Locking and Unlocking the Registry with SetACL.exe
These scripts were kindly contributed by Daniel E. Patterson.
LockRegistry.vbs
'*----------------------------------------------------------------------------*
'* LockRegistry.vbs *
'* *
'* By: Daniel E. Patterson *
'* *
'* Description: *
'* Used with SetACL.exe (available at http://setacl.sourceforge.net/) to *
'* lock down the Windows XP registry, rendering anti-virus applications *
'* obsolete. *
'* *
'* Usage: *
'* If CSCRIPT //H:CScript has been issued to default scripting to *
'* command-line actions, then: *
'* LockRegistry.vbs *
'* Otherwise: *
'* CSCRIPT LockRegistry.vbs *
'* *
'* Background: *
'* In recent experiences, we have documented several rampant viruses that, *
'* while detected by one of the five major AV applications, were not detected *
'* by others, and even though all of the brands will be sure to eventually *
'* include defs from this current period in history, it does not do any of us *
'* any good at the present time - while being hammered by new and as of yet *
'* unrecognized variants. At this point, we are going to assert the position *
'* that it is better not to assume we are protected at all unless we can *
'* force our system to be secure without the aid of AV software. As a benefit *
'* of this approach, we are also expecting to see a huge increase in general *
'* PC performance, since AV software is the biggest common drain on resources.*
'* *
'* While the first-run condition of a worm or virus exploits a long-running *
'* security hole in Microsoft Internet Explorer, they all need to create *
'* entries in the registry to run again the next time your PC starts. Most *
'* variants will either place random entries in the xxx\Runxxx nodes of the *
'* machine or current user, while other more sophisticated families make use *
'* of Browser Helper Objects (BHOs) that run when Windows Explorer starts. *
'* While notable portions of the registry are locked, however, those *
'* applications can not be fully registered, and as a result, will fail to *
'* load as desired by the author. Using this form of protection, then, you *
'* may experience virus-related glitches when visiting an infected site, but *
'* in the worst possible case, you will only need to reboot your computer to *
'* get back to normal operation - since the virus will not be able to start *
'* again after the PC has been shut down. *
'* *
'* Notes: *
'* This script assumes that SetACL.exe is located in your path. *
'* To install applications, use UnlockRegistry.vbs. Remember to lock the *
'* registry again after installing new applications. *
'*----------------------------------------------------------------------------*
dim machineName 'NetBIOS Name of the Machine.
dim wshNetwork 'Network Scripting Object.
dim wshShell 'Shell Access.
set wshNetwork = WScript.CreateObject("WScript.Network")
set wshShell = WScript.CreateObject("WScript.Shell")
machineName = wshNetwork.ComputerName
Secure "hklm\Software\Microsoft\Rpc"
Secure "hklm\Software\Microsoft\Windows NT\CurrentVersion\ProfileList"
Secure "hklm\Software\Microsoft\Windows NT\CurrentVersion\AeDebug"
Secure "hklm\Software\Microsoft\Windows NT\CurrentVersion\Compatibility"
Secure "hklm\Software\Microsoft\Windows NT\CurrentVersion\Drivers"
Secure "hklm\Software\Microsoft\Windows NT\CurrentVersion\Embedding"
Secure "hklm\Software\Microsoft\Windows NT\CurrentVersion\Fonts"
Secure "hklm\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes"
Secure "hklm\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"
Secure "hklm\Software\Microsoft\Windows NT\CurrentVersion\MCI"
Secure "hklm\Software\Microsoft\Windows NT\CurrentVersion\MCI Extensions"
Secure "hklm\Software\Microsoft\Windows NT\CurrentVersion\Ports"
Secure "hklm\Software\Microsoft\Windows NT\CurrentVersion\WOW"
Secure "hklm\Software\Microsoft\Windows\CurrentVersion\Run"
Secure "hklm\Software\Microsoft\Windows\CurrentVersion\RunOnce"
Secure "hklm\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
Secure "hklm\Software\Microsoft\Windows\CurrentVersion\RunServices"
Secure "hklm\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
Secure "hkcu\Software\Microsoft\Windows\CurrentVersion\Run"
Secure "hkcu\Software\Microsoft\Windows\CurrentVersion\RunOnce"
Secure "hkcu\Software\Microsoft\Windows\CurrentVersion\Ext\Settings"
Secure "hkcr"
WScript.Echo "Registry Locked..."
