Two new keys that need protection...

Protecting the Winlogon\Notify Key

I found an example of a program that injects a DLL into the Windows Logon process at:

http://www.codeproject.com/system/winlogon_notification_package.asp

This is currently being used by Adware programs. I know because it happened to me.

RegDefend users should think about protecting the WinLogon\Notify key and I am sure, if anyone is interested, that the more seasoned and trusted experts here can describe how.

David

 

Protecting the ShellExtensions\Approved Key

Here is a description of an Adware program that injects a DLL into the Windows Shell process at:

http://www.smartcomputing.com/edito...es/2005/w1602/44w03.asp&ArticleID=25538&guid=

This is currently being used by Adware programs. I know because it happened to me.

RegDefend users should think about protecting the ShellExtensions\Approved key and I am sure, if anyone is interested, that the more seasoned and trusted experts here can describe how.

David

 

Hi Edlin,

Welcome to Wilders!!!

I have merged your two threads into one as I think it will be easier if they are combined. I am looking at your posts and will respond shortly ...

 

Hi Edlin,

The first key you reference is already included for protection in the current RegRun Ghost file:

Entire post: Tested Ghost Groups .gst

 

Hi Edlin,

I have the second key you reference added in a new version of my ghost file (should enter beta testing stage shortly after RegDefend v2.0 is released). In the meanwhile, if anyone wants protection for this key, you can use the following information to add it to RegDefend:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Shell extensions\Approved* | * | Key + Value | Mod Key, Mod Value | Ask User

HTH...

 

Also, thanks to gottadoit, this key needs the following set in order for the "approved" to work:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\EnforceShellExtensionSecurity = dword:1
Info found here...
Without this policy, any shell extension can be executed....

 

Hi Kent,

What are the ramifications of adding the shell extension policy? By adding the entry as it currently doesn't exist ... then doesn't the CLSID for extension need to approved before it can be added? If so how does one achieve this?

Also I noticed that adding this key to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ the entry mirrors itself in one place under HKEY_USERS ... it there are multi-users on a PC ... is this a global condition? Don't the limitations of a limited account prevent this addition anyway? So is it safe assume this would only affect admin privileged accounts.

TIA,

Steve