AllowProtectedRenames

Discussion in 'Ghost Security Suite (GSS)' started by Pieter_Arntz, Jun 11, 2005.

Thread Status:
Not open for further replies.
  1. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    I stumbled over the existence of a registry key today, I'd certainly want to get warned about if it gets changed:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
    AllowProtectedRenames = 1

    http://msdn.microsoft.com/library/d...g_up_and_restoring_system_state_under_vss.asp
    In laymans terms that means this value has to be set if someone/something wants to delete/replace a file that is protected by sfc.
    In the case I encountered it was wininet.dll

    If it is already covered: great and forget I posted this *puppy*

    Regards,

    Pieter
     
  2. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Thanks Pieter, good one! :)

    Incidentally, although the way the MS article lists the value is a tad confusing (makes it look like a subkey to "Session Manager"), it is indeed a value...

    Will report this to the team.

    Thanks again!

    Cheers,
     
    Last edited: Jun 11, 2005
  3. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Thanks Pieter and Tony for researching this matter. I very much appreciate the combined efforts of the members of this forum. Thanks very much for sharing the results of your individual and combined efforts.

    Rich
     
  4. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    This was something that I was concerned about about 8 months ago when it came to PG vulnerabilities. Nice to see that good solutions are being created by a number of people.

    Thank you for this one. I am adding this one myself until the next files that Tony puts out comes out.

    Starrob
     
  5. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Please do go ahead and add it. :)

    FYI, since I uploaded my Ghst file I joined the team, and we're currently testing a huge amount of 'new' reg keys and values.

    Now the ones we deem fit for public consumption will probably be added to the default Groups either as part of a new RD build, or as an separate update (not sure about that).

    This means that I will probably not be modifying my existing Ghst file to any large extent, as it, as well as the other groups will eventually be superseded anyway.
     
  6. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Allrighty, I decided to add a few items to my group. Most of these are already being used by malware to disable System Restore, modify firewall settings and the like...



    hkey_local_machine\system\currentcontrolset\control\computername* | * | Key + Value | Mod Key, Mod Value | Ask User

    hkey_local_machine\software\policies\microsoft\windows\windowsupdate* | * | Key + Value | Mod Key, Mod Value | Ask User
    hkey_local_machine\software\policies\microsoft\windowsfirewall* | * | Key + Value | Mod Key, Mod Value | Ask User
    hkey_local_machine\software\microsoft\windows nt\currentversion\systemrestore | DisableSR | None | Mod Value | Ask User

    hkey_current_user\software\policies\microsoft\windows\windowsupdate* | * | Key + Value | Mod Key, Mod Value | Ask User
    hkey_current_user\software\policies\microsoft\windowsfirewall* | * | Key + Value | Mod Key, Mod Value | Ask User
    hkey_current_user\software\microsoft\windows nt\currentversion\systemrestore | DisableSR | None | Mod Value | Ask User

    hkey_local_machine\system\currentcontrolset\control\session manager | AllowProtectedRenames | None | Mod Value | Ask User (thank you, Pieter! )

    hkey_local_machine\system\controlseto_O\control\lsa* | * | Key + Value | Mod Key, Mod Value | Ask User

    modified (added wildcard for key):

    hkey_local_machine\system\currentcontrolset\control\lsa* | * | Key + Value | Mod Key, Mod Value | Ask User
     
    Last edited: Jun 11, 2005
  7. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    And:


    hkey_classes_root\.bat | * | Value | Mod Key, Mod Value | Block
    hkey_classes_root\.cmd | * | Value | Mod Key, Mod Value | Block
    hkey_classes_root\.exe | * | Value | Mod Key, Mod Value | Block
    hkey_classes_root\.pif | * | Value | Mod Key, Mod Value | Block
    hkey_classes_root\.txt | * | Value | Mod Key, Mod Value | Ask User

    hkey_classes_root\txtfile\shell\open\command | * | Value | Mod Key, Mod Value | Ask User

    modified:


    hkey_current_user\software\microsoft\command processor | autorun | None | Mod Value | Ask User (reason: the value in question is called 'autorun', and not ' autostart', as I had it, d'uh! )



    All new Ghst file at https://www.wilderssecurity.com/attachment.php?attachmentid=159807
     
  8. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    Thanks again Tony for all of your efforts. :) :cool:

    Regards,

    Jag
     
  9. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Thanks Tony for the update and all your work. It is much appreciated. ;)
     
  10. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    My pleasure! :)
     
  11. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Tony, does this completey replace the original 'Tony' group - ie overwrite your group but adds these as extras?

    One other thing, will this get over the issue with System Restore which I could run without disabling RD (this will ask me now if I want to use)? You certainly work very hard on these additions and can back them up with advice, thanks.
     
  12. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Yup, this replaces the former "Tony" group.

    As for your SR issue, could you please find the appropriate log entry, do a Ctrl + C on it to copy, and post it here?
     
  13. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Thanks replace 'Tony' :) Log for SR not working o_O

    rstrui.exe [3860] was blocked from setting this value to D:\WINDOWS\system32\restore\rstrui.exe -i | 13:23:02 - 29 May 2005 | HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce | *restore | d:\windows\system32\restore\rstrui.exe | AUTO STARTS
    rstrui.exe [3860] was blocked from deleting a protected value | 13:23:02 - 29 May 2005 | HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce | *restore | d:\windows\system32\restore\rstrui.exe | AUTO STARTS
    rstrui.exe [1432] was blocked from setting this value to D:\WINDOWS\system32\restore\rstrui.exe -i | 13:23:02 - 29 May 2005 | HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce | *restore | d:\windows\system32\restore\rstrui.exe | AUTO STARTS
    rstrui.exe [1432] was blocked from deleting a protected value | 13:23:02 - 29 May 2005 | HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce | *restore | d:\windows\system32\restore\rstrui.exe | AUTO STARTS
     
  14. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Well, you'll certainly need to allow rstrui.exe (= the System Restore application itself) to do its job.

    So you want to check Allow, not Block.
     
  15. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    BTW, this is not due to anything in MY group, but it's the HKLM RunOnce key covered in the original Startups group.
     
  16. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    I didn't alter any of the rules which is why I wondered as I answer allow if prompted by RD when I know I am doing things etc will look in the rules to see if they are on 'block' (hope I can find them :oops: )

    Edit: I am not sure what happend now I look at the auto starts - so will keep watch if I need to use SR again. :oops: Thanks Tony.
     
  17. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    I'm not sure I have the original Auto starts group here, but your log entry is generated by this rule in Auto starts :

    hkey_local_machine\software\microsoft\windows\currentversion\run* | * | Key + Value | Mod Key, Mod Value | Ask User

    The wildcard for Run* means that keys such as RunOnce, RunServices and so on are also covered.
     
  18. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    oops - I had just used Edit in my post but your post has shown me the way my autos are set. I don't know what happened as I wasn't prompted during the Restore just would not run (I don't use SR a lot but will note if I do use it again)
     
  19. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Well, it can't be all to hard to find out what happened. Keep us posted! :)
     
  20. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    wee update from me Tony - had to use an SR point today for a quick restore - RD came out and asked me this time and everything worked perfectly :) thanks again for all your help.
     
  21. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    That's good to know, Robyn. Thanks for keeping us informed! :)
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.