Logon/Logoff Scripts

These keys don't seem to be monitored by default by RegDefend:

Code:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts

Code:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts

I mention this with the suggestion that these keys should be included by default.

 

I should have given this thread a generic title. If the admins would enable my forum account again, I could change it. In any case, here is another one--this time a value--that isn't monitored by default:

Value Default_Search_URL under this key:

Code:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

The value mentioned above has been used by malware:

http://www.google.com/search?q=Default_Search_URL

 

You should be very careful as to what software you let modify or add the following values:

UpperFilters and LowerFilters under the following keys:

Code:

HKEY_LOCAL_MACHINE\System\*controlset*\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}

Code:

HKEY_LOCAL_MACHINE\System\*controlset*\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}

 

If you have the AutoRun disabled, you will want to monitor it under this key:

Code:

HKEY_LOCAL_MACHINE\System\*controlset*\Services\Cdrom

 

I have a bunch more to add, but my posts aren't showing up. (Forum guest flood control?) Several of the ones I have to add aren't covered by default, and have been used by malware. Everyone can just figure it out on their own.

Enable my account whenever, please...

 

These keys are under 'Web Browser Protection' 'Defualt' rules,only certain values are monitored coz you get a heck of a lot of pop-ups watching the whole key.

 

Meargh,you forgot some,and as you have'nt mentioned it,i will. These are related to CD/DVD Drives,if modified,can disable your CD/DVD drives. There probably are more,and probably differ slightly between drives/software.


[HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Class\{4D36E96F-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Class\{6BDD1FC5-810F-11D0-BEC7-08002BE2092F}]

[HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]

 

The Default_Search_URL value is not watched by default under HKCU, and it has been used by crapware. That is why I mentioned it. It doesn't seem like a value you'd get a lot of legitimate hits on.

 

I'm not sure about ones of like that ,for most users anyhow,coz a lot of anti-malware appz monitor that sort of thing,and they might conflict if something is added. I have added that sortta thing to RD and disabled anything else that polls the registry (i got sick of logs) plus RD's quicker . But for the 'average' user who might want to run both (use RD to monitor stuff the other appz don't) it's tricky to say weather not they should be added by default.

 

If you're going to watch Default_Search_URL under HKLM, you really ought to also watch it under HKCU. The two values do the same thing, except that the latter only applies to the current user. I can't imagine that there is any more penalty or risk in watching Default_Search_URL under HKCU as watching it under HKLM.

 

You guys know how to protect windows context handlers?

 

Hi pasito,there are a few keys to watch,

HKCR\*OpenWithList
HKCR\*shellex\ContextMenuHandlers
HKCR\Directory\Background\shellex\ContextMenuHandlers
HKCR\Directory\shell
HKCR\Directory\shellex\ContextMenuHandlers
HKCR\Drive\shell
HKCR\Drive\shellex\ContextMenuHandlers
HKCR\Folder\shell
HKCR\Folder\shellex\ContextMenuHandlers

To enable\Disable for Current User
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer [Value]-NoViewContextMenu

To enable\Disable for Local Machine
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer [Value]-NoViewContextMenu

[0=Disable/1=Enable]

Not sure if that's all of them (prob not),hope that helps