Extra RegDefend Ghost File Entries

Discussion in 'Ghost Security Suite (GSS)' started by puff-m-d, Mar 1, 2005.

Thread Status:
Not open for further replies.
  1. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Re: RegRun Entries

    I have just posted an updated version that hopefully will solve the hanging problems that a few people were having. I had included some extra values on a key to be checked and it seems that one of the values was causing a hang up. I modified that key check to only check the important values and nothing extra. It has been running flawlessly here although I never had the problem at all and could not duplicate it. I used the info from posters to fine tune that one key check. Hopefully it will run fine now ;) ...
     
  2. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Re: RegRun Entries

    Thanks Puff. I have updated my list. Thanks again for all of your efforts.

    Rich
     
  3. Clive T

    Clive T Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    189
    Location:
    Kent, UK
    Re: RegRun Entries

    Puff, your update has resolved the hanging problem I reported in another thread. Who'd have thought that a * would have caused the problem?

    Thanks for your efforts.
     
  4. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Re: RegRun Entries

    You are most welcome as always ;) ...
    I am glad to hear it helped you. Hopefully it will solve the others' problems as well ;) ...
     
  5. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Re: RegRun Entries

    I have just downloaded RegRun Gold security Suite and came to the forum to see if there was any guidance on configuring before I installed and have just found this post.

    I know it will probably make more sense to me when I install the software but I would appreciate it if someone would explain if I can use this .txt (changed to whichever extension) when using the trial version or do I only use this when I have purchased? Thanks I have only discovered the suite and really do like its features.
     
  6. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Re: RegRun Entries

    Hi Robyn, you are getting Regrun and RegDefend mixed up, RegDefend is kernel based protection that can also monitor keys that Regrun checks through a text file provided by puff-m-d.

    Hope this helps...

    Cheers :D
     
  7. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Re: RegRun Entries

    Thanks Blackspear - I am really mixed up as I now see RegRun has RegGuard and not defend :oops: there are so many features in the suite I think I will take this one step by step to configure. Thankfully I will not be wondering if I have lost a bit now ;)
     
  8. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Re: RegRun Entries

    No worries Robyn, I'm sure someone will be able to walk you through it in another forum here at Wilders, or on the Regrun Forum.

    Cheers :D
     
  9. tlu

    tlu Guest

    Re: RegRun Entries

    A good overview of the autostart locations for the various Windows versions by the respected German computer magazine c't can be found on http://www.heise.de/security/artikel/print/49573 .

    I don't use RegDefend right now due to the problems mentioned in https://www.wilderssecurity.com/showthread.php?t=76033 , so I'm not sure if the registry entries in above article are completely covered in the default ghost file or in puff-m-d's file. Nevertheless, it may be a useful overview for some forum participants here.
     
  10. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Re: RegRun Entries

    I don't know if this is a stupid idea or not but I have regdefend set to monitor all keys in the entire registry

    it is set to alert on change keys or change values and normally the only time it pops up after I have allowed all the usual ones I want to always be able to change etc is when installing new software

    Am I doing something wrong or dangerous as it doesn't seem to affect my computer at all and I have had none of the problems experienced by other people with shutdowns or whatever hanging

    To my way of thinking, that will protect me against a lot more than specific keys

    Obviously though, you would need to be aware of what is adding to or altering keys and values to know what to allow or disallow
     
  11. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Re: RegRun Entries

    dvk01,
    Out of interest, how did you structure it and what rules did you put in there for the global matching ?
    Did you make one new group with each hive and a bunch of programs having APO's with global access across the registry ?

    NB: If discussion continues on this it could usefully be another thread so that other ppl can find it easily
     
  12. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Re: RegRun Entries

    well unless I have done something wrong all I did was make a new group and call it additional protection
    and then added the main 4 reg keys

    HKLM,HKCU, HK_classes root & Hkey_users and set to warn on modify reg keys or values

    I am assuming that by adding the main keys it automatically includes all subkeys in the groups
     
  13. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Re: RegRun Entries

    Interesting Cause I have been thinking on the same and I thought the alerts would drive me crazy lol...apparently not (only in the beginning) so that is something I'll definitely do, if everything turns out to be ok :D

    take care
     
  14. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Re: RegRun Entries

    Actually unless a key has a wildcard * at the end of it, only the immediate key will be "protected".

    So if you wanted to "protect" the whole registry you would add
    HKLM* with a value of *
    HKU* with a value of *

    etc

    By specifying only HKEY_LOCAL_MACHINE\ , it means any values in that key AND any direct key based actions (create a new subkey in HKLM\, modify a subkey, etc) will be alerted on.

    I might just mention, it isn't that great an idea to protect the whole registry, it can lead to issues with core processes which require access being blocked.
     
    Last edited: May 11, 2005
  15. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Re: RegRun Entries

    So that is why I only got alerts when something tried to create new keys then
     
  16. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands

    Attached Files:

  17. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Re: RegRun Entries

    Hmm. Just realized that a couple of those wild cards don't really make sense, but at least they won't hurt either... ;)
     
  18. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Re: RegRun Entries

    Thanks for the info.
     
  19. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Re: RegRun Entries

    You're very welcome. :)
     
  20. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Re: RegRun Entries

    In the first post, I have attached a new Ghost file. This file hopefully will fix any problems people may have been experiencing with multiple accounts and fast user switching. I have also added an entry that will detect for any changes in BHO's. Have fun and enjoy ;) ...
     
  21. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Re: RegRun Entries

    Working great. Thanks a lot!

    Rich
     
  22. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    Re: RegRun Entries

    Puff,

    Are there any other recommended settings to add to RD in order to get max protection of your registry besides the ones you posted?

    Thanks,

    Jag
     
  23. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Re: RegRun Entries

    Well the possibilities are endless, really...

    Personally, I'm not planning to protect myself against absolutely everything, but a couple of things come to mind:

    Here are a number of additional homepage/searchpage related keys and values that you could opt to have RD protect. Not all of them are there by default, and in that case they need to be added manually.

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
    "Default_Page_URL"
    "Local Page"
    "Start Page_bak"
    "HOMEOldSP"

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    "Default_Page_URL"
    "Local Page"
    "Start Page_bak"
    "HOMEOldSP"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
    "SearchAssistant"=
    "CustomizeSearch"=
    "Default_Search_URL"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
    "Default_Search_URL"
    "Search Page"

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
    "Search Page"
    "Search Bar"

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl] (key*)

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
    "Search Page"
    "Search Bar"
    "Use Custom Search URL"

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] (Key*/values)

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL] (Key* and values)


    There are also a large number of additional restrictions you could have RD protect you from being set. I'll see whether I can look into that later.


    And here again are the few additional items from my List of Startup Locations which I posted about before:

    hkey_current_user\software\microsoft\command processor* | * | Key + Value | Mod Key, Mod Value | Ask User

    hkey_local_machine\software\microsoft\command processor* | * | Key + Value | Mod Key, Mod Value | Ask User

    hkey_local_machine\software\microsoft\windows nt\currentversion\accessibility\utility manager* | * | Key + Value | Mod Key, Mod Value | Ask User

    hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options* | * | Key + Value | Mod Key, Mod Value | Ask User

    I especially recommend adding Image File Execution Options, as it's increasingly popular with the latest generation of spyware/malware

    But, as I say, the possibilities are truly endless, and I'm sure that others will have lots more to contribute...
     
    Last edited: May 29, 2005
  24. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Re: RegRun Entries

    Allrighty, here are a bunch of additional locations where restrictions can be set, and you may want to add these. As said before, many of those subkeys won't be there by default, so you'll need to add them manually.

    hkey_current_user\software\microsoft\windows\currentversion\policies\Network | * | Key + Value | Mod Key, Mod Value | Ask User
    hkey_current_user\software\microsoft\windows\currentversion\policies\ActiveDesktop | * | Value | Mod Key, Mod Value | Ask User
    hkey_current_user\software\microsoft\windows\currentversion\policies\WinOldApp | * | Key + Value | Mod Key, Mod Value | Ask User
    hkey_current_user\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions* | * | Key + Value | Mod Key, Mod Value | Ask User
    hkey_current_user\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions* | * | Key + Value | Mod Key, Mod Value | Ask User

    hkey_current_user\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall* | * | Key + Value | Mod Key, Mod Value | Ask User

    hkey_local_machine\software\microsoft\windows\currentversion\policies\Network | * | Key + Value | Mod Key, Mod Value | Ask User
    hkey_local_machine\software\microsoft\windows\currentversion\policies\ActiveDesktop | * | Value | Mod Key, Mod Value | Ask User
    hkey_local_machine\software\microsoft\windows\currentversion\policies\WinOldApp | * | Key + Value | Mod Key, Mod Value | Ask User
    hkey_local_machine\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions* | * | Key + Value | Mod Key, Mod Value | Ask User
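
Added example (not part of any post in this thread, and not RegDefend's own code): a small Python model of the pipe-separated entries TonyKlein lists and of the trailing-`*` coverage Jason_R0 describes, useful for checking which registry paths a rule list would actually watch. The field names and the `parse_entry` and `covers` helpers are hypothetical, and the matching logic is an assumption based only on the description in the thread.

```python
from fnmatch import fnmatchcase
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    key: str         # key pattern, lower-cased; trailing '*' means the whole subtree
    value: str       # value-name pattern, '*' means any value
    scope: str       # "Key + Value" or "Value"
    actions: tuple   # e.g. ("Mod Key", "Mod Value")
    response: str    # e.g. "Ask User"

def parse_entry(line: str) -> Rule:
    """Split one 'key | value | scope | actions | response' line into a Rule."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 5:
        raise ValueError(f"expected 5 fields, got {len(parts)}: {line!r}")
    key, value, scope, actions, response = parts
    return Rule(key.lower(), value.lower(), scope,
                tuple(a.strip() for a in actions.split(",")), response)

def covers(rule: Rule, key: str, value: Optional[str] = None) -> bool:
    """Model of the coverage described in the thread (an assumption, not vendor code).
    value=None is a key operation (create/modify `key`); otherwise a value change."""
    key = key.lower().rstrip("\\")
    pattern = rule.key.rstrip("\\")
    if pattern.endswith("*"):
        hit = key.startswith(pattern[:-1].rstrip("\\"))
    elif value is None:
        # No wildcard: the key itself and actions on its direct subkeys only.
        hit = key == pattern or key.rpartition("\\")[0] == pattern
    else:
        # No wildcard: only values stored directly in the named key.
        hit = key == pattern
    return hit and (value is None or fnmatchcase(value.lower(), rule.value))

# IFEO is an entry quoted in the thread; ROOT is constructed to mirror a rule
# placed on a bare hive root with no trailing '*'.
IFEO = parse_entry(r"hkey_local_machine\software\microsoft\windows nt\currentversion"
                   r"\image file execution options* | * | Key + Value | Mod Key, Mod Value | Ask User")
ROOT = parse_entry("hkey_local_machine | * | Key + Value | Mod Key, Mod Value | Ask User")

if __name__ == "__main__":
    run = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
    print(covers(ROOT, run, "updater"))                  # value change deep in the hive
    print(covers(ROOT, r"HKEY_LOCAL_MACHINE\NewKey"))    # direct subkey created
    print(covers(IFEO, IFEO.key[:-1] + r"\example.exe", "AnyValue"))
```

Under this model a rule on a hive root without `*` misses a value change several levels down but still sees a new direct subkey, which matches the alerts dvk01 reported.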
     
  25. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Re: RegRun Entries

    Tony, glad to see I had every one of your post 73 (covered by *)
    Don't know about the ones in post 74.

    Keep them coming though, I like plagiarising these as I don't really know anything about the registry except what makes sense when I see it :D
     