To poll or not to poll.....

Discussion in 'Ghost Security Suite (GSS)' started by Defenestration, Mar 10, 2005.

Thread Status:
Not open for further replies.
  1. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    When I came across RegDefend I was intrigued with the whole polling/hooking methods used by various registry protectors and did some experimenting. While nearly all other apps I tested used polling (TeaTimer, SpySweeper, MS Anti-Spyware), RegDefend and Ad-Watch used hooking techniques.

    I wasn't surprised about RD because that's the main selling point of it, but I was a bit surprised about Ad-Watch. The difference between RD and AW is that RD will alert before the change takes place, whereas AW alerts after the fact.
     
  2. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    So adwatch is hooking but only alerts after the change? That doesn't make much sense to me, if it was hooking it should always block before the change and alert to the user.
     
  3. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Jason,

    Ad-Aware's Ad-Watch does bring up an alert when a change takes place (I just re-tested it again with IE6) and it offers you an "accept" or "block". If you click on "Accept" the change, it then takes place. If you click on "Block", then the change will not take place of course. :)

    snap
     
  4. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    I have the feeling that adwatch would be using usermode hooking since it works on Win9x-XP, I'll have to verify that later though.
     
  5. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Ad-Watch's response to adding a value to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is pretty much instant, but only after RD prompts me to allow/deny. I isolated Ad-Watch with Regmon for a few minutes and did not see it polling.

    Nick
     
  6. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    The way I tested it was to use SysInternal's RegMon to check which apps were polling. Ad-Watch doesn't poll the registry, unless it manages to bypass RegMon's detection somehow.

    Also, from my experiments the change is definitely allowed by Ad-Watch. If you click Accept, it will leave the registry as is. If you click Block, the registry will be reverted to the previous state. However, the change does take place initially.

    I agree it's odd that it does not block the behaviour before the change occurs.

    The only time Ad-Watch will check all the keys it monitors is when it starts and when the protection is enabled.
     
  7. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    I'm pretty sure Ad-Watch is using the Win32 API function RegNotifyChangeKeyValue() to monitor changes.

    This method apparently has a weakness because it cannot detect changes caused by a call to RegRestoreKey(). I haven't checked this though.

    Can RegDefend detect changes caused by a call to RegRestoreKey()?
     
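The behaviour described in posts 6 and 7 (a watcher that sleeps on a change notification instead of polling, notices the change only after it has been written, and "blocks" by restoring the previous state) can be demonstrated with a small Python script. This is an added example, not code from any poster and not how Ad-Watch or RegDefend are implemented; the key path is the per-machine Run key mentioned in the thread, the function and variable names are mine, and the watch loop itself only runs on Windows because it calls RegNotifyChangeKeyValue via ctypes. The snapshot/diff/revert logic is platform-independent and is what shows why an after-the-fact monitor needs a baseline: without one it cannot tell what to put back.

```python
"""Notification-based registry watch with snapshot/diff (added example, not
from the thread). Only watch_run_key() needs Windows; the rest runs anywhere."""
import sys
from typing import Dict, List, Tuple

# Key discussed in the thread; hypothetical choice for this example.
RUN_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# A snapshot maps value name -> (data, REG_* type code). 1 == REG_SZ.
Snapshot = Dict[str, Tuple[object, int]]


def diff_snapshots(before: Snapshot, after: Snapshot):
    """Return (added, removed, changed) value names between two snapshots."""
    added = sorted(n for n in after if n not in before)
    removed = sorted(n for n in before if n not in after)
    changed = sorted(n for n in after if n in before and after[n] != before[n])
    return added, removed, changed


def revert_plan(before: Snapshot, after: Snapshot) -> List[Tuple]:
    """Operations that restore `before`, i.e. what an after-the-fact 'Block'
    has to do: delete values that appeared, re-set values that vanished or
    were modified. The change has already happened by the time we get here."""
    added, removed, changed = diff_snapshots(before, after)
    plan: List[Tuple] = [("delete", n) for n in added]
    plan += [("set", n, before[n][0], before[n][1]) for n in removed + changed]
    return plan


def read_values(key) -> Snapshot:
    """Enumerate every value under an open winreg key (Windows only)."""
    import winreg
    snap: Snapshot = {}
    i = 0
    while True:
        try:
            name, data, typ = winreg.EnumValue(key, i)   # raises OSError at end
        except OSError:
            break
        snap[name] = (data, typ)
        i += 1
    return snap


def watch_run_key(iterations: int = 1):
    """Windows only: take a baseline, block in RegNotifyChangeKeyValue until
    the key changes, then diff against the baseline. Returns one
    ((added, removed, changed), revert_plan) tuple per notification."""
    import ctypes
    import winreg
    from ctypes import wintypes

    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    advapi32.RegNotifyChangeKeyValue.argtypes = [
        wintypes.HKEY, wintypes.BOOL, wintypes.DWORD, wintypes.HANDLE, wintypes.BOOL]
    advapi32.RegNotifyChangeKeyValue.restype = wintypes.LONG
    REG_NOTIFY_CHANGE_NAME = 0x1       # subkey added or deleted
    REG_NOTIFY_CHANGE_LAST_SET = 0x4   # value added, deleted or modified

    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_SUBKEY, 0,
                         winreg.KEY_READ | winreg.KEY_NOTIFY)
    before = read_values(key)          # the baseline a reverting watcher needs
    reports = []
    for _ in range(iterations):
        # fAsynchronous=False: the call returns only after a change occurred.
        rc = advapi32.RegNotifyChangeKeyValue(
            key.handle, False,
            REG_NOTIFY_CHANGE_NAME | REG_NOTIFY_CHANGE_LAST_SET, None, False)
        if rc != 0:
            raise OSError(rc, "RegNotifyChangeKeyValue failed")
        after = read_values(key)       # the write is already in the registry
        reports.append((diff_snapshots(before, after), revert_plan(before, after)))
        before = after
    return reports


if __name__ == "__main__" and sys.platform == "win32":
    for (added, removed, changed), plan in watch_run_key():
        print("added:", added, "removed:", removed, "changed:", changed)
        print("to revert:", plan)
```

Running it on Windows and adding a value under the Run key shows the ordering the thread describes: the process sleeps with no polling traffic visible in a registry monitor, wakes once the value exists, and only then can compute what to undo. A hooking product that sits in the write path gets to decide before the write instead.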