How does HIPS Registry access work?

Hey!

How does CIS HIPS protect the registry objects? Does an alert pop up only when an application tries to open or read a key, or does an application have to attempt to write (make changes) to a certain key within the Windows registry? Is there a way to set read/write registry permissions?

Cheers!

You will get a HIPS alert for key read or write, because it is possible to still modify a registry key even if the key was opened with key read access, as noted in the MSDN documentation for the RegCreateKey/RegCreateKeyEx functions:

Access for key creation is checked against the security descriptor of the registry key, not the access mask specified when the handle was obtained. Therefore, even if hKey was opened with a samDesired of KEY_READ, it can be used in operations that modify the registry if allowed by its security descriptor.

■■■■. I was hoping to make a wishlist for some sort of registry control with individual read/write permissions.

Oh well…

Just found this thread when I wanted to ask a similar question.

I have Firefox (Waterfox) and lots of other programs very often asking for access to Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections and I always wondered why that is (given that a read operation should not be a problem).

Are those people all using the wrong API, or is there no better one than the one linked above? This key should be for proxy support according to Google, so there is no reason why any program should need to write to it in most use cases.

In the past I had the same problem (aka giant annoyance) with the SystemCertificates keys so I had to remove them from the protected list - which is a ■■■■ solution, I know.

There are also the RegOpenKey/RegOpenKeyEx functions for opening a handle to a specified key, so I’m sure they will still generate an alert, though I haven’t tried using such API functions to test.

Tried that (RegOpenKey, RegQueryInfoKey, RegEnumKey, RegCloseKey) and I get no alerts for protected registry keys. :)

Yeah, I was going to post that observation earlier. I don’t know why it only triggers on RegCreateKey but not on RegOpenKey???
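To make the two points in this thread concrete (the MSDN note in the second reply that key creation is checked against the key's security descriptor rather than the handle's access mask, and the later observation that RegOpenKey-based reads raise no HIPS alert while RegCreateKey does), here is an added PowerShell script that is not from the thread, from Comodo, or from MSDN. It P/Invokes the same advapi32 calls the posters name against a constructed test key, HKCU\Software\HipsRegDemo, which it creates and deletes itself; the Demo.Reg wrapper class, the key name and the "Probe" value name are all my own assumptions for the example. Run it with CIS HIPS active and the test key on the protected list to see which of the numbered steps produces an alert; the expected return codes noted in the comments describe Windows' own access checks, not what HIPS does.

```powershell
# Added example, not code from the thread. Constructed test key: HKCU\Software\HipsRegDemo.
# Requires Windows PowerShell 5.1 or PowerShell 7 on Windows; the key is removed at the end.
Add-Type -Namespace Demo -Name Reg -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegOpenKeyExW(IntPtr hKey, string lpSubKey, int ulOptions,
    int samDesired, out IntPtr phkResult);

[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegCreateKeyExW(IntPtr hKey, string lpSubKey, int Reserved,
    string lpClass, int dwOptions, int samDesired, IntPtr lpSecurityAttributes,
    out IntPtr phkResult, out int lpdwDisposition);

[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegSetValueExW(IntPtr hKey, string lpValueName, int Reserved,
    int dwType, byte[] lpData, int cbData);

// Every optional out-pointer is declared IntPtr so NULL can be passed for the fields we ignore.
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegQueryInfoKeyW(IntPtr hKey, IntPtr lpClass, IntPtr lpcchClass,
    IntPtr lpReserved, out int lpcSubKeys, IntPtr lpcbMaxSubKeyLen, IntPtr lpcbMaxClassLen,
    out int lpcValues, IntPtr lpcbMaxValueNameLen, IntPtr lpcbMaxValueLen,
    IntPtr lpcbSecurityDescriptor, IntPtr lpftLastWriteTime);

[DllImport("advapi32.dll")]
public static extern int RegCloseKey(IntPtr hKey);
'@

$KEY_READ            = 0x20019   # STANDARD_RIGHTS_READ | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY
$KEY_WRITE           = 0x20006   # STANDARD_RIGHTS_WRITE | KEY_SET_VALUE | KEY_CREATE_SUB_KEY
$REG_SZ              = 1
$ERROR_ACCESS_DENIED = 5
$subKey              = 'Software\HipsRegDemo'   # constructed test key for this example

# 1. Create the test key through the .NET wrapper (itself a RegCreateKeyEx call).
[Microsoft.Win32.Registry]::CurrentUser.CreateSubKey($subKey).Close()

# 2. This DACL is the "security descriptor" the quoted MSDN text refers to: it, not the
#    handle's access mask, decides whether a subkey may be created under this key.
#    Get-Acl/Set-Acl on the HKCU: drive is also the stock Windows way to set per-key
#    read/write permissions, independent of any HIPS.
(Get-Acl -Path "HKCU:\$subKey").Access |
    Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize | Out-String

# 3. Open the key read-only, as the poster who saw no alert did (RegOpenKey + RegQueryInfoKey).
$hkcu  = [Microsoft.Win32.Registry]::CurrentUser.Handle.DangerousGetHandle()
$hRead = [IntPtr]::Zero
$rc = [Demo.Reg]::RegOpenKeyExW($hkcu, $subKey, 0, $KEY_READ, [ref]$hRead)
"RegOpenKeyExW(KEY_READ)        -> $rc"

$subKeys = 0; $values = 0
$rc = [Demo.Reg]::RegQueryInfoKeyW($hRead, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero,
        [ref]$subKeys, [IntPtr]::Zero, [IntPtr]::Zero, [ref]$values,
        [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero)
"RegQueryInfoKeyW(read handle)  -> $rc (subkeys=$subKeys, values=$values)"

# 4. Writing a *value* through the KEY_READ handle is checked against the handle's access
#    mask, so Windows refuses it: expect ERROR_ACCESS_DENIED (5).
$data = [System.Text.Encoding]::Unicode.GetBytes("x`0")   # REG_SZ data incl. terminator
$rc = [Demo.Reg]::RegSetValueExW($hRead, 'Probe', 0, $REG_SZ, $data, $data.Length)
"RegSetValueExW(read handle)    -> $rc (expected $ERROR_ACCESS_DENIED)"

# 5. Creating a *subkey* through the very same KEY_READ handle is checked against the
#    key's DACL instead (the MSDN behaviour quoted in the thread). With the default
#    FullControl ACE on HKCU this is expected to return 0 with disposition 1
#    (REG_CREATED_NEW_KEY); if your DACL denies KEY_CREATE_SUB_KEY you get 5 instead.
$hNew = [IntPtr]::Zero; $disp = 0
$rc = [Demo.Reg]::RegCreateKeyExW($hRead, 'CreatedViaReadHandle', 0, [NullString]::Value,
        0, $KEY_WRITE, [IntPtr]::Zero, [ref]$hNew, [ref]$disp)
"RegCreateKeyExW(read handle)   -> $rc (disposition=$disp)"

# 6. Close handles and remove the constructed test key.
if ($hNew -ne [IntPtr]::Zero) { [void][Demo.Reg]::RegCloseKey($hNew) }
[void][Demo.Reg]::RegCloseKey($hRead)
[Microsoft.Win32.Registry]::CurrentUser.DeleteSubKeyTree($subKey, $false)
```

Step 4 versus step 5 is the whole reason the second reply gives for alerting on reads: a handle obtained with KEY_READ cannot set values, but it can still be handed to RegCreateKeyEx, and whether that succeeds depends only on the key's own ACL. The script deliberately uses the raw advapi32 functions rather than the .NET RegistryKey methods, because .NET tracks its own "writable" flag and would throw before the Win32 call is ever made, hiding exactly the behaviour the thread is about.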