Registry Guard Service

Discussion in 'other anti-malware software' started by novirusthanks, Mar 24, 2017.

  1. guest

    guest Guest

    But it also protects against the installation of new services/drivers [%KEY%: *\SYSTEM\ControlSet*\Services\*],
    or against fiddling around in the registry, changing Explorer settings (and the newest "Double Agent" PoC), which might affect your currently running shadow session.

    For SD users it is not really needed. After a reboot all changes are gone, so there is already "registry protection".
     
    Last edited by a moderator: Mar 30, 2017
  2. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Maybe we could exclude our trusted apps in SD or even after updating do a commit.
     
  3. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I haven't noticed anything in my logs for my security software except those I have exclusions for now like MBAM and CCleaner. You might be right about SD changing reg entries back with Reguard service running. I don't know.
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,795
    Location:
    .
    Fine, but again, a simple reboot would vanish those changes right? Am I missing something here?
    (Sometimes slow to understand here, lol)
     
  5. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I think what he is trying to say is if you reboot with reg guard running, reg guard might stop shadow defender's changing the keys back?
     
  6. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I have a question about the logs and the exclusions DB file. Do the logs only show what has been blocked? Also I am still getting stuff for Malwarebytes. This time it is shutting down ransomware protection. Also some stuff in the logs about TinyWall.

    OK, now the DB file. This includes the ones NVT asked me to add above. If I have the ControlSet* rule, do I need the other two, [%KEY%: *\SYSTEM\ControlSet001 and ControlSet002?

    Code:
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\MBAMWebProtection] [%VAL%: ImagePath]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\CDPUserSvc_5fc3f78] [%VAL%: ImagePath]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\DevicesFlowUserSvc_5fc3f78] [%VAL%: ImagePath]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\MessagingService_5fc3f78] [%VAL%: ImagePath]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\OneSyncSvc_5fc3f78] [%VAL%: ImagePath]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\PimIndexMaintenanceSvc_5fc3f78] [%VAL%: ImagePath]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\UserDataSvc_5fc3f78] [%VAL%: ImagePath]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\WpnUserService_5fc3f78] [%VAL%: ImagePath]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Program Files\CCleaner\CCleaner64.exe] [%KEY%: *\Software\Microsoft\Windows\CurrentVersion\Run] [%VAL%: CCleaner Monitoring]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet001\Services\MBAMWebProtection] [%VAL%: ImagePath]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet002\Services\MBAMWebProtection] [%VAL%: ImagePath]
     
  7. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,795
    Location:
    .
    Thanks @boredog , perhaps you're right on what he's trying to say.
     
  8. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I haven't checked to see if that happens or not yet. If it does happen it should be logged by Reg Guard. And you are right, when in shadow mode you shouldn't really need Reg Guard running anyway.
     
  9. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I noticed I have this in my excluded DB. [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\UserDataSvc_5fc3f78] [%VAL%: ImagePath]

    Does there have to be a wildcard added to the DB exclusion? It appears the name of the UserData service changes, along with a couple of others that were part of the exclusions list.
    The one listed today is
    Key: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\UserDataSvc_775e7
    Value: ImagePath
     
  10. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @mood

    Can you retry now? I updated the zip file:
    http://www.novirusthanks.org/products/registry-guard-service/

    Should work now:

    Code:
    Date/Time: 30/03/2017 23:06:45
    Operation: Write Value
    Process: [2508]C:\Windows\regedit.exe
    Parent: [2208]C:\Windows\explorer.exe
    Thread Id: 3068
    Key: \REGISTRY\USER\**********\Software\Microsoft\Windows\CurrentVersion\Run
    Value: Nuovo valore #1
    New Value Data:
    Rule: [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*] [%VAL%: *]
    
    @boredog

    Yes, if a string changes frequently you should use wildcards, example:

    Code:
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\UserDataSvc_*] [%VAL%: ImagePath]
    
    Yes.

    Please post what is in the logs so we can help.

    No, you can remove these two rules from the Exclusions.DB file:

    Code:
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet001\Services\MBAMWebProtection] [%VAL%: ImagePath]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet002\Services\MBAMWebProtection] [%VAL%: ImagePath]
    
    Because you have this:

    Code:
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\MBAMWebProtection] [%VAL%: ImagePath]
    
     
    Last edited: Mar 30, 2017
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thank You Andreas.
     
  12. guest

    guest Guest

    Correct. Users of Shadow Defender don't really need it, because all changes are gone after a reboot.
     
  14. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Well, yesterday I was trying RAMDisk again and tried installing a program in it and bang, it really messed with my computer. I had to restore an image from before Reg Guard, so now back to the drawing board. I had already created an exclusion rule for the ransomware part of Malwarebytes after looking at how they are created.
     
  15. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Thanks again @mood (and @novirusthanks). I have now included all blocks as exclusions so the log file is clean on reboot.

    So I am up and running.

    Will keep monitoring the logs.
     
  16. guest

    guest Guest

    To be sure that Registry Guard Service doesn't prevent the correct installation of programs, I disable it.
    After the installation of programs I enable it again.

    Some applications change/create services or change registry keys while they are running, so exclusions have to be made.
    And some applications have an option "Automatically start with Windows"; changing this option leads to a block, so this must be excluded too.
     
  17. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Yup, had done that. It looks like a no-no to try to install an app in the RAMDisk itself. All is well again.
     
  18. genieautravail

    genieautravail Registered Member

    Joined:
    May 6, 2012
    Posts:
    109
    Sadly, Registry Guard Service doesn't work with Windows XP SP3. :(

    The service is running (no problems with the installation) but none of the default rules are applied.

    For example, I can create new values as I want in the registry key :
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    Tested with version 1.3.0.0 of Registry Guard Service.
     
  19. guest

    guest Guest

    Because Registry Guard Service is now fully working on my system, I noticed that after starting a scan with HitmanPro the following was blocked:
    Code:
    Operation: Write Value
    Process: [616]C:\Windows\System32\services.exe
    [...]
    Key: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\hitmanpro37
    Value: ImagePath
    Rule: [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SYSTEM\ControlSet*\Services\*] [%VAL%: ImagePath]
    This application is creating/starting a service, so excluding the security application itself might not be enough; additional exclusions are needed.
    In the case of HitmanPro:
    Code:
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Program Files\HitmanPro\HitmanPro.exe] [%KEY%: *] [%VAL%: *]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\hitmanpro*] [%VAL%: ImagePath]
    
     
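The rule semantics discussed in posts 10 and 19 (wildcards for names that change, why a ControlSet* rule makes the ControlSet001/ControlSet002 lines redundant, and why excluding HitmanPro.exe alone does not cover the ImagePath write that services.exe performs on its behalf), as an added example that is not part of the original thread and not Registry Guard Service's own code. It is a small Python evaluator for rule lines in the thread's [%OPR%] [%EXE%] [%KEY%] [%VAL%] format. Assumptions, labelled in the code: an operation is blocked when it matches a blocking rule and no Exclusions.DB line matches it, each field is a case-insensitive glob in which `*` matches any run of characters, and the sample events are constructed from the log lines quoted above; the real tool's evaluation order is not documented on this page.

```python
"""Toy evaluator for Registry Guard Service-style rule lines.

Added illustration, not code from the tool. Assumed model: a registry
operation is blocked when it matches a blocking rule and no line in
Exclusions.DB matches it; each field is a case-insensitive glob where
'*' matches any run of characters (backslashes included).
"""
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

FIELD_RE = re.compile(r"\[%(OPR|EXE|KEY|VAL)%:\s*([^\]]*)\]")


@dataclass(frozen=True)
class Rule:
    opr: str
    exe: str
    key: str
    val: str
    text: str  # original line, kept for reporting


@dataclass(frozen=True)
class Event:
    opr: str  # operation name, e.g. WRITE_VALUE
    exe: str  # full path of the process doing the write
    key: str  # key path as logged, e.g. \REGISTRY\MACHINE\SYSTEM\...
    val: str  # value name


def parse_rule(line: str) -> Rule:
    """Parse one '[%OPR%: ..] [%EXE%: ..] [%KEY%: ..] [%VAL%: ..]' line."""
    fields = {k: v.strip() for k, v in FIELD_RE.findall(line)}
    missing = {"OPR", "EXE", "KEY", "VAL"} - fields.keys()
    if missing:
        raise ValueError(f"rule lacks {sorted(missing)}: {line!r}")
    return Rule(fields["OPR"], fields["EXE"], fields["KEY"], fields["VAL"], line.strip())


def glob(pattern: str, value: str) -> bool:
    """Case-insensitive glob: Windows paths and registry keys ignore case."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def matches(rule: Rule, ev: Event) -> bool:
    return (glob(rule.opr, ev.opr) and glob(rule.exe, ev.exe)
            and glob(rule.key, ev.key) and glob(rule.val, ev.val))


def evaluate(ev: Event, block_rules: List[Rule],
             exclusions: List[Rule]) -> Tuple[str, Optional[Rule]]:
    """Return ('allow', None), ('excluded', exclusion) or ('block', rule)."""
    hit = next((r for r in block_rules if matches(r, ev)), None)
    if hit is None:
        return "allow", None
    exc = next((r for r in exclusions if matches(r, ev)), None)
    if exc is not None:
        return "excluded", exc
    return "block", hit


def redundant_exclusions(exclusions: List[Rule]) -> List[Rule]:
    """Exclusions already covered by a broader line in the same list.

    With '*' as the only wildcard, rule B is covered by rule A whenever B's
    own pattern text, read literally, matches every field of A: A's literal
    segments then line up with literal text in B, never with a B wildcard.
    """
    fields = lambda r: (r.opr, r.exe, r.key, r.val)
    out = []
    for b in exclusions:
        for a in exclusions:
            if a.text != b.text and all(glob(pa, pb) for pa, pb in zip(fields(a), fields(b))):
                out.append(b)
                break
    return out


# Default rule quoted in the HitmanPro log line in the thread.
DEFAULT_RULES = [parse_rule(
    r"[%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SYSTEM\ControlSet*\Services\*] [%VAL%: ImagePath]")]

# Exclusion lines quoted in the thread.
HMP_EXE_ONLY = parse_rule(
    r"[%OPR%: WRITE_VALUE] [%EXE%: *:\Program Files\HitmanPro\HitmanPro.exe] [%KEY%: *] [%VAL%: *]")
HMP_SERVICE = parse_rule(
    r"[%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\hitmanpro*] [%VAL%: ImagePath]")
USERDATA_STALE = parse_rule(
    r"[%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\UserDataSvc_5fc3f78] [%VAL%: ImagePath]")
USERDATA_WILD = parse_rule(
    r"[%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\UserDataSvc_*] [%VAL%: ImagePath]")
MBAM_TEMPLATE = r"[%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\@CS@\Services\MBAMWebProtection] [%VAL%: ImagePath]"
MBAM_EXCLUSIONS = [parse_rule(MBAM_TEMPLATE.replace("@CS@", cs))
                   for cs in ("ControlSet*", "ControlSet001", "ControlSet002")]

# Constructed events, modelled on the log lines quoted in the thread.
SERVICES_EXE = r"C:\Windows\System32\services.exe"
HITMANPRO_EVENT = Event("WRITE_VALUE", SERVICES_EXE,
                        r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\hitmanpro37", "ImagePath")
USERDATA_EVENT = Event("WRITE_VALUE", SERVICES_EXE,
                       r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\UserDataSvc_775e7", "ImagePath")

if __name__ == "__main__":
    cases = [("HitmanPro, exe-only exclusion", HITMANPRO_EVENT, [HMP_EXE_ONLY]),
             ("HitmanPro, both exclusions", HITMANPRO_EVENT, [HMP_EXE_ONLY, HMP_SERVICE]),
             ("UserDataSvc, stale suffix", USERDATA_EVENT, [USERDATA_STALE]),
             ("UserDataSvc, wildcard", USERDATA_EVENT, [USERDATA_WILD])]
    for name, ev, excl in cases:
        print(f"{name}: {evaluate(ev, DEFAULT_RULES, excl)[0]}")
    for r in redundant_exclusions(MBAM_EXCLUSIONS):
        print("redundant:", r.key)
```

Running it shows the three points from the thread: the exe-only HitmanPro exclusion leaves the services.exe write blocked, the stale UserDataSvc_5fc3f78 line no longer matches UserDataSvc_775e7 while UserDataSvc_* does, and the two ControlSet001/ControlSet002 MBAMWebProtection lines are reported as covered by the ControlSet* line. The coverage check is a sufficient condition only; it will not recognise every pair of overlapping patterns, but anything it flags is safe to delete.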
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Indeed I have also excluded via that second entry.

    But I have not seen any blocks for other security softs, other than having to exclude this:

    [%OPR%: WRITE_VALUE] [%EXE%: *:\Program Files (x86)\Blue Ridge Networks\AppGuard\LicQueryApp.exe] [%KEY%: *] [%VAL%: *]

    Are exclusions for all security softs necessary?
     
    Last edited: Apr 7, 2017
  21. guest

    guest Guest

    Not really. If a security app never writes to the registry after it has been installed, then it doesn't need to be excluded.
    To be sure that Registry Guard Service doesn't conflict with another security app that wants to write to the registry (sometimes), it can be excluded in advance.
    But it's not a must.
    Or you can exclude applications only after you see blocks in the log file. That's also sufficient.
     
  22. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @genieautravail

    Yes, Registry Guard Service (and the GUI version) works only on Vista+ OS.

    @mood

    Thanks for the help :D
     
  23. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    Can I just use this tool to log a specific exe's registry access without blocking?
    If so, can someone write the rule for me?
    Thanks
     
  24. guest

    guest Guest

    If it is enabled, it is strictly blocking. After being turned off, it is not blocking and not logging.
    But adding such functionality (logging without blocking) could be useful, to see registry access from programs in the log file without actually blocking it.

    @novirusthanks
    Suggestion: Let the user activate Registry Guard Service without actually blocking programs. Maybe with an additional option like "OnlyLogging = y" or something similar.
    Then the user can install/uninstall programs and do other things, and is able to see all would-be-blocked registry access in the log file, while no registry access was actually blocked (only logged).
     
  25. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    I was going to suggest the same so +1 :thumb:
     