Extra RegDefend Ghost File Entries

Discussion in 'Ghost Security Suite (GSS)' started by puff-m-d, Mar 1, 2005.

Thread Status:
Not open for further replies.
  1. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Tony

    I notice you have some entries for things that end in \shell\open\command
    ...why not do a entry like this :

    HKCR\o_Ofile\shell\open\command*
    and
    HKLM\software\o_Ofile\shell\open\command*

    Hope it helps. not sure where I got those from, but they save a bit of time :)
     
    Last edited by a moderator: Jun 1, 2005
  2. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Jag and Robyn,
    It would be helpful if you could cut and paste the entry from your Log tab when discussing problems like this

    I also get the message (from svchost.exe) and had a look at the particular svchost at the time the alert was showing to see what services it was running (it can be done with tasklist /svc or using process explorer)
    The service involved is stisvc and the service is called "Windows Image Acquisition"

    Here is my log entry from RD
    But the more interesting part was with the alert and the fact that it showed that this was a DELETE operation against something that didn't exist. Unfortunately the log entry doesn't show the return code from the operation after it was allowed to happen as that would have provided a hint that it didn't matter that much

    Once you realise this, its fairly obvious why a block doesn't cause a problem. Presumably the WIA component can run as a startup or as a service and the service is trying to make sure it only runs once....

    NB: Using tasklist to see the service name
    Code:
    [font=Courier New]C:\>tasklist /fi "pid eq 1932" /svc
    
     Image Name				   PID Services
     ========================= ====== =============================================
     svchost.exe				 1932 stisvc[/font] 
     
  3. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    gottadoit,

    The msg I got was simliar. I received it upon opening MS Paint.

    svchost.exe [324] was allowed to delete a protected value | 16:28:42 - 31 May 2005 | HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run | stillimagemonitor | c:\windows\system32\svchost.exe | AUTO STARTS
     
    Last edited: Jun 1, 2005
  4. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Jag,
    As you can see it is the same alert entry, when Paint starts up it must be causing that service to auto-start
     
  5. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    Very strange indeed. :doubt:
     
  6. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Sorry about the delay...

    Well, the team has actually been using wildcards for these in the Test groups, but I opted to select a few of the most vital file extensions there myself.

    It's a matter of preference.

    BTW, I added a few items to my group. Most of these are already being used by malware to disable System Restore, modify firewall settings and the like...

    hkey_local_machine\system\currentcontrolset\control\computername* | * | Key + Value | Mod Key, Mod Value | Ask User
    hkey_local_machine\software\policies\microsoft\windows\windowsupdate* | * | Key + Value | Mod Key, Mod Value | Ask User
    hkey_local_machine\software\policies\microsoft\windowsfirewall* | * | Key + Value | Mod Key, Mod Value | Ask User
    hkey_local_machine\software\microsoft\windows nt\currentversion\systemrestore | DisableSR | None | Mod Value | Ask User

    hkey_current_user\software\policies\microsoft\windows\windowsupdate* | * | Key + Value | Mod Key, Mod Value | Ask User
    hkey_current_user\software\policies\microsoft\windowsfirewall* | * | Key + Value | Mod Key, Mod Value | Ask User
    hkey_current_user\software\microsoft\windows nt\currentversion\systemrestore | DisableSR | None | Mod Value | Ask User

    hkey_local_machine\system\currentcontrolset\control\session manager | AllowProtectedRenames | None | Mod Value | Ask User (thank you, Pieter! )

    hkey_local_machine\system\controlseto_O\control\lsa* | * | Key + Value | Mod Key, Mod Value | Ask User

    modified (added wildcard for key):

    hkey_local_machine\system\currentcontrolset\control\lsa* | * | Key + Value | Mod Key, Mod Value | Ask User
     
