Registry Guard - Protect registry keys and values

Discussion in 'other anti-malware software' started by novirusthanks, Nov 24, 2015.

  1. guest

    guest Guest

    "Run with highest privileges" is needed, even if you login as an administrator:
     
  2. Quassar

    Quassar Registered Member

    Joined:
    Oct 19, 2011
    Posts:
    255
    Location:
    Poland
    So which reg keys do you suggest adding, and how did you configure it? ^^
    I'm thinking about using the same ones I saw in Comodo, if I remember correctly :)
     
  3. guest

    guest Guest

    Registry Guard v1.5 Released (February 11, 2018)
    Website
    Code:
    [11-02-2018] v1.5.0.0
    
    + Both 32-bit and 64-bit drivers are now co-signed by Microsoft
    + Executable files are digitally signed with both SHA1 and SHA256 code sign
    + Now the program works fine when Secure Boot is enabled
    + Updated Rules.db with new rules to prevent UAC\DeviceGuard\AppLocker bypasses
    + Updated Rules.db with a new rule to protect LowRiskFileTypes value
    + Bring the application to front if the Desktop icon is clicked and the program is running
    + Fixed display of main window on multi-monitors
    + Ask a confirmation when the program is closed via Tray Icon -> Exit
    + For wildcard rules you can use the asterisk * and the ? character
    + Updated Exclusions.db with new exclusion rules
    + Show "New Value Data" in logged events
    + Fixed parsing of exclusion rules
    + Minor fixes and improvements
    
     
  4. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Because I do this so infrequently, just refresh me on the sequence here ...

    Do I just need to run uninstall.bat, registryguard_setup.exe, and then new install.bat?
     
  5. guest

    guest Guest

    Use of "install.bat/uninstall.bat" is needed for: Registry Guard Service
    You shouldn't install Registry Guard if Registry Guard Service is already installed - you shouldn't mix both versions.

    But if you want to switch to the "GUI version" (Registry Guard), make sure to use uninstall.bat to uninstall the "service version" (Registry Guard Service).
     
    Last edited by a moderator: Feb 12, 2018
  6. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Oops, I forgot that there was the service version and GUI version!

    I do have the service version, but I think I may switch to GUI version. Any downsides?
     
  7. guest

    guest Guest

    The GUI needs to be started after each login, and there were problems with it the last time:
     
  8. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    :D #47 was me, forgot about that. May check it out again.
     
  9. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    Does this version support the passive logging of the service version?
     
  10. guest

    guest Guest

    Only the service version has this feature.
     
  11. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
  12. guest

    guest Guest

    Must be a failure on the website.
    Perhaps it was silently added with v1.5 and it wasn't mentioned in the changelog, but no - No Passive Logging feature:
    (attachments: Registry Guard-1.5.png, Registry Guard-1.5_.png)
     
  13. guest

    guest Guest

    Reference: What is Deleting this Registry Key?
    Code:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat]
    "cadca5fe-87d3-4b96-b7fb-a231484277cc"=dword:00000000
    
    To find out what application is deleting a registry key, we can add the registry key to be monitored to the file Rules.DB:
    Code:
    [%OPR%: DELETE_KEY] [%EXE%: *] [%KEY%: *\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat]
    
    If any application tries to delete this registry key, it is prevented and the name of the application (including the parent process) is logged:
    Code:
    Operation: Delete Key
    Process: [4512]C:\Windows\regedit.exe
    Parent: [6520]C:\Program Files\totalcmd\TOTALCMD64.EXE
    Thread Id: 1984
    Key: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\QualityCompat
    Rule: [%OPR%: DELETE_KEY] [%EXE%: *] [%KEY%: *\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat]
    
     
  14. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Newbie here.

    I notice Registry Guard doesn't start with Windows. Does it need to be running to stop registry keys being deleted? Will it log which application tried to delete that registry key without having to be manually started?

    Thanks.
     
  15. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    ... Didn't help in my case anyway.
     
  16. guest

    guest Guest

    Important: Is the whole key deleted (including the value) or only the value ("cadca5fe-87d3-4b96-b7fb-a231484277cc")?
    If only the value is deleted ("QualityCompat" can be seen on the left side of the registry editor, but the value on the right side is gone) an additional rule must be added:
    Code:
    [%OPR%: DELETE_KEY] [%EXE%: *] [%KEY%: *\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat]
    [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat] [%VAL%: cadca5fe-87d3-4b96-b7fb-a231484277cc]
    
    But ok, if the whole key is always deleted and Registry Guard wasn't able to detect it, then the key was most probably deleted while Registry Guard wasn't running.
    Maybe it is deleted right after the user logs in, or even while the PC is booting up.

    If only the value is deleted, I would do another test with these two rules.
    And if there is again no detection, then we know for sure that the key/the value is deleted while Registry Guard isn't running (for example: while booting up / before the user has logged in / a program is deleting the key before Registry Guard is launched, etc.), i.e. it can't be monitored (at least with Registry Guard).

    "Registry Guard Service" might be a solution (it is automatically started and is "always running", and is started much earlier [before the user has logged in]), but the driver is not co-signed by Microsoft, has no GUI and it must be manually installed/uninstalled.
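As an added example (not Registry Guard's own code, and not posted by anyone in this thread), the following Python script models how rule lines in the Rules.db syntax quoted in posts 13 and 16 can be matched against a registry event like the one in the logged block above. The operation tokens DELETE_KEY and WRITE_VALUE, the field names OPR/EXE/KEY/VAL and the `*`/`?` wildcards come from the thread; the real driver's matching semantics are not documented on this page, so the anchored, case-insensitive wildcard matching, the `RegistryEvent` shape and the sample events are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One bracketed field of a rule line, e.g. "[%KEY%: *\SOFTWARE\...]".
FIELD_RE = re.compile(r"\[%(OPR|EXE|KEY|VAL)%:\s*([^\]]*)\]")


def wildcard_to_regex(pattern: str) -> "re.Pattern":
    """Turn a rule wildcard into an anchored, case-insensitive regex.
    Only '*' (any run of characters) and '?' (one character) are special,
    as the v1.5 changelog states; everything else is matched literally."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    # Registry key paths and value names are case-insensitive on Windows (assumed here).
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


@dataclass
class Rule:
    text: str                          # original line, as echoed in the block log
    opr: str                           # operation token, e.g. DELETE_KEY / WRITE_VALUE
    exe: "re.Pattern"                  # process image path pattern
    key: "re.Pattern"                  # registry key path pattern
    val: Optional["re.Pattern"] = None # value-name pattern; None for key-level rules


def parse_rule(line: str) -> Rule:
    fields = dict(FIELD_RE.findall(line))
    for required in ("OPR", "EXE", "KEY"):
        if required not in fields:
            raise ValueError(f"rule lacks [%{required}%]: {line!r}")
    return Rule(
        text=line.strip(),
        opr=fields["OPR"].strip().upper(),
        exe=wildcard_to_regex(fields["EXE"].strip()),
        key=wildcard_to_regex(fields["KEY"].strip()),
        val=wildcard_to_regex(fields["VAL"].strip()) if "VAL" in fields else None,
    )


def load_rules(db_text: str) -> List[Rule]:
    """Parse rule lines; blank lines are skipped (the page describes no comment syntax)."""
    return [parse_rule(ln) for ln in db_text.splitlines() if ln.strip()]


@dataclass
class RegistryEvent:
    operation: str                # rule token (the log prints it as e.g. "Delete Key")
    process: str                  # full image path of the process doing the operation
    key: str                      # kernel-form key path, e.g. \REGISTRY\MACHINE\Software\...
    value: Optional[str] = None   # value name for value operations


def matching_rule(rules: List[Rule], ev: RegistryEvent) -> Optional[Rule]:
    """Return the first rule that would block this event, or None if it is allowed."""
    for r in rules:
        if r.opr != ev.operation.upper():
            continue
        if not r.exe.match(ev.process) or not r.key.match(ev.key):
            continue
        if r.val is not None and (ev.value is None or not r.val.match(ev.value)):
            continue
        return r
    return None


# Constructed sample Rules.db content: the two rules quoted in the thread.
RULES_DB = r"""
[%OPR%: DELETE_KEY] [%EXE%: *] [%KEY%: *\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat]
[%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat] [%VAL%: cadca5fe-87d3-4b96-b7fb-a231484277cc]
"""

QC = r"\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\QualityCompat"

# Constructed events. HKEY_LOCAL_MACHINE appears as \REGISTRY\MACHINE in kernel paths,
# which is why the rule's leading '*' and the case-insensitive match matter.
EVENTS = {
    "delete_key": RegistryEvent("DELETE_KEY", r"C:\Windows\regedit.exe", QC),
    "write_guid": RegistryEvent("WRITE_VALUE", r"C:\Windows\regedit.exe", QC,
                                "cadca5fe-87d3-4b96-b7fb-a231484277cc"),
    "write_other": RegistryEvent("WRITE_VALUE", r"C:\Windows\regedit.exe", QC, "SomeOtherValue"),
    "delete_other_key": RegistryEvent("DELETE_KEY", r"C:\Windows\regedit.exe",
                                      r"\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"),
}


def evaluate(db_text: str = RULES_DB) -> dict:
    """Map each sample event name to the OPR token of the rule that blocks it (None if allowed)."""
    rules = load_rules(db_text)
    return {name: (m.opr if (m := matching_rule(rules, ev)) else None) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, outcome in evaluate().items():
        print(f"{name:18} -> {('BLOCKED by ' + outcome) if outcome else 'allowed'}")
```

Running the script shows why post 16 adds the second rule: a DELETE_KEY rule alone says nothing about writes to a single value under that key, so a change to the `cadca5fe-...` value is only caught once the WRITE_VALUE rule with a `[%VAL%: ...]` field is present, and a write to some other value under the same key is still allowed by both rules.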
     
  17. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    I'm trying this currently. I'm finding it's hindering Event Viewer from loading. Anyone else? Exiting is like opening a dam, the event viewer moves instantly.

    Edit: does an exclusion have to be written for this?
     
    Last edited: Aug 11, 2019
  18. guest

    guest Guest

    Do you have any entries in the logfile? If not, then excluding is not needed.
     
  19. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    No, mood, it is a blank slate. The only time was for HitmanPro, where I then pasted your two exclusions from here. Windows 10 v.1903 64 bit.

    Since Event Viewer is opened fairly often, I guess I'll wait a little while and see before taking action, i.e. removing Registry Guard. OK, thanks!
     
  20. guest

    guest Guest

    But I confirm that Registry Guard is slowing down the launch of Event Viewer.
    After disabling the protection, Event Viewer loads instantly; right after enabling the protection, it always needs a long time to load.
     
  21. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Oh, good, you confirmed the issue. Maybe the developer will see this sometime and consider the issue? I don't need to look at Event Viewer around the clock so it's definitely not an urgent matter. :)
     