Blocked Registry Keys

What am I doing wrong?

  1. /Defense+/Common Tasks/My Protected Files:
    I added group name called “Windows Registry” and inside the
    same group I added “%windir%\system32\regedit.exe”.

  2. /Defense+/Advanced/Predefined Security Policies:
    I created a new predefined security policy and named it “Restricted Registry Access”.

    I also edited the “Access Rights” for that group:

    Access Rights/Protected Registry Keys [set to ask]/Modify.../Blocked Registry Keys:
    I added the entire registry using the following wildcard: *
    
  3. /Defense+/Advanced/Computer Security Policy/Add…:
    I added the group (Windows Registry) in the list.
    Also assigned the security policy “Restricted Registry Access” to the group.

  4. When I use regedit the registry is still editable.

I’m not sure why it does not work. The only way to make it work is
by adding the protected registry key inside:
/Defense+/My Protected Registry Keys

However that also affects all the programs.

I can work around that by following the exact same steps listed above and using the “allow registry keys” to override the protected registry keys rules. I’m not sure I want to add all the keys manually. Why is the “Block Registry Keys” not working?

I hope this is not too confusing. It’s quite simple. I need an answer as soon as possible.

Thank you!

Hello and welcome to the forums.

That’s because CIS can determine whether the user (you) is requesting the action via the GUI, as opposed to any other unknown program that does not have specific access to the registry stated in the Defense+ rules. In other words, it will let you edit by using regedit because you are requesting the actions, but it won’t let any other program on your PC edit it at its own will, unless stated in the D+ rules.

Thanks for the reply.

Hmm… How do I protect a registry key for a single executable? I don’t want to apply the rule to all of the programs that run on my system.

By the way, what do you mean by “other programs”? I tried to run a sandboxed application that uses the registry. The sandbox is supposed to be limiting access to the registry via the “blocked registry key” rules, however, it does not work. The sandbox (not the Comodo sandbox) launches an executable, and this executable uses the registry APIs to modify the Windows registry. So I’m kind of confused as to what you mean by “other programs”.

The sandbox example is a little confusing, so forget that.

I just need to be able to limit a program from accessing specific registry keys.

Let’s suppose that I want to protect x.exe. I want x.exe to have restricted access to the windows registry. Let’s say I want to limit access to the entire HKEY_USERS key. Would that be possible? If so, let’s also suppose that x.exe creates a new child process (y.exe) which will also attempt to modify HKEY_USERS key. Will y.exe inherit x.exe’s rules?

First, add HKEY_USERS to your protected registry keys.
(Go to Defense+ > my protected reg. keys > “groups…” > add > new group > name it HKEY_USERS (or whatever you prefer). Then right click the newly made group > add > highlight HKEY_USERS group > add it to the right side > apply.)

Then, add x.exe to your Defense+ security policy (located in Defense+ tab > advanced > comp. security policy) > right click the entry > edit > access rights > go to ‘protected registry keys’ section > “modify…” > blocked registry keys > add the keys to the list.

By doing this, those keys will not be able to be modified by x.exe. For any other registry keys that x.exe might try to access, you will be alerted.

You can also block x.exe from all your protected registry keys and allow certain ones only, or allow it access to all keys except the ones you block it from.

If it does create a new child process such as y.exe, you will automatically be alerted if it tries to access any protected keys.

Yeah, that works, but if I’m not wrong the problem is that now all the programs will display an alert asking what I want to do, and the only way to bypass the prompt is to set up different policies. Why can I not override the “protected registry keys” based on the executable? Is there a way to do that? I see the “allowed registry keys” feature works well and you can override the “protected registry keys”. Why can I not do the same for the blocked registry keys and override the “protected registry keys”?

If I understood, “blocked registry keys” is only used for denying access to a list of keys without displaying any alerts, and those keys need to be defined in the “my protected keys”, otherwise it will not work.

If that is correct, then I am not trying in any way to bypass the prompt. I just want to override the rules and make sure x.exe does not get access to the entire registry or just a few keys only.

I could easily bypass the registry by setting up different policies and allowing the “trusted applications” group to have access to the entire registry.

MY PROTECTED REGISTRY KEYS {
* => BLOCK
}

GROUP FOR (X.EXE) {
HKEY_LOCAL_MACHINE\software\x* => ALLOW
x.exe will only have access to the above key.
}

GROUP FOR (TRUSTED APPLICATIONS) {
* => ALLOW
Now, by doing this, I can no longer deny access to any key because the ALLOW rule has a higher priority I guess? I don’t know.
Let’s suppose I want to deny access to only one key. How do I do that without writing all the keys manually?
For example, let’s say that I want to deny access only to the key allowed in “group for (x.exe)”.

the rules would need to change like this:
HKEY_LOCAL_MACHINE\...[bunch of keys] => ALLOW
HKEY_LOCAL_MACHINE\software\...[120keys] => ALLOW
HKEY_LOCAL_MACHINE\software\x* => BLOCK

I cannot do the following:
HKEY_LOCAL_MACHINE\software\* => ALLOW
HKEY_LOCAL_MACHINE\software\x* => BLOCK
because somehow that would invalidate the block rule listed above and give the "trusted application" group access to the key allowed in "group for (x.exe)".

}

I apologize for the confusion.

Sorry, I’m having a little trouble understanding what your scenario is.

So you’re saying that all other programs on your PC would ask for access to HKEY_USERS as well? Well, yes that’s true. I guess the way I told you to configure it in my previous post, would be used if you had many programs you would want to limit to HKEY_USERS.

But yes, I believe you can configure it so only x.exe has limited access without adding HKEY_USERS to your protected registry keys (hence, no other programs asking for access).

I THINK that maybe if you remove HKEY_USERS from your protected registry keys, and keep HKEY_USERS in the blocked registry access for x.exe’s policy, it might still protect HKEY_USERS from x.exe. Try that and tell me if it works, if you haven’t already. If it doesn’t work, then I’m out of ideas.

But even if the keys DO have to be in the “my protected registry keys”, yes, you can also set your “trusted applications” to have access to the registry and then set certain programs to trusted and that will override it.

What program are you trying to configure this for anyway? In my opinion, you shouldn’t be running it if you feel like you need to put these specific restrictions on it. If it is a safe application, let it have access to the registry. If it’s a shady program, then it’s easier to just manually add the entries in each of the program’s settings. If you have THAT many programs that you don’t trust, where you feel you need to set up a predefined policy to block numerous programs from accessing specific parts of the registry, don’t use them.

I’ll try to keep it simpler.

I want an executable to have limited access to the entire registry without having to set up the protected registry keys.

I THINK that maybe if you remove HKEY_USERS from your protected registry keys, and keep HKEY_USERS in the blocked registry access for x.exe’s policy, it might still protect HKEY_USERS from x.exe. Try that and tell me if it works, if you haven’t already. If it doesn’t work, then I’m out of ideas.

No, that does NOT work. Otherwise I would not be spending my time posting here. “Blocked registry keys” is only to automatically bypass the prompt and deny access to your protected registry keys. The same is for “allowed registry keys”, which will do the exact opposite and automatically grant access to the keys without displaying any alerts.

I just want my exe to have limited access to only certain registry keys or certain files. Why do I have to define these keys or files globally in “my protected registry keys” / “my protected files”?

I also noticed a lot of bugs and issues. The documentation lacks a lot of information and does not explain how COMODO rules really work. I had to figure that out on my own. I guess the more “confusion” the better, so you will have more customers coming to you asking for help and buying the PRO license?

I apologize for complaining, after all COMODO Internet Security is a FREE product. Buggy, “confusing”, very limited but FREE… of course.

I just wanted to say this, so perhaps you might consider improving your software in the future?

PS. For those that disagree, please don’t waste your time replying how much you love COMODO Internet Security and how well it works for you. I simply don’t care.
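A small model, added here and not CIS’s own code, of the Defense+ rule order as the thread describes it: a key has to be in “My Protected Registry Keys” before a program’s “Allowed”/“Blocked Registry Keys” lists apply, allowed and blocked entries decide silently, anything else protected produces an alert, and a user-driven regedit edit is let through. The order in which one program’s own allowed and blocked lists are consulted, and the constructed key paths, are assumptions of this model.

```python
import fnmatch
from dataclasses import dataclass, field

# Constructed model of the semantics stated in this thread (not CIS's logic):
#   1. Only keys matching "My Protected Registry Keys" are mediated at all.
#   2. For a protected key the program's own policy decides without an alert:
#      "Allowed Registry Keys" -> ALLOW, "Blocked Registry Keys" -> BLOCK.
#      (Checking allowed before blocked is an assumption of this model.)
#   3. A protected key with no matching per-program rule -> ASK (alert).
#   4. An unprotected key -> ALLOW, whatever the program's block list says.
#   5. An action the user performs through the GUI (regedit) -> ALLOW.
# Patterns use '*' as the GUI does; matching is case-insensitive like the registry.

@dataclass
class ProgramPolicy:
    allowed: list = field(default_factory=list)
    blocked: list = field(default_factory=list)

def _matches(key, patterns):
    k = key.lower()
    return any(fnmatch.fnmatchcase(k, p.lower()) for p in patterns)

def decide(key, protected, policy, user_initiated=False):
    """Return 'ALLOW', 'BLOCK' or 'ASK' for one registry write."""
    if user_initiated:
        return "ALLOW"   # rule 5: the poster's regedit test
    if not _matches(key, protected):
        return "ALLOW"   # rule 4: never reaches the per-program lists
    if _matches(key, policy.allowed):
        return "ALLOW"   # rule 2: allowed list overrides protection
    if _matches(key, policy.blocked):
        return "BLOCK"   # rule 2: silent deny
    return "ASK"         # rule 3

# Scenarios from the thread (key paths are constructed sample values).
PROTECTED_NONE = []
PROTECTED_HKU = [r"HKEY_USERS\*"]
RESTRICTED = ProgramPolicy(blocked=["*"])                      # first attempt
X_EXE = ProgramPolicy(allowed=[r"HKEY_LOCAL_MACHINE\software\x*"],
                      blocked=[r"HKEY_USERS\*"])               # working setup

def demo():
    key = r"HKEY_USERS\S-1-5-21-constructed\Software\Foo"
    return {
        "first_attempt": decide(key, PROTECTED_NONE, RESTRICTED),   # ALLOW
        "working": decide(key, PROTECTED_HKU, X_EXE),               # BLOCK
        "other_app": decide(key, PROTECTED_HKU, ProgramPolicy()),   # ASK
        "own_key": decide(r"HKEY_LOCAL_MACHINE\software\xyz",
                          [r"HKEY_LOCAL_MACHINE\software\*"], X_EXE),  # ALLOW
    }
```

The “first_attempt” case is the original question: with nothing protected, a blocked-list wildcard never fires, while “other_app” shows the side effect the poster objected to, since every other program now gets an alert.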

Well, I’m afraid that’s not possible then. You can always post in the CIS Wishlist for anything that you think would improve CIS.

If you encounter a bug please report it here.