Windows Registry Keys Hardening

I have developed a test protected anti-malware service based on an ELAM driver, but the registry keys are still deletable from the graphical registry editor interface.
However, as I see it, the registry keys for Windows Defender are not deletable, and they give an error message “Cannot delete defender. Error while deleting key”.
I need to know what the valid way is to implement a similar protection for the registry key entries of my service. Does this have anything to do with inserting NULL characters in the registry key/values?

They most likely have a registry callback that blocks the operation:

https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nc-wdm-ex_callback_function

-scott
OSR
@OSRDrivers

xxxxx@gmail.com wrote:

> I have developed a test protected anti-malware service based on an ELAM driver, but the registry keys are still deletable from the graphical registry editor interface.
> However, as I see it, the registry keys for Windows Defender are not deletable, and they give an error message “Cannot delete defender. Error while deleting key”.
> I need to know what the valid way is to implement a similar protection for the registry key entries of my service. Does this have anything to do with inserting NULL characters in the registry key/values?

They probably just had the key be owned by LOCAL_SYSTEM and set the DACLs to prohibit access by all other users, similar to the way the Properties keys are handled in the Enum branch.

Such keys can still be tweaked, if you know the magic spell to launch regedit as LOCAL_SYSTEM, but that’s a guru-level operation.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

What about SeBackupPrivilege and SeRestorePrivilege? Well, you would probably need a registry editor able to enable them for itself; however, they should allow you to access every registry key (and every file).

On 30. 5. 2018 at 18:52, xxxxx@probo.com wrote:

> xxxxx@gmail.com wrote:
> > I have developed a test protected anti-malware service based on an ELAM driver, but the registry keys are still deletable from the graphical registry editor interface.
> > However, as I see it, the registry keys for Windows Defender are not deletable, and they give an error message “Cannot delete defender. Error while deleting key”.
> > I need to know what the valid way is to implement a similar protection for the registry key entries of my service. Does this have anything to do with inserting NULL characters in the registry key/values?
>
> They probably just had the key be owned by LOCAL_SYSTEM and set the DACLs to prohibit access by all other users, similar to the way the Properties keys are handled in the Enum branch.
>
> Such keys can still be tweaked, if you know the magic spell to launch regedit as LOCAL_SYSTEM, but that’s a guru-level operation.
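An added example, not code from anyone in this thread, of the ACL-based protection Tim Roberts describes (key owned by LOCAL_SYSTEM, DACL granting access to SYSTEM only) together with a check that the resulting descriptor is what was intended. The key path `SOFTWARE\ExampleVendor\ExampleService` is a placeholder, and the function names `Protect-ServiceKey` and `Test-ServiceKeyProtected` are my own; the script assumes it runs in a LocalSystem context (for instance from the service's own install step), because making SYSTEM the owner is then "set owner to self" and needs no extra privilege.

```powershell
# Added example: lock a service's own registry key the way Tim Roberts describes.
# 'SOFTWARE\ExampleVendor\ExampleService' is a placeholder, not a real product key.
# Run as LocalSystem (e.g. from the service's installer); an ordinary administrator
# would additionally need SeRestorePrivilege to assign ownership to another SID.

$SubKey = 'SOFTWARE\ExampleVendor\ExampleService'   # placeholder key under HKLM

function Get-LocalSystemSid {
    # S-1-5-18, built from the well-known SID type rather than a hard-coded string.
    [System.Security.Principal.SecurityIdentifier]::new(
        [System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null)
}

function Protect-ServiceKey {
    param([Parameter(Mandatory)] [string] $SubKey)

    $systemSid = Get-LocalSystemSid
    $hive = [Microsoft.Win32.Registry]::LocalMachine

    # Create the key if it does not exist yet, then reopen it with only the rights
    # needed to rewrite its security descriptor (WRITE_DAC, WRITE_OWNER, read).
    $hive.CreateSubKey($SubKey).Close()
    $rights = [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
              [System.Security.AccessControl.RegistryRights]::TakeOwnership -bor
              [System.Security.AccessControl.RegistryRights]::ReadKey
    $key = $hive.OpenSubKey($SubKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $rights)
    try {
        $acl = $key.GetAccessControl()   # owner, group and DACL of the key

        # Stop inheriting ACEs from HKLM\SOFTWARE and discard the inherited copies.
        $acl.SetAccessRuleProtection($true, $false)

        # Remove every explicit ACE that remains (Administrators, Users, CREATOR OWNER ...).
        foreach ($rule in $acl.GetAccessRules($true, $false,
                 [System.Security.Principal.SecurityIdentifier])) {
            [void] $acl.RemoveAccessRule($rule)
        }

        # SYSTEM gets full control, inherited by subkeys; nobody else gets an ACE.
        $systemRule = [System.Security.AccessControl.RegistryAccessRule]::new(
            $systemSid,
            [System.Security.AccessControl.RegistryRights]::FullControl,
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($systemRule)

        # Owner matters: the owner of an object always has READ_CONTROL and WRITE_DAC,
        # so leaving Administrators as owner would let them simply re-grant themselves access.
        $acl.SetOwner($systemSid)

        $key.SetAccessControl($acl)
    }
    finally {
        $key.Close()
    }
}

function Test-ServiceKeyProtected {
    # Returns $true only if the key is owned by SYSTEM, inheritance is blocked, and
    # every ACE in the DACL belongs to SYSTEM. Must run in a context that can read
    # the key's security descriptor (SYSTEM, given the DACL written above).
    param([Parameter(Mandatory)] [string] $SubKey)

    $systemSid = Get-LocalSystemSid
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree,
        [System.Security.AccessControl.RegistryRights]::ReadPermissions)
    if ($null -eq $key) { return $false }
    try {
        $acl   = $key.GetAccessControl()
        $owner = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
        $rules = $acl.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
        $foreign = @($rules | Where-Object { $_.IdentityReference -ne $systemSid })
        return ($owner -eq $systemSid) -and $acl.AreAccessRulesProtected -and
               ($rules.Count -gt 0) -and ($foreign.Count -eq 0)
    }
    finally {
        $key.Close()
    }
}

Protect-ServiceKey -SubKey $SubKey
if (Test-ServiceKeyProtected -SubKey $SubKey) {
    "HKLM\$SubKey is owned by SYSTEM and readable/writable by SYSTEM only"
} else {
    "HKLM\$SubKey is NOT locked down as intended"
}
```

After this runs, regedit started by an administrator fails to open or delete the key, which is the behaviour the original question is after. The two caveats raised in the thread still apply: anyone who can launch an editor as LOCAL_SYSTEM, or who holds SeBackupPrivilege and SeRestorePrivilege and uses a tool that enables them, gets past a DACL, so this is protection against unprivileged or accidental modification, not tamper resistance against an administrator. The kernel-mode registry callback Scott points to is a separate mechanism that an ACL does not replace.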