Use D+ To Prevent an App from Modifying a Registry Entry?

Can D+ be used to prevent a specific application from modifying a specific registry record?

I know which application it is and I know what registry record it modifies.

–Larry

Using Version 3.10.102363.531 of Comodo

If it is not featured in Defense+ Tasks > Common Tasks >My Protected Registry Keys
it would be possible to add new registry keys to protect.

Then Defense+ Tasks > Advanced >Computer Security Policy could be used to modify the policy for that application and edit Access Rights \ Protected Registry Keys \Modify… button \Blocked Registry Keys

Maybe I’m not using correct terminology for what I want to protect in the registry.
I would describe it thus:

HKEY_CURRENT_USER\Control Panel\Desktop\ForegroundLockTimeout

D+ shows HKEY_CURRENT_USER\Control Panel\Desktop as something I can add as a protected key but it does not show ForegroundLockTimeout. When I select what D+ shows it adds
HKEY_CURRENT_USER\Control Panel\Desktop*

So maybe ForegroundLockTimeout is a named value in the Desktop record. I don’t want to lock all the values, just the one named ForegroundLockTimeout.

Is that possible?

–Larry

Add the path HKEY_CURRENT_USER\Control Panel\Desktop\ForegroundLockTimeout using Add new items at the top of the dialogue box.

I added the key name to a group I created. Then I added that key to the Blocked Registry Keys list of both PhotoshopElementsEditor.exe and PhotoshopElementsOrganizer.exe.

The key still gets changed. In the Security Policy>Process Access Rights>Protected Registry Keys entry for both of these exe files, the setting is ASK. Should I change those to Block?

Applying that Protected registry key and configuring a regedit.exe policy to block HKEY_CURRENT_USER\Control Panel\Desktop\ForegroundLockTimeout worked fine so it should work also for PhotoshopElementsEditor.exe and PhotoshopElementsOrganizer.exe

There is definitely something strange going on. When my changes to Comodo did not work, I figured that maybe I didn’t know the name of the process that was changing ForegroundLockTimeout. So I fired up Process Monitor and set its filters to show accesses (by any process) to the record in the registry. Process Monitor showed TweakUI accessing the ForegroundLockTimeout record (and the new value set) when I used TweakUI to change the setting. That made me think it would show what other process was changing it. But when I ran PSE7, the setting changed but Process Monitor showed no accesses. Huh??

I can only guess that there is a way to change the setting in the registry that can not be seen by Process Monitor. I guess it must bypass the normal mechanisms. It figures that Adobe would use something like that.

Although I’m not successful yet, I sure am learning stuff!

–Larry

I searched around for more info and it looks like that there is a Windows Function that also change ForegroundLockTimeout.

http://www.damirscorner.com/CategoryView,category,Development,Win32.aspx

Since ForegroundLockTimeout it is not security related it is unlikely that CIS will be updated to alert about such function.

Thanks for that info. I think I’ll just live with the app changing the setting. It’s just another annoyance that the new version 7 of Photoshop Elements introduced. Some of the others are a lot more serious and I persued this one because I thought it might actually easy to block it.
Thanks,
Larry