Two new keys that need protection...

Discussion in 'Ghost Security Suite (GSS)' started by Edlin, Aug 9, 2005.

Thread Status:
Not open for further replies.
  1. Edlin

    Edlin Registered Member

    Joined:
    Aug 5, 2005
    Posts:
    2
    Protecting the Winlogon\Notify Key

    I found an example of a program that injects a DLL into the Windows Logon process at:

    http://www.codeproject.com/system/winlogon_notification_package.asp

    This is currently being used by Adware programs. I know because it happened to me.

    RegDefend users should think about protecting the WinLogon\Notify key and I am sure, if anyone is interested, that the more seasoned and trusted experts here can describe how.

    David
     
  2. Edlin

    Protecting the ShellExtensions\Approved Key

    Here is a description of an Adware program that injects a DLL into the Windows Shell process at:

    http://www.smartcomputing.com/edito...es/2005/w1602/44w03.asp&ArticleID=25538&guid=

    This is currently being used by Adware programs. I know because it happened to me.

    RegDefend users should think about protecting the ShellExtensions\Approved key and I am sure, if anyone is interested, that the more seasoned and trusted experts here can describe how.

    David
     
  3. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi Edlin,

    Welcome to Wilders!!!

    I have merged your two threads into one as I think it will be easier if they are combined. I am looking at your posts and will respond shortly ;) ...
     
  4. puff-m-d

    Hi Edlin,

    The first key you reference is already included for protection in the current RegRun Ghost file:

    Entire post: Tested Ghost Groups .gst
     
  5. puff-m-d

    Hi Edlin,

    I have the second key you reference added in a new version of my ghost file (should enter beta testing stage shortly after RegDefend v2.0 is released). In the meanwhile, if anyone wants protection for this key, you can use the following information to add it to RegDefend:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Shell extensions\Approved* | * | Key + Value | Mod Key, Mod Value | Ask User

    HTH...
     
  6. puff-m-d

    Also, thanks to gottadoit, this key needs the following set in order for the "approved" to work:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\EnforceShellExtensionSecurity = dword:1
    Info found here...
    Without this policy, any shell extension can be executed....
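
An offline baseline check for the keys discussed in this thread, added here as an example and not posted by any participant or taken from RegDefend: it parses `.reg` export text and reports Approved CLSIDs and Winlogon\Notify packages outside a known-good baseline, plus a missing EnforceShellExtensionSecurity value. The sample export, the baseline sets and the full Notify path (which the thread does not spell out) are assumptions.

```python
import re

APPROVED = r"hkey_local_machine\software\microsoft\windows\currentversion\shell extensions\approved"
NOTIFY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify"
POLICY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer"

# Constructed sample export; the CLSIDs, package name and DLL path are made up.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{11111111-1111-1111-1111-111111111111}"="Known Extension"
"{99999999-9999-9999-9999-999999999999}"="Toolbar Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\examplepkg]
"DLLName"="C:\\WINDOWS\\system32\\examplepkg.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
'''

def parse_reg(text):
    """Parse .reg export text into {lowercased key path: {value name: data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)):
            name, data = m.groups()
            if data.startswith("dword:"):
                data = int(data[6:], 16)                     # REG_DWORD is written in hex
            elif data.startswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])   # undo \\ and \" escapes
            current[name] = data
    return keys

def audit(text, known_clsids, known_notify):
    """List entries outside the baseline and report a missing policy value."""
    keys, findings = parse_reg(text), []
    for clsid, label in keys.get(APPROVED, {}).items():
        if clsid.upper() not in known_clsids:        # baseline CLSIDs are upper-case
            findings.append(("new-approved-clsid", clsid, label))
    for key, values in keys.items():
        pkg = key[len(NOTIFY) + 1:]                  # package subkey, lower-case
        if key.startswith(NOTIFY + "\\") and "\\" not in pkg and pkg not in known_notify:
            dll = next((v for n, v in values.items() if n.lower() == "dllname"), "")
            findings.append(("new-notify-package", pkg, dll))
    if keys.get(POLICY, {}).get("EnforceShellExtensionSecurity") != 1:
        findings.append(("policy-not-enforced", "EnforceShellExtensionSecurity", ""))
    return findings
```

The HKEY_CURRENT_USER section of an export reflects only the account that produced it, so the policy check has to be repeated per user.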
     
  7. dog

    dog Guest

    Hi Kent,

    What are the ramifications of adding the shell extension policy? By adding the entry as it currently doesn't exist ... then doesn't the CLSID for the extension need to be approved before it can be added? If so, how does one achieve this?

    Also, I noticed that adding this key to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ the entry mirrors itself in one place under HKEY_USERS ... if there are multiple users on a PC ... is this a global condition? Don't the limitations of a limited account prevent this addition anyway? So is it safe to assume this would only affect admin-privileged accounts?

    TIA,

    Steve
     