Witing to registry without being given permission

I'm a new user and was experimenting to get a feel for how RegDefend works. I exported a key from one of the RUN keys to use as a test. I found that if I disable the GUI and doubleclick the .reg file a dialog box (doesn't appear to have come from regdefend) appears indicating that the write attempt failed. However, if the GUI is enabled the .reg file successfully writes to the registery. Is this by design? I would have thought the write attempt would have been blocked in either case without having been given permission to write to the registry?

 

Re: Writing to registry without being given permission

Hmmm...have I asked an unanswerable question or just a dumb one?

 

Re: Writing to registry without being given permission

Would you mind uploading the REGFILE you are using so I can try it locally here? I have no problems in regards to what you have tried to do, ie I get correct alerts.

 

It would help if you could post the relevant RD log entries. RD can log without the GUI active. Close the GUI and repeat the first (blocked) attempt. Next, start the GUI and repeat the successful write. Go to the RD log tab, highlight the relevant entries and copy/paste them for review.

 

OK...here's the requested info...hope it helps

I first cleared the log and ran the "test" again. To reiterate, I exported one of the run keys as a test case. While the GUI was active, either minimized in the system tray or full sized, when I doubleclicked on the .reg file it "updated" the registry with nary a peep from regdefend. When I killed the GUI and then doubleclicked the .reg file again, up popped a message that said that the reg file could not be imported and that the data was not successfully written to the registry (or words to that effect).

There was one log entry resulting:

regedit.exe [828] was blocked from setting this value to C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE | 20:28:43 - 16 Aug 2005 | hkey_current_user\software\microsoft\windows\currentversion\run | remotecenter | c:\winnt\regedit.exe | AUTO STARTS


The contents of the .reg file was:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"="C:\\Program Files\\Creative\\MediaSource\\RemoteControl\\RCMan.EXE"

 

Hi,

I think this is due to an enhancement added in RegDefend 1.3 . If the GUI is active, it will compare the data that is already in the registry to what wants to be written, if it is EXACTLY the same RegDefend "fakes" a success so that the program thinks the write was successful, even though no write actually occured. In essence there is no difference between "allowing" the write and "faking" the write, since the same data will be contained in the registry. "Faking" it however is quicker and means there is one less registry modification.

When you shutdown the GUI, this "fake sucess" does not occur and instead the program reports an error now, because RegDefend is saying it didn't succeed. If you try deleting the value in the registry each time you do the test, I think you will see the behaviour you are after. Hope that helps.

 

That makes sense...thanks.