UI suggestion and how does RD handle different paths to the same key?

Discussion in 'Ghost Security Suite (GSS)' started by gottadoit, Apr 10, 2005.

Thread Status:
Not open for further replies.
  1. gottadoit

    gottadoit Security Expert

    Joined: Jul 12, 2004 | Posts: 601 | Location: Australia
    Jason,
    Given that you mentioned that RD will stop at the first rule in the first group that matches, I was wondering if it was relevant that certain keys have more than one access path (HKCU mapping back into HKU, HKCR being under HKLM, etc.)

    For a concrete example, the 2 paths below are the same and seeing as I was adding this key in to be monitored (thought I'd try the existing user interface at least once...)
    I was wondering which rule would match or if the fact that they are the same key means that the first one would always match...
    Code:
    HKEY_CLASSES_ROOT\exefile\shell\open\command\	*ALL VALUES*
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\   *ALL VALUES*
    And that leads to the next enhancement request:
    flag entries that cannot be reached with the current configuration in red
    show any groups with non-effective rules in red as well to highlight this

    This would flag synonyms to the same path so that unintentional double-ups are not confusing
    This would also cover entries that appear in more than one group
    Seeing as this could be done at group load time (and key add/change time) there wouldn't be any additional runtime overhead during normal operations

    It might also be useful to flag the entries in each group with some sort of number so that entries in the log window could be associated back to the group and rule that triggered the log entry
    I haven't ever seen anything appear in my "LOG" window so I'm hoping that this information isn't already there...
     
  2. Jason_R0

    Jason_R0 Developer

    Joined: Feb 16, 2005 | Posts: 1,038 | Location: Australia
    To know about these sorts of "double ups" you need to understand sort of how the registry is constructed. HKEY_CLASSES_ROOT comprises a mixing of the HKLM\software\classes and HKCU\software\classes, so if you added a HKEY_CLASSES_ROOT key, both the HKLM and HKCU would be "covered" whilst if you added just the HKCU, it would only monitor the HKCU part. I hope that makes sense. :)
     
  3. gottadoit

    gottadoit Security Expert

    Joined: Jul 12, 2004 | Posts: 601 | Location: Australia
    Jason,
    To make sure I understood your answer properly, you are saying that the example will match on the first entry because they are the same key.

    It would be good to make a visible change to the tray icon as well if some entries are being ignored due to overlaps, that would be a quick way of highlighting that something had changed and that the configuration isn't ideal....
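
The overlap check requested in this thread, sketched as an added example (not Ghost Security Suite code and not written by any poster): it resolves each rule path to the underlying keys it covers, using the HKCR and HKCU aliasing described above, and reports rules that an earlier rule already matches. The rule model (one exact key per rule, first match wins), the `SID` placeholder and the group names are assumptions.

```python
# Added example, not Ghost Security Suite code. Rule model is an assumption:
# a rule names one exact key, and the first matching rule wins.
SID = "<current-user-sid>"  # placeholder for the logged-on user's SID
ROOTS = {"HKCR": "HKEY_CLASSES_ROOT", "HKLM": "HKEY_LOCAL_MACHINE",
         "HKCU": "HKEY_CURRENT_USER", "HKU": "HKEY_USERS"}

def coverage(path):
    """Map a rule path to the set of underlying keys it covers."""
    parts = [p for p in path.strip().split("\\") if p]
    root = ROOTS.get(parts[0].upper(), parts[0].upper())
    rest = tuple(p.lower() for p in parts[1:])
    if root == "HKEY_CLASSES_ROOT":  # merged view of machine and user classes
        return frozenset({("hklm", "software", "classes") + rest,
                          ("hku", SID, "software", "classes") + rest})
    if root == "HKEY_CURRENT_USER":  # alias into HKU
        return frozenset({("hku", SID) + rest})
    if root == "HKEY_LOCAL_MACHINE":
        return frozenset({("hklm",) + rest})
    if root == "HKEY_USERS":
        return frozenset({("hku",) + rest})
    raise ValueError("unknown root: " + parts[0])

def find_shadowed(groups):
    """Return (group, rule number, status, earlier rules that match first)."""
    claimed, report = {}, []
    for group, rules in groups:
        for number, path in enumerate(rules, 1):
            keys = coverage(path)
            owners = sorted({claimed[k] for k in keys if k in claimed})
            if not owners:
                status = "effective"
            elif all(k in claimed for k in keys):
                status = "unreachable"  # the entry that would be shown in red
            else:
                status = "partial"      # some covered keys are still unclaimed
            for k in keys:
                claimed.setdefault(k, (group, number))
            report.append((group, number, status, owners))
    return report

# Constructed sample configuration; group names are made up.
CMD = "\\exefile\\shell\\open\\command\\"
SAMPLE_GROUPS = [
    ("Group A", ["HKEY_CLASSES_ROOT" + CMD,
                 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes" + CMD]),
    ("Group B", ["HKCU\\Software\\Classes" + CMD]),
]

if __name__ == "__main__":
    for row in find_shadowed(SAMPLE_GROUPS):
        print(row)
```

The per-group rule numbers in the report are also what a log entry would need to carry to be traced back to the rule that fired.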
     