Just installed RegDefend...

Discussion in 'Ghost Security Suite (GSS)' started by TonyKlein, May 23, 2005.

Thread Status:
Not open for further replies.
  1. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Hi all,

    I installed RegDefend about 2 minutes ago, and already I love it... :D

    In fact it was by coincidence: I used to use SpyBot's TeaTimer to watch my registry plus some other things, but after installing the latest beta, the allow/block dialog turned out to miss the check boxes (a 120 DPI issue), thus rendering it useless.

    I then decided to allow MSAS to watch over me instead, but it was far too slow (?): I was trying to unpack a particularly nasty little b*gger, when LnS alerted me that so and so wanted to phone out.
    I ran Hijack This and discovered it had added itself to the Run key, as well as to ShellServiceObjectDelayLoad without MSAS crying wolf...

    That did it!

    I just added Derek's RegRun entries, and must say I love the application, especially its configurability.

    As I said, it's been installed for only a couple of minutes, and I really haven't had the time to look at it in detail, but I did notice this key missing:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

    I may have overlooked it, but I do believe it isn't there, and if so, you want to add it...

    Anyway, I just wanted to post, because I'm really enthusiastic about the application.

    It's only early days, but should I happen to find additional keys/values that may be worth watching, I'll be sure to post here. :)
     
  2. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Tony,

    Yes, RegDefend is an excellent product. I always recommend it as a companion to ProcessGuard.

    Since you added the RegRun extensions, I thought I would make you aware of some pending issues regarding these extensions:

    https://www.wilderssecurity.com/showthread.php?t=67729

    If you are not running multiple accounts with fast switching, this shouldn't affect you.

    Cya around,

    Rich
     
  3. TonyKlein

    TonyKlein Security Expert

    Thanks for the heads up, Rich. :)

    I'm the only user of this computer, so this won't be bothering me...
     
  4. FanJ

    FanJ Guest

    IM sent Ton ;)
     
  5. TonyKlein

    TonyKlein Security Expert

    Hi Jan. ;)
     
  6. TonyKlein

    TonyKlein Security Expert

    Jan just PM'd me to clobber me over the head and correct me: the post was by puff-m-d, not by Derek...

    Sorry to all... ;)
     
  7. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hi Tony,

    No apology necessary ;) ... It can be hard to learn names on the forums sometimes, and with me I think a little Alzheimer's is starting to set in, as I make the same kind of mistakes :'( ...
     
  8. TonyKlein

    TonyKlein Security Expert

    I already have a question... :p

    I added the BHO reg key to the IE.ghst file (through the user GUI, I hasten to add).

    Wanting to test something, I deleted the subkey for my FlashGet browser plugin, but RegDefend didn't alert me.

    I then reinstalled FlashGet in its entirety, the subkey was put back, but again RD remained silent.

    I refuse to believe RD goofed up, so what did I do wrong?

    Attaching my edited IE.ghst as txt...
     


  9. TonyKlein

    TonyKlein Security Expert

    BTW this is the (exported) subkey I subsequently removed, remerged, removed, remerged, without RD jumping into action:

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5366673-E8CA-11D3-9CD9-0090271D075B}]
     
  10. FanJ

    FanJ Guest

    ~grin~ Hey Ton,

    LOL, no, my very dear old friend, no "clobbers over heads" ;)
    You are much too dear to me, and to sooo many others !!!
    If you only knew how many mistakes I make....
    The support, info, help, friendship you give to so many people !!!!!
    Only a very BIG THANK YOU can express it :D
    I am most definitely sure that ALL RegDefend users will absolutely give you a warm welcome !!!

    Warmest regards,
    Greetings, Jan.
     
  11. puff-m-d

    puff-m-d Registered Member

    Hi Tony,

    Here is what that key should look like....
     


  12. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Seeing as puff-m-d beat me to it, I might just point out that rules can be copied using control-C and pasted into the forum post as text...

    In this case :

    hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects* | * | Key + Value | Mod Key, Mod Value | Ask User
     
  13. TonyKlein

    TonyKlein Security Expert

    Ah, I seem to be missing the * under "Registry Value"....

    Could that be it? Let's see how we can get that there...
     
  14. puff-m-d

    puff-m-d Registered Member

    To do that, you will have to enter the key over again and delete the old one.
     
  15. TonyKlein

    TonyKlein Security Expert

    No difference... I deleted the key, and nothing happened...
     
  16. TonyKlein

    TonyKlein Security Expert

    Screenshot
     

    Attached Files: RD.gif
  17. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Whoops: Wildcards: Key AND value....


    Let me see...
     
  18. TonyKlein

    TonyKlein Security Expert

    Well, it really makes no difference: I can delete and re-add subkeys there all day long, but no joy... :(
     
  19. gottadoit

    gottadoit Security Expert

    Tony,
    Can you do a control-C on your rule, and a control-C on a log entry if you get one, please?
    Check and make sure you specified wildcards on the Key...

    With the rule I pasted above, when I try to create a new Key I get an Alert and this Log entry:

    Code:
    regedit.exe [576] was allowed to CREATE a registry key | 04:12:20 - 24 May 2005 | HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\new key #1 | | c:\windows\regedit.exe | RD STANDARD [50] - HKLM
    regedit.exe [576] was allowed to set this value to testing | 04:12:39 - 24 May 2005 | HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\new key #1 | | c:\windows\regedit.exe | RD STANDARD [50] - HKLM
    Edit: Looking at the pic above, there is still a * missing at the end of the key.
     
  20. puff-m-d

    puff-m-d Registered Member

    You need an * placed on the end of the key to give you a wild card for the keys....
     


  21. TonyKlein

    TonyKlein Security Expert

    So without the * a subkey there can be deleted or added at will?

    Does that really make sense?
     
  22. puff-m-d

    puff-m-d Registered Member

    What if you wanted to only monitor values for the one key and not look at the subkeys?
     
  23. TonyKlein

    TonyKlein Security Expert

    Aaargh! it works! :D

    I guess I just didn't understand I had to add the asterisk manually....


    Thanks heaps! :)
     
  24. TonyKlein

    TonyKlein Security Expert


    I just assumed that by monitoring the main key everything in it would be watched as well
     
  25. puff-m-d

    puff-m-d Registered Member

    Jason has it where you have total control over what you want to monitor. It takes a little time to learn it, but it really is not too hard. It just takes a little playing with it to learn it. When I did the RegRun entries, I had to do a lot of playing around to figure it all out ;) ....
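As an added illustration of the wildcard behaviour worked out in this thread (example code written for this page; it is not part of the original posts and not RegDefend's own code): a small Python matcher for rule lines in the "|"-separated form gottadoit pasted. Its matching semantics are assumptions taken from what the posters describe: matching is case-insensitive (the log lines show lowercased paths), a trailing * on the key pattern covers the key and everything below it, and without the * the rule covers only that one key and its own values, so subkeys can be added and deleted without an alert. The rule format, the BHO key and the FlashGet subkey GUID are from the thread; the events are constructed, and the value name ExampleValue is made up.

```python
# Added example: a toy matcher for RegDefend-style rule lines, illustrating
# why Tony's rule without a trailing "*" stayed silent when the FlashGet BHO
# subkey was deleted and re-merged. NOT RegDefend's own code; the matching
# semantics are assumptions taken from the thread:
#   - matching is case-insensitive;
#   - a trailing "*" on the key pattern covers the key and all subkeys;
#   - without the "*" only that one key (and its own values) is covered;
#   - the value pattern is matched against the value name, "*" meaning any.
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    key_pattern: str    # registry key, optionally ending in "*"
    value_pattern: str  # registry value name pattern ("*" = any value)
    scope: str          # "Key", "Value" or "Key + Value"
    actions: tuple      # e.g. ("Mod Key", "Mod Value")
    response: str       # e.g. "Ask User"


@dataclass(frozen=True)
class Event:
    op: str          # "create_key", "delete_key" or "set_value"
    key: str         # full registry path of the key touched
    value: str = ""  # value name for set_value ("" = the default value)


def parse_rule(line: str) -> Rule:
    """Parse one rule line in the '|'-separated form pasted from the RegDefend GUI."""
    key, value, scope, actions, response = (f.strip() for f in line.split("|"))
    return Rule(key, value, scope, tuple(a.strip() for a in actions.split(",")), response)


def _glob(pattern: str, text: str) -> bool:
    # Shell-style "*" matching, case-insensitive. Backslashes and braces in
    # registry paths are not special to fnmatch, so GUID subkeys match literally.
    return fnmatchcase(text.lower(), pattern.lower())


def rule_matches(rule: Rule, ev: Event) -> bool:
    """True if the rule would fire (here: alert) on this registry event."""
    if ev.op in ("create_key", "delete_key"):
        watching_keys = "Key" in rule.scope and "Mod Key" in rule.actions
        return watching_keys and _glob(rule.key_pattern, ev.key)
    if ev.op == "set_value":
        watching_values = "Value" in rule.scope and "Mod Value" in rule.actions
        return (watching_values
                and _glob(rule.key_pattern, ev.key)
                and _glob(rule.value_pattern, ev.value))
    raise ValueError(f"unknown registry operation: {ev.op}")


def alerts_for(rule: Rule, events) -> list:
    """Return the subset of events this rule would alert on."""
    return [ev for ev in events if rule_matches(rule, ev)]


BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
# The FlashGet BHO subkey Tony deleted and re-merged in the thread.
FLASHGET_BHO = BHO_KEY + r"\{A5366673-E8CA-11D3-9CD9-0090271D075B}"

# Tony's first attempt: no trailing "*" on the key.
RULE_NO_WILDCARD = parse_rule(BHO_KEY + " | * | Key + Value | Mod Key, Mod Value | Ask User")
# The rule gottadoit pasted: trailing "*" on the key.
RULE_WILDCARD = parse_rule(BHO_KEY + "* | * | Key + Value | Mod Key, Mod Value | Ask User")

# Constructed events mirroring the thread's test (not real RegDefend log data).
EVENTS = [
    Event("delete_key", FLASHGET_BHO),            # regedit: delete the subkey
    Event("create_key", FLASHGET_BHO),            # regedit: merge the .reg again
    Event("set_value", FLASHGET_BHO, ""),         # default value of the subkey
    Event("set_value", BHO_KEY, "ExampleValue"),  # made-up value directly under the BHO key
]

if __name__ == "__main__":
    for name, rule in (("no wildcard", RULE_NO_WILDCARD), ("with wildcard", RULE_WILDCARD)):
        hits = alerts_for(rule, EVENTS)
        print(f"{name}: {len(hits)} of {len(EVENTS)} events would alert")
        for ev in hits:
            print(f"  {ev.op:10s} {ev.key}  value={ev.value!r}")
```

Run as-is: the rule without the trailing * alerts on only one of the four events (the value written directly under the BHO key), while the rule with the * alerts on all four, including the subkey delete and re-create that Tony expected to see.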
     