registry protection.

I want to protect the registry.
That is, I want to control creation/deletion of registry keys and
modification of registry values.
Is this possible?

Thanks for any suggestions!
Sincerely!

Hook the native NT registry APIs like RegMon does (from
sysinternals.com). This is of course highly undocumented. Or, if there
is one specific key/value you want to monitor, set up a background thread
to check this key/value every half second or so and change it back if
it's been tampered with (thanks to Microsoft for this tip. :)

- Nicholas Ryan

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Chang
Sung, Jung.
Sent: Sunday, November 03, 2002 10:57 PM
To: File Systems Developers
Subject: [ntfsd] registry protection.

You are currently subscribed to ntfsd as: xxxxx@nryan.com
To unsubscribe send a blank email to %%email.unsub%%

> ----------

From: xxxxx@nryan.com[SMTP:xxxxx@nryan.com]
Reply To: xxxxx@lists.osr.com
Sent: Monday, November 04, 2002 8:27 AM
To: xxxxx@lists.osr.com
Subject: [ntfsd] RE: registry protection.


Isn’t it better to use native OS support? ZwNotifyChangeKey and
ZwNotifyChangeMultipleKeys. It should be, at least, more efficient.

As for registry protection, what about the standard way, i.e. a proper
security descriptor?

Best regards,

Michal Vodicka
STMicroelectronics Design and Application s.r.o.
[michal.vodicka@st.com, http:://www.st.com]
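As an added example (not code from the thread or from any of its participants), here is the user-mode counterpart of the "let the OS notify you instead of polling" approach Michal suggests: the WMI registry event provider's RegistryValueChangeEvent, queried from PowerShell, stands in for the kernel-mode ZwNotifyChangeKey. The key HKLM\SOFTWARE\ExampleApp, the value name Setting and the expected value are constructed for the demonstration; the handler logs each write and reports whether the value still matches what was expected, leaving the decision to alert or restore to the operator.

```powershell
# Added example, not from the thread: watch one registry value for changes
# using the OS-provided WMI registry event provider (root\default namespace)
# instead of re-reading it every half second. The key and value below are
# constructed for the demonstration; HKEY_CURRENT_USER is not supported by
# this provider, and creating the key under HKLM needs an elevated session.
$hive     = 'HKEY_LOCAL_MACHINE'
$keyPath  = 'SOFTWARE\\ExampleApp'        # WQL string: backslashes doubled
$psPath   = 'HKLM:\SOFTWARE\ExampleApp'   # same key as a provider path
$valName  = 'Setting'
$expected = 'expected-value'

# Make sure the watched key/value exists so the event filter has something to bind to.
if (-not (Test-Path $psPath)) { New-Item -Path $psPath -Force | Out-Null }
if ($null -eq (Get-ItemProperty -Path $psPath -Name $valName -ErrorAction SilentlyContinue)) {
    New-ItemProperty -Path $psPath -Name $valName -Value $expected -PropertyType String | Out-Null
}

# Intrinsic event raised by the registry provider whenever this value is written.
$query = "SELECT * FROM RegistryValueChangeEvent " +
         "WHERE Hive='$hive' AND KeyPath='$keyPath' AND ValueName='$valName'"

$null = Register-CimIndicationEvent -Namespace 'root\default' -Query $query `
    -SourceIdentifier 'RegValueWatch' `
    -MessageData @{ Path = $psPath; Name = $valName; Expected = $expected } `
    -Action {
        $md  = $Event.MessageData
        $evt = $Event.SourceEventArgs.NewEvent
        # Re-read the value: the event says it was written, not what it now holds.
        $now = (Get-ItemProperty -Path $md.Path -Name $md.Name -ErrorAction SilentlyContinue).($md.Name)
        $state = if ($now -eq $md.Expected) { 'matches expected' } else { 'DIFFERS from expected' }
        # Log the change; whether to alert or to restore the value is a separate policy decision.
        Write-Host ("{0:u} {1}\{2}\{3} written, current='{4}' ({5})" -f `
            (Get-Date), $evt.Hive, $evt.KeyPath, $evt.ValueName, $now, $state)
    }

# Trigger it from the same session to see the handler fire:
# Set-ItemProperty -Path $psPath -Name $valName -Value 'tampered'
# Stop watching when done:
# Unregister-Event -SourceIdentifier 'RegValueWatch'
```

The subscription lives only as long as the PowerShell session, so a real monitor would run this from a service or scheduled task; the point it shares with the kernel notification APIs is that the OS wakes the watcher on a write rather than the watcher burning CPU on a timer.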

Yeah, I forgot there were change notify APIs for registry keys also.

As for using a security descriptor, I assumed he wanted a greater level
of protection. Anyone who's admin can of course just change it.

- Nicholas Ryan

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Vodicka, Michal
Sent: Monday, November 04, 2002 10:37 AM
To: File Systems Developers
Subject: [ntfsd] RE: registry protection.


Anyone who is admin can of course install another piece of kernel code
to circumvent the first one.

Look, folks, NT is not secure against people with admin access. It’s not
supposed to be. If you can’t limit admin access, there’s no point to
creating complex monkey-puzzles that purport to control the activities
of people with admin access. If you can trust the admins, then careful
ACL setting protects anything with an ACL.
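To make the "careful ACL setting" concrete, here is an added example (not from the thread or any of its participants) that puts an explicit security descriptor on a registry key so that only SYSTEM and the Administrators group can write to it while Users keep read access. The key name HKLM\SOFTWARE\ExampleApp is constructed for the demonstration; the SIDs are the well-known ones for LocalSystem, BUILTIN\Administrators and BUILTIN\Users.

```powershell
# Added example, not from the thread: lock down one registry key with an
# explicit DACL. Run elevated; the key name is constructed for this demo.
$keyPath = 'HKLM:\SOFTWARE\ExampleApp'
if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }

$acl = Get-Acl -Path $keyPath

# Stop inheriting from the parent and do not copy the inherited rules, so the
# key's DACL is exactly the set of rules added below.
$acl.SetAccessRuleProtection($true, $false)
# Drop any explicit rules that were already present on the key.
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $null = $acl.RemoveAccessRule($rule)
}

# Registry keys only support container inheritance (subkeys), not object inheritance.
$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$rules = @(
    @{ Sid = 'S-1-5-18';     Rights = 'FullControl' },   # NT AUTHORITY\SYSTEM
    @{ Sid = 'S-1-5-32-544'; Rights = 'FullControl' },   # BUILTIN\Administrators
    @{ Sid = 'S-1-5-32-545'; Rights = 'ReadKey' }        # BUILTIN\Users: read only
)
foreach ($r in $rules) {
    $id     = New-Object System.Security.Principal.SecurityIdentifier $r.Sid
    $rights = [System.Security.AccessControl.RegistryRights]$r.Rights
    $rule   = New-Object System.Security.AccessControl.RegistryAccessRule(
                  $id, $rights, $inherit, $prop, $allow)
    $acl.AddAccessRule($rule)
}

Set-Acl -Path $keyPath -AclObject $acl

# Verify what actually landed on the key (resolved to account names).
(Get-Acl -Path $keyPath).Access |
    Select-Object IdentityReference, RegistryRights, IsInherited, AccessControlType
```

This is Benson's point in code: the DACL stops a standard user from creating, deleting or modifying anything under the key, and it costs nothing at run time. It does not stop an administrator, who can take ownership or rewrite the DACL; for that you can only audit (a SACL plus the "Audit Registry" policy) and limit who is an administrator in the first place.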

> ----------

From: xxxxx@nryan.com[SMTP:xxxxx@nryan.com]
Reply To: xxxxx@lists.osr.com
Sent: Monday, November 04, 2002 8:27 PM
To: xxxxx@lists.osr.com
Subject: [ntfsd] RE: registry protection.


This is the problem with questions like this; we have to assume. I tend to agree
with Benson; that's why I mentioned the SD. There is no security through
obscurity. On the other hand, complex puzzles can discourage most attackers.

It would be better if the original poster explained the purpose of this
protection.

Best regards,

Michal Vodicka
STMicroelectronics Design and Application s.r.o.
[michal.vodicka@st.com, http:://www.st.com]