Registry Guard Service

Discussion in 'other anti-malware software' started by novirusthanks, Mar 24, 2017.

  1. guest

    guest Guest

    You're welcome :)
     
  2. guest

    guest Guest

  3. guest

    guest Guest

    By default common startup entries or other important registry keys are protected.

    But installed programs store their settings in registry keys which are not protected.
    For example NoVirusThanks OS Armor stores its settings in the following registry key:
    "HKEY_LOCAL_MACHINE\SOFTWARE\NoVirusThanks\OSArmorDev"

    Ticking/unticking options in OS Armor leads to a write to this registry key.
    Processes with administrator rights can also change the settings of OS Armor; for example, they can disable specific settings.
    To add an additional protection layer, so that only OS Armor itself is able to modify its settings:
    Code:
    File: Rules.DB
    ; NoVirusThanks OS Armor - Protection of the registry key
    [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\NoVirusThanks\OSArmorDev*] [%VAL%: *]
    
    File: Exclusions.DB
    ; Only Executables of NoVirusThanks OS Armor can modify settings:
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmor*.exe] [%KEY%: *\SOFTWARE\NoVirusThanks\OSArmorDev*] [%VAL%: *]
    
     
  4. guest

    guest Guest

    Registry Guard Service v1.6 Released (20 September 2018)
    http://www.novirusthanks.org/products/registry-guard-service/
     
  5. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    @mood Is this free for personal use?
     
  6. guest

    guest Guest

  7. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    :thumb: Thanks, I have used it. Was just wondering if anything had changed.
     
  8. guest

    guest Guest

  9. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    @mood Noob question. To update the service, can I simply stop the service, install over the stop and restart?
     
  10. guest

    guest Guest

    If you have not made any modifications to the configuration (Exclusions.DB, Rules.DB, etc.) then these files can simply be overwritten with the new ones.
    But if you have made your own modifications, make sure not to simply overwrite these files.

    The files uninstall.bat/install.bat can be used, but stopping the service, replacing the old files with the new files and starting the service should be sufficient.
     
  11. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Nevertheless, I must have messed something up in my upgrade to v1.6, because I started experiencing mysterious symptoms like bad installs, not being able to change DNS, etc. - in spite of (still) being set to 'Passive' in config.ini.

    Uninstalled for now.
     
  12. guest

    guest Guest

    Confirmed.
    There is something wrong with the Passive Mode.
    Actions are correctly logged with "-=== Passive Mode ===-" but it is also blocking actions. After setting it to Passive Mode it should only log but never block.

    Example:
    Today I wanted to register a context menu, switched Registry Guard Service to Passive Mode, but registering the context menu was prevented and the utility (Detect It Easy) threw an error.
    Attachments: 1) Registry Guard Service_passive_mode_register.png 2) Registry Guard Service_passive_mode_failed.png
    Code:
    -=== Passive Mode ===-
    Operation: Write Value
    Process: [6320]C:\***\DIE\stuff\die.exe
    Key: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\Detect It Easy\command
    Value: (Default)
    New Value Data: "C:\***\DIE\stuff\die.exe" "%1"
    Rule: [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\Classes\exefile*] [%VAL%: *]
    
    After stopping Registry Guard Service the tool was able to correctly modify the registry and the context menu is also working.
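    To make the rule/exclusion layering from the OS Armor post above and the Passive Mode behaviour from this report concrete, here is an added Python model of the decision logic (written for this thread, not code from NoVirusThanks). It assumes "*" is a wildcard, matching is case-insensitive, an exclusion overrides a matching rule, and Passive Mode turns "block" into "log"; the process paths in the events are constructed placeholders.

```python
import fnmatch
import re

# Rule text copied from the two posts above (same Rules.DB / Exclusions.DB syntax).
RULES_DB = r"""
; NoVirusThanks OS Armor - Protection of the registry key
[%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\NoVirusThanks\OSArmorDev*] [%VAL%: *]
[%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\Classes\exefile*] [%VAL%: *]
"""
EXCLUSIONS_DB = r"""
; Only Executables of NoVirusThanks OS Armor can modify settings:
[%OPR%: WRITE_VALUE] [%EXE%: *:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmor*.exe] [%KEY%: *\SOFTWARE\NoVirusThanks\OSArmorDev*] [%VAL%: *]
"""
FIELDS = ("OPR", "EXE", "KEY", "VAL")
FIELD_RE = re.compile(r"\[%(OPR|EXE|KEY|VAL)%:\s*([^\]]*)\]")

def parse_db(text):
    """One rule per line; lines starting with ';' are comments (as in the posts)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = {name: pat.strip() for name, pat in FIELD_RE.findall(line)}
        if all(name in fields for name in FIELDS):
            rules.append(fields)
    return rules

def matches(rule, event):
    # Assumed semantics: '*' wildcard, case-insensitive; a rule written as
    # *\SOFTWARE\... therefore also covers the native \REGISTRY\MACHINE\SOFTWARE\... path
    return all(fnmatch.fnmatchcase(event[f].lower(), rule[f].lower()) for f in FIELDS)

def decide(event, rules, exclusions, passive=False):
    """'allow' if no rule or an exclusion matches; else 'block', or 'log' in Passive Mode."""
    if not any(matches(r, event) for r in rules):
        return "allow"
    if any(matches(x, event) for x in exclusions):
        return "allow"
    return "log" if passive else "block"

def write_value(exe, key, val):
    return {"OPR": "WRITE_VALUE", "EXE": exe, "KEY": key, "VAL": val}

RULES, EXCLUSIONS = parse_db(RULES_DB), parse_db(EXCLUSIONS_DB)
# Constructed events: OS Armor's own service, a console tool, and the context-menu
# registration from the Passive Mode log above (redacted path replaced by a placeholder).
OSARMOR_KEY = r"\REGISTRY\MACHINE\SOFTWARE\NoVirusThanks\OSArmorDev"
SELF_WRITE = write_value(r"C:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmorDevSvc.exe", OSARMOR_KEY, "Enabled")
OTHER_WRITE = write_value(r"C:\Windows\System32\reg.exe", OSARMOR_KEY, "Enabled")
DIE_WRITE = write_value(r"C:\Tools\DIE\stuff\die.exe",
                        r"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\Detect It Easy\command", "(Default)")
```

With these inputs the die.exe write is blocked in normal mode and only logged in Passive Mode, which is the behaviour the report above expected from v1.6.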
     
  13. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Thanks for this, I think the issue seems to have crept in with v1.6?

    I didn't think I had done anything wrong when updating to v1.6. I stopped the service, replaced the old files with the new files and started the service as you mentioned in #85.
     
  14. guest

    guest Guest

    Yes, the issue was introduced with v1.6.
    = Modifications of protected registry keys while in Passive Mode will simply be reverted.

    After a downgrade to v1.5 I can see that protected registry keys can be modified and it is only logged
    = Passive Mode is working as intended.
     
  15. mike83

    mike83 Registered Member

    Joined:
    Mar 9, 2016
    Posts:
    35
    I wonder if I should be prepared for any problems with Windows Updates (or built-in update functionality in other common applications such as Microsoft Office) when using the default ruleset...
     
  16. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new test version:
    https://downloads.novirusthanks.org/files/registry_guard_service_v1.7_test1.zip

    *** Please do not share the download link, we will delete it when we'll release the official version ***

    Here is what has changed:

    + Passive Logging now works as it should (nothing is blocked)
    + Config.ini options are now read in real-time (no need to restart the service)
    + Support saving of unicode strings when saving events to log file
    + Updated kernel-mode drivers both 32 and 64-bits
    + Various performance and logic improvements

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    @mood @paulderdash

    Can you confirm me PassiveMode works fine for you on this new build?
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks @novirusthanks for another try at a new version.

    Maybe this one will suit expectations. The previous releases were a bit hit and miss on the 8.1 units tested on before.
     
  18. guest

    guest Guest

    I have tested it and PassiveMode works now :thumb:
     
  19. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Thanks @novirusthanks, I am not currently using it but ...
    thanks also to @mood for testing. Good to know!
     
  20. guest

    guest Guest

    Registry Guard Service v1.7 is now available on the website.
    Changelog: #91
     
  21. guest

    guest Guest

    @novirusthanks
    While using the latest version I can see constant I/O access to the file c:\Program Files\NoVirusThanks\RegGuardSvc\Service\Config.ini

    Shouldn't it be sufficient to read the file config.ini only after it has been changed by the user instead of reading it constantly?
    This has already been done for the rules (the user changes the file Rules.DB = now the service reads the file)
     
  22. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    Thanks for the update, it needed to be set as autorun without manual intervention, finally.
    Not sure how to use it without a GUI (just edit the rules, right?), will try to figure it out later on; I also wonder if it will conflict with ESET, it did stop ESET's legitimate actions before, which made me uninstall it.
    So to install:
    1. drop the RegGuardSvc folder in C:\ and go into the command line (cmd)
    2. sc create RegGuardSvc binPath= "C:\RegGuardSvc\Service\RegGuardSvc.exe" DisplayName= "RegGuardSvc Service" start= auto
    3. sc start RegGuardSvc
     
    Last edited: Jun 19, 2019
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    It never caught on with me no matter how enthusiastic I was at the prospect.

    Anytime I can open my Registry Editor (right click menu BTW) and proceed to DELETE anything be it Key or Value with not so much as a whimper (instead of you have no permission for this action etc) then it's a DUD.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    It would have been cool if this tool had a more user friendly GUI. I was looking for a tool to monitor only certain registry keys. SpyShelter also monitors the registry but you can't control it, causing it to give too many useless alerts.
     
  25. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .