Windows Seven and Defense+ issue

CIS pretty much never did this in Vista, but now I have Windows 7 RC installed with CIS version 3.9.95478.509, and pretty much whenever I plug in a USB device or do something for the first time, I get tons and tons of prompts saying that services.exe is trying to modify the registry root, and that this is a rare occurrence. Considering I just plugged in my USB receiver for my presentation remote and got 9 or 10 prompts of the same warning, this isn’t really rare at all >:( ??? (sometimes I’ll get that same warning that over 32,000 people got according to ThreatCast). Is this just a bug in CIS installed on Win7? As I said before, this never happened when my computer ran Vista. Hopefully an update is in the works that’ll address Windows 7 problems like this one. Thanks for your help.

Welcome to the forum myownboss :)

I am running Windows 7 on one box and I haven’t really seen this problem, even though I quite often use a usb stick.

Which build of Windows 7 are you using and what are your D+ settings?

I have Win7 build 7100, and D+ is set as the following:

Image Execution Control level is disabled, but detecting shellcode injections is on.
D+ security level is at “Clean PC”
Physical Memory, Disks, and keyboard are monitored against direct access.
Under “activities to monitor,” only Windows Messages and DNS/RPC client service are unchecked.
Everything is selected under “objects to monitor against modifications”

Thanks for your help.

BTW I’m using the 32-bit version of Win7

I got the same problem on Windows 7 64-bit.

Curious. As I said, I’ve been running Windows 7 for quite some time now, both x86 and x64 and I haven’t seen this problem.

I run D+ in Paranoid mode and monitor for everything and I haven’t seen a pop-up for the USB stick since the first time it was requested. I assume you are selecting to remember your choices?

The only thing I can think of is to make sure DeviceDisplayObjectProvider.exe and possibly DeviceDisplayObjectProvider.dll are listed in D+.

What do you mean about those 2 files in D+, the exe and the dll? Where should I find them ???

When inserting a new USB stick on Win 7 RC I get these pop-ups also. But that is a one-time phenomenon.

Well, at least I’m not the only one. It’s the “services.exe wants to modify the registry root” message or something to that extent, right?

And I just plugged in a U3-enabled flash drive now, and I didn’t get the services.exe registry root message a dozen times. I did get one U3 related security message, since it’s foreign to CIS/D+, but other than that, it works fine. Probably because I chose “remember my selection” whenever those messages pop up.

I guess there’s no way to get rid of them without going through them each time they show up and making sure CIS remembers your selection :(. Oh well.

But I just installed the CIS suite on an XP-based partition on the same PC running Win7, and these messages rarely show up, if at all. Clearly this is something related to CIS in Win7.

Clearly this is something related to CIS in Win7

You may well be right. Although CIS does work with Win7 it’s not, as the majority of applications, certified to do so.

As far as I know, there will be updates to CIS in the coming weeks and months, leading to CIS 4 sometime around year’s end/early 2010.

I think most developers are waiting for a confirmed RTM Win7 winmain build before releasing Win 7 specific apps.

Sorry, just bumping this thread to ask a dumb question. Or is it? I dunno. Anyway, I just got a computer with W7 and ran into this same issue. I figured out that these D+ alerts were related to plugging in my flash drive for the first time so I allowed the services.exe requests and clicked “remember my answer.” Now I’m wondering if that was not so smart of me since it could leave me vulnerable to something not flash drive-related in the future. Is that correct or is it not a problem?

I tried to figure out how to go back and change these settings and navigated to Defense+>>>Advanced>>>Computer Security Policy. From there, I saw that services.exe is using a custom policy (that I inadvertently created?) and have no idea what the default policy was. How do I change it back as if I’d never had it remember my answer to allow those requests? I apologize for my ignorance but this is very confusing to me. Please help!

The rule for services.exe is only Custom Policy and you cannot give it a predefined policy as a safety measure.

To get rid of the entries you stored, double click on the rule for services → Access rights → delete the permissions you gave for Driver installation, Protected Registry Keys and Protected Files/Folders.