Can RegDefend monitor permission changes to the registry?

I'm having a problem where the permissions for my entire HKCR branch get stripped out and replaced by one entry; Everyone - which has full permissions. There are usually about 5 entries here.

I don't have a virus and keep a very clean and tidy machine.

Is there any way I can use RegDefend to monitor any permissions changes that occur on a particular part of the registry so I can figure out what application is doing this?

Many thanks in advance!

Paul

 

I really don't understand what you mean by stripping out permissions, but if you create a Registry Rule protecting:-

HKEY_LOCAL_MACHINE\SOFTWARE\Classes**

HKEY_CLASSES_ROOT**

making sure to include the wildcard of two '*' , then RD would prevent and/or log any changes made to this tree. That would inform you what app is making the changes to Keys/Values down the whole tree.

 

Hi TopperID, thanks for replying. I tried your suggestion but unfortunately it didn't work.

Here's what I mean by stipping out permissions. If you run 'regedit' and right click on HKEY_CLASSES_ROOT, then select permissions, you will see the list of user objects that have access to HKCR. Normally, HKCR should have the following in the access control list (obviously, each with varying access rights):

Administrators
CREATOR OWNER
SYSTEM
Power Users
Users

My problem is that even with the above configured corretly, after a period of time, all of the permissions entries above will be cleared and replaced with just one entry called "Everyone" which is given full permissions. This can cause problems as the permissions are replaced on all child objects (since they inherit from the root).

I know it's not a malicious program doing this (virus etc) so I thought maybe RegDefend would be able to track permission changes - not just key creations / deletions / reads etc etc.

Does anyone know if RegDefend can monitor changes to registry permissions?

 

Oh, now I uderstand what you mean.

Have you tried creating rules to protect changes to 'policy' ?

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Policies**

HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Policies**

HKEY_USERS\*\Software\Microsoft\Windows\Currentversion\Policies**

HKEY_CURRENT_USER\Software\Policies**

HKEY_LOCAL_MACHINE\SOFTWARE\Policies**

HKEY_USERS\*\Software\Policies**

I'm afraid I really cannot think of anything else that may assist. Perhaps someone else knows the appropriate Keys.

 

Thanks again for replying,

Haven't tried this but got a feeling it wont work... When you change the permissions on a registry branch / key, I don't think any keys (anywhere in the reg) actually get changed; it's just the permissions on them that change - so I don't think RegDefend can get on to it. Will try it out though.

 

I might have expected the permissions to be stored somewhere in the Registry, but I don't know where. There are some hidden Keys at:-

HKEY_LOCAL_MACHINE\SECURITY\Policy**

so that is another possibility.

 

Hi,
RegDefend does not currently intercept permission or ownership changes in the Registry
It will however intercept any changes to the data or to the keys

I agree that it would be a good idea for it to do so (in a later version) once the current AD/RD product has been released. Being able to intercept permissions changes has been discussed with Jason before (I cannot remember if it was in the forum or via email) so it has at least been considered.

Regards

 

But which keys consist the ACL?

/C.