Can RegDefend monitor permission changes to the registry?

Discussion in 'Ghost Security Suite (GSS)' started by readysound, Nov 16, 2007.

Thread Status:
Not open for further replies.
  1. readysound

    readysound Registered Member

    Joined:
    Nov 16, 2007
    Posts:
    3
    I'm having a problem where the permissions for my entire HKCR branch get stripped out and replaced by one entry; Everyone - which has full permissions. There are usually about 5 entries here.

    I don't have a virus and keep a very clean and tidy machine.

    Is there any way I can use RegDefend to monitor any permissions changes that occur on a particular part of the registry so I can figure out what application is doing this?

    Many thanks in advance!

    Paul
     
  2. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    I really don't understand what you mean by stripping out permissions, but if you create a Registry Rule protecting:-

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes**

    HKEY_CLASSES_ROOT**

    making sure to include the wildcard of two '*', then RD would prevent and/or log any changes made to this tree. That would inform you what app is making the changes to Keys/Values down the whole tree.
     
  3. readysound

    readysound Registered Member

    Joined:
    Nov 16, 2007
    Posts:
    3
    Hi TopperID, thanks for replying. I tried your suggestion but unfortunately it didn't work.

    Here's what I mean by stripping out permissions. If you run 'regedit' and right click on HKEY_CLASSES_ROOT, then select permissions, you will see the list of user objects that have access to HKCR. Normally, HKCR should have the following in the access control list (obviously, each with varying access rights):

    Administrators
    CREATOR OWNER
    SYSTEM
    Power Users
    Users

    My problem is that even with the above configured correctly, after a period of time, all of the permissions entries above will be cleared and replaced with just one entry called "Everyone" which is given full permissions. This can cause problems as the permissions are replaced on all child objects (since they inherit from the root).

    I know it's not a malicious program doing this (virus etc) so I thought maybe RegDefend would be able to track permission changes - not just key creations / deletions / reads etc etc.

    Does anyone know if RegDefend can monitor changes to registry permissions?
     
  4. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Oh, now I understand what you mean.

    Have you tried creating rules to protect changes to 'policy' ?

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Policies**

    HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Policies**

    HKEY_USERS\*\Software\Microsoft\Windows\Currentversion\Policies**

    HKEY_CURRENT_USER\Software\Policies**

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies**

    HKEY_USERS\*\Software\Policies**

    I'm afraid I really cannot think of anything else that may assist. Perhaps someone else knows the appropriate Keys.
     
  5. readysound

    readysound Registered Member

    Joined:
    Nov 16, 2007
    Posts:
    3
    Thanks again for replying,

    Haven't tried this but got a feeling it won't work... When you change the permissions on a registry branch / key, I don't think any keys (anywhere in the reg) actually get changed; it's just the permissions on them that change - so I don't think RegDefend can get on to it. Will try it out though.
     
  6. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    I might have expected the permissions to be stored somewhere in the Registry, but I don't know where. There are some hidden Keys at:-

    HKEY_LOCAL_MACHINE\SECURITY\Policy**

    so that is another possibility.
     
  7. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Hi,
    RegDefend does not currently intercept permission or ownership changes in the Registry.
    It will, however, intercept any changes to the data or to the keys.

    I agree that it would be a good idea for it to do so (in a later version) once the current AD/RD product has been released. Being able to intercept permissions changes has been discussed with Jason before (I cannot remember if it was in the forum or via email) so it has at least been considered.

    Regards
     
  8. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    But which keys constitute the ACL?

    /C.
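Since RegDefend does not see permission changes (gottadoit's answer above), a defender can instead watch the ACL itself. The following is an added example, not code from the thread or from Ghost Security: it checks whether HKCR's ACL has collapsed to the single "Everyone / Full Control" entry readysound describes, and adds an audit (SACL) entry so that Windows itself logs who changes HKCR's permissions. It assumes an elevated PowerShell on a Windows version with the Registry provider; the function names are hypothetical.

```powershell
# Added example (not from the thread). Assumes elevated PowerShell; HKCR root path below.
$HkcrPath = 'Registry::HKEY_CLASSES_ROOT'

function Test-HkcrAclStripped {
    param([string]$Path = $HkcrPath)
    $acl = Get-Acl -Path $Path
    # Only explicit (non-inherited) Allow entries matter at the hive root.
    $allow = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' })
    $identities = @($allow | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
    $full = [System.Security.AccessControl.RegistryRights]::FullControl
    $everyoneFull = @($allow | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and
        (($_.RegistryRights -band $full) -eq $full) })
    # "Stripped" = the ACL is exactly one entry: Everyone with Full Control.
    return ($identities.Count -eq 1 -and $everyoneFull.Count -eq 1)
}

function Add-HkcrPermissionAudit {
    param([string]$Path = $HkcrPath)
    # Reading the SACL (-Audit) requires SeSecurityPrivilege, i.e. an elevated shell.
    $acl = Get-Acl -Path $Path -Audit
    # Audit any attempt (success or failure) to change permissions or take ownership,
    # on the root and every subkey (ContainerInherit).
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAuditRule -ArgumentList @(
        'Everyone',
        [System.Security.AccessControl.RegistryRights]'ChangePermissions, TakeOwnership',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
        [System.Security.AccessControl.PropagationFlags]'None',
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Usage: report the current state, then install the audit entry once.
if (Test-HkcrAclStripped) {
    Write-Warning 'HKCR ACL has been reduced to Everyone: Full Control'
} else {
    Write-Output 'HKCR ACL still contains the expected entries'
}
Add-HkcrPermissionAudit
```

The SACL entry only produces log records once the "Audit Registry" (Object Access) subcategory is enabled, e.g. with auditpol; on Windows Vista and later the resulting Security-log event 4670 ("Permissions on an object were changed") names the process that made the change, which answers the original question of which application is responsible. Run Test-HkcrAclStripped from a scheduled task to get an early warning that the ACL has been replaced.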
     