Disable the PG_MSGProt.exe service?

I have nothing configured within Process Guard to use WM_CLOSE handling. So, I don't need PG_MSGProt.exe, and don't want it using memory and CPU time unnecessarily.

However, I realize that whether or not I need PG_MSGProt.exe personally has no bearing on whether or not Process Guard needs it. Can I hack this service into disabled mode, without wreaking havok? (I realize that Process Guard tries to prevent the service from becoming disabled, but there are of course ways around that.)

 

If you're not using any Close Message Handling protection then yes you should be ok to not use PG_Msgprot.exe. I haven't tried this, but it should work:
- From inside PG, Disable All Protection (it's literally like an On/Off switch)
- Then close PG, so that procguard.exe is no longer running
- Now, terminate PG_Msgprot.exe using a tool such as Task Manager or our own APT.
- Then, rename PG_Msgprot.exe to something else (PG_Msgprot.bak for example)

Try that and see how it goes. Good luck!

 

Thank you, Wayne! I found that I was able to disable the PG_MSGProt.exe service after disabling protection and closing procguard.exe. If I find out that Jason has sneaky code ( ) in there to automatically re-enable the service, I'll rename the file itself as you suggest. The heart of the question was "Is it safe...?" and you answered that.

 

And hopefully no malware-writers will be able to finagle that info into a way in. Pete

 

Well, even with protection enabled, issuing the following command was enough to stop close message interception:

net stop "DiamondCS Process Guard Message Protection"

Try it--issue the above command from Start > Run.

 

This issue has already been submitted in the beta forum.
I admit to haven't try yet if the pb were corrected or not.
It should have been thought for 1.200 version, do you have the last ?

If it's not corrected, may be it will be fixed in the next release.

 

I'm running 1.200. The "net stop" command works with that version.

 

That doesn't sound particularly re-assuring?

Is that only a command you can give at the computer - or can that command somehow be forced from the outside? Pete

 

It is like any other EXE on your system. NET.EXE is a local program.

 

That wasn't the question.

I don't care if I can shut it down by sitting here and typing something on my computer - I would expect to be able to do that.

Can someone in the outside world (who's not physically sitting in front of your computer) do the same thing from outside? Pete

 

But I did answer the question you asked. The command (net stop) uses a local EXE. It can be "forced from the outside" or invoked just like any other EXE on your system could: By way of a malware file you run, or by a remote-access trojan.

You shouldn't be so quick to expect the "net stop" command to work. It can be disabled (for example, KAV won't let you do it).

 

Thanks for mentioning this.

I thought the beta testers were refering to procguard.sys (which can't be stopped, even with net stop, etc). I will add this also to PG_MSGProt.exe so it cannot be stopped unless protection is disabled for v1.250. PG_Msgprot protection isn't THAT vital, compared to the driver, so it isn't that big an issue security wise.

-Jason-