Running PunkBuster with ProcessGuard
freefall
July 22nd, 2005, 10:49 AM
Go here in regedit:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
In this hive, there should be an entry named DCSPGSRV. Rename it, just change one letter. Reboot.
Evenbalance can be very annoying. Somehow they believe that the hackers, the people who disassemble games in SoftICE, wouldn't figure that one out. ::)
I was just playing with the trial version of ProcessGuard when PunkBuster bombs out with a cryptic message. At the very least, they should tell me in plain language that PG has to be completely uninstalled. Any normal person will assume that disabling PG temporarily will suffice. ???
It is still worse that this exposes weakness and weirdness in PunkBuster. Apparently, they are afraid of PG's ability to block the reading of a process. Surely it must be possible to detect that you are being blocked, and THEN complain about "blocked OS privileges"? Then the player could simply grant the necessary access.
Using the above trick, PB does not complain at all when PG is blocking. It does two things:
1. Attempt to specifically open PG's service, DCSPGSRV.
2. Verify that it is able to install and start a bogus service.
I think this is pretty bad. They go after Diamond instead of going after the problem. >:(
azumi21
July 22nd, 2005, 11:47 PM
-{ Quote: "Go here in regedit:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
In this hive, there should be an entry named DCSPGSRV. Rename it, just change one letter. Reboot.
Evenbalance can be very annoying. Somehow they believe that the hackers, the people who disassemble games in SoftICE, wouldn't figure that one out. ::)
I was just playing with the trial version of ProcessGuard when PunkBuster bombs out with a cryptic message. At the very least, they should tell me in plain language that PG has to be completely uninstalled. Any normal person will assume that disabling PG temporarily will suffice. ???
It is still worse that this exposes weakness and weirdness in PunkBuster. Apparently, they are afraid of PG's ability to block the reading of a process. Surely it must be possible to detect that you are being blocked, and THEN complain about "blocked OS privileges"? Then the player could simply grant the necessary access.
Using the above trick, PB does not complain at all when PG is blocking. It does two things:
1. Attempt to specifically open PG's service, DCSPGSRV.
2. Verify that it is able to install and start a bogus service.
I think this is pretty bad. They go after Diamond instead of going after the problem. >:(" }-
Will that hinder PG from performing its functions?
sukarof
July 23rd, 2005, 01:13 AM
-{ Quote: "Go here in regedit:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
In this hive, there should be an entry named DCSPGSRV. Rename it, just change one letter. Reboot.
" }-
ROFL. Thanks for the info. If this works I wonder how much the other anti-cheat measures they have are worth :D
lupus
July 26th, 2005, 05:06 AM
Very interesting, I was hoping someone would come up with such a workaround. I will reinstall PG and test.
Wayne - DiamondCS
July 26th, 2005, 06:22 AM
-{ Quote: "I think this is pretty bad. They go after Diamond instead of going after the problem." }-
I didn't think it'd take long for somebody to come up with another bypass trick. ProcessGuard has (unintentionally) highlighted the fact that the current implementation of the Punkbuster protection system suffers from a seemingly fundamental flaw - its security can be bypassed simply by blocking process access, something which any kernel driver programmer can do. However as you have noted, rather than fixing the problem they have gone after programs like ProcessGuard, blocking users if they detect that they have ProcessGuard. They will probably keep being confronted with these bypass tricks until the problem itself is addressed, and we're talking about a system where they can implement server-side protection as well. Blocking users from playing your game simply because you have a particular security system is clearly not acceptable in this day and age where security is so important, and users should not be expected to uninstall security programs just to play games, just as for example they shouldn't be expected to be logged in as an Administrator just to play a game (installation is of course a different matter).
Best regards,
Wayne
Juggernaut
July 28th, 2005, 08:18 PM
I sent a ticket into Punk Buster and the reply I got shows that they are not trying to fix the problem in any shape, form, or fashion.
Punk Buster clearly does not care about their customers and are quite flip and arrogant about it.
My Ticket Question:
Why am I not allowed to own and run Process Guard on my system? This is a legit security software program. Now, for no reason, after a decade of playing games and NEVER cheating, I am not allowed to play online games that have Punk Buster installed?
The solution is not to blacklist security software that finds flaws in your software. I should not have to choose between having a secure computer and playing a game online. You need to take a look at how to work around this because myself and many others are caught up in this crap and we should not have to be. We paid good money for some of these games, and being told we have to remove other software from our computer whose sole purpose is not meant to cheat in games is not right.
The Response from Punk Buster(Stuart Dunsmore):
Process Guard works, and that is the problem. Using it, you can deny PB access to check your system for hacks. You can even deny PB access to see if PG is running, so we have to take it the next step, and make sure it is not even installed. When you agreed to our EULA, you stated that the benefit of cheat-free gaming outweighed system security. You cannot have a secure system, and also allow PB full access to verify your system. They are mutually exclusive.
Peter2150
July 28th, 2005, 09:27 PM
What a wonderful tribute to Process Guard. I love it. Sorry guys, I am not a gamer.
Pete
war59312
July 29th, 2005, 03:59 AM
OMG, I can't believe I never thought of that.
Thanks a ton,
Will
freefall
July 29th, 2005, 10:27 AM
-{ Quote: "Punk Buster clearly does not care about their customers and are quite flip and arrogant about it." }-
Maybe the problem is that the gamers are not customers of PunkBuster.
There's a disconnect they can abuse.
Counter-Strike: Source has this new proprietary VAC2 anti-cheat system, and I believe it only requires access to "physical memory" to run. If I understand correctly, this can be used to completely bypass every other blocking method if they have the programming skills. I've heard ProcessGuard works with their game.
It's interesting how the gaming world mirrors security issues in other areas. For example:
The people at Alcohol Soft (Daemon Tools) have an option to install their virtual drives as a service with a user-specified name. That's because some copy-protection company specifically tried to look for their service, to distinguish a real CD from a hard disk image.
Then there was a rootkit, I think it was called HackerDefender, that specifically targeted SysInternals' RootkitRevealer .exe filename to hide itself from that program. SysInternals released a new version which randomly renames its own executable before running it, as a counter-counter-measure.
Diamond could do the same if they have reason to believe evil programs are targeting their service. But maybe they're afraid it would be seen as a hostile move towards PunkBuster if they still are hoping for a cooperative solution. :)
Juggernaut
July 29th, 2005, 01:17 PM
Isn't there a law in some countries that makes a person liable if they leave their computer unsecured and open to exploits that can be used to commit a crime? Wouldn't then Even Balance, who makes Punk Buster, be endorsing this with its EULA?
Not only are they denying people access to other software, but they are telling people that in order to enjoy playing games online (which millions do) you must have an unsecured computer that can easily be hijacked and used for other means.
Perhaps a class action lawsuit is possible against Even Balance. Their policy stinks to hell and back, and Process Guard is just opening up people's eyes to what they are doing.
As for the EULA. I may have not bought and paid for Battlefield 2 had I known this was a part of the agreement. But unless that agreement is on the box you have to purchase the software before you get to read it. They have a nice gig going because you can't see what you have gotten into until you have already purchased the product.
And the above fix does not work anymore. Tried it and was denied access to playing last night. I think they tweaked the software to look for more than just the registry entries, but to also look for any signs of installation such as directories.
o_0
July 30th, 2005, 10:31 PM
Might be looking at HKLM\SOFTWARE\Diamond Computer Systems
Funnily enough, all the settings there seem fine to delete once PG is running. Give that a shot: export all PG reg settings, then remove them once it's loaded and working. Could also install to a non-default folder, and with protection disabled, can you rename the driver and driver filename too???
Pilli
July 31st, 2005, 05:12 AM
-{ Quote: "Not only are they denying people access to other software, but they are telling people that in order to enjoy playing games online (which millions do) you must have an unsecured computer that can easily be hijacked and used for other means." }- One of the biggest problems is the fact that these games are required to run with Admin privileges, which is a major security hole from the start, let alone what PunkBuster is trying to enforce upon its users.
Pilli
freefall
July 31st, 2005, 02:10 PM
-{ Quote: "Perhaps a Class Action Lawsuit is possible" }-I think the aussies would have to sell a hell of a lot of ProcessGuard to pay for the lawyers ;D
-{ Quote: "And the above fix does not work anymore. Tried it and was denied access to playing last night." }-Are you sure? Works fine with Americas Army.
-{ Quote: "I think they tweaked the software to look for more than just the registry entries, but to also look for any signs of installation such as directories." }-They already tried to attack the true name of the ProcessGuard service, which was supposed to be a secret. Seems unlikely that they should use even cheaper tricks.
They can't scan your whole hard drive. For starters it would make a lot of noise, and stress your system. They have a policy of making a non-intrusive PunkBuster, and who would accept that a game, which is connected to the internet, should start reading all your files and directories?
They would have to look for file names in the registry. You can use regedit to set permissions on the registry, preventing even yourself from reading keys. Besides, there are programs that can block parts of the registry to specified processes.
So what are they supposed to do? Listing out your running processes, they can look for "DCSUserprotect.exe", "pgaccount.exe" and "procguard.exe". Well, you can probably rename all those files. Then you can search and replace those filenames correspondingly in regedit. This is still nothing more than a bucket of cheap tricks that many 16 year olds would figure out fast enough.
You could possibly even use a program like "PE Explorer" and a hex editor to modify those files, to change the internal filenames correspondingly, by looking for strings inside the executables. That'd be against your license agreement, but the point is that the CHEATERS would have no quibbles.
Reading all the processes? As Even Balance already pointed out to you, ProcessGuard can protect itself from being read by PunkBuster. Maybe they can detect that they are being blocked, but then there would be no point in banning ProcessGuard in the first place!!
Far more likely is that Even Balance will check to see if the hidden device "procguard" is running. Then maybe the hackers will write their own blocking kernel-mode program. Or maybe they will simply crack ProcessGuard's internal file integrity checking and rename that device as well. ;D
You can see for yourself by opening "Device Manager" and clicking "Show hidden devices" under "View". While you're in there you may see other interesting devices called "StarForce" (only if you have installed certain games). It's interfering with your CD driver, preventing you from making backups of your CDs. You can disable those devices here, and that was supposed to be a secret as well. Of course, this sort of thing is what Even Balance should've made instead of feeding us this BS.
As Wayne-DiamondCS has been saying all the time, they need to write some kernel-mode protection. They deny legit customers the right to protect themselves, even if they must know that the hackers will circumvent the ban anyway.
How perverse, that a Texas company should believe in the logic of gun control. The solution is, obviously, to get a bigger gun than the bad guys.
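As an added illustration, not code from this thread, from Even Balance or from DiamondCS, the PowerShell below reproduces the name-based presence checks the thread describes: the first post's two observations (open the service DCSPGSRV by name; verify a throwaway service can be installed), plus the process names and the HKLM\SOFTWARE key that later posts mention. The service, process and registry names come from the thread; the probe service name, the placeholder binary path and the function names are assumptions for the example. Everything is read-only except the optional service-creation probe, which needs an elevated prompt and deletes what it creates.

```powershell
# Added example: the name-based 'is ProcessGuard installed?' checks described
# in the thread. Names come from the thread or are assumptions for illustration;
# the anti-cheat's real code is not on this page.
$ServiceName  = 'DCSPGSRV'                                   # from the thread
$ProcessNames = 'DCSUserprotect', 'pgaccount', 'procguard'   # from the thread (.exe dropped)
$SoftwareKey  = 'HKLM:\SOFTWARE\Diamond Computer Systems'    # from the thread
$ProbeSvcName = 'pbprobe_' + (Get-Random)                    # assumed, throwaway name

function New-CheckResult {
    param([string]$Check, [bool]$Found, [string]$Via)
    [pscustomobject]@{ Check = $Check; Found = $Found; Via = $Via }
}

function Test-ServiceByName {
    # Check 1 from the first post: open the service by its well-known name.
    # After the rename trick the key has a different name and the service runs
    # under that new name, so both lookups come back $false even though PG is up.
    param([string]$Name)
    $viaScm = $null -ne (Get-Service -Name $Name -ErrorAction SilentlyContinue)
    $viaReg = Test-Path -LiteralPath "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    New-CheckResult "service '$Name'" $viaScm 'service control manager'
    New-CheckResult "service '$Name'" $viaReg 'registry key'
}

function Test-ProcessNames {
    # Process-name check from freefall's post: defeated by renaming the files.
    param([string[]]$Names)
    foreach ($n in $Names) {
        $running = $null -ne (Get-Process -Name $n -ErrorAction SilentlyContinue)
        New-CheckResult "process '$n'" $running 'process list'
    }
}

function Test-SoftwareKey {
    # Settings-key check from o_0's post: defeated by exporting and deleting the key.
    param([string]$Path)
    New-CheckResult "registry '$Path'" (Test-Path -LiteralPath $Path) 'registry key'
}

function Test-ServiceCreation {
    # Check 2 from the first post: can a new service be installed? Requires
    # elevation. Only creation is probed here; the placeholder binary is not
    # started. The service is removed again in 'finally' whatever happens.
    param([string]$Name)
    $ok = $false
    try {
        $null = New-Service -Name $Name -StartupType Manual -ErrorAction Stop `
                            -BinaryPathName "$env:SystemRoot\System32\svchost.exe"
        $ok = $true
    } catch {
        $ok = $false
    } finally {
        & sc.exe delete $Name | Out-Null
    }
    New-CheckResult 'create a new service' $ok 'service control manager'
}

$results = @(
    Test-ServiceByName -Name  $ServiceName
    Test-ProcessNames  -Names $ProcessNames
    Test-SoftwareKey   -Path  $SoftwareKey
)
$results | Format-Table -AutoSize
# Uncomment to run the service-creation probe from an elevated prompt:
# Test-ServiceCreation -Name $ProbeSvcName | Format-Table -AutoSize
```

Run it before and after the rename in the first post and the DCSPGSRV rows flip from True to False while PG keeps running, which is the whole point of the thread: every one of these checks keys on a string the user controls, and nothing here detects that a process is being blocked from reading another process.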
Juggernaut
July 31st, 2005, 03:16 PM
One of the biggest problems here is that Punk Buster comes with the game. You purchase the game and install it, and there is Punk Buster doing its install right after.
This is the time that you get slapped with the Even Balance EULA: after you have purchased and installed the initial game. I can't help but wonder how many people would shy away from purchasing some of these games if the Even Balance license agreement was placed on the box where people could see it before they purchased the game.
To quote another from a different forum:
"EB's EULA is full of disclaimers and redirects and conditional rhetoric. As are most EULAs. But the whole "we're gonna sit on our hands because we don't HAVE to do anything."
The rub is this: EB has no competition. None. Whatsoever. The burden of proof in this case is to develop an alternative for anti cheat; address the issue with PG and see what happens or uninstall PG.
I don't know what reading license agreements will do for me after I make the purchase. Other than make me aware that I got rooked. If they published EULAs before the release, then people could see what they're getting into. Comes a time when a hefty class-action suit may force that issue.
...and in this case had I read the EULA prior to making the purchase, I would have never bought the game"
Marauder
November 4th, 2005, 07:48 PM
Does this still work? Just wondering.
Running PunkBuster with ProcessGuard
Go here in regedit:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
In this hive, there should be an entry named DCSPGSRV. Rename it, just change one letter. Reboot.
squawkkkkk
November 14th, 2005, 07:57 PM
Amazing that works - thank you.
Now got Punkbuster and ProcessGuard running together, no probs.
Doesn't say much for PunkBuster security!!
Kegel
November 14th, 2005, 10:20 PM
If this works, I will reinstall PG. Does this "fix" disable any of PG's protection though?
halcyon
November 15th, 2005, 03:03 AM
Could this be made sticky?
desertfox
November 21st, 2005, 11:46 PM
I don't have that file??
Joliet Jake
November 22nd, 2005, 01:15 PM
-{ Quote: "Does this still work ? just woundering.
Running PunkBuster with ProcessGuard
Go here in regedit:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
In this hive, there should be an entry named DCSPGSRV. Rename it, just change one letter. Reboot." }-
Doesn't work for me.
Eh, scratch that, it does :)
jamesk
December 1st, 2005, 05:50 AM
Special Request: Bearing in mind the recent fuss over Sony and First 4 Internet, is it possible to implement the same technology to hide PG from every application on the computer it's installed on? This would simply be the icing on the cake as far as security is concerned, as what malware cannot see, it cannot kill. It will also prevent malware from getting the upper hand on Process Guard.
I shall be looking to try and implement this myself for PG and Alcohol Soft but if Wayne can build this in it will be EXCELLENT :D
Joliet Jake
December 5th, 2005, 05:11 PM
Has anyone found that punkbuster is disconnecting them despite doing the change suggested earlier in this post?
lupus
December 7th, 2005, 07:34 AM
It works, just have to change a few settings, look at the Alerts log to know what to change. Been playing BF2 for hours with PG installed without being kicked once.
Joliet Jake
December 27th, 2005, 05:19 PM
Can't believe this.
Updated PG to the latest version and I've tried to rename the registry key per the first guy's post, however the registry won't let me.
I'm signed in as administrator and I did it ok with the last version of PG.
I've tried changing the permissions but get the same message that I'm not allowed to change the registry key.
Anyone got any suggestions?
I'm kicked off my BF2 server because of this. :(
Thanks...
JJ 8)
Paranoid2000
December 27th, 2005, 05:40 PM
-{ Quote: "
I've tried changing the permissions but get the same message that I'm not allowed to change the registry key.
Anyone got any suggestions?" }-Try using regedt32 rather than regedit for this change - regedt32 allows you to change permissions on keys (via Security/Permissions). It does however lack the search feature of regedit.
Juggernaut
December 27th, 2005, 06:29 PM
Make sure you also delete the registry entry from the previous version of Process Guard or all kinds of silliness will ensue.
Joliet Jake
December 27th, 2005, 06:47 PM
Yeah, did that.
I had to boot into safe mode to change that registry entry.
war59312
December 30th, 2005, 05:26 AM
-{ Quote: "Try using regedt32 rather than regedit for this change - regedt32 allows you to change permissions on keys (via Security/Permissions). It does however lack the search feature of regedit." }-
In Windows XP and above regedt32.exe simply points to regedit.exe.
So they are the same. :)
punk'd
January 9th, 2006, 01:57 PM
Does this tweak still work with the newest version of PG? Haven't installed the newest version yet and won't if I will be unable to game again.
Juggernaut
January 9th, 2006, 05:16 PM
Yes, but make sure you remove the old registry entry or you will have conflicts. I Admin and play on PB enabled BF2 and CoD:UO servers with no problems.
Wayne - DiamondCS
January 17th, 2006, 11:16 PM
I've made this thread a sticky for now as threads and emails about it keep popping up ;)
ryoko
May 30th, 2006, 04:05 AM
I have the full version of PG 3.150 installed on my PC.
I haven't had any problem using PG before, but now I have a big problem:
When I start running a certain program I get a message from that program: "You must uninstall PG to run this application". I reinstalled PG but I still get that message.
BTW, if I uninstall PG then I don't get any message, but I don't want to uninstall PG.
I saw:
-{ Quote: "LACD.exe is associated with gaming (World of Warcraft?) So it's probably a punkbuster problem. Take a look at this thread: http://www.wilderssecurity.com/showthread.php?t=90067
HTH Pilli" }-
and I tried:
-{ Quote: "Go here in regedit:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
In this hive, there should be an entry named DCSPGSRV. Rename it, just change one letter. Reboot.
" }-
but did not succeed. Can anyone solve this problem?
Thanks for the support!
Paranoid2000
May 30th, 2006, 12:08 PM
-{ Quote: "...when i started running some program i got a msg form that program:..." }-How about saying what exactly this program was, rather than requiring everyone else here to guess?
ryoko
May 30th, 2006, 01:08 PM
-{ Quote: "How about saying what exactly this program was, rather than requiring everyone else here to guess?" }-
What do you mean???
The program I was talking about is LACD_client.exe.
I'm playing WoW on a private server and must run LACD_client.exe first to connect to this server. When I run it, I get this message: "You must uninstall PG to connect to this server".
Paranoid2000
May 30th, 2006, 02:52 PM
-{ Quote: "what do u mean ???
that program which i was saying , LACD_client.exe." }-Apologies - I based my reply on the email notification of your post which did not include your quote blocks, hence did not mention LACD.
If the workaround no longer functions, then that suggests that PunkBuster have updated their software to counter it. Given that you mention a private server, the best option would be to contact the admin and ask them not to require PunkBuster.
StriderSkorpion
May 30th, 2006, 10:31 PM
Actually, World of Warcraft uses Warden and not Punkbuster. They're two entirely different programs, IIRC. Warden being created by Blizzard and for use solely with their products. Did you try putting the program into the protection tab and giving it read rights?
StriderSkorpion
June 6th, 2006, 01:09 AM
Are you using a custom program to connect a third party server (i.e. non-Blizzard server)? If so, the program could be using a custom protection rather than PunkBuster or Warden. You might want to check the server's website and/or forums and see if there's a way to use the program without uninstalling ProcessGuard. If it's for vanilla WoW, I'd post to Blizzard's official forums to see if you could use WoW without uninstalling ProcessGuard.
ryoko
June 6th, 2006, 11:08 AM
-{ Quote: "Are you using a custom program to connect a third party server (i.e. non-Blizzard server)? If so, the program could be using a custom protection rather than PunkBuster or Warden. You might want to check the server's website and/or forums and see if there's a way to use the program without uninstalling ProcessGuard. If it's for vanilla WoW, I'd post to Blizzard's official forums to see if you could use WoW without uninstalling ProcessGuard." }-
Thanks for the support.
Yes, I'm using the LACD_client.exe program to connect to a PRIVATE WOW SERVER (it's the same as a free WoW server, not official WoW). The LACD program is like Warden, which is used to detect and prevent hack programs. But LACD can be blocked from reading hack programs by ProcessGuard (for older LACD), and now LACD has been updated to the newest version. When I execute it I get the message I mentioned above. I don't want to use any hack program, but I really need ProcessGuard to prevent trojans, etc. I've talked with the administrator of that WoW server but he said: "no way, u must remove PG if u want to play wow on my server".
So I'm asking if someone on this forum can solve this; please answer me or PM me via mail: kurapika2002@msn.com
BTW, sorry for my bad English.
Wayne - DiamondCS
June 12th, 2006, 03:59 PM
-{ Quote: "I've said with administrator of that wow server but he said: "no way, u must remove PG if u want to play wow on my server"" }-
It is completely unacceptable being told to remove or disable a security program simply to run a GAME. Do not put up with it - inform your administrator that such a response is a security risk.
RadicalEdward
June 21st, 2006, 11:12 AM
What a load of crap...let's see how many games they can play when their system gets compromised....I think a list of games should be created in which this is a problem so that way people might be able to avoid buying the games and wasting their money....
tempnexus
June 24th, 2006, 11:22 PM
Well, PunkBuster is still blocking ProcessGuard... I IMPLORE ALL THE HACKERS TO HACK THE CRAP OUT OF PUNK BUSTER AND BREAK INTO ALL PUNK BUSTER-RUN GAMES, ROOT THEIR SYSTEMS AND MAKE THEM ACT AS BOTS.
Maybe then EVENBALANCE will listen to allow ProcessGuard!
Pilli
June 25th, 2006, 04:35 AM
Hi tempnexus, this is a security-related site; we do not condone hacking in any way or for any reason.
Putting pressure on Evenbalance is a way forward but this should be done in a correct and lawful manner, if enough people complain, hopefully the company will see the light and address the problems.
Pilli
HJam72
July 22nd, 2006, 03:24 AM
ProcessGuard--the Punk that Busted PunkBuster. ;D
lupus
September 5th, 2006, 03:57 AM
Tested the workaround with the free multiplayer standalone of FEAR (FEAR Combat) and it still works perfectly.
Paranoidjack
September 5th, 2006, 09:43 AM
-{ Quote: "I've said with administrator of that wow server but he said: "no way, u must remove PG if u want to play wow on my server" " }-
The above quote was about a private WoW server, which is in no way affiliated with Blizzard. Blizzard in fact will take legal action against people hosting private servers, so the view of that admin is in no way connected with Blizzard's.
I use Process Guard while playing WoW on official servers to protect myself from keyloggers, and never have I been notified to stop using it, since I give wow.exe full access so it doesn't affect the Warden anti-cheat system. On the other hand, I know people are using Process Guard to stop Warden accessing the processes of the cheat software. It's become a tool they are using along with rootkits to become undetectable, and it's working. So I can see why PunkBuster see it as something they don't want running on their clients' computers.
Kazuma
October 15th, 2006, 10:45 AM
-{ Quote: "Yes, but make sure you remove the old registry entry or you will have conflicts. I Admin and play on PB enabled BF2 and CoD:UO servers with no problems." }-
What are the old entries?
Peina
October 22nd, 2006, 05:47 AM
-{ Quote: "What are the old entries?" }-
Yep, senior members/experts, please help us out here! :-[
I followed the instructions (as far as I understood them) and proceeded as follows:
1. Safe Mode'ed
2. regedit, exported the original DCSPGSRV
3. killed the original in the registry
4. renamed DCSPGSRV to DCSPGSRVCYCLOP in the exported file and merged it back with the registry.
Thus my PB issue so far seems to be resolved (online games run fine), BUT:
- I noticed that the imported thread (or whatever it is called) does not have subfolders. I remember there were two of them when I was initiating the export. But later on, when I rebooted, one of them appeared again. And now this whole registry thread looks as below.
http://hallelujah.wolfenstein.ru/PGregistry.jpg
Please advise if this is eventful.
And yet two more questions: (1) should anything else be deleted from the registry? (2) above someone mentioned that PG should be reinstalled after this DCSPGSRV manipulation: is this really so? why?
P.S.: pls note that I'm only trying out PG, and this is a free version.
Thank you very much in advance!!!
Yours truly.
FirePost
October 22nd, 2006, 04:56 PM
-{ Quote: "What is the old entrys?" }-The old entries are the entries that were changed in the first place. You are reading a section that talks about changing those entries back so that one may uninstall the old version and upgrade to a new version of PG.
-{ Quote: "...(2) above someone mentioned that PG should be reinstalled after this DCSPGSRV manipulation: is this really so? why?" }-Read it again. They were talking about upgrading to a newer version.
Copyright ©2002 - 2012, Wilders Security Forums