Web Design Forums
void.no.spam.com@gmail.co Guest
Posted: Fri Jul 04, 2008 8:45 pm Post subject: Need a registry monitor
I have a program that is only doing something when I log in as a non-admin
user, so I want to run a registry monitoring program to see what it is
doing. I tried RegMon, but it only works under Administrator. Are there
any other registry monitoring programs that don't require running under
Administrator?
B. R. 'BeAr' Ederson Guest
Posted: Sat Jul 05, 2008 2:34 am Post subject: Re: Need a registry monitor
On Fri, 4 Jul 2008 13:45:20 -0700 (PDT), void.no.spam.com@gmail.com wrote:
> I have a program that is only doing something when I log in as a non-admin
> user, so I want to run a registry monitoring program to see what it is
> doing. I tried RegMon, but it only works under Administrator. Are there
> any other registry monitoring programs that don't require running under
> Administrator?
While under the non-admin account use RunAs... to execute RegMon as
Administrator. RegMon will monitor *all* processes, not only those
started by the Admin.
Right click on RegMon.exe inside Explorer (or any other file manager
of your choice) to get the [RunAs...] menu. You may need to have the
Shift key pressed while executing this right click. (Depends on the
Windows version and settings.) RunAs.exe can also be found inside the
System32 folder of Windows.
BeAr
--
===========================================================================
= What do you mean with: "Perfection is always an illusion"? =
===============================================================--(Oops!)===
Bear Bottoms Guest
Posted: Sat Jul 05, 2008 2:46 am Post subject: Re: Need a registry monitor
On Fri, 04 Jul 2008 15:45:20 -0500, void.no.spam.com@gmail.com
<void.no.spam.com@gmail.com> wrote:
> I have a program that is only doing something when I log in as a non-admin
> user, so I want to run a registry monitoring program to see what it is
> doing. I tried RegMon, but it only works under Administrator. Are there
> any other registry monitoring programs that don't require running under
> Administrator?
Try exporting your registry with regedit, log in as a non-admin user and
do whatever you think causes your concern, then export the registry again.
Open both files in notepad and use something like
http://www.aptedit.com/aptdiff.htm to compare the two files. That should
show you any changes to the registry easier than anything else.
--
Bear Bottoms
Freeware website: http://bearware.info
B. R. 'BeAr' Ederson Guest
Posted: Sat Jul 05, 2008 4:46 am Post subject: Re: Need a registry monitor
On Fri, 04 Jul 2008 16:46:31 -0500, Bear Bottoms wrote:
> Try exporting your registry with regedit, log in as a non-admin user and
> do whatever you think causes your concern, then export the registry again.
> Open both files in notepad and use something like
> http://www.aptedit.com/aptdiff.htm to compare the two files. That should
> show you any changes to the registry easier than anything else.
The success of this method depends on several factors, though. To
export a Registry key, permissions to change it are necessary. In
standard setups, not even the Administrator has permission to write
all values (although an Admin can acquire the necessary right, if
necessary). A non-Admin user has even fewer privileges.
Exporting the Registry as Admin would need the inclusion of the user
hive of the account, under which the program in question will be
executed.
Because of the above, your suggested method usually works well to
detect "normal" changes to the Registry. In such cases it usually
is sufficient to export from the non-Admin account. If, OTOH, one
suspects the setting of hidden Registry keys (for whatever reason)
from the program, the export_&_compare method needs very careful
utilization.
Scenarios where the code is potentially malicious can be excluded
from the consideration, because from the first moment of running
suspicious code the system has to be regarded as compromised.
Therefore, any "let's run the program and watch the outcome"
approach would be wrong, anyway...
BeAr
--
===========================================================================
= What do you mean with: "Perfection is always an illusion"? =
===============================================================--(Oops!)===
Bear Bottoms Guest
Posted: Sat Jul 05, 2008 5:30 am Post subject: Re: Need a registry monitor
On Fri, 04 Jul 2008 18:46:31 -0500, B. R. 'BeAr' Ederson
<br.ederson@expires-2008-07-31.arcornews.de> wrote:
> On Fri, 04 Jul 2008 16:46:31 -0500, Bear Bottoms wrote:
>> Try exporting your registry with regedit, log in as a non-admin user and
>> do whatever you think causes your concern, then export the registry
>> again.
>> Open both files in notepad and use something like
>> http://www.aptedit.com/aptdiff.htm to compare the two files. That should
>> show you any changes to the registry easier than anything else.
> The success of this method depends on several factors, though. To
> export a Registry key, permissions to change it are necessary. In
> standard setups, not even the Administrator has permission to write
> all values (although an Admin can acquire the necessary right, if
> necessary). A non-Admin user has even less privileges.
> Exporting the Registry as Admin would need the inclusion of the user
> hive of the account, under which the program in question will be
> executed.
> Because of the above, your suggested method usually works well to
> detect "normal" changes to the Registry. In such cases it usually
> is sufficient to export from the non-Admin account. If, OTOH, one
> suspects the setting of hidden Registry keys (for whatever reason)
> from the program, the export_&_compare method needs very careful
> utilization.
> Scenarios where the code is potentially malicious can be excluded
> from the consideration, because from the first moment of running
> suspicious code the system has to be regarded as compromised.
> Therefore, any "let's run the program and watch the outcome"
> approach would be wrong, anyway...
> BeAr
Thanks BeAr...in such a case as your scenario...wouldn't an expert
evaluation of a HijackThis log expose it? And also maybe an expert
evaluation of Process Monitor both of which could be done in a couple of
the better free Tech Support Forums? (It would have to be by one of the
well known moderators, and I have one in particular in mind.)
--
Bear Bottoms
Freeware website: http://bearware.info
Alfred Einstein Guest
Posted: Sat Jul 05, 2008 9:11 am Post subject: Re: Need a registry monitor
"B. R. 'BeAr' Ederson" <br.ederson@expires-2008-07-31.arcornews.de> wrote in
message news:9wfkq2rkd9jt$.dlg@br.ederson.news.arcor.de...
> Scenarios where the code is potentially malicious can be excluded
> from the consideration, because from the first moment of running
> suspicious code the system has to be regarded as compromised.
> Therefore, any "let's run the program and watch the outcome"
> approach would be wrong, anyway...
Suppose you "run and watch the outcome" while it's running in a sandbox?
B. R. 'BeAr' Ederson Guest
Posted: Sat Jul 05, 2008 11:02 am Post subject: Re: Need a registry monitor
On Sat, 5 Jul 2008 00:11:05 -0400, Alfred Einstein wrote:
>> Scenarios where the code is potentially malicious can be excluded
>> from the consideration, because from the first moment of running
>> suspicious code the system has to be regarded as compromised.
>> Therefore, any "let's run the program and watch the outcome"
>> approach would be wrong, anyway...
> Suppose you "run and watch the outcome" while it's running in a sandbox?
Not foolproof "in concept", but without having followed the current
security issues of sandbox programs too closely, I haven't heard of
any relevant break-outs. Analyzing the results of the test-run
would need external access to the files and memory footprint of the
sandbox, though. (Because the "inside" of the sandbox has to be
regarded as compromised, again.)
I.e.: Access the sandbox registry hive from outside instead of running
Regedit inside the box. And don't forget that analyzing the registry
will tell you only *some* aspects of the behavior of the program in
question...
BeAr
--
===========================================================================
= What do you mean with: "Perfection is always an illusion"? =
===============================================================--(Oops!)===
B. R. 'BeAr' Ederson Guest
Posted: Sat Jul 05, 2008 11:02 am Post subject: Re: Need a registry monitor
On Fri, 04 Jul 2008 19:30:34 -0500, Bear Bottoms wrote:
>> Scenarios where the code is potentially malicious can be excluded
>> from the consideration, because from the first moment of running
>> suspicious code the system has to be regarded as compromised.
>> [...]
> Thanks BeAr...in such a case as your scenario...wouldn't an expert
> evaluation of a HijackThis log expose it?
Depends on the capabilities of the malware. You'd need to run
HijackThis from a system non-accessible to the potential malware.
(Booting from a clean external hard disk, which never was attached
to a *running* system that might be infected. Or sth. like that.)
Don't forget to import the appropriate registry hives if you do
this.
> And also maybe an expert evaluation of Process Monitor
Both methods will work against most malware. (Even if running
HijackThis from a possibly compromised user account.) The reason
is, that most malware authors aren't capable (or don't care to
make the effort) to circumvent more than the most basic tricks
from the anti-malware repertoire. Since they usually get loads
of infections, anyway, such efforts are plainly unnecessary.
But from a security POV one cannot rely on the laziness of the
adversary...
Btw.: Sysinternals AutoRuns and RootKitRevealer are also tools
worth considering:
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx
Especially the latter incorporates some sophisticated techniques,
which make it more robust against deception. None of them covers
the whole malware area, though...
BeAr
--
===========================================================================
= What do you mean with: "Perfection is always an illusion"? =
===============================================================--(Oops!)===
B. R. 'BeAr' Ederson Guest
Posted: Sat Jul 05, 2008 11:02 am Post subject: Re: Need a registry monitor
Following up myself, since I forgot to mention:
[Sandbox]
> Not foolproof "in concept",
Ah, and bear in mind, that the malware may behave differently inside
a sandbox. (There are techniques to detect that the code is running
inside a box.) And the malicious behavior can depend on a trigger,
like a special date. In either case, you may regard a program as safe,
although it is not.
Furthermore, without detailed code analysis one can only address
*aspects* of the whole matter. The important bits may go unnoticed...
BeAr
--
===========================================================================
= What do you mean with: "Perfection is always an illusion"? =
===============================================================--(Oops!)===
Bear Bottoms Guest
Posted: Sat Jul 05, 2008 5:07 pm Post subject: Re: Need a registry monitor
On Sat, 05 Jul 2008 02:25:45 -0500, B. R. 'BeAr' Ederson
<br.ederson@expires-2008-07-31.arcornews.de> wrote:
>> And also maybe an expert evaluation of Process Monitor
> Both methods will work against most malware. (Even if running
> HijackThis from a possibly compromised user account.) The reason
> is, that most malware authors aren't capable (or don't care to
> make the effort) to circumvent more than the most basic tricks
> from the anti-malware repertoire. Since they usually get loads
> of infections, anyway, such efforts are plainly unnecessary.
> But from a security POV one cannot rely on the laziness of the
> adversary...
> Btw.: Sysinternals AutoRuns and RootKitRevealer are also tools
> worth to be considered:
> http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
> http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx
> Especially the latter incorporates some sophisticated techniques,
> which make it more robust against deception. None of them covers
> the whole malware area, tough...
> BeAr
Thanks again. I suppose if you think you are infected, the easiest way
would be just to flatten and restage. Of course, many many people are just
not set up to do that easily. One should be.
--
Bear Bottoms
Freeware website: http://bearware.info
Franklin Guest
Posted: Sat Jul 05, 2008 10:19 pm Post subject: Re: Need a registry monitor
On Fri 04 Jul 2008 22:46:31, Bear Bottoms wrote:
> On Fri, 04 Jul 2008 15:45:20 -0500, void.no.spam.com@gmail.com
> <void.no.spam.com@gmail.com> wrote:
>> I have a program that is only doing something when I log in as a
>> non-admin user, so I want to run a registry monitoring program
>> to see what it is doing. I tried RegMon, but it only works under
>> Administrator. Are there any other registry monitoring programs
>> that don't require running under Administrator?
> Try exporting your registry with regedit, log in as a non-admin
> user and do whatever you think causes your concern, then export
> the registry again. Open both files in notepad and use something
> like http://www.aptedit.com/aptdiff.htm to compare the two files.
> That should show you any changes to the registry easier than
> anything else.
Mr Bottoms, that advice is definitely untried.
First of all, not all the registry hives are included in a regedit
export. Probably far better to use ERUNT.
http://larshederer.homepage.t-online.de/erunt/
Secondly, registry files are far from small and Notepad could easily
take a very long time just to open certain ones. Thirdly, the binary
entries won't display in Notepad.
Fourthly, this snapshot approach won't show important read-only
accesses nor a temporary change which is then reset.
Regmon (or ProcMon) is the best way to do this by far and would be
worth exploring further to see if the security issue can be
circumvented. If that fails, then a registry guard like the ones below
is not all that great a solution because they too cover only a subset
of the reg keys, but they're miles better than what you proposed.
TeaTimer from SpyBot
http://www.safer-networking.org/en/faq/33.html
RegistryProt from DiamondCS
http://www.diamondcs.com.au/freeutilities/regprot.php
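The export-and-compare method suggested earlier in the thread, and Franklin's objection that binary entries and large files make a Notepad diff impractical, become more workable if the two .reg exports are compared structurally (key by key, value by value) rather than as raw text. The following is an added example, not code from the thread or from any of the tools it names; it works on constructed sample exports, joins the hex data that regedit wraps over several lines with a trailing backslash, and reports only what differs, which here is a new autostart value, a changed binary value and a new empty key. As Franklin notes, a snapshot diff like this still cannot see reads or a value that is set and reset between the two exports, which is why a live monitor remains preferable.

```python
import re
# Constructed sample .reg exports (not from the thread): before/after the suspect run.
BEFORE = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\DemoApp]
"Blob"=hex:01,02,\
  03,04
"""
AFTER = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\demo\\AppData\\Roaming\\upd.exe"
[HKEY_CURRENT_USER\Software\DemoApp]
"Blob"=hex:01,02,\
  03,05
[HKEY_CURRENT_USER\Software\DemoApp\Cache]
"""
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # "name"=data or @=data

def parse_reg(text):
    """Parse a .reg export into {key: {value_name: raw_data}}."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):  # regedit wraps long hex data with a trailing backslash
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            keys[current][name] = m.group(2)  # data kept raw: hex:, dword:, "string"
    return keys

def diff_reg(before, after):
    """Return (kind, key, value_name, data) tuples; unchanged entries are omitted."""
    b, a, out = parse_reg(before), parse_reg(after), []
    for key in sorted(set(b) | set(a)):
        if key not in b or key not in a:
            out.append(("key added" if key not in b else "key removed", key, None, None))
        bv, av = b.get(key, {}), a.get(key, {})
        for name in sorted(set(bv) | set(av)):
            if name not in bv:
                out.append(("added", key, name, av[name]))
            elif name not in av:
                out.append(("removed", key, name, bv[name]))
            elif bv[name] != av[name]:
                out.append(("changed", key, name, av[name]))
    return out
```

Running `diff_reg(BEFORE, AFTER)` on the sample data yields exactly three entries: the changed "Blob" value, the new DemoApp\Cache key, and the "Updater" value added under the Run key.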