    Last edited: Jun 11, 2005
  7. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    And:

    hkey_classes_root\.bat | * | Value | Mod Key, Mod Value | Block
    hkey_classes_root\.cmd | * | Value | Mod Key, Mod Value | Block
    hkey_classes_root\.exe | * | Value | Mod Key, Mod Value | Block
    hkey_classes_root\.pif | * | Value | Mod Key, Mod Value | Block
    hkey_classes_root\.txt | * | Value | Mod Key, Mod Value | Ask User
    hkey_classes_root\txtfile\shell\open\command | * | Value | Mod Key, Mod Value | Ask User

    modified:

    hkey_current_user\software\microsoft\command processor | autorun | None | Mod Value | Ask User (reason: the value in question is called 'autorun', and not ' autostart', as I had it, d'uh! )

    New Ghst file at https://www.wilderssecurity.com/attachment.php?attachmentid=159807
     
  8. tayasimggg

    tayasimggg Registered Member

    Joined:
    May 3, 2005
    Posts:
    102
    Location:
    israel
    you can use my key to improve regdefend without seeing me complain.
    i dont care about how beta users feel about me.
    you can learn a lot about the registry from my files.
    now that youv'e closed that thread, your'e probably feeling much better.
    :D

    all i did was try to contribute as much as i could, and i really didn't expect to have to wage wars against some users.
    if you don't like my files, DON'T use them! you don't have to bitch about it to me. as for those who really needed my help i always tried to do my best.

    your loss guys...
     
    Last edited: Jun 11, 2005
  9. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Hi Tay,

    Thanks for the offer.

    In fact we'd really prefer everyone who's created a Ghst file to upload it separately, as opposed to combining everything from everyone into one batch, the way you've been doing.

    That way one keeps all groups separated, and each one can then be separately disabled, tested, edited and so on.

    All the best! :)
     
    Last edited: Jun 11, 2005
  10. tayasimggg

    tayasimggg Registered Member

    Joined:
    May 3, 2005
    Posts:
    102
    Location:
    israel
    yes the best
     
  11. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,120
    Location:
    South Texas, USA
    So without anymore temper raising, can I ask what each of you use as .ghst files. Per say, I know Tay uses his version 1.2 and all the .ghst in there, but what do the rest of you use. Don't be scared to say you use Tay's files as well :D .

    dja2k
     
  12. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    Hehe, i'm not scared. I appreciate everyone who gives freely to any community. I'm using some of 1.2 and Tay's new files. No offense to any ghost file developer but I think perhaps (maybe it only appears) that Tay is "boldly going where no gst writer has gone before" because of the way he names his files and what he states it's designed to do.

    As a security app junkie, I usually opt for the "cutting edge" in security. Tony's files, Puff's Regrun files or "additional protection" does not say much and is not thought provoking as "protect winsock" "application firewall" and "ninja shield" I have no idea if these are really that worthwhile to protect (or redundant) but it seems he's willing to explore a road less travelled in security avenues.

    If anything, he sure knows how to market and provoke curiousity.
     
  13. Rodehard

    Rodehard Registered Member

    Joined:
    Feb 20, 2004
    Posts:
    91
    I got em all running, Default, Toni, Tay, Regrun, no problems. I haven't tried the ninja(p2) or folder three(p3) from Tay yet but will look them over. I did disable ZT_Rise Windows Privacy Level and ZT_Reinforcement for Toolbar Guard because of the huge log they create but once I'm finished tweaking I think that will be tolerable. No, make that, I deleted ZT_Rise Windows Privacy Level. Even disabled the little varmint wouldn't shut up so I shot it. Look at it later when I have the time.
    Anyway, so far so good.
     
  14. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,120
    Location:
    South Texas, USA
    Nice to hear that you people have all of them side by side - The way it should be. Anyways, I have almost the same as you, I am running Tay's P1 , Tony's, and Puff's Regrun Entries. I have the application firewall off from Tay's P1 due to me using Process Guard for that and I don't need all them popups.

    dja2k

    ***EDIT***After I rebooted, which I hadn't all day. Windows was block because it said couldn't read registration info. Quickly I went into safe mode and deleted the entry from Tay show windows information. I guess that entry didn't work in my situation. Also Tony's Entry messes up some exe files in my current setup. It doesn't let certain Nero stuff run and crashes all over the place. And I am not trying to point any fingers or anything, but I didn't pick point the problem to Tony's file.
     
