments to registry groups, which are shown in the ask user dialog, so I'll do so here, as a reminder :D
earth1
February 23rd, 2005, 10:35 AM
As cited before, it is currently cumbersome to drill down into the hierarchy when adding keys to a group. A few possible helpers might be:
1) Reopen the registry tree control already expanded to and focused on the last point at which it was used.
2) Integrate a bookmarking feature.
3) Add a button to the tree control screen: [Jump to key in clipboard]
4) Add a right-click "Jump To" under "Registry Items and Rules" (helps when you want another key in close proximity).
earth1
February 23rd, 2005, 10:37 AM
I'd like to suggest a new popup screen to simplify specifying a range of possibilities for protection under one key. It would allow a user to specify default behavior under that key as: "Allow", "Block" or "Prompt". Behavior for individual values or subkeys could accept the "Default" or could override it. A very rough sketch might look like this:
---Add new values [Block] [Allow] [Prompt]
---Add new subkeys [Block] [Allow] [Prompt]
---Modify Values (default) [Block] [Allow] [Prompt]
Existing_value_1 [Block] [Allow] [Prompt] [Default]
Existing_value_2 [Block] [Allow] [Prompt] [Default]
---Modify Subkeys (default) [Block] [Allow] [Prompt]
Existing_subkey_1 [Block] [Allow] [Prompt] [Default]
Existing_subkey_2 [Block] [Allow] [Prompt] [Default]
This dialog could popup when the user presses [ADD] after drilling down the registry for a new key. It could also be used to modify those same items when accessed from "Registry Items and Rules". This popup might also be useful if it can be made available from the "Allow/Block Alert popup" when RD has detected a change.
Although I think this dialog would save time and would better organize what are now multiple entries, it does create some new questions. For starters, how would the current detail summary for each key (at the bottom of the "Registry Items and Rules" pane) be displayed. With everyone's input I'm sure something would be found, but I think the dialog itself is the first chunk to consider.
EDIT: I just realized I didn't address specification of "read-protect". Perhaps adding buttons labeled "[Hide All Values]" and "[Hide All Subkeys]" which would grey-out (de-activate) the corresponding half of the controls that follow, then adding a "[Hide]" button to individual values and subkeys as well. I'm assuming that read-protected must also imply write-protected (can't update what you can't see).
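Added example (not from this thread or from RegDefend): one rule evaluator that serves both gottadoit's February 21st post (wildcard patterns such as HKLM\SYSTEM\ControlSet*\Control\Session Manager\*, deeper rules overriding shallower ones, and "new executables may read anywhere but are prompted before add/change/delete") and the per-key default with per-value overrides sketched in the dialog above. The rule set, the program names, the ALLOW/BLOCK/PROMPT vocabulary and the per-program rule filter are constructed assumptions.

```python
"""Most-specific-rule-wins evaluation of registry protection rules.

Added example, not RegDefend's code. A rule is a key pattern (one '*' or '?'
wildcard per path component, trailing '\\*' meaning "this key and everything
beneath it"), the operations it covers, a decision, and optionally a single
program it applies to. The matching rule with the highest specificity wins:
program-specific beats generic, more literal components beat more wildcards,
and a deeper pattern beats a shallower one. With no matching rule, a trusted
program is allowed, and a program seen for the first time may read anywhere
but is prompted before it adds, changes or deletes anything. All rules and
names below are constructed.
"""
import fnmatch

ALL_OPS = frozenset({"READ", "CREATE", "SET", "DELETE"})


def split_path(path):
    """Registry paths are case-insensitive, so compare lower-cased components."""
    return [p for p in path.lower().split("\\") if p]


class Rule:
    def __init__(self, pattern, ops, decision, program=None):
        self.pattern = pattern
        self.parts = split_path(pattern)
        self.ops = frozenset(ops)
        self.decision = decision
        self.program = program.lower() if program else None      # None = applies to any program
        literal = sum(1 for p in self.parts if not any(ch in p for ch in "*?"))
        self.rank = (self.program is not None, literal, len(self.parts))

    def matches(self, target_parts):
        parts = self.parts
        if parts and parts[-1] == "*":            # trailing \* covers the key and its whole subtree
            prefix = parts[:-1]
            if len(target_parts) < len(prefix):
                return False
            return all(fnmatch.fnmatchcase(t, p) for t, p in zip(target_parts, prefix))
        if len(parts) != len(target_parts):       # otherwise components must match one-to-one
            return False
        return all(fnmatch.fnmatchcase(t, p) for t, p in zip(target_parts, parts))


# Constructed rule set illustrating the ideas in the thread
RULES = [
    # Prompt for any change under Session Manager in every control set (gottadoit's pattern)
    Rule(r"HKLM\SYSTEM\ControlSet*\Control\Session Manager\*", {"CREATE", "SET", "DELETE"}, "PROMPT"),
    # A deeper, more specific rule overrides it for one value
    Rule(r"HKLM\SYSTEM\ControlSet*\Control\Session Manager\BootExecute", {"SET", "DELETE"}, "BLOCK"),
    # One pattern covers the Run key of every user hive under HKU
    Rule(r"HKU\*\Software\Microsoft\Windows\CurrentVersion\Run\*", {"CREATE", "SET", "DELETE"}, "PROMPT"),
    # After install, hello.exe gets free rein in its own area only
    Rule(r"HKLM\SOFTWARE\HelloCorp\*", ALL_OPS, "ALLOW", program="hello.exe"),
    # Read-protect the license key from every other program
    Rule(r"HKLM\SOFTWARE\HelloCorp\License\*", {"READ"}, "BLOCK"),
]


def decide(rules, program, trusted, op, path):
    """Return (decision, matching rule or None) for one registry operation by one program."""
    target = split_path(path)
    prog = program.lower()
    candidates = [r for r in rules
                  if op in r.ops and (r.program is None or r.program == prog) and r.matches(target)]
    if candidates:
        best = max(candidates, key=lambda r: r.rank)
        return best.decision, best
    if trusted or op == "READ":
        return "ALLOW", None
    return "PROMPT", None


if __name__ == "__main__":
    checks = [
        ("setup.exe", False, "SET", r"HKLM\SYSTEM\ControlSet001\Control\Session Manager\BootExecute"),
        ("setup.exe", False, "CREATE", r"HKLM\SYSTEM\ControlSet001\Control\Session Manager\NewValue"),
        ("updater.exe", False, "SET", r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
        ("other.exe", True, "READ", r"HKLM\SOFTWARE\HelloCorp\License\Key"),
        ("hello.exe", False, "SET", r"HKLM\SOFTWARE\OtherCorp\X"),
    ]
    for program, trusted, op, path in checks:
        decision, rule = decide(RULES, program, trusted, op, path)
        print(f"{program:12} {op:6} {path}\n  -> {decision} via {rule.pattern if rule else 'default'}")
```

Ranking program-specific rules above generic ones is a design choice: it lets hello.exe read its own license value while the generic deeper rule still blocks every other program, which is the behaviour dog asked for earlier in the thread. A write by hello.exe outside its own area falls back to PROMPT, which is how the "trojan dll draws attention to itself" point plays out.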
earth1
February 23rd, 2005, 10:41 AM
I would like to echo the opinion that import/export would be a great configuration tool. I'd recommend the format be ascii and that it should be easy to read/edit/merge manually. I think import/export operations should be granular with respect to Registry Groups. Multiple groups in one ascii file sounds fine, so long as unnamed groups remain unaffected. One group per file sounds equally fine. As a convenience when importing a group with existing entries, perhaps RD could ask whether to clear all existing entries before adding the new list.
I suspect there will be an ongoing process of redefining the various forms that protection under one key might take. For that reason, Jason, you may want to design import/export with an eye toward flexibility and/or you may want to wait a while before designing something.
Defenestration
February 23rd, 2005, 12:39 PM
{QUOTE-> {QUOTE-> RegDefend only informs you that a registry key/value is being modified instead of informing you what the modification is (ie. adding, deleting, modifying/renaming Value name, modifying Value data, etc.). Would it be possible to give the user this information, instead of just saying it's been modified, which isn't overly informative. <-QUOTE}Yes! And show the old and new values too for modifying values.
-hojtsy- <-QUOTE}Agreed! These two requests go hand-in-hand.
Defenestration
February 23rd, 2005, 12:49 PM
{QUOTE-> I would like to echo the opinion that import/export would be a great configuration tool. I'd recommend the format be ascii and that it should be easy to read/edit/merge manually. <-QUOTE}Import/Export is the other critical feature for me. I would recommend using Unicode since I believe the Registry already uses this format.
Defenestration
February 23rd, 2005, 01:27 PM
Multiple selection of registry keys to protect, all in one go.
earth1
February 23rd, 2005, 01:48 PM
{QUOTE-> Import/Export is the other critical feature for me. I would recommend using Unicode since I believe the Registry already uses this format. <-QUOTE}Agreed, I should have asked for Unicode.
Jason_R0
February 23rd, 2005, 08:07 PM
{QUOTE-> Import/Export is the other critical feature for me. I would recommend using Unicode since I believe the Registry already uses this format. <-QUOTE}
RegDefend already stores it in UNICODE, so that aspect is covered. :)
In regards to import/export, could you please refine this a little bit? The way I designed it, was so that people could create new "registry groups" then share them with other people. Basically an "import/export" just by coping and moving a file in your groups directory.
gottadoit
February 24th, 2005, 12:12 AM
By import and export I was thinking of a file that I could open in a text editor rather than being forced to use your GUI interface, the format would have to be able to represent NULL values (seeing as they can appear in key names) and still be editable with a run of the mill editor
A file like this (or parts of it) could easily be pasted into a forum post because it has a text basis, it is also something that could be kept under version control etc
It would be good to have a command line version of the export and import functionality, it would need to either prompt for a password or have a password passed in on the command line, that way a shortcut or a batch job could allow settings to be easily changed for different uses
It would be nice to be able to specify a different bunch of settings "per user" on the machine as well, this is something that could be done in your interface or by a startup job that runs during login..
I'll have a think about it a bit more, but that was the basic purpose of export and import, the ability to share with others in a readable way and being able to swap and change settings easily
By making the export format able to be easily parsed it means that other things can be done with it that have not yet been anticipated
Thanks
earth1
February 24th, 2005, 02:09 AM
Thanks to gottadoit, the virtues of text-based import/export have been well named. I had not been aware, however, that the current implementation of RD allows groups to be added, removed and backed up as individual files. It may not be perfect, but it's very helpful. Exchanging groups would still be pretty limited, though, unless RD provides a way to move items from one group to another group. Otherwise, any reorganization requires doing the mouse dance through the registry maze.
You may, actually, be close to what I was hoping for if you can add just enough formatting and structure to make a .ghst file editable. For instance, insert a newline between items (plus one blank line if an item spans multiple lines). And while there may be programs that recognize the contents of .ghst files as text, everything I tried displays a .ghst as half-null-text (Notepad, EditPad Lite, Wordpad, Vim). Perhaps some self-identifying characteristic of unicode (or of its ISO?) is missing.
Defenestration
February 24th, 2005, 02:31 PM
Likewise, thanks to gottadoit for the explanation of text based import/export.
{QUOTE-> Perhaps some self-identifying characteristic of unicode (or of its ISO?) is missing. <-QUOTE}A Byte Order Marker (BOM) is required to correctly identify a file as being Unicode/UTF.
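Added example (not from this thread or from RegDefend): a sketch of the text-based export/import the last three posts ask for, showing how an editor-friendly format can still carry NUL characters in key names, and why a file without a byte order mark shows up as "half-null-text" in an editor. The tab-separated record layout, the percent-encoding of control characters and the sample group are constructed assumptions; nothing here reflects the real .ghst format.

```python
"""Text-based export/import of a registry group with NUL-safe fields and a BOM.

Added example, not RegDefend's code. One tab-separated record per line; NUL,
other control characters and '%' inside a field are percent-encoded so any
key or value name survives a round trip through a plain text editor, a forum
post or version control; the file is written as UTF-16 LE with a byte order
mark so editors recognise it as Unicode. The layout is a constructed sketch.
"""
import codecs


def encode_field(s):
    """Percent-encode NUL, other control characters and '%' (backslashes stay readable)."""
    return "".join(f"%{ord(c):02X}" if ord(c) < 0x20 or c == "%" else c for c in s)


def decode_field(s):
    out, i = [], 0
    while i < len(s):
        if s[i] == "%":
            if i + 2 >= len(s):
                raise ValueError(f"truncated escape in field {s!r}")
            out.append(chr(int(s[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def export_group(group):
    """Serialise one group to bytes: BOM + UTF-16 LE, CRLF line ends."""
    lines = ["# registry group export, format version 1 (constructed format)",
             "group\t" + encode_field(group["name"])]
    for r in group["rules"]:
        lines.append("\t".join(["rule", encode_field(r["key"]), encode_field(r["value"]),
                                ",".join(r["ops"]), r["decision"]]))
    text = "\r\n".join(lines) + "\r\n"
    return codecs.BOM_UTF16_LE + text.encode("utf-16-le")


def detect_encoding(raw):
    if raw.startswith(codecs.BOM_UTF16_LE):
        return "utf-16-le"
    if raw.startswith(codecs.BOM_UTF16_BE):
        return "utf-16-be"
    if raw.startswith(codecs.BOM_UTF8):
        return "utf-8-sig"
    # No BOM: UTF-16 text made of ASCII characters has a 0x00 in every second byte,
    # which is exactly what an editor renders as "half-null-text".
    if len(raw) >= 4 and all(b == 0 for b in raw[1::2]):
        return "utf-16-le-no-bom"
    if len(raw) >= 4 and all(b == 0 for b in raw[0::2]):
        return "utf-16-be-no-bom"
    return "utf-8"


def import_group(raw):
    enc = detect_encoding(raw)
    codec = enc.replace("-no-bom", "")
    text = raw.decode(codec)
    if codec.startswith("utf-16") and text.startswith("\ufeff"):
        text = text[1:]                         # drop the BOM character itself
    group = {"name": None, "rules": []}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if fields[0] == "group" and len(fields) == 2:
            group["name"] = decode_field(fields[1])
        elif fields[0] == "rule" and len(fields) == 5:
            group["rules"].append({"key": decode_field(fields[1]), "value": decode_field(fields[2]),
                                   "ops": fields[3].split(","), "decision": fields[4]})
        else:
            raise ValueError(f"line {lineno}: unrecognised record {fields[0]!r}")
    if group["name"] is None:
        raise ValueError("no group record found")
    return group


# Constructed sample group: one ordinary rule and one whose names need escaping
SAMPLE_GROUP = {
    "name": "Startup locations",
    "rules": [
        {"key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "value": "*",
         "ops": ["CREATE", "SET", "DELETE"], "decision": "PROMPT"},
        {"key": "HKLM\\SOFTWARE\\Hidden\x00Key", "value": "%SystemRoot%",
         "ops": ["READ"], "decision": "BLOCK"},
    ],
}

if __name__ == "__main__":
    raw = export_group(SAMPLE_GROUP)
    print(detect_encoding(raw), raw[2:].decode("utf-16-le"))
    print(detect_encoding(raw[2:]), "<- the same bytes with the BOM stripped")
    print(import_group(raw) == SAMPLE_GROUP)
```

The importer still accepts a BOM-less file by the every-second-byte heuristic, but the exporter always writes the mark: that is the self-identifying characteristic earth1 found missing, and it is what lets Notepad and friends open the file as text rather than as alternating characters and NULs.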
Infinity
February 24th, 2005, 03:42 PM
that is what I meant regarding importing values.
sorry for not making it more clearly.
Inf.
gkweb
February 24th, 2005, 05:43 PM
A vote for group and key description.
Jason has already written himself about being able to add a description per group, and I would go further by being able to add description per key in one group, it would be a lot more user friendly to read :
"HKLM\sdfsdf\sdfdsf\df5z4er51ez41r\qdzae | *ALL_VALUES* | protect network config"
do you see my point ? :)
Defenestration
February 26th, 2005, 04:20 AM
Make the column headers clickable/sortable on the "Add registry item" window.
BTW, why don't you use the standard Windows controls for the UI ? (eg. buttons, lists etc.)
Atomas31
March 4th, 2005, 05:02 PM
Make a French version of Regdefend...
Atomas31
Defenestration
March 5th, 2005, 04:12 AM
I think the scope of RegDefend should be expanded to include generic support for protection of file and folders. Surely this wouldn't be too hard to implement since it could use the same/similar hook-based technology used for the registry protection. I'm not totally sure how this hook-based thingy works, but if it's possible to access the path of the file to be modified/read, then generic support would be easy to add since it could just check the path against a list of protected files/folders.
This would make RegDefend (maybe a new name would be in order too :) ) much more desirable as a product IMHO.
Don't get me wrong, RegDefend is a great product which is currently unique in the marketplace, but people who already own a product like Ad-Watch/TeaTimer will probably be reluctant to purchase a new product unless it had something like generic file/folder support as well.
siliconman01
March 5th, 2005, 08:56 AM
{QUOTE-> but people who already own a product like Ad-Watch/TeaTimer will probably be reluctant to purchase a new product unless it had something like generic file/folder support as well. <-QUOTE}
I don't think Ad-Watch has any protection options incorporated for changes to files and folders. AdAware scanner tests/checks these for spyware, etc., when a user scans with AdAware, but the resident Ad-Watch module only "stops suspicious processes" when it scans memory. I may be wrong, but that's my interpretation of Ad-Watch. :o
Defenestration
March 5th, 2005, 01:09 PM
{QUOTE-> I don't think Ad-Watch has any protection options incorporated for changes to files and folders. AdAware scanner tests/checks these for spyware, etc., when a user scans with AdAware, but the resident Ad-Watch module only "stops suspicious processes" when it scans memory. I may be wrong, but that's my interpretation of Ad-Watch. :o <-QUOTE}You're right siliconman01, it doesn't protect files/folders. My point was that Ad-Watch has several features, including registry protection (although it's after the fact, and specific), whereas RegDefend only offers protection against the registry. While the registry protection offered by RegDefend is greater than that offered from any other piece of software, people who have Ad-Watch might be reluctant to pay for the extra protection offered by RD when it only does a single job, albeit well.
I don't have the sales figures for RD at hand, but I would hazard a guess that adding generic support for file/folder protection (both read and modification) to RD would make it a much more attractive proposition in the marketplace. While RD is the best at what it does, I think RD is too limited in its scope to attract widespread appeal.
I don't agree with software becoming bloated and supporting every feature under the sun, like some companies seem to offer. However, I think generic file/folder protection would be a great addition to RD and would not be considered bloat.
gottadoit
March 19th, 2005, 11:16 AM
Some sort of application verification needs to be included so that someone doesn't replace a "trusted" application with a trojan and neatly sidestep the registry security that we think is in place. As Jason pointed out (a little while ago when I discussed this with him), threats will come from DLL's as much as the main executable, so this suggestion has already had a little bit of feedback
It would be very useful to have an extra button on the alert window to optionally collect and display information about the executable and what piece of code generated the alert. This could show if the code is in the main executable or in a DLL, show the module name and a stack trace. This is nice in that there is no runtime cost and the information can be easily gathered for forensic purposes. If this is done it would also be good to optionally be able to log it to the RD logfile.
On the protection side of things, make this an option to allow verification for applications so if something else is doing this already it can be left off in RegDefend (and avoid any overheads)
If the end-user wants application verification to be on, then allow several levels of verification (with increasing overheads as the checking becomes more comprehensive)
Level #1 - simple executable verification
- executable image checking would be performed once for each PID (ie: running instance of a program) and would be performed on the disk image at the time of the first registry interaction
Level #2 - simple executable and static dll verification
- same as #1 for executable - once per running instance of a program
- statically linked dll's would be checked once for each PID
Level #3 - dynamic executable/dll verification
- potential to create a lot of overhead for little reason
- has potential to be useful at times, especially when dealing with unknown executables
- same as #1 for executable - once per running instance of a program
- same as #2 for static dll's
- on every registry access, check which module the access is coming from and if that dll has not been verified and accepted for this PID then raise an alert
By implementing the level 1 check it would be "better than nothing", the level 2 check is much the same and would help by alerting when programs are updated. The level 3 checking might be useful when ppl are feeling paranoid and/or wondering if something funny is happening
And as I mentioned earlier if you use a hashing scheme that is different to the other tools in common use, then your hash could well provide additional value (and peace of mind) for the overall security on a particular PC
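The three verification levels sketched above, worked through as an added example (this is not RegDefend code, and the paths, on-disk images and "calling module" are constructed stand-ins); a module that was flagged once is treated as "accepted" for that PID afterwards to keep the example short.

```python
"""Per-PID executable/DLL verification at the three levels from the post.
Added example; not RegDefend code. Paths, disk images and the calling module
are constructed inputs."""
import hashlib
from dataclasses import dataclass

APP = r"C:\Program Files\App\app.exe"          # constructed path
HELPER = r"C:\Program Files\App\helper.dll"    # constructed: statically linked DLL
INJECTED = r"C:\Windows\Temp\injected.dll"     # constructed: not in the import table

# Constructed stand-in for the disk: path -> file bytes.
BASELINE_DISK = {APP: b"MZ app v1", HELPER: b"MZ helper v1", INJECTED: b"MZ unknown"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Process:
    pid: int
    image: str          # main executable
    static_dlls: list   # DLLs from the import table (constructed)


class Verifier:
    def __init__(self, level: int, trusted: dict, disk: dict):
        self.level = level
        self.trusted = trusted   # path -> hash the user accepted earlier
        self.disk = disk         # path -> bytes currently on disk
        self.checked = {}        # pid -> set of paths already verified for that PID

    def _verify_once(self, pid: int, path: str):
        """Hash the disk image the first time this PID touches the registry;
        later accesses by the same PID cost nothing (the 'once per PID' rule)."""
        seen = self.checked.setdefault(pid, set())
        if path in seen:
            return None
        seen.add(path)
        expected = self.trusted.get(path)
        if expected is None:
            return f"unknown module: {path}"
        if sha256_hex(self.disk[path]) != expected:
            return f"hash mismatch: {path}"
        return None

    def on_registry_access(self, proc: Process, calling_module: str) -> list:
        """Return the alerts this registry access should raise."""
        alerts = []
        # Level 1: main executable, once per PID, at the first registry interaction.
        result = self._verify_once(proc.pid, proc.image)
        if result:
            alerts.append(result)
        # Level 2: statically linked DLLs, once per PID.
        if self.level >= 2:
            for dll in proc.static_dlls:
                result = self._verify_once(proc.pid, dll)
                if result:
                    alerts.append(result)
        # Level 3: the module issuing this call must itself have been verified.
        if self.level >= 3:
            result = self._verify_once(proc.pid, calling_module)
            if result:
                alerts.append(result)
        return alerts


def demo() -> dict:
    """Walk the scenarios from the post; returns the alert list per scenario."""
    results = {}

    def fresh(level):
        disk = dict(BASELINE_DISK)
        trusted = {p: sha256_hex(disk[p]) for p in (APP, HELPER)}  # accepted earlier
        return Verifier(level, trusted, disk), disk

    # Level 1: a clean process is hashed once; the second access is not re-checked.
    v, disk = fresh(1)
    proc = Process(100, APP, [HELPER])
    results["l1_clean"] = v.on_registry_access(proc, APP) + v.on_registry_access(proc, APP)
    # The image on disk is swapped; the next new PID is caught at its first access.
    disk[APP] = b"MZ something else"
    results["l1_replaced"] = v.on_registry_access(Process(200, APP, [HELPER]), APP)
    # Level 1 never looks at the calling module, so a foreign DLL is invisible to it.
    v, _ = fresh(1)
    results["l1_injected"] = v.on_registry_access(Process(300, APP, [HELPER]), INJECTED)
    # Level 2 notices an updated or replaced static DLL.
    v, disk = fresh(2)
    disk[HELPER] = b"MZ helper v2"
    results["l2_dll_changed"] = v.on_registry_access(Process(400, APP, [HELPER]), APP)
    # Level 3: the access comes from a module nobody ever accepted.
    v, _ = fresh(3)
    proc = Process(500, APP, [HELPER])
    results["l3_injected"] = v.on_registry_access(proc, INJECTED)
    results["l3_injected_again"] = v.on_registry_access(proc, INJECTED)  # already flagged
    results["l3_from_exe"] = v.on_registry_access(proc, APP)
    return results
```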
jimmytop
March 19th, 2005, 11:51 AM
{QUOTE-> You're right siliconman01, it doesn't protect files/folders. My point was that Ad-Watch has several features, including registry protection (although it's after the fact, and specific), whereas RegDefend only offers protection against the registry. While the registry protection offered by RegDefend is greater than that offered from any other piece of software, people who have Ad-Watch might be reluctant to pay for the extra protection offered by RD when it only does a single job, albeit well.
I don't have the sales figures for RD at hand, but I would hazard a guess that adding generic support for file/folder protection (both read and modification) to RD would make it a much more attractive proposition in the marketplace. While RD is the best at what it does, I think RD is too limited in its scope to attract widespread appeal.
I don't agree with software becoming bloated and supporting every feature under the sun, like some companies seem to offer. However, I think generic file/folder protection would be a great addition to RD and would not be considered bloat. <-QUOTE}
I agree 100%. On my test machine (virtual PC) I have an example where a certain Peer to Peer installation application attempts to install a bunch of malware into the start group run keys in the registry. Regdefend does a wonderful job stopping all of these attempts because it intercepts the attempt before it happens, unlike other so-called "real time" applications that don't catch them until it's too late.
The problem is, this installation file also installs a couple of items into the Start Menu "Startup" folder - and this is NOT protected by Regdefend. Now here's the trick: when you reboot the machine, during the start-up one of these Startup menu items is able to add an entry to "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
BEFORE Regdefend has had a chance to initialize and catch it! This surprised me but make sense I guess.
So I agree, it would be very nice if Regdefend could protect at least the Startup folders. And generic file/folder protection would be a fantastic addition to Regdefend....
jimmytop
March 19th, 2005, 07:35 PM
New feature request: Block/alert any attempts to add hidden registry keys to the registry. I understand that Regdefend already will block hidden registry keys, but only if they are being added to registry locations that Regdefend is protecting.
What I'm asking for, is to generically block/alert for all hidden registry key attempts anywhere.
gottadoit
March 20th, 2005, 11:27 PM
{QUOTE-> New feature request: Block/alert any attempts to add hidden registry keys to the registry. I understand that Regdefend already will block hidden registry keys, but only if they are being added to registry locations that Regdefend is protecting.
What I'm asking for, is to generically block/alert for all hidden registry key attempts anywhere. <-QUOTE}
jimmytop,
This request should already be covered by what Jason has (kind of pre-) announced
Jason has already said that he is implementing regular expressions in one of the up and coming point releases
So as long as a NULL value can be represented in a pattern (and there is no reason to believe that Jason would turn a blind eye to this) it will be able to be monitored
A pattern like .*\000.* would catch a key with a NULL in it (where .* is zero or more of any character and \000 is a NULL)
NB: I'm sure that some apps also embed newlines or cr's into names as well...
Jason_R0
March 21st, 2005, 01:21 AM
{QUOTE-> jimmytop,
This request should already be covered by what Jason has (kind of pre-) announced
Jason has already said that he is implementing regular expressions in one of the up and coming point releases
So as long as a NULL value can be represented in a pattern (and there is no reason to believe that Jason would turn a blind eye to this) it will be able to be monitored
A pattern like .*\000.* would catch a key with a NULL in it (where .* is zero or more of any character and \000 is a NULL)
NB: I'm sure that some apps also embed newlines or cr's into names as well... <-QUOTE}
I am thinking of implementing a "global option" to watch keys for NULLs. All other characters will show up as certain things and be visible in most editors.
Also, only * and ? will be supported as wildcards.
gottadoit
March 21st, 2005, 06:46 AM
{QUOTE-> I am thinking of implementing a "global option" to watch keys for NULLs. All other characters will show up as certain things and be visible in most editors.
Also, only * and ? will be supported as wildcards. <-QUOTE}
Jason,
Thanks for the reply to clear that up
How will we represent arbitrary characters in the pattern?
The most obvious not easily typable one being a NULL (which would be potentially covered by the option for a global rule)
Other obvious ones that are potentially hard to type into a dialog box like carriage return or linefeed or ^H (backspace)
I can most easily envisage a use for rules like this when targeting specific malware with specific definitions
Thanks
jimmytop
March 21st, 2005, 12:34 PM
{QUOTE-> I am thinking of implementing a "global option" to watch keys for NULLs. All other characters will show up as certain things and be visible in most editors.
Also, only * and ? will be supported as wildcards. <-QUOTE}
Does that also mean it could watch for keys without nulls? In other words, could I block any attempt to add a key that contains the word "180solutions" anywhere in the registry? So instead of watching just a particular registry location for ANY change, it will also block a particular registry entry in ANY location? That would be great!
gottadoit
March 22nd, 2005, 08:42 AM
I'd like to see better handling of rundll32 as mentioned in this thread (http://www.wilderssecurity.com/showthread.php?t=71590) (for regdefend) and at least a few comments from the process guard thread (http://www.wilderssecurity.com/showthread.php?t=59185) on the same topic also apply
I'm not sure if services.exe also needs to be treated as a special case from a registry point of view or even if it can be as that might need an integrated processguard + regdefend pair so that the process interacting with services.exe is identified .... care to comment jason ?
jimmytop,
That would indeed be one of the reasons to allow wildcards, but...
You need to take into account the overheads that you will get when you have a number of patterns defined, and also the fact that if everyone does this then the pattern you are looking for will be changed by the company being targeted...
Wildcards are more useful when you are targeting specific entries for one or more users and/or the location in the tree is not fixed to specific values.
With a wildcard you get a simple pattern that is easy to maintain and hopefully have a comment against (as suggested previously) to make the ruleset easier to understand (and debug if issues arise)
Jason hasn't stated what scope each wildcard character will be able to cover, so we don't know what it would mean if we specified HKEY_LOCAL_MACHINE\SOFTWARE\*\*69equations*
Would this mean that any number of sub-key levels under SOFTWARE would be checked or just one ?
It would of course be very useful to be able to specify both cases, when we have specific sub-keys that change then we just want * to match a sub-key, for generic catch-all patterns we want something that doesn't require tight specifications...
We don't know which of the set below would match the expression above
HKEY_LOCAL_MACHINE\SOFTWARE\69equations\fred\aa a REG_DWORD with value 1
HKEY_LOCAL_MACHINE\SOFTWARE\mircosoft\69equations a REG_SZ with value "macrosoft"
HKEY_LOCAL_MACHINE\SOFTWARE\mircosoft\borednow\69equations a REG_SZ with value "macrosoft"
HKEY_LOCAL_MACHINE\SOFTWARE\fred\nerk\{NULL}69equations\hideme a REG_DWORD with value 48494445
HKEY_LOCAL_MACHINE\SOFTWARE\sparky\init a REG_SZ with value "69equations"
Jason_R0
March 22nd, 2005, 12:38 PM
I need to add a way to specify "just this one specific subkey" as you mentioned. Probably another wildcard will handle that. At the moment it would apply to all subdirectories if the last character was a "*"
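Added example (not RegDefend code) that takes gottadoit's five candidate keys and the rule HKEY_LOCAL_MACHINE\SOFTWARE\*\*69equations* and shows which keys match under each reading of "*" (confined to one subkey name, or spanning subkey levels), with Jason's current rule that a trailing "*" covers the subtree; it also carries the NULL-in-key-name check from the earlier posts. How RegDefend will actually interpret "*" is not settled, so both readings are implemented.

```python
r"""Which of the five candidate keys match HKEY_LOCAL_MACHINE\SOFTWARE\*\*69equations*
under each reading of '*', plus the NUL ('hidden key') check.
Added example, not RegDefend code."""
import re

RULE = r"HKEY_LOCAL_MACHINE\SOFTWARE\*\*69equations*"

# The candidate key paths from the post. Value names and data are left out:
# a name pattern is matched against the key path, never against the data.
CANDIDATES = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\69equations\fred",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\mircosoft\69equations",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\mircosoft\borednow\69equations",
    # {NULL} in the post: an embedded NUL character in front of the key name
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\fred\\nerk\\" + "\x00" + "69equations\\hideme",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\sparky\init",   # "69equations" is only in the data
]


def rule_to_regex(pattern: str, star_spans_subkeys: bool) -> "re.Pattern":
    """Translate a '*' / '?' rule into a compiled regex.

    star_spans_subkeys=False: '*' and '?' stay inside one subkey name (they
    cannot cross a backslash); a rule whose last character is '*' still covers
    the whole subtree, which is how Jason describes the current behaviour.
    star_spans_subkeys=True: '*' may cross backslashes, i.e. match any depth."""
    pieces = []
    last = len(pattern) - 1
    for i, ch in enumerate(pattern):
        if ch == "*":
            pieces.append(".*" if (star_spans_subkeys or i == last) else r"[^\\]*")
        elif ch == "?":
            pieces.append("." if star_spans_subkeys else r"[^\\]")
        else:
            pieces.append(re.escape(ch))
    # Key names are case-insensitive; DOTALL lets '.' also match NUL, CR and LF.
    return re.compile("".join(pieces), re.IGNORECASE | re.DOTALL)


def matching_keys(rule: str, keys: list, star_spans_subkeys: bool) -> list:
    rx = rule_to_regex(rule, star_spans_subkeys)
    return [k for k in keys if rx.fullmatch(k)]


def hidden_name_chars(key_path: str) -> list:
    r"""Characters that make a key name unreadable in a registry editor: what the
    .*\000.* idea in the post targets, extended to CR/LF as noted there."""
    return [c for c in ("\x00", "\r", "\n") if c in key_path]


if __name__ == "__main__":
    for spans in (False, True):
        print("star spans subkeys:", spans)
        for k in matching_keys(RULE, CANDIDATES, spans):
            print("   ", k.replace("\x00", "{NULL}"))
    flagged = [k.replace("\x00", "{NULL}") for k in CANDIDATES if hidden_name_chars(k)]
    print("keys with hidden characters:", flagged)
```

Under the single-level reading only the second key matches; with "*" spanning levels the second, third and fourth match; the first and fifth match under neither, the fifth because the pattern is never compared with value data.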
earth1
March 23rd, 2005, 01:13 AM
Assigning different data to a value must surely be considered a registry modification. However, if a program refreshes a value every minute by repeatedly writing the same data to it, that doesn't really modify anything. Currently, RD will issue an alert on each inconsequential refresh.
I've had no persistent problems, but even one alert can be vexing. Today, RD told me that services.exe was trying to change HKLM\...policies\disablecad. Since I didn't do it, I wanted to know the who/what/why of any spontaneous change in security policy. I still don't know why it happened, but after switching computers and researching the internet I discovered that the "modification" was just "refreshing" the policy already in place (require Ctrl-Alt-Delete before login).
Since a consistent user complaint about registry monitors is the unwanted and/or confusing alerts, I think there should, at least, be an option to "ignore modifications that result in no change". With or without that option, I'd be in favor of changing the default behavior.
Thanks
Jason_R0
March 23rd, 2005, 02:09 AM
{QUOTE-> Assigning different data to a value must surely be considered a registry modification. However, if a program refreshes a value every minute by repeatedly writing the same data to it, that doesn't really modify anything. Currently, RD will issue an alert on each inconsequential refresh.
I've had no persistent problems, but even one alert can be vexing. Today, RD told me that services.exe was trying to change HKLM\...policies\disablecad. Since I didn't do it, I wanted to know the who/what/why of any spontaneous change in security policy. I still don't know why it happened, but after switching computers and researching the internet I discovered that the "modification" was just "refreshing" the policy already in place (require Ctrl-Alt-Delete before login).
Since a consistent user complaint about registry monitors is the unwanted and/or confusing alerts, I think there should, at least, be an option to "ignore modifications that result in no change". With or without that option, I'd be in favor of changing the default behavior.
Thanks <-QUOTE}
That is a good point. I might apply that to some registry values like DWORDs, etc. Doing it on strings would increase the resource cost but I still need to test it.
gottadoit
March 23rd, 2005, 04:25 AM
{QUOTE-> That is a good point. I might apply that to some registry values like DWORDs, etc. Doing it on strings would increase the resource cost but I still need to test it. <-QUOTE}
Jason,
Please make it an optional global (on or off globally) with the ability to switch it on or off for particular keys/applications
An unwanted alert might be annoying, but I want to be able to know if an app is dumb enough to set registry values once a minute with the same value, if you make the global default to not show unchanged values then you have it working well out of the box with the ability for customisation
As I mentioned earlier it would be good to have a trigger for non-monitored keys so that we could generate an alert if something is rapidly overwriting the contents of a key (as some trojans already do in order to keep their changes in place in spite of polling registry monitors...)
The other thing that would be good would be to order the text in the alert box so it can be read "like a story", at the moment I could read the text aloud and it wouldn't make sense to a listener until after I got to the end.
That would save us from having to look up and down at the alert box to see what the actual alert means, this part of the interface should really make things so plain they are really obvious and almost jump out of the screen
NB: That is a common sense, "is it well written" test, that I was exposed to by an IT technical writer about 10 years ago; not that it really helped me all that much because I'm not exactly a prolific documentation producer...
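Added example (not RegDefend code) of earth1's "ignore modifications that result in no change" check, type-aware so that a REG_DWORD 1 written over a REG_DWORD 1 is silent while a type change or a real data change still alerts, wired to the global switch with per-key override that gottadoit asks for above; the registry type numbers are the Windows ones, the policy shape and the sample keys are constructed.

```python
"""Suppress alerts for 'modifications' that leave the value unchanged, with a
global switch plus per-key override. Added example, not RegDefend code."""
from dataclasses import dataclass, field
from typing import Optional, Tuple

REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 1, 2, 3, 4, 7

# A value is (type, data); None means "the value does not exist".
Value = Optional[Tuple[int, object]]


def normalise(value: Value):
    if value is None:
        return None
    vtype, data = value
    if vtype == REG_DWORD:
        return (vtype, int(data) & 0xFFFFFFFF)   # 32-bit, so 2**32 stores as 0
    if vtype in (REG_SZ, REG_EXPAND_SZ):
        return (vtype, str(data))                # string data is case-sensitive
    if vtype == REG_MULTI_SZ:
        return (vtype, tuple(data))              # every line counts, not only the first
    if vtype == REG_BINARY:
        return (vtype, bytes(data))
    return (vtype, data)


def is_effective_change(current: Value, proposed: Value) -> bool:
    """True only if writing 'proposed' would change what is stored. A type
    change (REG_SZ "1" -> REG_DWORD 1) counts as a change; deleting a value
    that does not exist does not."""
    return normalise(current) != normalise(proposed)


@dataclass
class AlertPolicy:
    ignore_noops_globally: bool = True
    per_key: dict = field(default_factory=dict)   # lower-cased key path -> override

    def should_alert(self, key: str, current: Value, proposed: Value) -> bool:
        if not is_effective_change(current, proposed):
            ignore = self.per_key.get(key.lower(), self.ignore_noops_globally)
            return not ignore
        return True


# The services.exe refresh from the post, key path as written there (elided).
POLICY_KEY = r"HKLM\...policies\disablecad"
NOISY_KEY = r"HKLM\SOFTWARE\Constructed\Example\Heartbeat"   # constructed


def demo() -> dict:
    default = AlertPolicy()
    # Same global default, but this one key should alert even on a no-op rewrite.
    strict = AlertPolicy(ignore_noops_globally=True, per_key={NOISY_KEY.lower(): False})
    return {
        "refresh_same_dword": default.should_alert(POLICY_KEY, (REG_DWORD, 1), (REG_DWORD, 1)),
        "real_change": default.should_alert(POLICY_KEY, (REG_DWORD, 1), (REG_DWORD, 0)),
        "type_change": default.should_alert(POLICY_KEY, (REG_SZ, "1"), (REG_DWORD, 1)),
        "delete_missing": default.should_alert(POLICY_KEY, None, None),
        "create_new": default.should_alert(POLICY_KEY, None, (REG_DWORD, 1)),
        "noisy_key_override": strict.should_alert(NOISY_KEY, (REG_SZ, "x"), (REG_SZ, "x")),
        "noisy_key_default": default.should_alert(NOISY_KEY, (REG_SZ, "x"), (REG_SZ, "x")),
    }
```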
earth1
March 25th, 2005, 01:36 AM
{QUOTE-> That is a good point. I might apply that to some registry values like DWORDs, etc. Doing it on strings would increase the resource cost but I still need to test it. <-QUOTE}I guess that means you can't query the registry from inside a hook function's callback. Perhaps a separate process could relay the existing data to RD?
IMHO, avoiding false positives and needless anxiety on the part of the user usually tends to trump resource issues. As a possible example of the cost, MJRW (on my system) reports using 168K of memory to save 1,691 registry values. I think it's reasonable to use 3%-5% more memory when enforcing an extensive set of rules. Preferable, at least, to making users decide whether RD is warning them of a real change or just interrupting them with a trick question that looks important. An additional benefit is that alerts will be able to show users both "before data" and "after data".
BTW, today I've had three more RD alerts about services.exe "not changing" a value under HKLM...\system\policy. Nice to know MS is on the job! ???
gottadoit
March 30th, 2005, 01:07 PM
Seeing as 1.2 isn't out yet, it would be really nice if the timestamp for the registry entry was shown (as is done in Sysinternals Rootkit Revealer)
Pic available on the Rootkit Revealer page as you might expect
http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
It is potentially quite useful to know if the key involved was created recently or during the windows install... if getting the information is expensive then it could always be relegated to the display additional information option/button
FWIW, the option I was asking about for frequently changed (or polled) registry values to be able to be alerted on has been touched on in the March 25th entry in a blog by Mark Russinovich (of Sysinternals fame) (http://www.sysinternals.com/blog/), the blog is fairly new and ppl interested in regdefend may well be interested in the post
Thanks
[suave]
April 5th, 2005, 08:25 PM
Jason, love the program! ;D
I read through the suggestions and I agree that you need a new/better icon.
Contact Jairo Boudewyn (jairo[at]jairoboudewyn[dot]com)
He is a talented iconist who designs beautiful freeware icons.
Check out his work: http://weboso.deviantart.com/gallery/
gottadoit
April 6th, 2005, 10:29 AM
Next suggestion(s)
#1 Provide a view that shows all of the groups "merged" together so we can see an overview of all the settings combined (with an extra column showing what group the setting is part of); and of course allow editing & group re-assignment in the overview/list mode
#2 Display the comment for each Registry Key in the Alert
not everybody needs to be familiar with
Registry Key: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
the comment could make this intelligible and by putting it above the key name - the explanation would be the first thing read
Information: Auto Start programs that run for ALL Users during login
Registry Key: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
#3 Create a "stealth" mode so that regdefend is not so easy to identify
Stealthing for both the driver and user interface binary would be nice
3 states should cater to different paranoia levels for most people
default to non-stealth
randomise driver name & chg file size
randomise driver name, UI name + change filesize and icons
NB: If someone is using ProcessGuard (or similar) with RegDefend then the stealthing is probably more for peace of mind, but does make it a little harder to target...
Jason_R0
April 7th, 2005, 02:37 AM
{QUOTE-> Next suggestion(s)
#1 Provide a view that shows all of the groups "merged" together so we can see an overview of all the settings combined (with an extra column showing what group the setting is part of); and of course allow editing & group re-assignment in the overview/list mode
#2 Display the comment for each Registry Key in the Alert
not everybody needs to be familiar with
Registry Key: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
the comment could make this intelligible and by putting it above the key name - the explanation would be the first thing read
Information: Auto Start programs that run for ALL Users during login
Registry Key: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
#3 Create a "stealth" mode so that regdefend is not so easy to identify
Stealthing for both the driver and user interface binary would be nice
3 states should cater to different paranoia levels for most people
default to non-stealth
randomise driver name & chg file size
randomise driver name, UI name + change filesize and icons
NB: If someone is using ProcessGuard (or similar) with RegDefend then the stealthing is probably more for peace of mind, but does make it a little harder to target... <-QUOTE}
Some good ideas there. I was planning on adding the information about a registry group/key in a future version since it would be helpful to people who aren't aware about the registry keys/values actual properties.
gottadoit
April 7th, 2005, 11:03 AM
{QUOTE-> Some good ideas there. I was planning on adding the information about a registry group/key in a future version since it would be helpful to people who aren't aware about the registry keys/values actual properties. <-QUOTE}
Jason,
To be perfectly honest I don't want to have to remember the esoterics of the Registry either.... I don't mind learning about it and have (or make a reference) to go with the alerts but I have enough other things to do and remember without having to clutter my memory with inconsequentials that I don't need very often
It's nice to hear that you are going to add the information/comment field I think it will expand the usability of the program a lot more than you might expect !!! It is just a small extension to your suggestion earlier in this thread in post 28 (http://www.wilderssecurity.com/showpost.php?p=381821&postcount=28) so you should take full credit for the idea.
One thing I didn't suggest in the stealthing mode is to re-pack the executables and driver so simple signatures cannot be used to find the file on disk and maybe allow the files to go into the system32 dir so that they are anonymised... (not sure why this went missing for the earlier post, I typed it in at one point and must have deleted it when I reworded the post)
Thanks
NB: As briefly discussed in this thread (http://www.wilderssecurity.com/showthread.php?t=71590) on rundll32 and services.exe
I'd really like to see rundll32.exe handled in a better way in a not too distant version, displaying the command line parameters is not *that* hard a thing to do after all... to do it properly and add them into the app side of things would take a bit more work but the first step should be quick and simple...
services.exe also could do with better handling, but as you mentioned that is a much harder task to do properly; I'd like to see what compromise you eventually reach to provide information without getting it wrong too often...
Personally I'd be happy with an extra button in the dialog that could provide an "educated best guess" as to what program caused services.exe to make the call and the driver name if you could get it
rmetzger
April 7th, 2005, 07:00 PM
Hi,
As a newbie to RD, I may be speaking out of ignorance, for which I am sorry.
My suggestion is one based on experience with many end users who simply forget to do simple things, which in turn, crash installs and systems.
Using programs like Ad-Watch and TeaTimer is great (though architecturally less effective than RD's techniques) but have a flaw. When legitimate software, drivers, and patches are applied, updates to the registry are often needed. Failure to allow these changes can crash the OS, making the system a paperweight.
When Windows Update takes place, RD, Ad-Watch, and TeaTimer should not be running, so to allow the necessary changes to take place. The flaw is a User Interface issue, where the user must be reminded that the actions they are taking with reason need to complete without hindrance.
My suggestion is:
Offer other options, besides Allow/Block. Offer these:
1) 'Suspend RegDefend for next 5 minutes' (put your own time in)
2) 'Suspend RegDefend until next Reboot'
3) 'Suspend RegDefend thru next Reboot + 5 minutes' (put your own time in)
4) 'Suspend RegDefend thru next Reboot + 1 (more reboot)'
5) 'Suspend RegDefend until manually enabled (reminded at reboot)'
This would allow for legitimate software/hardware/hotfix changes to take place, but re-enable RD after an appropriate time. So, if the end user attempts to run Windows Update, during the installation phase a warning is issued that changes are attempted. A response can be, 'Yes, allow these changes, as they are intended, until . . .'
Warnings can be issued regarding the 'Suspend' modes, as well as recommended/suggested/common uses of the 'Suspend' modes.
examples:
Method 1) Simple software installs
Method 2) Complex software installs, hardware (driver) installs
Method 3) Most Windows Updates, complex hardware (driver) installs
Method 4) Windows Service Packs, followed by Windows Updates
Method 5) Advanced Technician mode
When the timeout has been exceeded, a warning message could be displayed reminding the user to Enable protection or continue suspended, until . . .
This could be secured by a password to stop bots from having an ability to bypass RD. (Could even be like many 'registration systems' that produce several highly distorted characters, graphically, which the user needs to enter manually.) Anyway, it can be secured against simple bypass mechanisms.
This improvement would allow me to recommend RegDefend to my customers, knowing that their forgetfulness is not likely to cause a dead system.
The suspend message I suggested is open to debate, so please chime in with other methods. I only intend this to be a starter of ideas.
By the way, I really like the idea of a 'report only' mode for RegDefend. This would allow investigative use of RegDefend to isolate malware changes. Couple this with VMware or VirtualPC, and you have a powerful means of researching what programs do and how to protect against them in the future.
Anyway, just some ideas.
Thanks
Ron Metzger
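The five suspend modes proposed above as one small state machine, added here as an example (not RegDefend code): the password gate stops a bot from driving the dialog, protection comes back by itself when a timeout or reboot count runs out, and the manual mode produces the reboot reminder. Time is counted in whole minutes and the password is constructed.

```python
"""The five 'Suspend RegDefend ...' modes from the post as a state machine,
with the password gate and the reboot reminder. Added example, not RegDefend
code; time is in whole minutes and the password is constructed."""
import hashlib
import hmac
import os
from enum import Enum, auto


class Suspend(Enum):
    NONE = auto()
    FOR_MINUTES = auto()                  # 1) next N minutes
    UNTIL_REBOOT = auto()                 # 2) until the next reboot
    THROUGH_REBOOT_PLUS_MINUTES = auto()  # 3) next reboot + N minutes
    THROUGH_ONE_MORE_REBOOT = auto()      # 4) next reboot + one more reboot
    UNTIL_MANUAL = auto()                 # 5) until manually enabled (reminder at reboot)


class Protection:
    def __init__(self, password: str):
        # Salted, stretched hash so the suspend/resume password is not stored in clear.
        self._salt = os.urandom(16)
        self._pw = self._hash(password)
        self.mode = Suspend.NONE
        self.deadline = None     # minute at which FOR_MINUTES expires
        self.minutes = 0         # N for modes 1 and 3
        self.reboots_left = 0    # for mode 4

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 50_000)

    def _authorised(self, password: str) -> bool:
        return hmac.compare_digest(self._hash(password), self._pw)

    def suspend(self, mode: Suspend, now: int, password: str, minutes: int = 0) -> bool:
        """Returns False (and changes nothing) if the password is wrong, so a
        bot cannot switch protection off by driving the dialog."""
        if not self._authorised(password):
            return False
        self.mode, self.minutes = mode, minutes
        self.deadline = now + minutes if mode is Suspend.FOR_MINUTES else None
        self.reboots_left = 2 if mode is Suspend.THROUGH_ONE_MORE_REBOOT else 0
        return True

    def resume(self, password: str) -> bool:
        if not self._authorised(password):
            return False
        self.mode = Suspend.NONE
        return True

    def on_reboot(self, now: int):
        """Advance the state at boot; returns a reminder string or None."""
        if self.mode is Suspend.UNTIL_REBOOT:
            self.mode = Suspend.NONE
        elif self.mode is Suspend.THROUGH_REBOOT_PLUS_MINUTES:
            self.mode, self.deadline = Suspend.FOR_MINUTES, now + self.minutes
        elif self.mode is Suspend.THROUGH_ONE_MORE_REBOOT:
            self.reboots_left -= 1
            if self.reboots_left == 0:
                self.mode = Suspend.NONE
        elif self.mode is Suspend.UNTIL_MANUAL:
            return "RegDefend is still suspended (manual mode): enable it?"
        return None

    def protecting(self, now: int) -> bool:
        """Is the registry protected at this minute? A lapsed timeout re-enables it."""
        if self.mode is Suspend.FOR_MINUTES and now >= self.deadline:
            self.mode = Suspend.NONE
        return self.mode is Suspend.NONE
```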
gottadoit
April 10th, 2005, 01:32 PM
The suspend option isn't a bad one and the reminders wouldn't go astray
Also a reference to the suggestion for highlighting rules that cannot be reached due to other rules with higher precedence, see thread (http://www.wilderssecurity.com/showthread.php?t=74851)
And a reference to checking/verifying the RD group files to stop them being deleted or replaced (or added to) without some notification, see thread (http://www.wilderssecurity.com/showthread.php?t=74424)
gottadoit
April 13th, 2005, 09:13 AM
Allow more control on logging and acceptance of events :
ie: another 2 option boxes ( 3 and 4 )
1. When the following access occurs
2. Perform this action
3. Log this event
4. Security
Where "3" log this event allows
[] Log to RD Logfile on Block
[] Log to RD Logfile on access [ie: when there is an alert]
[] Do not log event
and
[] visual alert in systray
[] no visual alert in systray
And "4" Security allows
[] allow operator to decide on action
[] require Human Interaction verification
[] require admin password before allowing
[] require H.I verification and admin password before allowing
and also for when the GUI is not running
[] block if action is "Ask" and UI is not running & Log the event
[] allow ONCE if action is "Ask" and UI is not running & Log event & Alert when UI is next started (with HI verification)
[] allow and ADD APO (permissions override) rule for this application to referenced keys [Learning mode of sorts] & Log the events and additions to the ruleset
This would allow :
frequent events to be intentionally ignored without logging overhead
important events to make the tray icon red (or visibly different)
the logging of acceptance of important events
the really important keys to be locked away from change
and stop simple sendkeys attacks pressing the Allow button
an easy way to "learn" during shutdown/reboots to avoid hard to diagnose hanging/startup problems
BTW:
Version 1.2 has a much nicer feel to it or alternately I've just gotten used to it :-)
I'd still like to see the UI do more microsoft app like things (right click, copy and paste, the ability to rename and edit etc) but I'm willing to give it a try now
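Added example (not RegDefend code) that evaluates one rule with the extra "Log this event" and "Security" boxes laid out above, including the three behaviours for when the UI is not running; the option names follow the post, the data shapes and the sample event are constructed.

```python
"""One rule with the 'Perform this action', 'Log this event' and 'Security'
boxes from the post, evaluated against an access. Added example, not RegDefend
code; shapes and sample data are constructed."""
from dataclasses import dataclass, field
from enum import Enum, auto


class Action(Enum):
    ALLOW = auto()
    BLOCK = auto()
    ASK = auto()


class LogMode(Enum):
    ON_BLOCK = auto()
    ON_ACCESS = auto()   # whenever there is an alert, whatever the decision
    NONE = auto()


class Security(Enum):
    OPERATOR = auto()            # operator decides
    HUMAN = auto()               # human-interaction verification
    PASSWORD = auto()            # admin password
    HUMAN_AND_PASSWORD = auto()


class NoUI(Enum):
    BLOCK_AND_LOG = auto()
    ALLOW_ONCE_AND_DEFER = auto()   # allow once, log, alert when the UI next starts
    LEARN_ADD_APO = auto()          # allow, add an APO rule for this app, log both


@dataclass
class Rule:
    action: Action
    log: LogMode = LogMode.ON_BLOCK
    tray_alert: bool = True
    security: Security = Security.OPERATOR
    no_ui: NoUI = NoUI.BLOCK_AND_LOG


@dataclass
class Event:
    app: str
    key: str
    ui_running: bool = True
    operator_allows: bool = False   # what was clicked (or sent) in the dialog
    human_verified: bool = False    # HI verification passed
    password_ok: bool = False


@dataclass
class Outcome:
    allowed: bool
    log: list = field(default_factory=list)
    tray_red: bool = False
    deferred_alert: bool = False
    apo_added: bool = False


def _gate_ok(rule: Rule, ev: Event) -> bool:
    need_human = rule.security in (Security.HUMAN, Security.HUMAN_AND_PASSWORD)
    need_pw = rule.security in (Security.PASSWORD, Security.HUMAN_AND_PASSWORD)
    return (ev.human_verified or not need_human) and (ev.password_ok or not need_pw)


def decide(rule: Rule, ev: Event) -> Outcome:
    what = f"{ev.app} -> {ev.key}"
    if rule.action is Action.ALLOW:
        return Outcome(allowed=True)          # no alert, nothing to log
    if rule.action is Action.BLOCK:
        out = Outcome(allowed=False)
        if rule.log is not LogMode.NONE:
            out.log.append(f"BLOCKED {what}")
        return out
    # Action.ASK without a UI to ask: fall back to the "UI not running" option.
    if not ev.ui_running:
        if rule.no_ui is NoUI.BLOCK_AND_LOG:
            return Outcome(False, [f"BLOCKED (no UI) {what}"])
        if rule.no_ui is NoUI.ALLOW_ONCE_AND_DEFER:
            return Outcome(True, [f"ALLOWED ONCE (no UI) {what}"], deferred_alert=True)
        return Outcome(True, [f"ALLOWED (learning) {what}", f"APO RULE ADDED {ev.app}"],
                       apo_added=True)
    # Action.ASK with the UI: a click alone is not enough if the rule demands
    # HI verification or a password, which is what defeats a sendkeys "Allow".
    allowed = ev.operator_allows and _gate_ok(rule, ev)
    out = Outcome(allowed, tray_red=rule.tray_alert)
    verdict = "ALLOWED" if allowed else "BLOCKED"
    if rule.log is LogMode.ON_ACCESS or (rule.log is LogMode.ON_BLOCK and not allowed):
        out.log.append(f"{verdict} {what}")
    return out


RUN_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run"
```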
[suave]
April 13th, 2005, 11:19 AM
I would like to be able to right-click the icon in the system tray and enable/disable the protection.
Defenestration
April 22nd, 2005, 01:36 AM
RegDefend only displays the first line of a REG_MULTI_SZ Value on the alert for Current and Proposed Value Data. This means only changes to the first line will be displayed in the alert, otherwise the Current and Proposed Value Data will be the same, which is not very useful.
Please can you display more than the first line of a REG_MULTI-SZ on the alert. I would be happy if all lines were displayed on the same line in the alert, separated by a space (or some other separator character)
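The REG_MULTI_SZ alert defect just described beside a rendering that shows every line and marks the one that changed, added here as an example (not RegDefend code); the sample value data is constructed.

```python
"""REG_MULTI_SZ in the alert: the first-line-only rendering from the post
beside one that shows all lines. Added example, not RegDefend code."""
from itertools import zip_longest

# Constructed current/proposed data for a REG_MULTI_SZ value: only line 2 differs.
CURRENT = ["Constructed Line One", "Constructed Line Two", "Constructed Line Three"]
PROPOSED = ["Constructed Line One", "Constructed Line Two (edited)", "Constructed Line Three"]


def render_first_line_only(lines: list) -> str:
    """What the post reports RegDefend shows today: only the first string."""
    return lines[0] if lines else ""


def changed_line_numbers(current: list, proposed: list) -> list:
    """1-based numbers of the lines that differ, including added/removed lines."""
    pairs = enumerate(zip_longest(current, proposed), start=1)
    return [i for i, (a, b) in pairs if a != b]


def render_all_lines(lines: list, changed=(), sep: str = " | ") -> str:
    """All lines on one alert line. A plain space would be ambiguous when the
    lines themselves contain spaces, so ' | ' separates them, and changed lines
    are bracketed so the eye goes straight to the difference."""
    return sep.join(f"[{line}]" if i in changed else line
                    for i, line in enumerate(lines, start=1))


def alert_text(current: list, proposed: list) -> dict:
    changed = changed_line_numbers(current, proposed)
    return {
        "buggy": (render_first_line_only(current), render_first_line_only(proposed)),
        "fixed": (render_all_lines(current, changed), render_all_lines(proposed, changed)),
        "changed": changed,
    }
```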
Vikorr
May 22nd, 2005, 01:36 AM
Didn't see this suggestion (probably missed it)
Can we have an 'Edit Rule' ability
TonyKlein
May 24th, 2005, 09:08 AM
{QUOTE-> Didn't see this suggestion (probably missed it)
Can we have an 'Edit Rule' ability <-QUOTE}
Likewise... :)
I already posted this elsewhere, but I guess this is the appropriate place:
Every time I launch IE, RD warns me that IE is trying to delete the (nonexisting) Googldcclient reg value in the HKCU Run key.
Now I understand that if I allow it to always do that, that gives IE a "wild card" to in the future delete/modify ANY other reg value it chooses.
I have a similar case every time I launch Copernic (another nonexistent run value to delete...) See screenshot.
It would be really nice if in the future this could be fine-tuned so that one can allow a given application to edit/delete one or more specific reg values but nothing else.
Also, support for 120 DPI settings would be nice. There seems to be an issue there: Look at the top screenshot: "Copernic Agent is trying to delete the following..." and then nothing.
Not sure what else I'm missing there...
And, like others, I'd welcome an option to temporarily disable RD.
TonyKlein
May 24th, 2005, 01:33 PM
{QUOTE-> It would be really nice if in the future this could be fine-tuned so that one can allow a given application to edit/delete one or more specific reg values but nothing else. <-QUOTE}
Update: I'm happy to report that Gottadoit just explained to me the finer details of the "Application Permissions Override" principle in combination with the Groups sort order, and that does take care of that one! :D
Excellent! ;D
Robyn
May 24th, 2005, 01:49 PM
I had the Googledcclient one when launching IE and wasn't sure what to do, but allowed once, not all of the time. If this happens again, what is the best action to take, please? Sorry to post this in the wishlist :-[
TonyKlein
May 24th, 2005, 01:58 PM
Have a look here, where Gottadoit explains the groups sort order/APO principle...
http://www.wilderssecurity.com/showthread.php?p=467275
Create a new group called for example "AP Specific". This is then (following the alphabet) automatically placed on top, and rules created therein apparently therefore prevail over what's beneath...
Here's a screenshot of my AP S group
Robyn
May 24th, 2005, 02:14 PM
Thank you Tony - I made a mistake in my post - I blocked once not allowed in case it was something I needed.
I will study your link and your screenshot as I am very keen to learn about the way RD works. Screenshots are very useful especially when I am in learning mode. ;)
TonyKlein
May 24th, 2005, 02:22 PM
I just want to add that, as that googledcclient value isn't there, you'll need to enter it manually, then "always allow" IE to modify it when the RD dialogue box pops up.
TonyKlein
May 27th, 2005, 02:24 AM
Just a small thing, but would be nice if you could teach RD to remember window size. :)
dog
May 27th, 2005, 02:33 AM
{QUOTE-> Just a small thing, but would be nice if you could teach RD to remember window size. :) <-QUOTE}Hi Tony, ;)
Resize the window the way you would like, then close (X button) RegDefend and then open/start it (GUI) again ... and it will retain the size.
Steve
TonyKlein
May 27th, 2005, 02:42 AM
Hi Steve. :)
I know this will probably surprise you no end, but I have actually tried resizing the window. In fact, I (need to) do it every time I launch the application's GUI...
Apparently the change simply isn't registering. It's only RD that's doing it too. I even tried the old hack of pressing Ctrl while closing the window, but that won't do the trick either.
Will try a few other things. Thanks!
dog
May 27th, 2005, 03:03 AM
That's strange for sure. :-\
Here's a bit of a stretch, but do you want to try my GUI size? HKEY_LOCAL_MACHINE\SOFTWARE\GHOST SECURITY\REGDEFEND ... and set the Dword Values ... for mainwnd_h = 2c4 / _w = 3e8 / _x = e / _y = b
TonyKlein
May 27th, 2005, 03:39 AM
Thanks, I was just about to ask you for an export of that key. :)
Will give it a try...
TonyKlein
May 27th, 2005, 03:42 AM
{QUOTE-> Thanks, I was just about to ask you for an export of that key. :)
Will give it a try... <-QUOTE}
As a matter of fact, could I still ask you for an export of the relevant values of that key, please? I prefer seeing them in a regfile.
Will have to go off to work now, but will get back to you later on this.
Thanks again! :)
dog
May 27th, 2005, 03:50 AM
Here it is :)
Robyn
May 27th, 2005, 09:11 AM
With regards to the wishlist for RD - I really am learning about the way the defence works, but I worry that by adding rules etc. I will lessen the protection instead of securing my computer ??? If possible, could extra rule sets for specific applications, which the experts know are safe to include, be made available for someone like me who is trying to learn the right way to add to the AP set of rules :-[ Most likely I am the only one to worry, but I am reading the posts here to try and learn ??? Tony's screenshot was great for me - thanks.
I am not sure if I should have extra rules for things like Outpost Pro and my AV, which overrides one rule when I run it ???
gottadoit
May 27th, 2005, 11:38 AM
{QUOTE-> With regards to the wishlist for RD - I really am learning about the way the defence works, but I worry that by adding rules etc. I will lessen the protection instead of securing my computer ??? If possible, could extra rule sets for specific applications, which the experts know are safe to include, be made available for someone like me who is trying to learn the right way to add to the AP set of rules :-[ Most likely I am the only one to worry, but I am reading the posts here to try and learn ??? Tony's screenshot was great for me - thanks.
I am not sure if I should have extra rules for things like Outpost Pro and my AV, which overrides one rule when I run it ??? <-QUOTE}
Robyn,
In order to *not* lessen your security you should have an extra group for each application. So, to use Tony's entries as the example: he has 2 application overrides covering different keys, so for greater security he could have created 2 groups,
one called "AP iexplore" with the entry in it for IE and a program override for IE (so that it doesn't prompt),
another called "AP copernicagent" with the specific rules for just the agent and the program override for copernicagent.exe.
By making sure that you don't put Program Overrides in a group with shared keys, and by making the keys very specific, you shouldn't be lessening your security by making additions.
Have a think about what you are going to add before you do it: do you think that other programs might also use the same key? Use Google and see what comes back for the key in question, as that is often helpful.
If more than one program is using the key then you might need to be adding extra executables to the APO list or putting up with extra alerts.
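The "one group per application" advice above is easiest to see as a precedence model. The code below is an added example, not RegDefend's own engine: it assumes what the posts describe (groups evaluated in alphabetical order, the first group whose rule covers the target decides, an executable in that group's APO gets through without a prompt), and the Copernic value name is a placeholder.

```python
"""Model of how RegDefend-style groups and Application Permission Overrides
(APOs) resolve an event.  Added example for this thread, not RegDefend code:
it assumes groups are evaluated in alphabetical order, that the first group
whose rule covers the target decides, and that an executable listed in that
group's APO is allowed without a prompt.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional, Set, Tuple


@dataclass
class Rule:
    key: str                      # key path, fnmatch-style '*' wildcards allowed
    value: Optional[str] = None   # value name; None covers the whole key


@dataclass
class Group:
    name: str
    rules: List[Rule]
    apo: Set[str] = field(default_factory=set)  # executables that bypass the prompt
    action: str = "ask"                         # outcome for everyone else


def rule_matches(rule: Rule, key: str, value: str) -> bool:
    if not fnmatchcase(key.lower(), rule.key.lower()):
        return False
    return rule.value is None or rule.value.lower() == value.lower()


def decide(groups: List[Group], exe: str, key: str, value: str) -> Tuple[str, Optional[str]]:
    """Return (decision, deciding group) for one registry event.

    Groups are walked in alphabetical order, which is what the "AP Specific"
    trick relies on: a specific 'AP ...' group shadows the broad 'Autostart' one.
    """
    for g in sorted(groups, key=lambda g: g.name.lower()):
        if any(rule_matches(r, key, value) for r in g.rules):
            if exe.lower() in {e.lower() for e in g.apo}:
                return "allow", g.name
            return g.action, g.name
    return "none", None          # no rule covers this key at all


RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# "Googledcclient" is the value named in the thread; "CopernicStartup" is a
# placeholder for whatever value Copernic touches (not taken from the thread).

# Layout 1: one shared group holding both values and both executables.
shared = [
    Group("AP Specific",
          [Rule(RUN, "Googledcclient"), Rule(RUN, "CopernicStartup")],
          apo={"iexplore.exe", "copernicagent.exe"}),
    Group("Autostart", [Rule(RUN)]),
]

# Layout 2: one group per application, each APO scoped to its own value.
split = [
    Group("AP copernicagent", [Rule(RUN, "CopernicStartup")], apo={"copernicagent.exe"}),
    Group("AP iexplore", [Rule(RUN, "Googledcclient")], apo={"iexplore.exe"}),
    Group("Autostart", [Rule(RUN)]),
]


def cross_grant(groups: List[Group]) -> Tuple[str, Optional[str]]:
    """Can IE silently touch Copernic's value under this layout?"""
    return decide(groups, "iexplore.exe", RUN, "CopernicStartup")


if __name__ == "__main__":
    print("shared group :", cross_grant(shared))   # ('allow', 'AP Specific')
    print("split groups :", cross_grant(split))    # ('ask', 'AP copernicagent')
    print("unknown exe  :", decide(split, "unknown.exe", RUN, "Googledcclient"))
```

The shared layout lets IE change Copernic's value without a prompt; the split layout still prompts for that, which is the extra security gottadoit describes.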
Robyn
May 27th, 2005, 12:15 PM
Thank you for helping me to understand a little more about the settings in RD.
To date I have only added the googled one and it is actually in its own new rule box as I hadn't added anything else (because I wasn't sure :-[ )
I don't mind being alerted if this is the way I will learn which keys are required etc. and then, when I am confident, make the rule to override. I know AVG will come out and want to override when I run the quick test on my way to a full test. I had let this add itself to the 'always allow' when I first installed, but then I worried that this would open a hole in my security, so now I just let it ask :-[
I may be best to watch which key I am prompted about and then create a rule for my AVG key to make sure it is only confined to this one trigger and will not do anything to lessen my protection in any other way. I have so much to learn about RD but I am keen to learn as I know I really do need this monitor.
I read as many posts as I can and hope to be as confident in rules and keys as the others are.
TonyKlein
May 27th, 2005, 12:57 PM
{QUOTE-> So, to use Tony's entries as the example: he has 2 application overrides covering different keys, so for greater security he could have created 2 groups <-QUOTE}
In theory I agree wholeheartedly. However, as I appear to have a number of applications each repeatedly trying to modify/delete a particular value, I was trying to save space by putting them into one group.
Also, in my opinion, by fine tuning the rules as I did by allowing one particular trusted application to modify one particular reg value only, without using any wild cards, it shouldn't impair security.
In the example I illustrated with a screenshot, as far as I can see the only thing that could possibly happen is that IE and Copernic could accidentally modify/delete each other's specified startups, which you have to admit is pretty unlikely...
However, I do realize these specific rules need careful thought, and I AM regularly checking my log for unforeseen side effects.
If my reasoning is somehow flawed, please don't hesitate to point it out, as I've been overlooking the obvious before... ;)
TonyKlein
May 27th, 2005, 01:07 PM
{QUOTE-> Here it's is :) <-QUOTE}
Thanks! :D I merged the relevant part of the regfile, Regedit shows the changes to have been effectuated, but unfortunately, RD still won't open maximized. It reverts back every time...
No huge issue really, unless of course you insist on letting it bother you... ;)
gottadoit
May 27th, 2005, 02:14 PM
{QUOTE-> In theory I agree wholeheartedly. However, as I appear to have a number of applications each repeatedly trying to modify/delete a particular value, I was trying to save space by putting them into one group.
Also, in my opinion, by fine tuning the rules as I did by allowing one particular trusted application to modify one particular reg value only, without using any wild cards, it shouldn't impair security.
In the example I illustrated with a screenshot, as far as I can see the only thing that could possibly happen is that IE and Copernic could accidentally modify/delete each other's specified startups, which you have to admit is pretty unlikely...
However, I do realize these specific rules need careful thought, and I AM regularly checking my log for unforeseen side effects.
If my reasoning is somehow flawed, please don't hesitate to point it out, as I've been overlooking the obvious before... ;) <-QUOTE}
Tony,
There is nothing much wrong with your reasoning that I can see; I was offering Robyn more generic advice for APOs and just using you as the example.
In the case of IE I might be more inclined to partition it off simply because of its potential to be a file dropper with ActiveX, and the many and varied IE exploits mean that there is always some level of risk.
Regards
TonyKlein
May 27th, 2005, 02:20 PM
{QUOTE-> There is nothing much wrong with your reasoning that I can see, I was offering Robyn more generic advice for APO's and just using you as the example <-QUOTE}
Thanks for reassuring me! ;D
{QUOTE-> In the case of IE I might be more inclined to partition it off simply because of its potential to be a file dropper with ActiveX and the many and varied IE exploits mean that there is always some level of risk <-QUOTE}
That makes a lot of sense. I think I'll create a separate group for IE.
Thanks again! :)
TonyKlein
May 29th, 2005, 07:53 AM
I was thinking of an option to temporarily disable groups while installing "trusted" software or Windows updates in order to avoid being confronted with countless dialog boxes, but STILL monitor changes to covered keys and values.
That way you can check the log afterwards and see what has been happening
gottadoit
May 29th, 2005, 08:05 AM
{QUOTE-> I was thinking of an option to temporarily disable groups while installing "trusted" software or Windows updates in order to avoid being confronted with countless dialog boxes, but STILL monitor changes to covered keys and values.
That way you can check the log afterwards and see what has been happening <-QUOTE}
Tony,
Jason has indicated in this (http://www.wilderssecurity.com/showpost.php?p=468270&postcount=3) thread that this feature is on its way in the next release.
The need is also there when you are getting bombarded by alerts; closing the RD GUI will result in all "Ask User" items being blocked and avoid the issue, but it's not always what you would want.
You can currently manually disable all the groups (prior to the install) by clicking on the tick box for each group, but it's not particularly user friendly.
TonyKlein
May 29th, 2005, 08:13 AM
Ah excellent! :)
TonyKlein
May 30th, 2005, 03:24 AM
I know about being able to copy a bunch of registry items using Ctrl + C.
Now what would be practical is actually being able to use Ctrl + X on one or a bunch of items, then paste them into another group.
Makes the business of sorting a lot easier.
gottadoit
May 30th, 2005, 06:54 AM
{QUOTE-> I know about being able to copy a bunch of registry items using Ctrl + C.
Now what would be practical is actually being able to use Ctrl + X on one or a bunch of items, then paste them into another group.
Makes the business of sorting a lot easier. <-QUOTE}
+5 from here
TonyKlein
May 30th, 2005, 06:58 AM
{QUOTE-> You can currently manually disable all the groups (prior to the install) by clicking on the tick box for each group, but it's not particularly user friendly. <-QUOTE}
I agree, but if I'm correct, once you disable the groups, RD will not monitor them either.
What I'd like is an option for RD to CONTINUE monitoring and logging events pertaining to those groups once disabled, just not blocking or alerting.
Bubba
May 30th, 2005, 04:48 PM
{QUOTE-> I was thinking of an option to temporarily disable groups while installing "trusted" software or Windows updates in order to avoid being confronted with countless dialog boxes, but STILL monitor changes to covered keys and values. <-QUOTE}If when you disable any\all groups....you could then go into the Monitoring tab of RegDefend....select the Filtering you desire....and Start a New Capture. Indirectly it will show "covered keys and values" by monitoring any\all registry actions....while you are "installing "trusted" software or Windows updates" :-\
TonyKlein
May 30th, 2005, 04:52 PM
You're absolutely right, and to be honest so far I haven't given that RD feature any time at all...
Still, it would be nice if logging of normally monitored keys and values went on even after the group in question has been disabled.
TonyKlein
May 30th, 2005, 05:05 PM
{QUOTE-> You're absolutely right, and to be honest so far I haven't given that RD feature any time at all... <-QUOTE}
Very nice! I just entered the PID for the BOClean executable and followed it around for a bit. Some more complex filtering would be nice (excluding/including apps, Regex).
Can't entirely do away with regmon just yet....
Quick question: is this being logged to file? If not, that would be a useful feature.
Bubba
May 30th, 2005, 05:11 PM
{QUOTE-> Quick question: is this being logged to file? If not, that would be a useful feature. <-QUOTE}Yes....it's being logged and are saved\updated according to date as a .dat file....2005_05_30_capture0.dat. They are placed in Program Files\Regdefend\Monitor folder and can be viewed with a txt editor.
TonyKlein
May 30th, 2005, 05:15 PM
Ah thanks! :) Will play with it some more!
Bubba
May 30th, 2005, 05:22 PM
You can also change the base name of the file if you monitor more than once a day....but retain the .dat extension.
I'll stop with my OT in this Wishlist thread :-X
TonyKlein
May 30th, 2005, 05:47 PM
Thanks! :)
BTW, attaching a screenshot of the Regmon filter. The parameters are chosen haphazardly, it's just in order to show the possibilities.
That would be a great feature for RD as well
xmen
June 13th, 2005, 09:18 AM
{QUOTE-> ha ha ha, ironical.
I made my folder read only and write-deny on purpose.
I do not care about the log; it is a bug that the log cannot be controlled. <-QUOTE}
Yes. I think there should be an option to limit the size of the log. It gets huge fast, faster than even firewall logs, because many programs poll the registry multiple times and, unlike most firewall logs, it by default records even allowed events!
I really think there should also be an option to turn off logging for allowed events. It's not too helpful anyway most of the time; I'm looking for blocked events, not allowed ones.
Talking about logging, it gets irritating for all the 'balloon tips' to keep appearing for actions that I want blocked. Sure, I could turn off the balloon tips, but it just means missing all the other alerts that I want to see.
Please add an option to "block silently" so that it never appears in the logs or balloon tips. I don't really miss this feature as much in ProcessGuard, because processes don't tend to be as persistent as attempts to read the registry.
Since I'm on my wish list here's another.
I read a while ago some of the wishlists for registry sandboxing, faking registry keys etc. in the wishlist thread, and my first thought was "typical overcomplicated crap for geeks that has zero chance of getting implemented".
Then yesterday I ran software X, which has this irritating habit of putting itself into the autostart key without asking.
Normally with a polling startup monitor it isn't a problem, since a second later I can remove it with a second click. But with RD, when I block it, the program refuses to start at all.
Weird, but in this case a polling program is superior to RD's "proactive" defense.
I'm not sure if it's technically viable for RD to actually "fake" the registry key created, or actually allow it temporarily, then remove it. I doubt it, but it doesn't hurt to ask.
G.Benson
June 14th, 2005, 10:53 AM
Just a simple request. Could it be possible to change the color of the task bar icon if one or more groups are disabled. Perhaps yellow if one or more are disabled and red if they are all disabled. This would also be handy if the new global disable option is included in the next release.
tayasimggg
June 14th, 2005, 12:14 PM
The first thing that charmed me and made me install and try the RegDefend software is the "ghost animation"; it makes me think I will be like a ghost on the network, immune from any harm. It is definitely a new technology.
But I experienced a certain disappointment when you removed the "ghost" from flying. When I have the ghost I feel more in love with the software.
Can you please give the option back to see the ghost??
It gives the user curiosity and a great will to use RegDefend.
:o
jg88swe
July 1st, 2005, 02:31 PM
Hey,
I would like a new interface/design for RegDefend...
I think the interface now is hard to understand, and it's not very trustworthy to have a GHOST as a logo :O ...
Interface and ease of use are more important than effectiveness to get credit and awards ;)
I'm kind of a novice user and I find it a little bit hard to manage :O
I don't 100% understand the warnings,
what is deleted and what is added..
Confusing :S...
Give it a thought ;)
This is by far the best Registry Monitor ;D
Kegel
July 19th, 2005, 09:50 PM
I just got a new 19 inch ViewSonic LCD and my desktop looks great...except for the....RegDefend icon in the task bar. Would you consider redoing the icon to make it a bit more attractive? Icons should never have letters....
I know, I know.....just a suggestion.
Defenestration
August 7th, 2005, 10:12 AM
Currently RegDefend only protects when it is up and running. For complete protection, even when it is not running, it should also have the ability to poll keys/values when RegDefend starts. This way it can detect when something has changed even when it is not running.
Because this could potentially slow down RegDefend when starting up, it should be possible to enable/disable this feature on a rule-by-rule basis.
The way it would work is that when RegDefend exits, any rule which has this option enabled would have its keys/values/data stored. When RegDefend re-starts, it would check all keys/values/data that were stored against the current state of the registry. Any changes would then be flagged by RegDefend, with the ability to restore the original data. The only difference with this type of alert is that it wouldn't be possible to detect the process which made the modification.
With this suggestion implemented, there would be no gaps in RegDefend's monitoring, as is currently the case.
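The snapshot-and-compare scheme proposed above, as an added example (not RegDefend code): a dict stands in for the registry so it runs anywhere, the key paths and data are placeholders, and on Windows the reader passed to snapshot() would wrap winreg instead. It also shows the two limits the post implies: the modifying process is unknown, and a value changed and changed back between runs leaves no trace.

```python
"""Offline model of the startup snapshot idea: record each monitored key's
values when RegDefend exits, compare on the next start, report what changed,
and keep the data needed to put it back.  Added example, not RegDefend code.
"""
import copy
import json
from typing import Callable, Dict, List, Optional

KeyValues = Optional[Dict[str, list]]        # {name: [type, data]}; None = key absent
Snapshot = Dict[str, KeyValues]


def snapshot(reader: Callable[[str], KeyValues], monitored: List[str]) -> Snapshot:
    """Capture each monitored key, normalising entries to [type, data] lists so a
    JSON round trip compares equal to a fresh capture."""
    snap: Snapshot = {}
    for key in monitored:
        vals = reader(key)
        snap[key] = None if vals is None else {n: [t, d] for n, (t, d) in vals.items()}
    return snap


def dump(snap: Snapshot) -> str:            # what would be written at exit
    return json.dumps(snap, sort_keys=True)


def parse(text: str) -> Snapshot:           # what would be read back at start
    return json.loads(text)


def diff(before: Snapshot, after: Snapshot) -> List[dict]:
    """List every difference between two snapshots.  No process is attached to
    a change, and a value changed and changed back in between is invisible."""
    changes = []
    for key, old in before.items():
        new = after.get(key)
        if old is None and new is None:
            continue
        if old is None:
            changes.append({"key": key, "name": None, "change": "key_created"})
            old = {}
        if new is None:
            changes.append({"key": key, "name": None, "change": "key_deleted"})
            new = {}
        for name in sorted(set(old) | set(new)):
            if name not in new:
                changes.append({"key": key, "name": name, "change": "value_deleted", "old": old[name]})
            elif name not in old:
                changes.append({"key": key, "name": name, "change": "value_added", "new": new[name]})
            elif old[name] != new[name]:
                changes.append({"key": key, "name": name, "change": "value_modified",
                                "old": old[name], "new": new[name]})
    return changes


def restore_plan(changes: List[dict]) -> List[tuple]:
    """Operations that undo the changes (the 'restore the original data' option)."""
    plan = []
    for c in changes:
        if c["change"] in ("value_deleted", "value_modified"):
            plan.append(("set", c["key"], c["name"], c["old"]))
        elif c["change"] == "value_added":
            plan.append(("delete", c["key"], c["name"]))
        elif c["change"] == "key_created":
            plan.append(("delete_key", c["key"]))
        elif c["change"] == "key_deleted":
            plan.append(("create_key", c["key"]))
    return plan


def apply_plan(reg: dict, plan: List[tuple]) -> None:
    """Apply a restore plan to the dict-backed registry stand-in."""
    for op in plan:
        if op[0] == "set":
            reg.setdefault(op[1], {})[op[2]] = op[3]
        elif op[0] == "delete" and op[1] in reg:
            reg[op[1]].pop(op[2], None)
        elif op[0] == "delete_key":
            reg.pop(op[1], None)
        elif op[0] == "create_key":
            reg.setdefault(op[1], {})


RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
SVC = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PlaceholderSvc"  # hypothetical
MONITORED = [RUN, SVC]

# Constructed registry stand-in; paths and data are placeholders.
REG = {
    RUN: {"Googledcclient": ("REG_SZ", r"C:\placeholder\dcclient.exe")},
    SVC: {"Start": ("REG_DWORD", 2), "ImagePath": ("REG_EXPAND_SZ", r"C:\placeholder\svc.exe")},
}


def demo():
    """Exit, tamper while 'RegDefend is not running', restart, report, restore."""
    reg = copy.deepcopy(REG)
    stored = dump(snapshot(reg.get, MONITORED))                    # written at exit
    reg[RUN]["Dropper"] = ("REG_SZ", r"C:\placeholder\dropper.exe")  # value added
    reg[SVC]["Start"] = ("REG_DWORD", 4)                           # value modified
    del reg[RUN]["Googledcclient"]                                  # value deleted
    changes = diff(parse(stored), snapshot(reg.get, MONITORED))   # on next start
    apply_plan(reg, restore_plan(changes))
    restored = snapshot(reg.get, MONITORED) == parse(stored)
    return [(c["name"], c["change"]) for c in changes], restored


if __name__ == "__main__":
    print(demo())   # ([('Dropper', 'value_added'), ('Googledcclient', 'value_deleted'), ('Start', 'value_modified')], True)
```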
---
August 7th, 2005, 10:28 AM
{QUOTE-> Currently RegDefend only protects when it is up and running.
<-QUOTE}
Er what? Of course a program (drivers included) has to be running to function. If it's not running it can't protect.
Or are you talking about the GUI portion?
When I shut the GUI portion, it tells me it is still protecting the system.
Disciple
August 23rd, 2005, 10:00 AM
I did not see this request, so please ignore if it was made previously. On second thought don't ignore it, revisit the idea since more than one person thinks it useful.
The ability to GLOBALLY enable/disable all groups from a right-click context menu of the systray icon. This would be particularly useful when applying the Microsoft updates and patches, which are coming in bunches lately. I think the last round had 6 updates/patches plus the Malicious Software Tool update, and each had 1 or 2 alerts we have to deal with thus extending the total time it took to apply all updates/patches.
PearShaped
August 23rd, 2005, 10:41 AM
Hello. As a security program, I would expect to see password protection for the Ghost Security Suite; even a device similar to that used in PG would be ok.
Thank you. Pippa
HAN
September 17th, 2005, 07:10 AM
Been using RegDefend for a week or so and have a suggestion.
Once in a while, I disable the protection (when doing an image backup for example.) It would be nice if the tray icon would be different whenever RD is disabled. Would make it much simpler to tell what the current state of protection is at that moment. As it is now, I have to bring up the main interface to be able to tell... :)
Pollmaster
September 18th, 2005, 05:47 AM
{QUOTE-> Been using RegDefend for a week or so and have a suggestion.
Once in a while, I disable the protection (when doing an image backup for example.) It would be nice if the tray icon would be different whenever RD is disabled. Would make it much simpler to tell what the current state of protection is at that moment. As it is now, I have to bring up the main interface to be able to tell... :) <-QUOTE}
Good idea. I sometimes forget to turn it back on too. A different indicator would make it easier to remember.
Pho3NiX - JC
September 25th, 2005, 07:59 PM
One of the things I find a bit sad is that highly efficient and specialised protections are often seen as "geek only toys" and are not that accessible to the majority of home users.
So, well, I have been evaluating RD for nearly a week now, and here are some of the ideas that are coming to my mind.
1) Installation mode.
Well ... RD temporarily deploys a process creation hook, then silently allows every registry operation from this process and its children. Even if this seems to be rude, it has its usefulness.
For example, if you are installing a program (let's say Office 2003) in which you have complete confidence, you might just keep clicking on the allow button or, even worse, choose the always allow.
In the first case the user just gets annoyed, and in the second case the user builds a list of rubbish rules full of useless files such as setup.exe and install.exe,
or allows potentially dangerous entries.
This installation mode might be a first step to implement a one click mode. Eg:
========================================================
RegDefend has intercepted a registry access that may be dangerous if you do not trust this program:
[] I am currently installing it, allow installation
[] I have changed important settings for this program, allow the change
[] None of the above, try blocking it for this time (default)
-- This program changes those registry entries each time it is run:
[] Always allow, I trust the program
[] Always refuse (you can change later)
(Note: To have more control over which keys are allowed, choose
Friendly or Advanced Alert)
------------------------------------------------------[MORE>>]----------
=========================================================
If you choose one of the first two, you can click on the [more] button
which shows this dialog:
=========================================================
I grant this program the rights to:
[] Autostart with Windows.
[] Install background services. (?) <- explanation of what a service is
[] Change Network settings. (Only for trusted firewall, proxy server etc.)
[] Interact with Internet Explorer
[] Change the way files and folders work (right click menu etc.)
==========================================================
Of course those "rights groups" are generated from the current categories,
so if a user adds new categories, those rights will change dynamically.
In summary, when an alert occurs, the user will have three choices:
"1 Click Wizard"
"Friendly Alert"
"Advanced Alert"
The "1 click wizard" will act by temporarily considering the running process as "always allow" (as well as any child process). This "always allow" right is granted on every rule of a particular group (autostart, network settings, etc.).
Once the process ends (or a maximum time has elapsed) this right is reset and the user will have to redo the confirmation. This mode is perfect for
1) Novice users who do not have extensive registry knowledge
2) Advanced users who trust a program completely and do not want to be annoyed by 100000 alerts, while maintaining a clean, non-obstructed application rules list.
This is all for #1... ;)
Pho3NiX -JC
September 25th, 2005, 08:14 PM
Now #2)
Show disabled items in Global Registry rules
Right now you cannot know if a rule is enabled or disabled unless you check its category and then check if the category is disabled. Having a red folder icon for the disabled rules would be handy.
Also, the possibility to disable a single rule in a group would be useful.
Then two virtual groups can be handy:
"all enabled" and "all disabled"
Now #3)
Export blocked writes to a .reg file.
Well... every registry access that RegDefend has blocked will be exported as a .reg file so you can easily troubleshoot any RD related problems.
.reg files are way easier to read than any other form of log. And if anything goes wrong, you take the .reg, you remove the keys you do not want, you do a simple double click and voilà! It's just as if RegDefend hadn't blocked anything.
I see this step as the ultimate need to install RegDefend in an enterprise network (that ... and well, remote management ... and a little message such as "a registry access has been blocked, please contact your IT department if a program ceases to work properly")
And lastly (for tonight) #4)
A [More Option] button in advanced alert which brings a dialog with two list items and a text box
=====================================================
______________________ _______________ __________
| Block this Program v| | This time v| | 15 (min) |
____________________ _______________ ¯¯¯¯¯¯¯¯¯
| Allow this Program | | Always |
| Disable the Rule | | This Session |
| Disable the Group | | For X min |
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯ ¯¯¯¯¯¯¯¯¯¯¯¯¯¯
The text box is always disabled unless you choose the "For X min" option
=====================================================
Basically, when you allow a program for a rule
there are multiple reasons:
One of them is that the program should be allowed
Another reason is that you are testing a rule which you are now finding annoying (such as some of Tony's "zT_ Reinforcement for toolbar default guard")
This More Option dialog brings more control to the one who needs to deal with the alerts... all for the best user experience, I think.
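A writer for the ".reg export of blocked writes" idea in #3 above, as an added example (not RegDefend code). The event records are a constructed shape for this example; the output uses regedit's own syntax, so the user can prune the lines they do not want and merge the rest, which is what the post describes.

```python
"""Render blocked registry writes as a .reg file.  Added example, not RegDefend
code.  regedit syntax used: "name"=-  removes a value, [-key] removes a key,
hex(2)/hex(7) carry REG_EXPAND_SZ / REG_MULTI_SZ as UTF-16LE byte lists.
"""
from typing import Dict, Iterable, List

HEADER = "Windows Registry Editor Version 5.00"


def _quote(s: str) -> str:
    """A .reg string literal: backslashes and double quotes are escaped."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def _hex(prefix: str, data: bytes) -> str:
    return prefix + ":" + ",".join(f"{b:02x}" for b in data)


def format_value(name: str, vtype: str, data) -> str:
    """One 'name=value' line; name '' is the key's default value ('@')."""
    lhs = "@" if name == "" else _quote(name)
    if vtype == "REG_SZ":
        rhs = _quote(data)
    elif vtype == "REG_DWORD":
        rhs = f"dword:{data & 0xFFFFFFFF:08x}"
    elif vtype == "REG_BINARY":
        rhs = _hex("hex", bytes(data))
    elif vtype == "REG_EXPAND_SZ":
        rhs = _hex("hex(2)", (data + "\0").encode("utf-16-le"))
    elif vtype == "REG_MULTI_SZ":
        rhs = _hex("hex(7)", ("\0".join(data) + "\0\0").encode("utf-16-le"))
    else:
        raise ValueError(f"unsupported value type {vtype!r}")
    return f"{lhs}={rhs}"


def to_reg(events: Iterable[dict]) -> str:
    """Group blocked events by key and render them as a .reg file.

    Event shapes (constructed for this example):
      {"op": "set", "key", "name", "type", "data"}   blocked write of a value
      {"op": "delete_value", "key", "name"}            blocked removal of a value
      {"op": "delete_key", "key"}                      blocked removal of a key
    """
    sections: Dict[str, List[str]] = {}
    for ev in events:
        if ev["op"] == "delete_key":
            sections.setdefault("-" + ev["key"], [])      # becomes a [-key] section
        elif ev["op"] == "delete_value":
            sections.setdefault(ev["key"], []).append(f'{_quote(ev["name"])}=-')
        elif ev["op"] == "set":
            sections.setdefault(ev["key"], []).append(
                format_value(ev["name"], ev["type"], ev["data"]))
        else:
            raise ValueError(f"unknown op {ev['op']!r}")
    lines = [HEADER, ""]
    for key, body in sections.items():
        lines.append(f"[{key}]")
        lines.extend(body)
        lines.append("")
    return "\r\n".join(lines)   # write with encoding="utf-16" (BOM) for regedit


RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# Constructed blocked events; paths and the Placeholder keys are made up.
SAMPLE_EVENTS = [
    {"op": "set", "key": RUN, "name": "Dropper", "type": "REG_SZ",
     "data": r"C:\placeholder\dropper.exe"},
    {"op": "delete_value", "key": RUN, "name": "Googledcclient"},
    {"op": "set", "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Placeholder", "name": "Start",
     "type": "REG_DWORD", "data": 2},
    {"op": "set", "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Placeholder", "name": "Deps",
     "type": "REG_MULTI_SZ", "data": ["a", "b"]},
    {"op": "delete_key", "key": r"HKEY_CURRENT_USER\Software\Placeholder\Old"},
]

if __name__ == "__main__":
    print(to_reg(SAMPLE_EVENTS))
```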
Arm
September 27th, 2005, 02:20 PM
Hi
I want an offline help (in chm format) and the possibility to download the full last minor release.
Thanks.
se7engreen
September 28th, 2005, 12:20 PM
{QUOTE-> 1) Instalation mode. <-QUOTE}
I second this idea and think that Pho3NiX - JC's thoughts for a possible implementation are very good. Please consider Pho3NiX - JC's idea.
Also would be an excellent idea for Process Guard...
Disciple
November 20th, 2005, 01:52 PM
Sorry Jason, you brought this request on yourself because of a better way of doing this in AppDefend. :P
I would love to have the ability to turn off logging for the Application Rules. Somewhat similar to being able to select an entry in the AppDefend Configuration and then turn off logging for the various items. The benefit of this would be to cut/slow down the alerts tab from filling up with entries that a user has allowed/permitted.
Reve_Etrange
November 22nd, 2005, 08:15 AM
Right, I beg you to implement Pho3nix's proposal too. A quick enable/disable option with a right-click on the icon in the taskbar, and a different icon (as HUN suggested) have my vote too.
-RE
Infinity
November 23rd, 2005, 05:01 AM
yep, to disable a section .. a right click on the description (Autostart/driver protection/...) would be perfect cause that little "V" in the upper right corner is too small and too many clicks away to achieve it.
w999888
December 5th, 2005, 02:25 AM
The AppDefend price is quite expensive in a country like China, where the consumption level is quite low. Could you consider reducing the price somewhat for Chinese users?
If the price were reduced, and a Chinese edition were added, then outstanding software such as AppDefend and RegDefend would be able to gain more users in China.
I hope the above suggestion can be accepted, thanks!!
pasito
December 9th, 2005, 07:22 PM
Hello,
RegDefend is an excellent program for starters. Well done :)
What I really think RegDefend needs is a larger and more complex security rules list. Out of the box it only covers a few things.
Pilli
December 10th, 2005, 03:04 AM
Hi Pasito, I do know that Tony Klein, Nick S and Gottadoit are doing some work towards an extended ruleset, though whether it is going to be for all users or just experts I am not sure. Hopefully an extended normal user ruleset will emerge as well.
Pilli :)
f3x
December 10th, 2005, 10:54 PM
A really simple feature:
feature #1:
Right click on any rule > show in regedit
-----------------------------
If the wildcard is at the end like
Service/*
then going to /service is fine
----------------------------
If the wildcard is in the middle then it's a bit tricky
blah/*controlset*/abc/def/
maybe RegDefend can show a window with all the possibilities
blah/currentcontrolset/abc/def/
blah/controlset001/abc/def/
blah/controlset002/abc/def/
(if that last part is not implemented, we'll survive ;) )
feature #2:
see img:
http://www.ghostsecurity.com/images/regdefend_03_large.jpg
The bottom right area is where we configure each rule.
However, when no rule is selected, that area is empty, which is both ugly and a waste of screen space. At the same time you'll see that the enumeration of rules right over it is kinda squeezed.
My solution would be to give the rule enumeration the whole space and, when we select a rule, shrink it as it is now.
Of course there are more drastic changes that can be made if you really wish to optimise the screen estate. You'll notice for example that the whole left pane which shows groups is almost empty, especially at the bottom, which is exactly where you need the most space to display things.
Just a quick idea that came to my mind: the whole import/export, enable
can go right under the groups in the left pane, which may almost double the space to read the rules. I'm not sure about group name / description; that can stay at the top.
Well, in conclusion ... you have a lot of space to play with;
some parts are overpopulated where others are almost empty.
Right now RD is a great product but the rule editing has to be done in fullscreen unfortunately
and don't forget about the reg jump ;)
Reve_Etrange
December 28th, 2005, 07:05 AM
Why are alert windows modal? If you forgot to disable RD before the install of some trusted app, and it happens to play with zillions of keys, you cannot disable RD because you're bombed with modal alerts...
-RE
berng
December 28th, 2005, 07:22 AM
The option to disable AD or RD should also be added to the alert options.
tholas
January 7th, 2006, 08:44 PM
It would be nice to have the icon in the taskbar change colors, blink or do something when RegDefend is disabled. Sometimes I disable RD when installing trusted applications and forget that it's disabled because the ghost is still looking at me.
jimmytop
June 3rd, 2006, 09:34 PM
Seems like a way to really simplify all the rules for various applications is to just add a "trusted applications" group that does not have its registry access controlled.
For example, if I am running Spybot S&D for the first time, with no pre-existing rules to allow Spybot registry access, when I try to Immunize, I would get the first alert from RegDefend but instead of just Allow/Deny/Remember, there would also be an option to "Add to Trusted Applications". I would click that button and from that point forward RegDefend would no longer control registry access for Spybot S&D. It would still know if the file changed, and alert again then, but otherwise give Spybot free rein. It's a trusted application, right? Then let it do its thing. This would take care of Teatimer and SDHelper functionality as well - if I want to use them, no problem, it's a trusted app so they just work.
Then instead of having umpteen different rules in the ruleset for all these different trusted apps, and having to add new rules whenever a new trusted application needs access, just let us put trusted applications in "Trusted Applications" and let them do what they need to do.
redwolfe_98
June 4th, 2006, 12:54 PM
i think that if you need to close regdefend while it is popping up endless alerts you can just click "exit" from the RD icon in the systray..
i had to do that once, recently.. i was responsible for the problem.. i had regedit "disabled" in the app-rules, and so, when i clicked "always allow", the "always allow" rule for "regedit" could not be created..
i think that it would be good to be able to disable "balloon-alerts" that pop up when regkeys are blocked.. when i have created a rule to permanently block a regkey, i don't want to see a balloon-alert every time that it is blocked by RD..
Rickster100
June 13th, 2006, 06:05 PM
Hello,
Alert Warning Notifications
Following on from a previous posting about my request in this forum I would like to ask if the RegDefend Alerts could be changed from the DEFAULT Friendly to Advanced. The user should have the option to choose in the settings GUI what alert they would prefer - this would be fairly easy to implement. I for one would like to have Advanced Alert as default, giving me all options immediately available to deal with a specific alert. Apologies if this has been mentioned elsewhere on this thread, but I could not see any mention of it.
Overall, there should be MORE options available to a user to customise GSS/AppDefend/RegDefend to suit themselves in the settings GUI, the current settings are very basic. Other than that GSS is an excellent security app. ;)
Richie
f3x
July 8th, 2006, 10:36 AM
Well this is a simple request.
Always allow an application to delete a registry key / value if that registry key does not exist.
Always allow modifying a registry key if before is the same as after.
There are a couple of applications that try to remove themselves from startup each time they start and I see creating a rule just for that as a waste.
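A sketch of the two no-op rules f3x describes, as an added example in Python (not RegDefend's code): a write that would leave the registry exactly as it is gets allowed without a prompt, anything else still goes to the user. The in-memory hive, the operation names and the `decide` function are constructed here for illustration.

```python
# Added example (not RegDefend code): treat registry writes that would change
# nothing as no-ops and let them through without a prompt, as f3x suggests.
# The "hive" here is a constructed in-memory dict standing in for the registry.
from dataclasses import dataclass
from typing import Any, Dict, Optional

Hive = Dict[str, Dict[str, Any]]  # normalized key path -> {value name -> data}

@dataclass(frozen=True)
class RegOp:
    kind: str              # "delete_key", "delete_value" or "set_value" (assumed names)
    key: str
    value: Optional[str] = None
    data: Any = None

def norm_key(path: str) -> str:
    # Registry key paths are case-insensitive; trailing separators don't matter.
    return path.replace("/", "\\").strip("\\").lower()

def norm_value(name: Optional[str]) -> str:
    # Value names are case-insensitive too; None or "" is the (Default) value.
    return (name or "").lower()

def is_noop(hive: Hive, op: RegOp) -> bool:
    key = norm_key(op.key)
    values = {norm_value(n): d for n, d in hive.get(key, {}).items()}
    if op.kind == "delete_key":
        # Only a no-op if neither the key nor any subkey exists.
        return key not in hive and not any(k.startswith(key + "\\") for k in hive)
    if op.kind == "delete_value":
        return norm_value(op.value) not in values
    if op.kind == "set_value":
        name = norm_value(op.value)
        return name in values and values[name] == op.data
    raise ValueError(f"unknown operation kind: {op.kind}")

def decide(hive: Hive, op: RegOp) -> str:
    # No-ops are allowed silently (still worth a log line for audit);
    # anything that would actually change protected data goes to the user.
    return "allow-silent" if is_noop(hive, op) else "prompt"

if __name__ == "__main__":
    run = norm_key(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run")
    hive: Hive = {run: {"Updater": r"C:\Program Files\Updater\upd.exe"}}  # constructed
    print(decide(hive, RegOp("delete_value", run, "Updater")))           # prompt
    print(decide(hive, RegOp("delete_value", run, "OldStartupEntry")))   # allow-silent
```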
HandsOff
July 10th, 2006, 10:57 PM
Hello, Jason, Pilli, et al,
There is one thing that I like about Ghost Regdefend, and one thing I do not like about it. They are: Set it and forget it.
The problem is this. When I disable RegDefend it tends to stay disabled. Sometimes for days, possibly even weeks. You are probably thinking, if you don't want it disabled then go to the controls and restart it in the Normal mode. Well, I do...whenever it occurs to me to check it. Do you see where I am going with this? The tray icon does NOT indicate when RegDefend is disabled.
BTW, RegDefend might do well to redefine the term "Exit" in the tray icon menu to "Quiet Mode", since I believe that is more descriptive of the function of "Exit". Oh, I know, you could say that you are exiting from the interactive mode, but I still think Quiet Mode is more understandable.
Back to my original point regarding the happy ghost, where one would expect to see a dead ghost tray icon. It would be all too easy for you to say, 'HandsOff is just stupid, he shouldn't be turning off RegDefend in the first place.' Well, be that as it may, it would be hard to deny that a RegDefend user is needlessly put at risk when he does not realize that his super-primo defender is on vacation! Also, and maybe I am not doing something right, but it is my experience that after I disable RegDefend, after eventually shutting down and restarting Windows I see the same 'Happy Ghost' tray icon. While this is not inconsistent with what I said earlier it highlights the problem. It is very easy to go for long periods of time...days even...before discovering that RegDefend is not.
Other than that, it seems to be the best tool of its type that I have used. In the spirit of continuous improvement, I will strive to find faults in it, but it seems to do the job, what can I say? Nice program!
-HandsOff
f3x
July 10th, 2006, 11:06 PM
Hiya HandsOff, this is a long-wanted feature and about everyone knows about it.
It will be implemented when Jason revises the GUI, which is supposed to be done after the backend is stable and running. If I have to make a guess, the next beta will have the popup alerter as a driver and an optional exe configuration tool, which basically may mean no more tray icon. Time will tell.
HandsOff
July 18th, 2006, 07:43 PM
Ah, so here is my post, my notification link did not work...
f3x, thanks for your response, and I'm glad that it is a priority. I'm curious about a pop-up alerter as a replacement for the status icon. If it worked perfectly it would still lack the abili