problem getting rule to work

Discussion in 'Ghost Security Suite (GSS)' started by nick s, May 25, 2005.

Thread Status:
Not open for further replies.
  1. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi all,

    I was playing with a rule to restrict access to the HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot key and cannot get it to work. The rule is isolated in its own group and all other groups are disabled. I get no alerts when I add keys or modify values using regedit. The APO list is empty. Am I missing something obvious in the wildcards?

    Thanks,

    Nick
     
  2. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Nick,
    Have you tried monitoring whilst you make your changes?

    And something you might find useful is to do a copy on the rule (^C): that copies the rule as text for easy pasting into a post, and it allows other people to easily paste it in to try it out...
     
  3. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Nick,
    Looks like an unintended RD feature...
    If I use the actual location rather than the link (currentcontrolset), I get the alert.

    Try this rule; it gives an alert for me:
    Code:
    hkey_local_machine\system\controlset*\control\safeboot* | * | Key + Value | Mod Key, Mod Value | Ask User
    The alert I got was
    Code:
    regedit.exe [2668] was allowed to set this value to cmd.exi | 14:56:45 - 26 May 2005 | HKEY_LOCAL_MACHINE\system\controlset004\control\safeboot | alternateshell | c:\windows\regedit.exe | !! TEST
    regedit.exe [2668] was allowed to set this value to cmd.exe | 14:56:50 - 26 May 2005 | HKEY_LOCAL_MACHINE\system\controlset004\control\safeboot | alternateshell | c:\windows\regedit.exe | !! TEST
     
  4. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    You'll need to add both (currentcontrolset and controlseto_O), simply because malware could use both. :)
     
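One way to see the link resolution gottadoit and Jason_R0 describe, as an added example that is not code from the thread or from GSS/RegDefend: it resolves CurrentControlSet to the physical ControlSet00N key, shows which of the two rule forms matches that physical path, and lists the SafeBoot AlternateShell value in every control set. It assumes the standard HKLM\SYSTEM\Select\Current layout and an elevated PowerShell on Windows.

```powershell
# Added example, not code from the thread or from GSS/RegDefend. It shows why a
# rule written against CurrentControlSet never fired for Nick: that name is a
# link, and the engine saw the physical ControlSet00N path (controlset004 in
# gottadoit's alert). Assumes the standard layout where HKLM\SYSTEM\Select\Current
# names the active control set. Run in an elevated PowerShell on Windows.

function Resolve-ControlSetPath {
    param([Parameter(Mandatory)][string]$Path)
    $num  = (Get-ItemProperty -Path 'HKLM:\SYSTEM\Select').Current
    $real = 'ControlSet{0:D3}' -f $num
    # Swap the CurrentControlSet link component for the physical key name
    return $Path -replace '\\CurrentControlSet\\', "\$real\"
}

# Nick's original form of the rule path versus gottadoit's working wildcard form
$ruleLink = 'hkey_local_machine\system\currentcontrolset\control\safeboot*'
$rulePhys = 'hkey_local_machine\system\controlset*\control\safeboot*'

$typed    = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot'
$physical = Resolve-ControlSetPath $typed

"Typed path    : $typed"
"Physical path : $physical"
# -like is case-insensitive, so the case used in the rule text does not matter
"link-form rule matches physical path?     $($physical -like $ruleLink)"
"wildcard-form rule matches physical path? $($physical -like $rulePhys)"

# Jason_R0's point: cover every control set. List SafeBoot\AlternateShell
# (the value regedit changed in the thread's test) in each physical set.
Get-ChildItem -Path 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
    ForEach-Object {
        $key = "HKLM:\SYSTEM\$($_.PSChildName)\Control\SafeBoot"
        if (Test-Path $key) {
            $shell = (Get-ItemProperty -Path $key).AlternateShell
            "{0,-12} AlternateShell = {1}" -f $_.PSChildName, $shell
        }
    }
```

The first match line is the failing rule from the opening post and the second is gottadoit's working one; a value other than cmd.exe in any control set is worth a closer look.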
  5. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi gottadoit,

    Works here too :). I see what you mean.

    Thanks,

    Nick
     