services.exe and rundll32.exe prompts at startup

Discussion in 'Ghost Security Suite (GSS)' started by gottadoit, Mar 19, 2005.

Thread Status:
Not open for further replies.
  1. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Just wanted to get a better understanding of why services.exe attempts to modify a registry key on startup, and similarly for rundll32.

    The alert I see is below
    Code:
     services.exe [PID] tried to modify the following registry KEY
       This registry item is in the AUTO STARTS Registry Group
     Process: c:\windows\system32\services.exe
     Registry Key:  HKEY_LOCAL_MACHINE\system\controlset003\services
     Registry Value: 
     []  Always perform the following action with this application
     [ALLOW]    [BLOCK]
    - Is this an action that services.exe does by itself, or something that it is doing on behalf of another process?
    - What specific action is happening?

    NB: It seems to me that I get this alert when applications try to load a driver...


    Similarly for rundll32.exe I get a startup prompt

    The second alert I see is below
    Code:
     rundll32.exe [PID] tried to modify the following registry VALUE
       with this data
       This registry item is in the AUTO STARTS Registry Group
     Process: c:\windows\system32\rundll32.exe
     Registry Key:  HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex
     Registry Value: flags
     []  Always perform the following action with this application
     [ALLOW]    [BLOCK]
    and also
    Code:
     rundll32.exe [PID] tried to modify the following registry VALUE
       with this data
       This registry item is in the AUTO STARTS Registry Group
     Process: c:\windows\system32\rundll32.exe
     Registry Key:  HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex
     Registry Value: title
     []  Always perform the following action with this application
     [ALLOW]    [BLOCK]
    - What is the "with this data" referring to? (And yes, I have typed in everything in the alert box.)
    - Is this a good/bad/indifferent thing to always allow?
    - As discussed in the PG thread about the same thing, just knowing that it is rundll32 is fairly useless without the command line parameters, and in general applying generic permissions is not particularly secure.

    The meaning of the runonceex key is in MS KB 310593 and there is a decent explanation of how to use it here and here (ie: I'm not asking for what it is or what the key is used for ;-) One of these links makes reference to flags but doesn't say what it is; presumably this is a harmless alert given that it isn't adding new executables to run on startup...

    Does anyone have any ideas/explanations for either? I'm not overly worried about either alert; it's just one of those things that would be good to have an explanation for (might as well keep learning).

    Thanks
     
  2. gottadoit

    gottadoit Security Expert

    Jason,
    Any comments?
     
  3. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    The first alert was possibly services.exe trying to create a registry key in there when a service/driver was installed. Yes, the same issues regarding "processx.exe is the one trying to install it but services.exe is DOING it" apply as for PG.

    In the second and third alerts when it says "tried to modify with this data" and there is nothing after "data" it means it was basically setting that string to "nothing".

    I think when it comes to these processes which can do "some" registry based work for others, all it takes is a little common sense. You must remember that the work they can do is very limited, and that if you get one of these alerts "out of the blue" then it should be something you look into first. If on the other hand it occurs through a direct action you have taken (installing a new application, etc.), then if you trust that application you should allow it, but probably not "always".
     
  4. gottadoit

    gottadoit Security Expert

    Jason,
    Thanks for the reply. IMO it would be beneficial to represent an empty value with something better than just nothing on the screen.

    How about showing the type of the entry and a value? That at least would always give you something to visually anchor against when looking at the alert box.

    Hopefully the identification of the process using services.exe is slated for a future version; the same goes for better identification of rundll32 with its many possible command lines.
     
  5. Jason_R0

    Jason_R0 Developer

    I have updated the "Ask User" screen to show the contents of the registry item "currently" and the proposed change, this includes setting the value (with type information) as well as the type of modification, setting, delete, etc.

    Unfortunately, working out which process is using services.exe to install a driver/service (which ends up with services.exe performing some registry based work to install the driver/service) isn't exactly something which can be done in a reliable fashion. It's a different vector to "stop" other processes from using services.exe to install a driver/service than it is to show that services.exe is performing registry operations based on that process. You could of course make a "leap" and estimate at the point where you know a process is going off to services.exe to install a driver/service, but it isn't exactly accurate (ie does services.exe always perform registry operations when a process communicates with services.exe? No).
     
  6. gottadoit

    gottadoit Security Expert

    Jason,
    Is there anything that you could determine reliably?
    Something like the driver name (and location), for example?

    There is always more than one way to crack a nut....

    Thanks
     