Why does this happen

Discussion in 'ProcessGuard' started by jimmytop, Mar 14, 2005.

Thread Status:
Not open for further replies.
  1. jimmytop

    jimmytop Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    268
    Location:
    USA
    Today I logged into my admin account, opened up the PG gui and looked at the alerts. All of the alerts had a timestamp of when I logged into the admin account, but they had obviously happened earlier, since some of the stuff my wife only runs from her account and she wasn't around.

    Anyway, there were a ton of alerts about the following:
    "namewithheld.exe was blocked from creating a global keyboard hook"

    But when I go to the Protection tab and click on that item, it already is allowed to install global hooks. So why all the alerts?

    Could it be that my wife, who runs in a Limited User Account, was asked by PG to allow or deny the installation of global hooks? Could it be that the reason there are so many alerts is because she actually did Deny it since she probably didn't know what PG was asking her? But then she got tired of it and hit allow and remember and now that exe has the ability to allow global hooks?

    The app is trusted, so it's no biggie. But do you think that's what happened? Does a limited user get questioned if they want to allow an exe to install a global hook? I know they get execution alerts, but I didn't know they also get global hook alerts.

    Thanks.
     
  2. jimmytop

    jimmytop Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    268
    Location:
    USA
    Wait, I just realized that PG was in learning mode all day today. So it's been in learning mode when all this happened.

    So what's with all the alerts that say the exe was blocked from installing a global hook if it in fact wasn't blocked?

    When in learning mode, if an app wants to install a global hook is it given that option forever then?

    Thanks again
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    When in learning mode the program will be given any allows it requires. If you feel the need, you can simply untick install global hooks and you will be alerted each time the app thinks it needs hooks. Quite often, if you ignore the alert you will not notice any effects on the program that requires them; if you do notice strange or erratic behaviour, then simply enable global hooks for that app.
    Permit once, Permit Always, Block Once and Block Always can only be applied to executables on the Security list.

    HTH Pilli
     
  4. jimmytop

    jimmytop Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    268
    Location:
    USA
    Ok, that explains why it is allowed to install global hooks now. But then why did the log have all of those alerts saying it was blocked? I mean, there were at least twenty of them....
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Because the event has to happen for the allow to be added, an alert is created; it's a sort of chicken-and-egg situation :) Once you have run ProcessGuard for a while you will find that the alerts reduce to a very manageable level unless you are continuously changing programs.

    HTH Pilli
     
  6. jimmytop

    jimmytop Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    268
    Location:
    USA
    You misunderstand what I'm saying. There were at least 20 alerts for the SAME ITEM. For the item that I originally posted:

    "namewithheld.exe was blocked from creating a global keyboard hook"

    This exact message was in the alert log 20 or more times. The same executable, the same message. Why? When the executable attempts to install a global hook one time learning mode takes care of it. So why was it in the log over and over and over again?

    Once it's allowed, it shouldn't be blocked anymore. That should happen the first time it asks when it's in learning mode. But yet the log says it was blocked multiple times. This still doesn't make sense.
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    It is to do with the way that PG handles services, this was a security feature added to V3.
    I'm afraid I cannot give a detailed technical explanation for this behaviour, hopefully DCS can. :)

    Pilli
     
  8. jimmytop

    jimmytop Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    268
    Location:
    USA
    Oh ok. If it's normal then I won't obsess about it...lol. I can live without the technical details, I just wanted to be sure it was normal behavior.
    Thanks for your help!
     
  9. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    It could be that the process tries over and over to install the hook. I see similar behavior in some apps that want to read from other services I have protected from read. Some apps try and read from them once and get blocked, while others poll constantly and keep trying over and over. I've also seen similar behavior in some aggressive startup entries that I block with a separate registry protector app. Sometimes installation apps check to see if their startup entry got installed and try again if not allowed, and I literally get into a fight with the install program, blocking its attempts to install the entry over and over.

    It could be that the app in question is programmed to check and verify that the hook was installed and keeps trying over and over when it detects that it failed. Maybe ProcessGuard notices the multiple attempts and blocks them, but waits on only one prompt for your response.
     
  10. jimmytop

    jimmytop Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    268
    Location:
    USA
    That would make sense except remember that PG was in Learning Mode when all of this happened. In Learning Mode, the app need only attempt to install the hook one time and then it is given permission automatically. That's why I was surprised to see all the "blocked" alerts. But it sounds like that is expected behavior from PG....
     
  11. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    Oh, you're right. Maybe Learning Mode is a little... slow! ;)

    Might be by design. I have to admit I never use learning mode at all except for the initial install of PG several versions back so the machine would boot smoothly. I prefer to allow something once and see what it wants to do by what gets blocked, then I decide whether I want to allow those extra abilities to that process. If it works to my satisfaction without those abilities, it never gets what it wants.

    Being a minimalist of sorts I always subscribe to that "less is more" approach.
     
  12. jimmytop

    jimmytop Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    268
    Location:
    USA
    Trust me, I totally agree. Unfortunately, I have a multi-user machine so my wife and kids are using a limited user account. I can't be there to approve/disapprove things myself so I have had to leave it in learning mode a little longer to pick up the things they are running normally. I'm also diligently keeping an eye on the PG logs to make sure they aren't letting anything by maliciously. That's how I noticed all those blocked alerts.
     