Registry Guard Service

You're welcome

 

Registry Guard Service v1.5 Released (13 July 2017)
http://www.novirusthanks.org/products/registry-guard-service/

 

By default common startup entries or other important registry keys are protected.

But installed programs store its settings in registry keys which are not protected.
For example NoVirusThanks OS Armor is storing its settings in the following registry key:
"HKEY_LOCAL_MACHINE\SOFTWARE\NoVirusThanks\OSArmorDev"

Ticking/unticking options in OS Armor leads to a write to this registry key.
In the case of Processes with administrator rights, they can also change the settings of OS Armor. For example they can disable specific settings.
To add an additional protection layer, so that only OS Armor itself is able to modify settings:

Code:

File: Rules.DB
; NoVirusThanks OS Armor - Protection of the registry key
[%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\NoVirusThanks\OSArmorDev*] [%VAL%: *]

File: Exclusions.DB
; Only Executables of NoVirusThanks OS Armor can modify settings:
[%OPR%: WRITE_VALUE] [%EXE%: *:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmor*.exe] [%KEY%: *\SOFTWARE\NoVirusThanks\OSArmorDev*] [%VAL%: *]

 

Registry Guard Service v1.6 Released (20 September 2018)
http://www.novirusthanks.org/products/registry-guard-service/

 

@mood Is this free for personal use?

 

Companies and Businesses must buy a license subscription.
But it is free for personal use.

 

Thanks, I have used it. Was just wondering if anything had changed.

 

@mood Noob question. To update the service, can I simply stop the service, install over the stop and restart?

 

If you have not made any modifications to the configuration (Exclusions.DB, Rules.DB, etc.) then these files can simply be overwritten with the new ones.
But if there are own modifications, make sure to not simply overwrite these files.

The files uninstall.bat/install.bat can be used but stopping of the service, replacing old files with new files and starting of the service should be sufficient.

 

Nevertheless, I must have messed something up in my upgrade to v1.6, because started experiencing mysterious symptoms like bad installs, not being able to change DNS, etc. - in spite of (still) being set to 'Passive' in config.ini.

Uninstalled for now.

 

Confirmed.
There is something wrong with the Passive Mode.
Actions are correctly logged with "-=== Passive Mode ===-" but it is also blocking actions. After setting it to Passive Mode it should only log but never block.

Example:
Today i wanted to register a context menu, switched Registry Guard Service to Passive Mode but registering of the context menu was prevented and the utility (Detect It Easy) throw an error.

Code:

-=== Passive Mode ===-
Operation: Write Value
Process: [6320]C:\***\DIE\stuff\die.exe
Key: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\Detect It Easy\command
Value: (Default)
New Value Data: "C:\***\DIE\stuff\die.exe" "%1"
Rule: [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\Classes\exefile*] [%VAL%: *]

After stopping of Registry Guard Service the tool was able to correctly modify the registry and the contextmenu is also working.

 

Thanks for this, I think the issue seems to have crept in with v1.6?

I didn't think I had done anything wrong when updating to v1.6. I stopped the service, replaced old files with new files and started of the service as you mentioned in #85.

 

Yes, the issue was introduced with v1.6.
= Modifications of protected registry keys while in Passive Mode will simply be reverted.

After a downgrade to v1.5 i can see that protected registry keys can be modified and it is only logged
= Passive Mode is working as intended.

 

I wonder if I should be prepared for any problems with Windows Updates (or built-in update functionality in other common applications such as Microsoft Office) when using the default ruleset...

 

Here is a new test version:
https://downloads.novirusthanks.org/files/registry_guard_service_v1.7_test1.zip

*** Please do not share the download link, we will delete it when we'll release the official version ***

Here is what has changed:

+ Passive Logging now works as it should (nothing is blocked)
+ Config.ini options are now read in real-time (no need to restart the service)
+ Support saving of unicode strings when saving events to log file
+ Updated kernel-mode drivers both 32 and 64-bits
+ Various performance and logic improvements

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

@mood @paulderdash

Can you confirm me PassiveMode works fine for you on this new build?

 

Thanks @novirusthanks for another try at a new version.

Maybe this one will suit to expectations. The previous releases were a bit hit n miss for the 8.1 units tested on before.

 

I have tested it and PassiveMode works now

 

Thanks @novirusthanks, I am not currently using it but ...

thanks also to @mood for testing. Good to know!

 

Registry Guard Service v1.7 is now available on the website.
Changelog: #91