Logon/Logoff Scripts

Discussion in 'Ghost Security Suite (GSS)' started by meargh, Dec 8, 2005.

Thread Status:
Not open for further replies.
  1. meargh

    meargh Guest

    These keys don't seem to be monitored by default by RegDefend:

    Code:
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts
    Code:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts
    I mention this with the suggestion that these keys should be included by default.
     
  2. meargh

    meargh Guest

    I should have given this thread a generic title. If the admins would enable my forum account again, I could change it. In any case, here is another one--this time a value--that isn't monitored by default:

    Value Default_Search_URL under this key:

    Code:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    The value mentioned above has been used by malware:

    http://www.google.com/search?q=Default_Search_URL
     
  3. meargh

    meargh Guest

    You should be very careful as to what software you let modify or add the following values:

    UpperFilters and LowerFilters under the following keys:

    Code:
    HKEY_LOCAL_MACHINE\System\*controlset*\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}
    Code:
    HKEY_LOCAL_MACHINE\System\*controlset*\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}
     
  4. meargh

    meargh Guest

    If you have AutoRun disabled, you will want to monitor it under this key:

    Code:
    HKEY_LOCAL_MACHINE\System\*controlset*\Services\Cdrom
     
  5. meargh

    meargh Guest

    I have a bunch more to add, but my posts aren't showing up. (Forum guest flood control?) Several of the ones I have to add aren't covered by default, and have been used by malware. Everyone can just figure it out on their own.

    Enable my account whenever, please...
     
  6. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    These keys are under 'Web Browser Protection' 'Default' rules; only certain values are monitored coz you get a heck of a lot of pop-ups watching the whole key.
     
  7. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    Meargh, you forgot some, and as you haven't mentioned it, I will. These are related to CD/DVD drives; if modified, they can disable your CD/DVD drives. There probably are more, and they probably differ slightly between drives/software.


    [HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}]

    [HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Class\{4D36E96F-E325-11CE-BFC1-08002BE10318}]

    [HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Class\{6BDD1FC5-810F-11D0-BEC7-08002BE2092F}]

    [HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
     
  8. meargh

    meargh Guest

    The Default_Search_URL value is not watched by default under HKCU, and it has been used by crapware. That is why I mentioned it. It doesn't seem like a value you'd get a lot of legitimate hits on.
     
  9. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    I'm not sure about ones like that :doubt:, for most users anyhow, coz a lot of anti-malware appz monitor that sort of thing, and they might conflict if something is added. I have added that sorta thing to RD and disabled anything else that polls the registry (I got sick of logs), plus RD's quicker ;). But for the 'average' user who might want to run both (use RD to monitor stuff the other appz don't), it's tricky to say whether or not they should be added by default.
     
  10. nameless1

    nameless1 Guest

    If you're going to watch Default_Search_URL under HKLM, you really ought to also watch it under HKCU. The two values do the same thing, except that the latter only applies to the current user. I can't imagine that there is any more penalty or risk in watching Default_Search_URL under HKCU than in watching it under HKLM.
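
Added example, not part of the original thread and not RegDefend's rule format: a Python sketch of the key-level versus value-level watching discussed in the posts above, run over constructed registry-write events. The rule layout, the function names and the `AutoRun` value name under `Services\Cdrom` are assumptions of this example; `*controlset*` is matched within a single path segment.

```python
import fnmatch

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
FILTERS = {"upperfilters", "lowerfilters"}
CLASS_GUIDS = ["{4d36e965-e325-11ce-bfc1-08002be10318}",
               "{4d36e967-e325-11ce-bfc1-08002be10318}"]
# Hypothetical rule layout: (key pattern, watched value names).
# None = whole key, subkeys included; a set = only those values in that key.
WATCHLIST = [
    (r"HKCU\Software\Policies\Microsoft\Windows\System\Scripts", None),
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts", None),
    (r"HKCU\Software\Microsoft\Internet Explorer\Main", {"default_search_url"}),
    (r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Main", {"default_search_url"}),
    (r"HKLM\System\*controlset*\Services\Cdrom", {"autorun"}),  # value name assumed
] + [(r"HKLM\System\*controlset*\Control\Class" + "\\" + g, FILTERS)
     for g in CLASS_GUIDS]

def split_path(path):
    """Split a registry path into lowercase segments, expanding HKLM/HKCU."""
    parts = path.strip("\\").split("\\")
    parts[0] = HIVES.get(parts[0].upper(), parts[0])
    return [p.lower() for p in parts]

def match_rule(key, value):
    """Return the first watchlist pattern covering this write, else None."""
    segs = split_path(key)
    for pattern, values in WATCHLIST:
        pat = split_path(pattern)
        # Wildcards apply per segment, so *controlset* cannot span a backslash.
        if len(segs) < len(pat) or not all(
                fnmatch.fnmatchcase(s, p) for s, p in zip(segs, pat)):
            continue
        if values is None or (len(segs) == len(pat) and value.lower() in values):
            return pattern
    return None

# Constructed sample events: (key written to, value name).
EVENTS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "Default_Search_URL"),
    (r"HKCU\Software\Microsoft\Internet Explorer\Main", "Window_Placement"),
    (r"HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}", "UpperFilters"),
    (r"HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon\0\0", "Script"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\Cdrom", "Start"),
]

def alerts(events):
    """Keep only the events that hit a rule."""
    return [(k, v) for k, v in events if match_rule(k, v)]
```

Value-level rules keep the noise down on busy keys such as `Internet Explorer\Main`, while the `Scripts` rules cover every subkey beneath them.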
     
  11. pasito

    pasito Registered Member

    Joined:
    Dec 8, 2005
    Posts:
    22
    You guys know how to protect Windows context handlers?
     
  12. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    Hi pasito, there are a few keys to watch:

    HKCR\*\OpenWithList
    HKCR\*\shellex\ContextMenuHandlers
    HKCR\Directory\Background\shellex\ContextMenuHandlers
    HKCR\Directory\shell
    HKCR\Directory\shellex\ContextMenuHandlers
    HKCR\Drive\shell
    HKCR\Drive\shellex\ContextMenuHandlers
    HKCR\Folder\shell
    HKCR\Folder\shellex\ContextMenuHandlers

    To enable\Disable for Current User
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer [Value]-NoViewContextMenu

    To enable\Disable for Local Machine
    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer [Value]-NoViewContextMenu

    [0=Disable/1=Enable]

    Not sure if that's all of them o_O (prob not), hope that helps :D
     