Locking and Unlocking the Registry with SetACL.exe

These scripts were kindly contributed by Daniel E. Patterson.

LockRegistry.vbs

'*----------------------------------------------------------------------------*
'* LockRegistry.vbs                                                           *
'*                                                                            *
'* By: Daniel E. Patterson                                                    *
'*                                                                            *
'* Description:                                                               *
'* Used with SetACL.exe (available at http://setacl.sourceforge.net/) to      *
'* lock down the Windows XP registry, rendering anti-virus applications       *
'* obsolete.                                                                  *
'*                                                                            *
'* Usage:                                                                     *
'* If CSCRIPT //H:CScript has been issued to default scripting to             *
'* command-line actions, then:                                                *
'*   LockRegistry.vbs                                                         *
'* Otherwise:                                                                 *
'*   CSCRIPT LockRegistry.vbs                                                 *
'*                                                                            *
'* Background:                                                                *
'* In recent experiences, we have documented several rampant viruses that,    *
'* while detected by one of the five major AV applications, were not detected *
'* by others, and even though all of the brands will be sure to eventually    *
'* include defs from this current period in history, it does not do any of us *
'* any good at the present time - while being hammered by new and as of yet   *
'* unrecognized variants. At this point, we are going to assert the position  *
'* that it is better not to assume we are protected at all unless we can      *
'* force our system to be secure without the aid of AV software. As a benefit *
'* of this approach, we are also expecting to see a huge increase in general  *
'* PC performance, since AV software is the biggest common drain on resources.*
'*                                                                            *
'* While the first-run condition of a worm or virus exploits a long-running   *
'* security hole in Microsoft Internet Explorer, they all need to create      *
'* entries in the registry to run again the next time your PC starts. Most    *
'* variants will either place random entries in the xxx\Runxxx nodes of the   *
'* machine or current user, while other more sophisticated families make use  *
'* of Browser Helper Objects (BHOs) that run when Windows Explorer starts.    *
'* While notable portions of the registry are locked, however, those          *
'* applications can not be fully registered, and as a result, will fail to    *
'* load as desired by the author. Using this form of protection, then, you    *
'* may experience virus-related glitches when visiting an infected site, but  *
'* in the worst possible case, you will only need to reboot your computer to  *
'* get back to normal operation - since the virus will not be able to start   *
'* again after the PC has been shut down.                                     *
'*                                                                            *
'* Notes:                                                                     *
'* This script assumes that SetACL.exe is located in your path.               *
'* To install applications, use UnlockRegistry.vbs. Remember to lock the      *
'* registry again after installing new applications.                          *
'*----------------------------------------------------------------------------*
dim machineName     'NetBIOS Name of the Machine.
dim wshNetwork      'Network Scripting Object.
dim wshShell        'Shell Access.

  set wshNetwork = WScript.CreateObject("WScript.Network")
  set wshShell = WScript.CreateObject("WScript.Shell")

  machineName = wshNetwork.ComputerName

  Secure "hklm\Software\Microsoft\Rpc"
  Secure "hklm\Software\Microsoft\Windows NT\CurrentVersion\ProfileList"
  Secure "hklm\Software\Microsoft\Windows NT\CurrentVersion\AeDebug"
  Secure "hklm\Software\Microsoft\Windows NT\CurrentVersion\Compatibility"
  Secure "hklm\Software\Microsoft\Windows NT\CurrentVersion\Drivers"
  Secure "hklm\Software\Microsoft\Windows NT\CurrentVersion\Embedding"
  Secure "hklm\Software\Microsoft\Windows NT\CurrentVersion\Fonts"
  Secure "hklm\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes"
  Secure "hklm\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"
  Secure "hklm\Software\Microsoft\Windows NT\CurrentVersion\MCI"
  Secure "hklm\Software\Microsoft\Windows NT\CurrentVersion\MCI Extensions"
  Secure "hklm\Software\Microsoft\Windows NT\CurrentVersion\Ports"
  Secure "hklm\Software\Microsoft\Windows NT\CurrentVersion\WOW"
  Secure "hklm\Software\Microsoft\Windows\CurrentVersion\Run"
  Secure "hklm\Software\Microsoft\Windows\CurrentVersion\RunOnce"
  Secure "hklm\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
  Secure "hklm\Software\Microsoft\Windows\CurrentVersion\RunServices"
  Secure "hklm\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
  Secure "hkcu\Software\Microsoft\Windows\CurrentVersion\Run"
  Secure "hkcu\Software\Microsoft\Windows\CurrentVersion\RunOnce"
  Secure "hkcu\Software\Microsoft\Windows\CurrentVersion\Ext\Settings"
  Secure "hkcr"
  WScript.Echo "Registry Locked..."


'*----------------------------------------------------------------------------*
sub Secure(key)
'Access only for Administrators (Read + change DACL/owner) and Everyone (Read).
'Inheritance is then blocked WITHOUT copying the inherited ACEs, so these two
'explicit ACEs are all that remain on the key.
  dim rc
  WScript.Echo "Securing " & key & "..."
  rc = wshShell.Run("setacl -on """ & key & """ -ot reg -actn ace -ace ""n:" & machineName & _
    "\Administrators;p:query_val,enum_subkeys,notify,write_dacl,write_owner,read_access""", 0, true)
  if rc <> 0 then WScript.Echo "  setacl exit code " & rc & " while adding the Administrators ACE"
  rc = wshShell.Run("setacl -on """ & key & """ -ot reg -actn ace -ace " & _
    """n:Everyone;p:query_val,enum_subkeys,notify,read_access""", 0, true)
  if rc <> 0 then WScript.Echo "  setacl exit code " & rc & " while adding the Everyone ACE"
  'p_nc: protect the DACL from inheritance and do not copy the inherited ACEs.
  'SYSTEM gets no explicit ACE here, so it keeps only the read access Everyone has.
  rc = wshShell.Run("setacl -on """ & key & """ -ot reg -actn setprot -op dacl:p_nc", 0, true)
  if rc <> 0 then WScript.Echo "  setacl exit code " & rc & " while blocking inheritance"
end sub
'*----------------------------------------------------------------------------*
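A read-back check for the lock, added here as an example and not one of the contributed scripts. It uses PowerShell's Get-Acl rather than SetACL.exe, walks the same key list as LockRegistry.vbs, and reports for each key whether inheritance is blocked and which principals still hold a write-class right (set value, create subkey, delete, change permissions, take ownership). The key list and the expectation that only the local Administrators group keeps write-class rights come from LockRegistry.vbs; the only other assumption is PowerShell 3 or later, run from an elevated prompt.

```powershell
# Added example, not one of the contributed scripts: read back the DACL of each
# key LockRegistry.vbs touches and report whether the lock actually holds.
# Uses Get-Acl rather than SetACL.exe. Assumes PowerShell 3+, run elevated.

# LockRegistry.vbs addresses hkcr directly; PowerShell needs a drive for it.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

# Same key list as LockRegistry.vbs, in PowerShell path form.
$lockedKeys = @(
    'HKLM:\Software\Microsoft\Rpc',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\ProfileList',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\AeDebug',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Compatibility',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Drivers',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Embedding',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Fonts',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\MCI',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\MCI Extensions',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Ports',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\WOW',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Settings',
    'HKCR:\'
)

# Rights that allow adding or changing autostart entries, or rewriting the
# ACL to grant more. Read-class rights are deliberately left out.
$writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

# Well-known SID of the local Administrators group (BUILTIN\Administrators),
# the only principal LockRegistry.vbs leaves with write-class rights.
$adminsSid = 'S-1-5-32-544'

function Test-LockedKey {
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        # Not a lock failure: some listed keys may not exist on every system.
        return [pscustomobject]@{ Key = $Path; Locked = $null; Detail = 'key not present' }
    }

    $acl = Get-Acl -LiteralPath $Path

    # Principals (as SIDs) holding an Allow ACE with any write-class right.
    $writers = @($acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.RegistryRights) -band ([int]$writeRights)) -ne 0
        } |
        ForEach-Object {
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } |
        Sort-Object -Unique)

    $unexpected = @($writers | Where-Object { $_ -ne $adminsSid })

    if (-not $acl.AreAccessRulesProtected) {
        $detail = 'inherits ACEs from parent (not locked)'
    } elseif ($unexpected.Count -gt 0) {
        $detail = 'write-class rights held by: ' + ($unexpected -join ', ')
    } else {
        $detail = 'only BUILTIN\Administrators can change the DACL/owner'
    }

    [pscustomobject]@{
        Key    = $Path
        Locked = ($acl.AreAccessRulesProtected -and $unexpected.Count -eq 0)
        Detail = $detail
    }
}

$results = $lockedKeys | ForEach-Object { Test-LockedKey -Path $_ }
$results | Format-Table -AutoSize -Wrap

# Non-zero exit if any existing key is not locked, so the check can gate a job.
if (@($results | Where-Object { $_.Locked -eq $false }).Count -gt 0) { exit 1 }
```

After LockRegistry.vbs every key that exists should report Locked = True; after UnlockRegistry.vbs they should report that they inherit from their parent again. One thing the table will not flag, because it is exactly what the lock script asks for: since setprot with dacl:p_nc discards the inherited ACEs instead of copying them, SYSTEM is left with only the rights the Everyone ACE grants, that is read access, on keys Windows itself writes to, such as ProfileList when a new user logs on for the first time or HKCR when a component registers a COM class. Expect services running as SYSTEM to fail at those writes while the lock is in place, and unlock before applying operating-system updates as well as before installing applications.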

UnlockRegistry.vbs

'*----------------------------------------------------------------------------*
'* UnlockRegistry.vbs                                                         *
'*                                                                            *
'* By: Daniel E. Patterson                                                    *
'*                                                                            *
'* Description:                                                               *
'* Used with SetACL.exe (available at http://setacl.sourceforge.net/) to      *
'* unlock the Windows XP registry, allowing installation of software.         *
'*                                                                            *
'* Usage:                                                                     *
'* If CSCRIPT //H:CScript has been issued to default scripting to             *
'* command-line actions, then:                                                *
'*   UnlockRegistry.vbs                                                       *
'* Otherwise:                                                                 *
'*   CSCRIPT UnlockRegistry.vbs                                               *
'*                                                                            *
'* Background:                                                                *
'* In recent experiences, we have documented several rampant viruses that,    *
'* while detected by one of the five major AV applications, were not detected *
'* by others, and even though all of the brands will be sure to eventually    *
'* include defs from this current period in history, it does not do any of us *
'* any good at the present time - while being hammered by new and as of yet   *
'* unrecognized variants. At this point, we are going to assert the position  *
'* that it is better not to assume we are protected at all unless we can      *
'* force our system to be secure without the aid of AV software. As a benefit *
'* of this approach, we are also expecting to see a huge increase in general  *
'* PC performance, since AV software is the biggest common drain on resources.*
'*                                                                            *
'* While the first-run condition of a worm or virus exploits a long-running   *
'* security hole in Microsoft Internet Explorer, they all need to create      *
'* entries in the registry to run again the next time your PC starts. Most    *
'* variants will either place random entries in the xxx\Runxxx nodes of the   *
'* machine or current user, while other more sophisticated families make use  *
'* of Browser Helper Objects (BHOs) that run when Windows Explorer starts.    *
'* While notable portions of the registry are locked, however, those          *
'* applications can not be fully registered, and as a result, will fail to    *
'* load as desired by the author. Using this form of protection, then, you    *
'* may experience virus-related glitches when visiting an infected site, but  *
'* in the worst possible case, you will only need to reboot your computer to  *
'* get back to normal operation - since the virus will not be able to start   *
'* again after the PC has been shut down.                                     *
'*                                                                            *
'* Notes:                                                                     *
'* This script assumes that SetACL.exe is located in your path.               *
'* After installing applications, use LockRegistry.vbs to re-lock the         *
'* registry.                                                                  *
'*----------------------------------------------------------------------------*
dim wshShell        'Shell Access.

  set wshShell = WScript.CreateObject("WScript.Shell")

  UnSecure "hklm\Software\Microsoft\Rpc"
  UnSecure "hklm\Software\Microsoft\Windows NT\CurrentVersion\ProfileList"
  UnSecure "hklm\Software\Microsoft\Windows NT\CurrentVersion\AeDebug"
  UnSecure "hklm\Software\Microsoft\Windows NT\CurrentVersion\Compatibility"
  UnSecure "hklm\Software\Microsoft\Windows NT\CurrentVersion\Drivers"
  UnSecure "hklm\Software\Microsoft\Windows NT\CurrentVersion\Embedding"
  UnSecure "hklm\Software\Microsoft\Windows NT\CurrentVersion\Fonts"
  UnSecure "hklm\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes"
  UnSecure "hklm\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"
  UnSecure "hklm\Software\Microsoft\Windows NT\CurrentVersion\MCI"
  UnSecure "hklm\Software\Microsoft\Windows NT\CurrentVersion\MCI Extensions"
  UnSecure "hklm\Software\Microsoft\Windows NT\CurrentVersion\Ports"
  UnSecure "hklm\Software\Microsoft\Windows NT\CurrentVersion\WOW"
  UnSecure "hklm\Software\Microsoft\Windows\CurrentVersion\Run"
  UnSecure "hklm\Software\Microsoft\Windows\CurrentVersion\RunOnce"
  UnSecure "hklm\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
  UnSecure "hklm\Software\Microsoft\Windows\CurrentVersion\RunServices"
  UnSecure "hklm\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
  UnSecure "hkcu\Software\Microsoft\Windows\CurrentVersion\Run"
  UnSecure "hkcu\Software\Microsoft\Windows\CurrentVersion\RunOnce"
  UnSecure "hkcu\Software\Microsoft\Windows\CurrentVersion\Ext\Settings"
  UnSecure "hkcr"
  WScript.Echo "Registry Unlocked..."


'*----------------------------------------------------------------------------*
sub UnSecure(key)
' Switch inheritance back on, then clear the explicit (non-inherited) ACEs,
' leaving the key with only what it inherits from its parent.
  dim rc
  WScript.Echo "UnSecuring " & key & "..."
  rc = wshShell.Run("setacl -on """ & key & """ -ot reg -actn setprot -op dacl:np", 0, true)
  if rc <> 0 then WScript.Echo "  setacl exit code " & rc & " while re-enabling inheritance"
  rc = wshShell.Run("setacl -on """ & key & """ -ot reg -actn clear -clr dacl,sacl", 0, true)
  if rc <> 0 then WScript.Echo "  setacl exit code " & rc & " while clearing explicit ACEs"
end sub
'*----------------------------------------------------------------------------*