Registry Guard Service

Discussion in 'other anti-malware software' started by novirusthanks, Mar 24, 2017.

  1. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
  2. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,459
    Location:
    .
    Registry Guard set to Passive Logging. Had occasion to reinstall Norton. Nothing logged. IDK
    Code:
    [Settings]
    ProtectionEnabled= n
    LogToFile= y
    LogToWindowsEventViewer= n
    LogPath=C:\Program Files\NoVirusThanks\RegistryGuardSvc\Logs
    RulesFile=C:\Program Files\NoVirusThanks\RegistryGuardSvc\Rules.db
    ExclusionsFile=C:\Program Files\NoVirusThanks\RegistryGuardSvc\Exclusions.db
    DeleteLogsOlderThanNDays=30
    PassiveMode= y
     
  3. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @bjm_

    For Passive Logging to work correctly you need to also enable protection:

    ProtectionEnabled= n
    ->
    ProtectionEnabled= y

    Then it should work fine.

    About Norton, I added some exclusion rules in Exclusions.db for Norton, Avira, AVG, Malwarebytes, and others.

    To test it, open regedit and try to create a new string value on HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    You should see a blocked event in the .log file.

    Please let me know.
     
  4. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,459
    Location:
    .
    How is Passive Logging = Passive, if I need Protection enabled?
    Passive Logging sounded like OSArmor Passive Logging.
    Code:
    -=== Passive Mode ===-
    Date/Time: 6/29/2022 6:52:04 PM
    Operation: Write Value
    Process: [484]C:\Windows\regedit.exe
    Parent: [7792]C:\Windows\explorer.exe
    Thread Id: 8340
    Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value: New Value #1
    New Value Data: 0x1111
    Rule: [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*] [%VAL%: *]
     
    Last edited: Jun 29, 2022
  5. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,459
    Location:
    .
    How to set up Active Mode?
    Code:
    [Settings]
    ProtectionEnabled= y
    LogToFile= y
    LogToWindowsEventViewer= n
    LogPath=C:\Program Files\NoVirusThanks\RegistryGuardSvc\Logs
    RulesFile=C:\Program Files\NoVirusThanks\RegistryGuardSvc\Rules.db
    ExclusionsFile=C:\Program Files\NoVirusThanks\RegistryGuardSvc\Exclusions.db
    DeleteLogsOlderThanNDays=30
    PassiveMode= n
    How to set up to see block events?
    Are these block events?
    Code:
    Date/Time: 6/29/2022 7:03:02 PM
    Operation: Write Value
    Process: [7448]C:\Windows\regedit.exe
    Parent: [7792]C:\Windows\explorer.exe
    Thread Id: 7580
    Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New Key #1
    Value: New Value #1
    Rule: [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*] [%VAL%: *]
    
    
    Date/Time: 6/29/2022 7:14:01 PM
    Operation: Write Value
    Process: [9308]C:\Windows\regedit.exe
    Parent: [7792]C:\Windows\explorer.exe
    Thread Id: 6576
    Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New Key #1
    Value: (Default)
    New Value Data: 11111
    Rule: [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*] [%VAL%: *]
     
    Last edited: Jun 29, 2022
  6. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Yes, they are blocked events; just press F5 in Regedit and you will not see them.

    Here is a more detailed explanation:

    1) Protection is enabled and passive mode is disabled:


    Code:
    ProtectionEnabled = y
    PassiveMode = n
    
    The above will make Registry Guard block the action if it matches Rules.db rules, example blocked event:

    Code:
    Date/Time: 6/30/2022 1:09:40 AM
    Operation: Write Value
    Process: [2528]C:\Windows\regedit.exe
    Parent: [1132]C:\Windows\explorer.exe
    Thread Id: 3660
    Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value: New Value #1
    New Value Data:
    Rule: [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*] [%VAL%: *]
    
    * On Regedit make sure to press F5 (refresh) else you will always see the value you created (it has been blocked by Registry Guard so after the F5 you should not see it on Regedit).

    2) Protection is disabled and passive mode is enabled:

    Code:
    ProtectionEnabled = n
    PassiveMode = y
    
    The above will disable protection, passive mode will not be fulfilled because protection is disabled.

    3) Protection is enabled and passive mode is enabled:

    Code:
    ProtectionEnabled = y
    PassiveMode = y
    
    The above will enable Passive Mode (aka Passive Logging) so events are not blocked but just logged, example:

    Code:
    -=== Passive Mode ===-
    Date/Time: 6/30/2022 1:12:19 AM
    Operation: Write Value
    Process: [2528]C:\Windows\regedit.exe
    Parent: [1132]C:\Windows\explorer.exe
    Thread Id: 3660
    Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value: New Value #1
    New Value Data:
    Rule: [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*] [%VAL%: *]
    
    * Notice that when Passive Mode is enabled you will always see this line before any event:

    -=== Passive Mode ===-

    That means the event was not blocked but just logged.

    Important:

    If you use the Configurator GUI, make sure to always click the button "Save & Close" after you have modified the settings/checkboxes.

    That way it will save the changes to the Config.ini file.

    Let me know if it works fine for you.
     
    Last edited: Jun 29, 2022
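    The explanation above ties two things together: which combination of ProtectionEnabled / PassiveMode in Config.ini actually produces log entries, and how to tell a passive (logged-only) entry from a blocked one in the .log file. The following is an added example, not code from this thread or from NoVirusThanks, that applies both rules: it reads a Config.ini fragment and reports the effective mode, and it parses Registry Guard log text into structured events flagged as blocked or passive. The log layout (one "Field: value" line per field, an entry starting at "Date/Time:", the "-=== Passive Mode ===-" marker line preceding passive entries) is assumed from the entries quoted in the thread; the sample log and the config snippets below are constructed from those quotes.

```python
"""Added example: classify Registry Guard Service log entries and check the
effective Config.ini mode. Not part of the forum thread or the product; the
log layout is assumed from the entries quoted in the thread."""
import configparser
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Line the developer says precedes every event that was logged but not blocked.
PASSIVE_MARKER = "-=== Passive Mode ===-"
# "Process: [8292]C:\Windows\regedit.exe" -> pid 8292, path C:\Windows\regedit.exe
_PROCESS_RE = re.compile(r"^\[(\d+)\](.*)$")

# Constructed sample: config from post #2 (nothing gets logged with this one).
PASSIVE_ONLY_CONFIG = r"""
[Settings]
ProtectionEnabled= n
PassiveMode= y
LogPath=C:\Program Files\NoVirusThanks\RegistryGuardSvc\Logs
"""

# Constructed sample log: one blocked event followed by one passive event,
# modelled on the entries quoted in the thread.
SAMPLE_LOG = r"""
Date/Time: 6/29/2022 7:39:23 PM
Operation: Write Value
Process: [8292]C:\Windows\regedit.exe
Parent: [8140]C:\Windows\explorer.exe
Thread Id: 3468
Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: New Value #1
New Value Data: 0x0
Rule: [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*] [%VAL%: *]

-=== Passive Mode ===-
Date/Time: 6/29/2022 7:39:56 PM
Operation: Write Value
Process: [8292]C:\Windows\regedit.exe
Parent: [8140]C:\Windows\explorer.exe
Thread Id: 3468
Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: New Value #1
New Value Data: 0x0
Rule: [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*] [%VAL%: *]
"""


@dataclass
class RegEvent:
    blocked: bool                       # False when the passive marker preceded it
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def pid(self) -> int:
        m = _PROCESS_RE.match(self.fields.get("Process", ""))
        return int(m.group(1)) if m else -1

    @property
    def process_path(self) -> str:
        m = _PROCESS_RE.match(self.fields.get("Process", ""))
        return m.group(2) if m else ""


def effective_mode(config_text: str) -> str:
    """Return 'off', 'passive' or 'block' for a Config.ini [Settings] fragment.
    Mirrors the three cases in the developer's post: protection off means the
    service neither blocks nor logs, whatever PassiveMode says."""
    cp = configparser.ConfigParser(interpolation=None)  # paths may contain '%'
    cp.read_string(config_text)
    settings = cp["Settings"]
    protection = settings.get("ProtectionEnabled", "n").strip().lower() == "y"
    passive = settings.get("PassiveMode", "n").strip().lower() == "y"
    if not protection:
        return "off"
    return "passive" if passive else "block"


def parse_log(text: str) -> List[RegEvent]:
    """Split log text into events; an event starts at its 'Date/Time:' line and
    is passive if the marker line was seen since the previous event."""
    events: List[RegEvent] = []
    pending_passive = False
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == PASSIVE_MARKER:
            pending_passive = True
            continue
        key, sep, value = line.partition(":")  # first colon ends the field name
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Date/Time":
            current = RegEvent(blocked=not pending_passive)
            pending_passive = False
            events.append(current)
        if current is not None:
            current.fields[key] = value
    return events


def summarize(events: List[RegEvent]) -> Dict[str, int]:
    counts = {"blocked": 0, "passive": 0}
    for ev in events:
        counts["blocked" if ev.blocked else "passive"] += 1
    return counts


if __name__ == "__main__":
    print("effective mode of post #2 config:", effective_mode(PASSIVE_ONLY_CONFIG))
    for ev in parse_log(SAMPLE_LOG):
        state = "BLOCKED" if ev.blocked else "passive"
        print(f"{state:8} pid={ev.pid} {ev.process_path} -> {ev.fields.get('Key')}")
    print(summarize(parse_log(SAMPLE_LOG)))
```

    Pointing parse_log at a real file from LogPath gives a quick count of how many autorun writes were only observed versus actually stopped, which is the first thing to check after switching PassiveMode from y to n.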
  7. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,459
    Location:
    .
    F5 hint helps. Passive Mode = Passive Logging helps. Realizing an active event is the absence of the passive notation helps. Realizing there are pre-set exclusion rules helps. I'll have to chew on this a while. IDK if/how I'll use Registry Guard. Thanks
    Code:
    Date/Time: 6/29/2022 7:39:23 PM
    Operation: Write Value
    Process: [8292]C:\Windows\regedit.exe
    Parent: [8140]C:\Windows\explorer.exe
    Thread Id: 3468
    Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value: New Value #1
    New Value Data: 0x0
    Rule: [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*] [%VAL%: *]
    
    -=== Passive Mode ===-
    Date/Time: 6/29/2022 7:39:56 PM
    Operation: Write Value
    Process: [8292]C:\Windows\regedit.exe
    Parent: [8140]C:\Windows\explorer.exe
    Thread Id: 3468
    Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value: New Value #1
    New Value Data: 0x0
    Rule: [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*] [%VAL%: *]
    
     
    Last edited: Jun 29, 2022
  8. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    :thumb: Had forgotten, thanks - I was wondering if the absence of log entries was correct!

    Will see how it goes. Essentially I just want to use Registry Guard as a passive monitor for now.
     
  9. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Had protection enabled, and passive logging ticked. Slowed my Macrium backups to a crawl.

    Didn't really do any troubleshooting, but uninstalled.
    Speeds back to normal now.
    May do a bit more investigative work in future.
     