I see the post in superuser and I have a similar case, but with a small difference.
I created a reg key.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe"
And the content target: /windows/system32/wscript.exe
And I need to block this key permanently (or any other key that I want to create), to prevent accidental or intentional deletion or modification by any malware.
Question:
What command line can help me to do this? (cmd or powershell or both)
Answer
I need to block this key to prevent deletion or modification by malware.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe
What command line can help me to do this?
As per the answers in the link in your question, the easiest way to do this is to remove the Edit permissions from SYSTEM and the Administrators groups and the key should then effectively be read only.
You can do this from the command line with regini by following the procedure below.
Warning:
I would be very tempted to back up your whole system before making such changes (you may feel comfortable just backing up the registry - see below).
The instructions below contain steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly.
For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs.
For more information see How to back up and restore the registry in Windows
1. Create a file (for example block.txt) with the following contents:

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe [2 19]

2. Execute the block.txt script using the following command, run from an elevated (Administrator) cmd shell:

   regini block.txt
Notes:

The regini command must be run from an elevated (Administrator) cmd shell, otherwise it will fail (and no error will be displayed).

The permission entry is set to [2 19], which is Administrators Read Access and SYSTEM Read Access. You need to think carefully whether other user groups also require read access. Using a permission entry of [2 8 19] will in addition also allow standard users (and administrator accounts with a filtered user token) read access to the key.

You may need to change the permissions of the parent key to prevent sub-keys being deleted (I haven't verified this).
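The same procedure, scripted end to end in PowerShell as an added example (this is not code from the original answer): it exports the key as a backup first, as the warning above recommends, writes the regini script, applies it, and then reads the resulting DACL back with Get-Acl so you can confirm that no remaining access entry still grants a write-type right. The key path and the [2 19] permission list are the ones from the answer; the backup file name, the use of %TEMP% for block.txt, and the exit-code check on regini are assumptions of this example.

```powershell
# Added example: apply the regini ACL from the answer and verify the result.
# Run from an elevated (Administrator) PowerShell session.

# Key from the answer, in regini form and in PowerShell provider form.
$reginiKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe'
$psKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe'

# Assumed locations for the backup and the regini script file.
$backupFile = Join-Path $env:TEMP 'ifeo-wscript-backup.reg'
$scriptFile = Join-Path $env:TEMP 'block.txt'

# 1. Back up the key before touching its permissions (reg export /y overwrites).
reg.exe export "$reginiKey" "$backupFile" /y | Out-Null

# 2. Write the regini script. Permission codes as used on the page:
#    2 = Administrators Read Access, 19 = SYSTEM Read Access
#    (use [2 8 19] instead if Everyone also needs read access).
"$reginiKey [2 19]" | Set-Content -Path $scriptFile -Encoding ASCII

# 3. Apply it. regini prints nothing on success; the exit-code check is an
#    assumption, so the ACL check in step 4 is the authoritative verification.
regini.exe $scriptFile
if ($LASTEXITCODE -ne 0) { throw "regini returned exit code $LASTEXITCODE (was the shell elevated?)" }

# 4. Verify: any Allow entry carrying one of these rights means the key can still be changed.
$writeRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::Delete -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
               [System.Security.AccessControl.RegistryRights]::TakeOwnership

function Test-KeyIsReadOnly {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $writable = $false
    foreach ($ace in $acl.Access) {
        $grantsWrite = ($ace.AccessControlType -eq 'Allow') -and
                       (($ace.RegistryRights -band $writeRights) -ne 0)
        if ($grantsWrite) { $writable = $true }
        '{0,-35} {1,-6} {2}{3}' -f $ace.IdentityReference, $ace.AccessControlType,
                                  $ace.RegistryRights,
                                  $(if ($grantsWrite) { '   <-- still grants write access' } else { '' })
    }
    Write-Output ("Owner: {0}" -f $acl.Owner)
    return (-not $writable)
}

if (Test-KeyIsReadOnly -Path $psKey) {
    Write-Output 'Key is read-only for every listed principal.'
} else {
    Write-Output 'Key still has a write-capable access entry; review the list above.'
}
```

The owner printed at the end matters: the owner of a key can always rewrite its DACL regardless of the access entries, so this lock guards against accidental edits and against code that does not bother to take ownership, not against a process that already holds administrative privileges and chooses to do so. To undo the change, import the exported backup file with reg import, which restores the key's values (re-run regini with a permissive entry such as [1 17], Administrators Full Access and SYSTEM Full Access, if you also need the original write permissions back).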