    Last edited: Jun 13, 2005
  15. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    The rules you're possibly referring to only prevent malware from changing the default file association for exefiles, causing exefiles to stop working in the first place.

    Please copy and post the relevant log entries, or I won't really be able to comment.

    Thanks!
     
  16. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,120
    Location:
    South Texas, USA
    Sorry tony, don't want to offend you, but there isn't any log file, nothing gets logged. As soon as I checkmark and turn on your file - Nero goes bad and it causes everything to cause delay and or freeze. Don't know why, maybe something in there is causing something I have running to go bad. And I know you might say its not your file, but I did test out all possiblilities and yours is the one causeing the trouble here, but don't worry about it. I ain't blaming you and its okay we all have different setups.

    dja2k
     
  17. passing thru

    passing thru Guest

    FWIW, I have had no problems running Nero with Tony's custom file. The only other custom file I run is my own, based on Sysinternal's Autoruns watch list. I have the default RD "Auto Starts" group disabled.
     
  18. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,120
    Location:
    South Texas, USA
    OKAY! Sorry for even mentioning anything. Next time I won't say nothing about any problem or bugs or anything. I thought I just mentioned the problem I had and didn't mean to offend anyone. Sorry Tony, your list is great and all of you who have posted your own lists, thanks too.

    dja2k
     
  19. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Please do tell us about any problems and bugs

    we need to know

    We might not always be able to fix them in every computer as everybody's computer has different programs and settings and what workks for one won't always work for everybody

    As far as I can tell Tony and the Ghost team work on the lowest denominator and err on the side of caution and only include entries taht should be safe in the vast majority of computers, It is impossible to test or guarantee that NO computer will ever be affected by an entry but our utmost is tried to make all ghost files as safe as possible

    the only way we know if a problem occurs with certain configurations is by you telling us so please continue to do so

    Please bear in mind that Tony and several others don't have English as a first language so so sometimes what comes over isn't what is intended

    It is difficult to track down the cause without a log file but I'm sure Tony & others will work with you to try and find the cause of the problem
     
  20. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,120
    Location:
    South Texas, USA
    Okay thanks for the heads up on that situation. Anyways, I am going to do a clean install of windows xp because I have other problems that have nothing to do with regdefend. I just wanted to ask, is it better to install regdefend from the start before installing all the software I need or vise versa. I know I am going to get popups either way, but which one is better?

    dja2k
     
  21. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    If it was me I would put regdefend on as one of the first items.

    That way I would at least see what software is attempting to write to what part of teh registry

    If you stick to the "approved" & tested ghst files initially then apart from the odd badly written program there shouldn't be much in the way of alerts and any that do happen can be checked as the keys that they cover are not often used by legitimate programs

    If you use tays set then yes you will alerted about everything installing and taht would be a pain
     
  22. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    My personal opinion would be to install RegDefend soon after you have installed all your other clean virus free software....normal programs and Security\Privacy Programs. Just with the default ghst files of RegDefend you'll be bothered even with normal programs. Once you have it all settled down....then install RegDefend IMHO.

    Also....even tho you are starting over....I hope you'll consider starting a new trouble thread if Nero pops up with a problem after you re-install RegDefend. I noticed you were having problems with Nero back a few days ago in this post....and at that time you were questioning Tay's ver 1.2 ghst files :doubt:
     
  23. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    To conform with the new policy for posting ghost files, I have deleted mine from the first post, and now have posted it to this thread (in post # 2) for your perusal and testing. From this point on, any changes and/or updates will be posted there for approval. Thanks to everyone for all the support that I have received and I hope you like my new ghost file.
     
  24. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Thanx Puff, again an excellent Job!!
     
  25. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hi Infinity,

    Thanks for the kind words ;) , as it makes the effort worthwhile :cool: ...
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.