How to protect Startup folder?

I'm wondering if RegDefend can prevent applications to be added to the Startup folder. If yes, what registry key should I add?

Although I have RD, I keep WinPatrol running in the background just to cover this Startup group which apparently is not covered by RD.

One more thing, does RD by default monitor the services group the way WinPatrol does?

 

regaurd is more powerfull then winpatrol becouse not like winpatrol that sniff the registry to check chanches every 30s regdefend monitor the registery all the time without sniffing and take mach less cpu and ram.

when you install regdefend you have by default "Auto Starts protecting Group".
try to turn off winpatrol and install application that whant to add startup run and regdefend will ask you if you what it or not.
try it !!!
enjoy the power ......

 

Here is a screenshot of the default Autostart group. As far as I know Winpatrol has only polling abilities whereas RD blocks any Reg changes before they occurr.
If you disable the RD groups and run RegTest does winpatrol stop test 2 from completing? If not then enable RD and test 2 will be defeated.

Regtest can be found here: http://www.ghostsecurity.com/index.php?page=regtest

 

No. It can't protect startup folders,it's designed specifically to protect the registry and nothing else

Give MJ Registry Watcher a try,it's works by polling the registry which strictly speaking is not as secure as Regdefend but it does monitor both folders and registry keys

http://www.jacobsm.com/mjsoft.htm

regards
Kaupp

 

Actually a combination of the two things would probably be your best bet

The registry contains keys that specify where the startup folders are so you wouldn't want something changing the startup directory

Equally well you don't want something adding entries to the directory so use MJRW to perform polling monitoring of directories and files
You can't argue with the price of MJRW after all...

 

One method of protecting startup folders, for those running XP Pro, is to use Software Restriction Policies. You can create path rules to startup folders, with wildcards, and set the security level to Disallowed.

Nick

 

I think my post was misunderstood. I was not saying that WinPatrol is better than RD. All I said is there is still one startup group not monitored by RD and that’s why I’m still running WinPatrol… not because it’s more powerful but just to cover the startup folders. It’s a waste of resources to run WinPatrol in the background just to protect that folder and that's why I’m asking is it possible to monitor the startup folders by RD.

I already tried Registry Watcher and did not like the GUI besides I want a real-time protection not just polling abilities.

Thanks Nick, that is a good idea to lock the startup folders. But what if there is a legitimate application trying to add something to that folder?

 

Hi UCI_Mech,

To the best of my understanding, ProcessGuard essentially guards the folder since no program that updates the folder can run without PG's permission. I understand that there may be a "hole", in that scripts can be executed by a browser which is why I also run WormGuard. Whether this is entirely sufficient to plug the hole, I do not know.

Of course, it would be nice if either RegDefend or ProcessGuard actually gave alerts when key folders are accessed - sort of a double safety measure - and maybe the authors of the software might consider this capability for future versions.

I am looking forward to reading other comments on this subject.

Rich

 

I use PG too, but let's say you run an application or script which is supposed to do a certain thing for you. When it asks for PG's permission, you will allow it because you ran the application yourself. So if that application was not authentic or it has unannounced bad tasks which include adding something to the startup folder, then neither PG nor RD protected you from this attack.

 

Hi UCI_MECH,

After you set up a path rule for the startup folder, then create a hash rule for the app you want to allow and set it to Unrestricted. Hash rules take precedence over path rules. Take a look here for more specific instructions: Software Restriction Policies for Windows XP Clients. Note that although the usual files (shortcuts, scripts, etc) can still be placed up in the startup folders, they cannot execute. Blocked executions will show up in the application event logs.

Nick

 

I understand what you are saying. It is interesting that it seems (from what I can tell) that the read-only attribute is ignored by Windows system programs. Probably so that it is easy for programmers to modify its contents.

Rich

 

Well, given that you as an user with administrative rights can easily over-write a read-only attribute any other applications will have the same previlage.

I do think that despite it's name, it's a big hole that Regdefend covers only registry startup keys, After all, we are not covering the registry for the sake of doing so, but rather to prevent startups.

As already mentioned PG is not the answer because PG filters on processes, not on specific attempts to create startup methods.

As you probably already know startup folders is not the only file/folder where startups can insert themselves, there are other files autoexec.bat etc..

PrevX is the answer in this case.

 

I am still using Mike Lins free apps http://www.mlin.net
I feel like it is a complement to the other ones I have. The ease just to uncheck an app and it will not autostart and check it again if I want has also been useful some times.

Maybe its not very secure - you tell me.

Best regards

 

This is a worthwhile tip, though it can be very inconvenient when it comes time to add/remove startup shortcuts.

Just FYI, you can use the following environment variable and path to point to the current user startup folder:

 

Sorry if someone said this above but, you should never use the startup FOLDER for launching programs at startup (in my opinion, I don't know why, but it's fine) and just set the security permission on the folder to "Everyone - Deny all"

(the path can be found in the post above mine)

 

Can one use both RegDefend and Startup Monitor without any issues? I too am not crazy about leaving the Startup folder unwatched...

 

if you protect yourself by denying acess to a folder, just be sure that this will alwais be the rigth folder


HKCU\Software\Microsoft\Windows\Currentversion\Explorer\Shell folders
>> Startup

HKCU\Software\Microsoft\Windows\Currentversion\Explorer\User shell folders
>> Startup


HKLM\Software\Microsoft\Windows\Currentversion\Explorer\Shell folders
>> Common Startup

HKLM\Software\Microsoft\Windows\Currentversion\Explorer\User shell folders
>> Common Startup

(it is already included in the regrun ghost file)

someone migth try to seth those path to nothing .. maybee it'll effectively disable those folder ?

 

Like this.

http://img43.imageshack.us/img43/4015/untitled4jm.jpg

Win2000: Naviage to %homedrive%%homepath%\Start Menu\Programs and right click on startup folder. Right click go to properties. Click security tab, Add or Edit the everyone name and set the permissions to Full controll:deny all.

Windows XP PRO: Go to Control Panel, Folder Options and click the view tab. Uncheck "Use Simple File Sharing (Recommended)" then follow the Win2000 steps.

Windows XP HOME: N/A. :[


http://support.microsoft.com/default.aspx?scid=kb;en-us;304040#XSLTH3125121124120121120120

 

Just FYI: The ACL of the Startup folder(s) can easily be changed back, invisibly and from the command line, using cacls.exe. (In other words, the security measure outlined above can be undone.) This could be done any time a member of the Administrators group is logged in, or using a privilege-escalation method, if any exists.

 

Also, I believe you can change the permissions on the Startup folder(s), under Windows XP Home, using cacls.exe. Not as nice as the GUI, but it actually works better in a lot of cases (since it lets you edit, rather than always replace, ACLs).

I vaguely remembering there being some workaround to get acess to the Security tab under Windows XP Home. Safe Mode? I can't remember...

 

There are several workarounds but the easiest is http://www.fajo.de/portal/index.php?lang=en&option=content&task=view&id=6&Itemid=0