Tipped off by a post elsewhere on this BBS that referred to a utility called REGMON from www.sysinternals.com , I discovered that the means might exist to write a utility I've been searching for.

I just had a peek at the open-source code for Regmon, and I think it can be done. I just don't have the tool (NuMega's VtoolsD and the Microsoft DDK) to modify the SYS/VXD portions of this project.

Here's the tool I'm thinking of writing: Instead of being called REGMON, it would be called REGBLOCK. The user would feed it a pointer to a hand-created list of parent registry keys. For example:

Hkey_Local_Machine/Software/SomeKey/SomeKey
Hkey_Current_User/Software/SomeKey/SomeKey

...and any requests to read or write keys in those trees or under those trees would fail with a "key does not exist" error. But not permanently, only for as long as the blocker was running.

It looks like this is do-able, because REGMON fully hooks the system calls that read/write the registry. It seems to do it fairly cleanly, using a SYS/VXD combination on Windows NT.

Most or all of the complex user interface of REGMON could be thrown away (which is too bad, as it's the only portion of the project that I can modify and compile) in favor of a pure command-line driven utility that simply activated/deactivated the SYS/VXD hooks and pointed to the configuration file.

Anyone interested in playing with this?

By the way, a description of how the system hooks work is here:

http://www.win2000mag.com/Articles/Index.cfm?ArticleID=4795&pg=3

I have neither the tools, time, expertise or desire to do this, but I was wondering what problem you're having that this utility would solve.

Several different things could be done with such a utility. The most obvious would be to keep spyware/adware from installing itself to auto-run-on-startup. In fact, pretty much any time a software package tries to install to the "Run" key in the system registry, I would like to block it.

What you really want to do is to block access to those keys, and _also_ to save the results to a .reg file. Then you can leave the blocker running most of the time, and then periodically see if there's anything in the .reg file that should have been allowed.

If Windows didn't write to the registry quite so much you could take an approach like the personal firewalls take, popping up a dialog with:

"Allow/Always Allow/Ignore/Always Ignore"

Good idea, Roger. The "RegMon" program I linked can log registry accesses already. I'm just looking to take it the next logical step and have a deny list as well. By the way, I'm also looking for bidirectional deny capablility (reads as well as writes). One might wish to control those independently, although that is not strictly necessary.

Hi.

As for the Run keys, look for StartUpMonitor by Mike Lin (he also wrote the nice StartUp controll panel) at http://www.mlin.net/StartupMonitor.shtml.
I use both utilities all the time.

cu,
sven

Okay, but the Run keys are only one of the possible reasons I would like to have a regblocker utility.

Hmm. Looking at StartupMonitor, it seems to have some of the functionality I'm looking for built-in to the code. Maybe I'll talk to its author and see if he'd like to take a stab at it.

Thanks for the link, Sven.