What is Deleting this Registry Key?

For reference:

https://www.wilderssecurity.com/threads/blackfog-privacy.400343/page-10#post-2742871

https://support.microsoft.com/en-us...ndows-security-updates-and-antivirus-software



Could it be CCleaner?

CCleaner > Cleaner > Applications > RegEdit? Something else in CCleaner?

I really need to figure out what is deleting it.

Thanks.

 

Do you run the Registry Cleaner Module in CCleaner? You are not using PrivaZer are you?

 

Krusty I have CCleaner > Cleaner > Applications > Windows > RegEdit ticked and the key is not removed here.

It does sound like a cleaner issue though, you may have ticked some other non-default option.

 

Aren't you using CCenhancer?

 

No.

I do use PrivaZer but I have the Registry cleaning disabled. The problem is though that key is being deleted without running PrivaZer so I can rule that out.

No.

 

Paul, which Windows Explorer options have you enabled?

 

Here is my current setup in case anyone sees something:

https://www.wilderssecurity.com/thr...etup-these-days.111264/page-1566#post-2742424

I could be wrong but I would have thought any of those programs would stop the creation at worst, not delete it.

 

I would not rule PrivaZer completely out. Maybe there is something hidden in the settings you are not seeing, or maybe PrivaZer has something that runs you are not aware of. I would give it an extra look over. Also check to see if PrivaZer has some sort of maintenance process that runs when you are not using it manually.

 

Just the defaults (I think): MS Management Console, MS Search, RegEdit.

CCEnhancer adds many options under Windows, but I have not selected any of them.

 

Paul, these?

But PrivaZer doesn't do anything until I run it. There is no background cleanup in the free version.

 

Agree, but it may be worth uninstalling VS, or SH ...

 

Sorry I thought you meant Applications > Windows ...

I don't have 'Recent Documents' ticked.

 

Does that key belong to Blackfog Privacy?

 

No that is the key we need from M$ to receive updates.

 

You could capture the culprit with Process Monitor and a custom filter. Just capture registry events and set the filter:

Code:

Path contains HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat then Include

 

Thanks stapp. That's a neat trick I didn't know about.

I just ran WD Update and received new definitions, then restarted and sure enough the key was recreated. I've run CCleaner in almost default state and the key is still there, so I'll have to see what happens from there.

Thanks everyone!

 

That sounds like a plan. I'll have to look into that as I've never used Process Monitor. If CCleaner isn't the cause how would I reproduce though?

 

You can set up registry key auditing under Local Security Policy settings to audit what is deleting the key, but it might be a little complicated. Here is a video on how to do it for folders, and files. The difference in enabling auditing for registry hives, or keys is you right click the registry folder (qualitycom), and select Permission to audit the registry key. He selects Properties on the file to enable auditing for the file, but you have to select Permissions and then select Advanced on the registry folder to enable logging for the registry key. Then you can go back, and look at the Security Log in Windows Event Viewer to see if it records what is deleting the key. It should work. https://www.youtube.com/watch?v=gAsXy6_X-L8

 

Maybe use Registry Guard?

 

That would probably do the trick but creating custom rules is over my pay grade.

 

You can install Registry Guard and before launching it you can remove everything in the file "Rules.DB" and insert the rule which i have mentioned in my "quick guide" below:
To monitor the deletion of a the registry key - quick guide:
https://www.wilderssecurity.com/thr...ry-keys-and-values.381740/page-3#post-2742923

 

I had just seen that post.

Thanks @mood . Nearly midnight here so I'm to bed. I might investigate this program further tomorrow.

 

The reg key value referenced is used by AV vendors to certify that their software is compatible with recent changes MS made for the Spectre motigation. If the key value does not exist, Win Update processing will not serve up OS and Microsoft app updates; either automatically or manually.

This reg key value is normally set by AV software vendors but at least in the past could be manually created. My current understanding is if Windows Defender is the active realtime AV, this key is not necessary; Win Updating will be performed unimpeded. So if Windows Defender is your active AV solution and you are able to receive Win Updates, I would not be concerned about the key not being present.

 

I'm on a machine running WD now. The key was present yesterday but it isn't today.

That sounds good but WD (or maybe Malwarebytes?) appears to create it and something is removing it.