Glenn8D

How to Block/Notify of Registry RUN areas changes?


I am looking for a way to at least be notified when an app/prog modifies the Windows registry, specifically the ~15 startup/auto-run areas of the registry.
Hoping Malwarebytes Premium has an option to do this.
Yes, many tools show you what is ALREADY in Run areas on Startup/Logon, but none that notify or block entry into those registry areas BEFORE or when they are created/modified. Tools such as Sysinternals Suite's Autoruns and CCleaner (both recommended) show current RUN items, but do not block or notify.
This should be Windows' innate ability: notify or block reg modifications.
Yes, I have Windows UAC set to max, but it only notifies of an app/prog wanting to run, and once given permission it doesn't monitor the allowed app/prog's other activities, including and specifically adding/modifying autorun reg areas:

Startup (user) - the current user's Startup folder in the Start Menu.
Startup (common) - the common (all users) Startup folder in the Start Menu.
HKLM / Run - the Run registry key located in HKEY_LOCAL_MACHINE. These apply for all users.
HKCU / Run - the Run registry key located in HKEY_CURRENT_USER. These apply for the current user only.
HKLM / RunOnce
HKLM / RunOnceEx
HKCU / RunOnce
HKCU / Windows NT\CurrentVersion\Windows\Run
HKCU / Windows NT\CurrentVersion\Windows\Load
HKLM / Policies\Explorer\Run
HKCU / Policies\Explorer\Run
HKCU / Control Panel\Desktop
HKLM / Active Setup\Installed Components\ (ActiveX)
HKLM / Windows NT\CurrentVersion\Winlogon
HKLM / CurrentVersion\ShellServiceObjectDelayLoad
Added Service; usually run by SvcHost.exe (owner process)

Thanks for your time and consideration.
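The "notify" half of what the post asks for can be done with a short script rather than a third-party suite. The following is an added example, not code from the thread or from Malwarebytes: a PowerShell monitor that snapshots the run locations listed above (expanded to their full key paths, which is an assumed mapping to the well-known keys; the WOW6432Node Run key is added because 32-bit installers on 64-bit Windows write there) plus both Startup folders, then polls and reports every added, changed or removed entry. The `$IntervalSeconds` and `$BaselinePath` parameters are assumptions; reading these keys needs no elevation, but HKCU is only the hive of the user running the script.

```powershell
# Added example (not from the thread): polling monitor for Windows autorun locations.
# Runs in Windows PowerShell 5.1 or PowerShell 7. It notifies; it cannot block.
param(
    [int]$IntervalSeconds = 10,                                        # assumed polling interval
    [string]$BaselinePath = "$env:LOCALAPPDATA\autorun-baseline.xml"  # assumed baseline location
)

# Locations from the post, expanded to full key paths (assumed mapping to the
# well-known keys). RunOnceEx and Active Setup keep entries in subkeys, so one
# level of subkeys is read as well.
$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',   # holds the Run and Load values
    'HKCU:\Control Panel\Desktop'                                    # e.g. SCRNSAVE.EXE
)
$StartupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

# Build a flat table: "<key> :: <value name>" -> data, plus one entry per Startup file.
function Get-AutorunSnapshot {
    $snap = @{}
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $targets = @(Get-Item -LiteralPath $key) + @(Get-ChildItem -LiteralPath $key -ErrorAction SilentlyContinue)
        foreach ($k in $targets) {
            foreach ($name in $k.GetValueNames()) {
                # Read raw data so %VAR% strings are compared as written, not expanded.
                $data  = $k.GetValue($name, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                $label = if ($name) { $name } else { '(Default)' }
                $snap["$($k.Name) :: $label"] = [string]$data
            }
        }
    }
    foreach ($folder in $StartupFolders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        foreach ($f in Get-ChildItem -LiteralPath $folder -File -Force) {
            $snap[$f.FullName] = "$($f.Length) bytes, modified $($f.LastWriteTimeUtc.ToString('o'))"
        }
    }
    return $snap
}

# Diff two snapshots; case-sensitive so a changed path casing is still reported.
function Compare-AutorunSnapshot {
    param([hashtable]$Baseline, [hashtable]$Current)
    $changes = New-Object System.Collections.Generic.List[string]
    foreach ($k in $Current.Keys) {
        if (-not $Baseline.ContainsKey($k))       { $changes.Add("ADDED    $k = $($Current[$k])") }
        elseif ($Baseline[$k] -cne $Current[$k])  { $changes.Add("CHANGED  $k : '$($Baseline[$k])' -> '$($Current[$k])'") }
    }
    foreach ($k in $Baseline.Keys) {
        if (-not $Current.ContainsKey($k))        { $changes.Add("REMOVED  $k (was $($Baseline[$k]))") }
    }
    return ,$changes
}

# First run records the current state as the baseline; later runs compare against it.
if (Test-Path -LiteralPath $BaselinePath) {
    $baseline = Import-Clixml -LiteralPath $BaselinePath
} else {
    $baseline = Get-AutorunSnapshot
    $baseline | Export-Clixml -LiteralPath $BaselinePath
    Write-Host "Baseline written with $($baseline.Count) entries to $BaselinePath"
}

Write-Host "Watching $($AutorunKeys.Count) keys and $($StartupFolders.Count) folders every $IntervalSeconds s (Ctrl+C to stop)"
while ($true) {
    Start-Sleep -Seconds $IntervalSeconds
    $current = Get-AutorunSnapshot
    $changes = Compare-AutorunSnapshot -Baseline $baseline -Current $current
    foreach ($c in $changes) { Write-Warning "$(Get-Date -Format 'u') $c" }
    if ($changes.Count -gt 0) {
        # Accept the new state so each change is reported once, and persist it.
        $baseline = $current
        $baseline | Export-Clixml -LiteralPath $BaselinePath
    }
}
```

Save it as a .ps1 and leave it running in a console (or register it as a logon task) while installing software; anything an installer drops into a Run key or Startup folder shows up as an ADDED line within one polling interval. Two caveats match the thread's later discussion: this only reports after the fact, so blocking still needs a HIPS or similar, and the `Control Panel\Desktop` and `Winlogon` keys carry non-autorun values too, so expect some noise from those until you trim the list to the values you care about.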


Greetings and welcome :)

There are several tools available, and depending on whether or not you want any additional features, there are some more robust options as well, such as HIPS and software firewalls that include this functionality. I found a good discussion at Wilders, which is a trusted resource for good info and discussions on various security tools and applications. They discuss many prominent and lesser-known programs that provide this functionality.

As for personal recommendations, I used to use TeaTimer which, at least up to version 1.6.2, was built into Spybot Search & Destroy and was free. This version is still available on the Safer-Networking site, and I believe (still checking) TeaTimer may also be included in the free version of Spybot 2.0, however it isn't active by default. I'm looking into it to see what the status is (downloading as we speak). I do know that TeaTimer in 1.6 did work at least in Vista x64; however, I haven't tested it on Windows 7 or newer operating systems, so I don't know if that version will actually work on your system or not, but it most likely will. If not, then 2.0 certainly will, so it just depends on whether or not they actually include TeaTimer as a free component and if it still works the same as it did in older versions (many users found the startup monitor too "chatty" and annoying because of all the notifications whenever a new startup item was created, modified or deleted, though some such as myself (and you, obviously, since that's what you're seeking) actually liked it just fine).

You can find more info on Spybot Search & Destroy here including info and download links for both the older free 1.6 build and the newer 2.0 "Home" edition.

There's also WinPatrol, however it only works as a startup manager after the fact unless you purchase a license for the Plus version, though the Plus version likely does offer all of the functionality you desire if you're willing to pay for it.

You can find more info on WinPatrol here along with download links.


Wow, thanks for all the advice. So Malwarebytes doesn't have such a feature. :(

I have to install another ~active security suite, and we know that is not recommended, as they tend to fight for the right to party on the same dance floor at the same time!

Maybe a single focused app like TeaTimer, or if all of Spybot S&M :P except reg watch can be disabled, then I'll add it.

Thanks again.

9 minutes ago, bmfarukzaman said:

Awesome post. I get some good information from your content. I have followed your guide about the "Jacking" method and it's been working out well. Need to try out the other methods mentioned in this post. I have read/heard about them before elsewhere but never put together like this on how to do it step-by-step.

HUH? Is this a mis-post that should be aimed at another post?

2 hours ago, Glenn8D said:

Wow, thanks for all the advice. So Malwarebytes doesn't have such a feature. :(

I have to install another ~active security suite, and we know that is not recommended, as they tend to fight for the right to party on the same dance floor at the same time!

Maybe a single focused app like TeaTimer, or if all of Spybot S&M :P except reg watch can be disabled, then I'll add it.

Thanks again.

Correct, Malwarebytes doesn't have such a feature, the closest they've got is the somewhat dated StartupLite which is more of a tweaking tool than anything else.  It uses a database of known startup items which are safe to disable and turns them off to improve performance, but it hasn't been updated in a long time and doesn't include any realtime monitoring capabilities.

Generally Malwarebytes gets along with most other tools and suites out there, so regardless of what option you decide on, it should run side-by-side with Malwarebytes in real-time without any issues.

TeaTimer probably is your best bet. I don't know if it covers all of the loading points you mentioned, but I do know it covers all the major ones such as the RUN keys in the registry as well as the STARTUP folders in the START menu. I used it for a long time until they came out with their Spybot 2.0 version that included antivirus and all that. I checked, by the way, and 2.0 in fact does not include TeaTimer, so the older version 1.6.2 is the one you'd need to install. The good news is 1.6.2 is just an on-demand scanner, so you can run TeaTimer all by itself without having to have any other active components from Spybot. WinPatrol, as far as I know, is similar to TeaTimer in that it's focused on startups, but it includes additional options: I believe it also includes a database of known bad and known good startups, a startup manager similar to Autoruns, and the ability to manipulate when items launch on boot, similar to Startup Delayer.

One more thing you should be aware of is that not all malware uses these more standard startup locations these days and many threats are quite clever in getting around tools like HIPS etc. so it's not a 100% bullet-proof mechanism for stopping malware from installing itself to start on boot, even if it did cover all of the locations you mentioned.  The bad guys are pretty sneaky these days unfortunately and they've got a lot of tricks to get into systems and infect them, so having additional layers is always a good idea, which is why I'm glad you are throwing Malwarebytes into the mix.  It has something like 6 layers of protection which each target different phases of the attack chain, so adding that to something like TeaTimer should definitely prove to be quite robust.

Edited by exile360

8 hours ago, Glenn8D said:

HUH? Is this a mis-post that should be aimed at another post?

He was a spam bot or spammer.  I found the exact same user name on several SEO forums (a dead giveaway, especially for "sleeper" spammer accounts that make semi-legit appearing posts at first, but later return to insert spammy links into their posts for the purposes of SEO).

I flagged him as a spammer which removed his posts and disabled his account.  I despise spam.

Anyway, if there's anything else I might assist you with, please let me know.  We're always glad to help out when we can.
