BOClean and RegDefend Question

Discussion in 'Ghost Security Suite (GSS)' started by Trooper, Aug 10, 2005.

Thread Status:
Not open for further replies.
  1. Trooper (Registered Member)

    Hello All,

    I have a question regarding RegDefend and BOClean. (I have also posted this on the official BOClean forum as well.)

    I have noticed over the past few days that RegDefend has been blocking BOClean from the following.

    boc412.exe [164] was blocked from setting this value to "%1" %* | 01:35:26 - 10 Aug 2005 | HKEY_LOCAL_MACHINE\software\classes\piffile\shell\open\command | | c:\progra~1\nsclean\boclean\boc412.exe

    Specifically, it is stemming from Tony's ghst file.

    So my question is basically, is it OK to allow BOClean to make this change? I'm sure we must have some BOClean/RD users here on Wilders. *puppy*

    NOTE: This seems to occur on my machine when I am shutting down, so I have very lil time to accept it.

    I am running Windows XP Pro w/SP2 and all up to date MS security patches.

    Thanks in advance,

    Jag
     
  2. gottadoit (Security Expert)

    Jaguar,
    The short answer is yes, you could allow it, but you probably don't need to care.

    If you have a look at the data in the default value for that key when the machine is running, it will probably already be "%1" %*

    If that is the case then there is no change actually being made, and BOClean is simply avoiding a read value and an if statement to see if it's different prior to writing the value. Programming shortcuts like this are fairly common and nothing to worry about (for trusted software anyhow).

    If the value isn't already the same, there are a few options, but if it's not causing you an issue and it's been like this for a while you could just ignore it.

    Regards
     
  3. Trooper (Registered Member)

    gottadoit,

    Thanks very much for the feedback. I did check the value previously but failed to mention it in my earlier post. :oops: It is indeed a value of "%1" %*

    I just wanted to check to make sure, as this was/is a fairly recent thing I have noticed on my PC.

    As always, many thanks for your help.

    Regards,

    Jag
     
  4. Jason_R0 (Developer)

    If the particular rule was set to "ASK USER" then you would receive no BLOCK alert. When the driver needs to ask the user something, it first checks to make sure the value isn't the same; if it is, it "pretends" to have written the value, fooling the program into thinking the operation was successful without actually modifying the registry.

    When the driver does not need to ask the user something, this check is not made, and the block will occur automatically. Hope that clears some things up. :)
     
  5. Trooper (Registered Member)

    Yes it does. Thanks very much Jason. :)
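
The behaviour described in posts 2 and 4 above, as an added example that is not part of the original thread and is not RegDefend's code: it parses the alert quoted in post 1 and models the driver's decision for a same-value write. The alert field layout, the `BLOCK` rule label and all function names are assumptions made for this sketch.

```python
import re

# Constructed sample: the alert quoted in post 1. The field layout is inferred
# from that single line (assumption), not from RegDefend documentation.
SAMPLE = ('boc412.exe [164] was blocked from setting this value to "%1" %* | '
          '01:35:26 - 10 Aug 2005 | '
          r'HKEY_LOCAL_MACHINE\software\classes\piffile\shell\open\command | | '
          r'c:\progra~1\nsclean\boclean\boc412.exe')

HEAD = re.compile(r'^(?P<proc>\S+) \[(?P<pid>\d+)\] was blocked from '
                  r'setting this value to (?P<data>.*)$')

def parse_alert(line):
    """Split one block alert into its fields."""
    # rsplit keeps any '|' inside the requested data in the first field.
    head, when, key, value_name, image = [f.strip() for f in line.rsplit('|', 4)]
    m = HEAD.match(head)
    if m is None:
        raise ValueError('not a block alert: %r' % line)
    return {'process': m['proc'], 'pid': int(m['pid']), 'data': m['data'],
            'time': when, 'key': key, 'image': image,
            # Assumption: an empty name field means the key's default value.
            'value_name': value_name or '(Default)'}

def driver_decision(rule, current_data, requested_data):
    """Model of the rule handling described in post 4 (hypothetical names)."""
    if rule == 'ASK USER':
        # The same-value check happens only on the ask path.
        if current_data == requested_data:
            return 'pretend-success'   # caller sees success, registry untouched
        return 'prompt-user'
    if rule == 'BLOCK':
        return 'block-and-alert'       # no comparison, even for a no-op write
    raise ValueError('unknown rule: %r' % rule)

def is_noop_write(alert, current_data):
    """True when the blocked write would not have changed the stored data."""
    return alert['data'] == current_data

if __name__ == '__main__':
    alert = parse_alert(SAMPLE)
    current = '"%1" %*'                # value Trooper reported in post 3
    print(alert['process'], alert['key'], alert['value_name'])
    print('no-op write:', is_noop_write(alert, current))
    for rule in ('ASK USER', 'BLOCK'):
        print(rule, '->', driver_decision(rule, current, alert['data']))
```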
     