WinPatrol Registry Proctection

Edit

Bill with the online function you have forgotten the REG_MULTI_SZ (string) as an option

See attached text file, change extention to reg and dubble click

This is the list


HKEY_CURRENT_USER\Control Panel\Desktop SCRNSAVE.EXE = Reg_String
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Ctf\LangBarAddin
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\system
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Background\ShellEx\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Shellex\CopyHookHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Shellex\PropertySheetHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Shellex\ColumnHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\Ctf\LangBarAddin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GinaDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\boot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\nonwindowsapp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\standard
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa Authentication Packages = Reg_Multi_String
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa RestrictAnonymous = Reg_Dword
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa Security Packages = Reg_Multi_String
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager BootExecute = Reg_Expand_String
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment ComSpec = Reg_String
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment Path = Reg_String
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager ExcludeFromKnownDlls = Reg_Multi_String
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDlls
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager PendingFileRenameOperations = Reg_Multi_String
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\PhishingFilter
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Local Machine Zone Settings
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Restricted Sites Settings
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Trusted Sites Settings

 

Hi, how do I add them in WP Pro? Can you please show some with screenshot?



Thank you.

 

See picture

 

Thank you.
many of these keys have no name. Should I left that blank for them?
Also the value is not given for all. Should I keep them as default?

 

Yes, no name means no fieldname, protect entire key

Yes, no value is generic (current value or any value)

It should cover all autostart keys with no overlap of WinPatrol original staryup programs, borwser helper objects and services.

As mentioned the codecs are not included

 

Hi Kees,

Is there any way to automate the process of incorporating your changes, as here? http://www.winpatrol.com/regoptions.html

Also, are there any downsides to your changes?

Thanks.

 

Thank you kees1958...

 

how is the new registry protection? anyone tested it out yet?

 

i tested againts a trjam and WP didnt burk at all

 

AFAIK the original *Registry guru* here at Wilders had user name "hojtsy". His definitive discourse on registry items to monitor is at . . .

https://www.wilderssecurity.com/showthread.php?p=179721#post179721

Even though that thread is pre-Vista, it is (IMO) "must reading" for folks who are serious about monitoring/protecting the registry.

In addition to hojtsy that thread had participation from a number of registry experts including but NOT limited to Kees1958, Bubba (the one who was a Global mod), Sumire, Paranoid2000 (of Outpost forum fame), Graphic Equaliser (proponent of MJRegistryWatcher), Dmitry Sokolov (proponent of the awesome RegRun apps), & Notok (a Prevx rep in those days - I miss him)

That superb & lengthy thread served as a learning & discussion ground for several security programs that based the scope of their registry scans totally, or in large measure, on that thread.

As a matter of incidental interest, even as far back as 2004 WinPat was monitoring registry items. Therefore, the current big to-do about registry monitoring being something "new" for WP is a bit exaggerated IMO. See HERE and ESPECIALLY HERE AND HERE!!!

 

I will create a reg file next week. It overs the autoruns of Microsoft Autoruns for windows (http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx ) minus the codes and the protection scotty provides in other areas (Services, Autorun programs, file associations, task scheduler, etc). I also added a few HKCU keys, which can be used for auto start.

There is no downside I know of, I tried to balance between protection and usability.

Regards Kees

 

Thanks in advance for your contribution to the community.

 

You are welcome, just passing through information available on Wilders

I hope the Master-san black belt registry Guru will drop in this thread and provide some reg files for WinPatrol

see pic

 

tony klein

 

Tony Klein's list was the basis for the registry protection component of OnlineArmor. Klein-sensei is a 4th Dan black belt.

 

Hi guys! Thanks for the kind remarks, but let's not exaggerate...

I'm afraid I don't have an up to date and comprehensive list of registry locations worth watching handy, but feel free to borrow from my Collection of Autostart Locations if it helps.

Along the same lines there's of course also Andrew Aronoff's excellent Silent Runners script

For Policies/restrictions here's the MS reference:

Group Policy Settings Reference for Windows and Windows Server

And here's another article:

Group policy for XP home

Good luck!

 

thanks tony

 

Done, download attachement of first post and rename to .reg file dubbleclick to import nd activate

Regards Kees

 

Thanks, Kees. Are these appropriate for all versions of Windows?

 

This one is for XP, I will check on the Vista x64 box of my son (which should fit Windows7 x64 also). I waited for the 18.1 version, will post this tomorrow.

Regards

 

Thanks, Kees.

 

See https://www.wilderssecurity.com/showpost.php?p=1687111&postcount=85

 

Hi Kees,

Thank you for the suggestions. It looks like you have the right idea.
MultiString support is coming soon. Unfortunately, I have a family member with breast cancer who is currently critical so I'm doing most of my work this week out of an ICU waiting room.

I'm also working on documentation for creating scripts but it looks like you have the right idea. The target registry value is referenced in two locations of the script.

[HKEY_CURRENT_USER\Software\BillP Studios\WinPatrol\RegOptions]
This section contains the key followed by the registry value in the key.
So if you see
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Download\\CheckExeSignatures"="yes"

It's monitoring the the key
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Download
for the value
CheckExeSignatures = Yes

If it changes Scotty will either alert the user or change it back to Yes depending on the 2nd section.
[HKEY_CURRENT_USER\Software\BillP Studios\WinPatrol\RegLock]
In this section the identical entry as above as a DWORD value of 0 or 1.
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Download\\CheckExeSignatures"=dword:00000000
means let the user know if this changes.
If DWORD is set to 1 than the value is locked and Scotty will change it back without bugging anyone.

All the scripts does is populate WinPatrol's own registry location. The script themselves don't change non-WinPatrol registry entries.
WinPatrol will however read the values in the scripts and proceed accordingly. The idea of the scripts is to save folks from having to manually add registry locations that are suggested.

If you're interested in creating a script you can Email it to me for review. I will make scripts available if they contain values that known malware have been changing and are safe for all concerned.

Thanks again,
Bill

 

Dear Bill,

I am very sorry to hear this....

Be assured that we all send your family member, and you and your family, all our best wishes.

Family comes first !

Very best wishes,
Jan

 

Bill,

Thanks for the reply via e-mail also. Wish you all the best. Your users will understand.

I will create a script (covering all 'other' autostart vulnabilities)

Regards Kees