Writing to registry without being given permission

Discussion in 'Ghost Security Suite (GSS)' started by xwray, Aug 13, 2005.

Thread Status:
Not open for further replies.
  1. xwray

    xwray Guest

    I'm a new user and was experimenting to get a feel for how RegDefend works. I exported a key from one of the RUN keys to use as a test. I found that if I disable the GUI and double-click the .reg file, a dialog box (doesn't appear to have come from RegDefend) appears indicating that the write attempt failed. However, if the GUI is enabled, the .reg file successfully writes to the registry. Is this by design? I would have thought the write attempt would have been blocked in either case without having been given permission to write to the registry?
     
  2. xwray

    xwray Guest

    Re: Writing to registry without being given permission

    Hmmm...have I asked an unanswerable question or just a dumb one?
     
  3. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Re: Writing to registry without being given permission

    Would you mind uploading the REGFILE you are using so I can try it locally here? I have no problems in regards to what you have tried to do, i.e. I get correct alerts.
     
  4. passing thru

    passing thru Guest

    It would help if you could post the relevant RD log entries. RD can log without the GUI active. Close the GUI and repeat the first (blocked) attempt. Next, start the GUI and repeat the successful write. Go to the RD log tab, highlight the relevant entries and copy/paste them for review.
     
  5. xwray

    xwray Guest

    OK...here's the requested info...hope it helps

    I first cleared the log and ran the "test" again. To reiterate, I exported one of the run keys as a test case. While the GUI was active, either minimized in the system tray or full sized, when I double-clicked on the .reg file it "updated" the registry with nary a peep from RegDefend. When I killed the GUI and then double-clicked the .reg file again, up popped a message that said that the reg file could not be imported and that the data was not successfully written to the registry (or words to that effect).

    There was one log entry resulting:

    regedit.exe [828] was blocked from setting this value to C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE | 20:28:43 - 16 Aug 2005 | hkey_current_user\software\microsoft\windows\currentversion\run | remotecenter | c:\winnt\regedit.exe | AUTO STARTS


    The contents of the .reg file were:

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "RemoteCenter"="C:\\Program Files\\Creative\\MediaSource\\RemoteControl\\RCMan.EXE"
     
  6. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Hi,

    I think this is due to an enhancement added in RegDefend 1.3. If the GUI is active, it will compare the data that is already in the registry to what wants to be written; if it is EXACTLY the same, RegDefend "fakes" a success so that the program thinks the write was successful, even though no write actually occurred. In essence, there is no difference between "allowing" the write and "faking" the write, since the same data will be contained in the registry. "Faking" it, however, is quicker and means there is one less registry modification.

    When you shut down the GUI, this "fake success" does not occur and instead the program reports an error now, because RegDefend is saying it didn't succeed. If you try deleting the value in the registry each time you do the test, I think you will see the behaviour you are after. Hope that helps.
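    As an added example (not code from this thread, from GSS or from RegDefend), the decision rule Jason_R0 describes above, simulated in Python against the .reg file xwray posted. It reproduces the three outcomes discussed: GUI active with identical data gives a faked success and no write, GUI closed gives a blocked write and a log entry in the format quoted above, and deleting the value first makes the import reach the alert path. The in-memory dict standing in for HKCU, the function names and the user-prompt callback are assumptions made for the illustration.

```python
"""Simulation of the write arbitration Jason_R0 describes.

Added example, not code from Ghost Security Suite or RegDefend. The
decision rules are taken from the post above; the in-memory "registry"
dict, the function names and the user-prompt callback are assumptions
made for the illustration.
"""
import re

# Constructed sample input: the .reg file xwray posted, copied verbatim.
REG_FILE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"="C:\\Program Files\\Creative\\MediaSource\\RemoteControl\\RCMan.EXE"
'''

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg string syntax: a backslash escapes the next character (\\ and \").
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Parse the subset of .reg syntax used here: [key] headers and
    "name"="string" values. Returns (key, name, data) tuples with the
    key lower-cased, as it appears in the RD log line."""
    writes = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = _VALUE_LINE.match(line)
        if m and key is not None:
            writes.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return writes


def arbitrate(registry, key, name, data, gui_active, user_allows=None):
    """Decide one value write the way the post describes.

    registry: dict {(key_lower, name_lower): data} standing in for the hive.
    Returns one of:
      'faked'   GUI active and the existing data is exactly the requested
                data: success is reported but nothing is written.
      'allowed' GUI active, data differs, user answered the alert with allow.
      'blocked' data differs and the alert was denied, or the GUI is not
                running, in which case no fake success and no prompt happen
                and the caller (regedit) sees a failed write.
    """
    slot = (key.lower(), name.lower())
    if not gui_active:
        return "blocked"
    if registry.get(slot) == data:
        return "faked"
    if user_allows is not None and user_allows(key, name, data):
        registry[slot] = data
        return "allowed"
    return "blocked"


def import_reg(registry, text, gui_active, user_allows=None):
    """Push every value in a .reg file through arbitrate()."""
    return [(name, arbitrate(registry, key, name, data, gui_active, user_allows))
            for key, name, data in parse_reg(text)]


def block_log_entry(process, pid, data, when, key, name, image, rule):
    """Format a denial in the same field order as the RD log line quoted
    in the thread (key and value name are lower-cased there)."""
    return (f"{process} [{pid}] was blocked from setting this value to {data}"
            f" | {when} | {key.lower()} | {name.lower()} | {image} | {rule}")


if __name__ == "__main__":
    run_key = r"hkey_current_user\software\microsoft\windows\currentversion\run"
    rcman = r"C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE"

    # Case 1: the value already exists (xwray exported it from a live key).
    reg = {(run_key, "remotecenter"): rcman}
    print("GUI up, identical data:  ", import_reg(reg, REG_FILE, gui_active=True))
    print("GUI down, identical data:", import_reg(reg, REG_FILE, gui_active=False))
    print(block_log_entry("regedit.exe", 828, rcman, "20:28:43 - 16 Aug 2005",
                          run_key, "RemoteCenter", r"c:\winnt\regedit.exe", "AUTO STARTS"))

    # Case 2: delete the value first, as Jason_R0 suggests; now an alert fires.
    reg = {}
    print("GUI up, value absent, user denies:",
          import_reg(reg, REG_FILE, gui_active=True, user_allows=lambda *a: False))
```

    The point the simulation makes explicit: with the GUI up, an identical write never reaches the alert path at all, so a test that re-imports data already present in the key cannot tell "allowed" from "faked"; only a write that changes something exercises the prompt.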
     
  7. xwray

    xwray Guest

    That makes sense...thanks.
     