
Effective ways to protect the registry from malware attacks or malicious programs
Fixing registry problems, such as entries that should not be there, is the job of a registry cleaner program. But the dangerous case is often not an invalid registry entry: it is a registry that has been manipulated to run malware, or one that prevents you from doing things like opening the Task Manager, the Run dialog, and so on. So why does Windows allow this? The problem is that the same features serve good and bad intentions: they exist so that a system can be kept from being modified easily, for example a computer dedicated to public use. But of course, do not just accept it if your personal computer is made helpless this way. Some vital registry keys include:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
This key stores information about programs that run automatically, usually a firewall or antivirus program, or programs like your favorite messenger client. You can also view it through Start – Run, type msconfig, and select the StartUp tab as shown below.
Imagine: what if the thing that starts automatically is malware? Although this key is the most frequent target, there are several other keys that run programs at startup; in more detail they are:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesSetup
You will often find the same key under both the HKCU and HKLM hives. The difference is that under HKCU the key applies only to the active user, while under HKEY_LOCAL_MACHINE it applies to all users.
Restore the folder options in Explorer
(HKLM) HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
This key exists in both the HKLM and HKCU hives. As the name implies, it stores the configuration of Windows Explorer. A value that malware often creates in this key is ‘NoFolderOptions’, set to 1 (DWORD data type).
What happens after that? The Tools – Folder Options menu disappears from Explorer.
This is one way malware protects itself, because through that menu the user can configure folders further, such as showing all hidden and super hidden files in Windows Explorer. To get the Folder Options menu back, change ‘NoFolderOptions’ to 0 or delete the value from the registry.
Restore Task Manager
(HKLM) HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
This key contains several values that can be quite vital because they involve the system configuration. For example, if there is a value ‘DisableTaskMgr’ set to 1 with the DWORD data type, then the Task Manager will not be accessible.
Another important value is ‘DisableRegistryTools’: if it is set to 1 (DWORD data type), then regedit cannot be run. Although, as you know, there are various other ways to access the registry.
Restore Run Tool
(HKLM) HKCU\Software\Microsoft\Windows\CurrentVersion\System\Policies\Explorer
If this key stores a value ‘NoRun’ = 1, then the Run menu normally accessible from the Start Menu disappears. Likewise, if you try to open it with the Windows key + R combination, the message “This Operation has been canceled due to restrictions in effect on this computer. Please contact your system administrator.” appears.
Restore hidden files, superhidden files
(HKLM) HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Windows Explorer is a mandatory tool for Windows users and can display some useful information, although some of it is fairly advanced (in keeping with the key's name). Some malware will try to close off access to important information by setting configuration values in this key, among them:
- Hidden = 0 (DWORD). This value hides files with the hidden attribute. Set it to 1 to see files with the hidden attribute.
- ShowSuperHidden = 0 (DWORD). This value hides files with the super hidden (system) attribute. Set it to 1 to see files with the super hidden attribute.
- HideFileExt = 1 (DWORD). This value hides file extensions, so users can unwittingly run executable files that may be malware. For this reason, malware generally imitates a specific icon (e.g. a folder or image icon) and uses an interesting file name to encourage users to run it. Set it to 0 to see file extensions.
These values can also be changed through the Tools – Folder Options – View tab in Windows Explorer (provided the menu is enabled in the registry).
In fact, a configuration that hides the information above is used on purpose by some Windows users, the goal being to keep users away from hidden and system files of Windows that users are not recommended to touch, for example the page file and the boot loader. So make sure you understand the files that appear in Windows Explorer if you decide to display the information above.
Of course there are many other keys that can be manipulated, not limited to the keys just discussed. There is a saying that “there is no smoke without fire”: the more you understand the registry keys, the easier you will spot the fire, that is, the suspicious things happening in the system.
Note that when the registry changes are caused by malware, the malware will generally do its best to keep the registry in its desired configuration by re-applying the changes constantly. So fixing the registry alone will be in vain.
Backup Registry
Repairing the registry one value at a time can be exhausting work, and the computer teaches us to make the best use of the available tools. One of them is backing up / exporting the registry so that it can be restored / imported at any time in one easy step, without having to fix each registry value one by one.
But backing up the entire registry is not a good idea in most cases: besides the large size (it can reach tens of MB if you export everything through regedit), the registry changes very quickly (because of program installations, playing games, and so on).
Therefore, this section shows how to back up / export a single registry key into a REG file. This is not the only way, but it is quite easy to do.
First, we will back up the contents of the key HKCU\Software\Microsoft\Windows\CurrentVersion\Run: run regedit and navigate to the key. Right-click the Run key and select Export. Then save it in the Registration Files (*.reg) format and name it backup.reg. Depending on your registry configuration, the content of backup.reg will look more or less like this:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"
"IDMan"="C:\\Program Files\\Internet Download Manager\\IDMan.exe /onboot"
"Messenger (Yahoo!)"="\"C:\\PROGRA~1\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
The file above means that 3 applications are run automatically from this key, namely sidebar.exe, IDMan.exe and YahooMessenger.exe. Now, suppose a friend idly changes the value data via regedit or whatever, and changes the path
C:\Program Files\Internet Download Manager\IDMan.exe
to
D:\Data\MyProgram.exe
Of course this change results in something improper. But do not worry: double-click backup.reg and the registry import is done, and the key is back to normal.
Now, what if the one changing the key is malware working automatically?
This method is effective and very easy to prevent malware or malicious program
Well, what if malware adds a value to the key so that it gets called, let’s say Bad value = C:\Windows\System32\bad.exe, so that there are now 4 applications run automatically by Windows? If you try to recover the key by double-clicking backup.reg, the malware's value will not be lost. Instead, edit backup.reg so that it reads as follows:
Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"
"IDMan"="C:\\Program Files\\Internet Download Manager\\IDMan.exe /onboot"
"Messenger (Yahoo!)"="\"C:\\PROGRA~1\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
Note the new line below:
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
This line repeats the backed-up key but with a – (minus) sign in front. It means: delete the key, including its subkeys and values. Thus any value that malware tried to add to the key is deleted as well. After that, the values are recreated according to the configuration you backed up.
Simple, but effective enough, right?
In the same way, you can create backups of other important keys and combine them into one backup.reg, a powerful file for restoring a “contaminated” registry.
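As an added example (not part of the original post), here is a small Python script that applies the same idea offline: it parses a .reg export of the Run key, compares a clean baseline against a later export to flag added or changed autorun values, and generates the restore file with the [-KEY] delete line in front. The two exports are constructed samples; the “Bad value” entry and D:\Data\MyProgram.exe follow the hypothetical cases above.

```python
import re
# Constructed sample exports (not from a real machine): a clean baseline of the Run key
# and a later export after a path was changed and an extra autorun value appeared.
BASELINE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"
"IDMan"="C:\\Program Files\\Internet Download Manager\\IDMan.exe /onboot"
'''
CURRENT = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"
"IDMan"="D:\\Data\\MyProgram.exe"
"Bad value"="C:\\Windows\\System32\\bad.exe"
'''
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

def _unescape(s):
    # .reg string syntax: \\ stands for a backslash and \" for a double quote
    return re.sub(r'\\(.)', r'\1', s[1:-1])

def parse_reg(text):
    """Parse a .reg export into {key: {name: value}}; string values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[-") and line.endswith("]"):
            keys.pop(line[2:-1], None)      # [-KEY] deletes the whole key
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, value = line.partition("=")
            keys[current][_unescape(name)] = _unescape(value)
    return keys

def diff_values(baseline, current, key):
    """Names added to or changed under `key` compared with the clean baseline."""
    base, cur = baseline.get(key, {}), current.get(key, {})
    added = sorted(n for n in cur if n not in base)
    changed = sorted(n for n in cur if n in base and cur[n] != base[n])
    return added, changed

def restore_file(baseline, key):
    """Build a restore .reg: [-KEY] wipes the key, then only the backed-up values
    are recreated, so anything malware added later is dropped on import."""
    esc = lambda s: s.replace("\\", "\\\\").replace('"', '\\"')
    lines = ["Windows Registry Editor Version 5.00", "", f"[-{key}]", f"[{key}]"]
    lines += [f'"{esc(n)}"="{esc(v)}"' for n, v in baseline[key].items()]
    return "\n".join(lines) + "\n"
```

Running diff_values on the two samples reports “Bad value” as added and “IDMan” as changed, and restore_file writes a file in which the [-KEY] line precedes the recreated values.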