'*----------------------------------------------------------------------------*
sub Secure(key)
'Grant Administrators read plus write_dacl/write_owner (so the key can be unlocked
'again with UnlockRegistry.vbs) and Everyone read only; then protect the DACL so
'no inherited ACEs apply. Administrators deliberately get no set_val/create_subkey,
'which is why installers need the unlock script.
WScript.Echo "Securing " & key & "..."
wshShell.Run "setacl -on """ & key & """ -ot reg -actn ace -ace ""n:" & machineName & _
"\Administrators;p:query_val,enum_subkeys,notify,write_dacl,write_owner,read_access""" _
, 0, true
wshShell.Run "setacl -on """ & key & """ -ot reg -actn ace -ace " & _
"""n:Everyone;p:query_val,enum_subkeys,notify,read_access""", 0, true
'dacl:p_nc = protect the DACL from inheritance without copying the inherited ACEs,
'so only the two explicit ACEs set above remain on the key.
wshShell.Run "setacl -on """ & key & """ -ot reg -actn setprot -op dacl:p_nc" _
, 0, true
end sub
'*----------------------------------------------------------------------------*
UnlockRegistry.vbs
'*----------------------------------------------------------------------------*
'* UnlockRegistry.vbs *
'* *
'* By: Daniel E. Patterson *
'* *
'* Description: *
'* Used with SetACL.exe (available at http://setacl.sourceforge.net/) to *
'* unlock the Windows XP registry, allowing installation of software. *
'* *
'* Usage: *
'* If CSCRIPT //H:CScript has been issued to default scripting to *
'* command-line actions, then: *
'* UnlockRegistry.vbs *
'* Otherwise: *
'* CSCRIPT UnlockRegistry.vbs *
'* *
'* Background: *
'* In recent experiences, we have documented several rampant viruses that, *
'* while detected by one of the five major AV applications, were not detected *
'* by others, and even though all of the brands will be sure to eventually *
'* include defs from this current period in history, it does not do any of us *
'* any good at the present time - while being hammered by new and as of yet *
'* unrecognized variants. At this point, we are going to assert the position *
'* that it is better not to assume we are protected at all unless we can *
'* force our system to be secure without the aid of AV software. As a benefit *
'* of this approach, we are also expecting to see a huge increase in general *
'* PC performance, since AV software is the biggest common drain on resources.*
'* *
'* While the first-run condition of a worm or virus exploits a long-running *
'* security hole in Microsoft Internet Explorer, they all need to create *
'* entries in the registry to run again the next time your PC starts. Most *
'* variants will either place random entries in the xxx\Runxxx nodes of the *
'* machine or current user, while other more sophisticated families make use *
'* of Browser Helper Objects (BHOs) that run when Windows Explorer starts. *
'* While notable portions of the registry are locked, however, those *
'* applications can not be fully registered, and as a result, will fail to *
'* load as desired by the author. Using this form of protection, then, you *
'* may experience virus-related glitches when visiting an infected site, but *
'* in the worst possible case, you will only need to reboot your computer to *
'* get back to normal operation - since the virus will not be able to start *
'* again after the PC has been shut down. *
'* *
'* Notes: *
'* This script assumes that SetACL.exe is located in your path. *
'* After installing applications, use LockRegistry.vbs to re-lock the *
'* registry. *
'*----------------------------------------------------------------------------*
dim wshShell 'Shell Access.
set wshShell = WScript.CreateObject("WScript.Shell")
UnSecure "hklm\Software\Microsoft\Rpc"
UnSecure "hklm\Software\Microsoft\Windows NT\CurrentVersion\ProfileList"
UnSecure "hklm\Software\Microsoft\Windows NT\CurrentVersion\AeDebug"
UnSecure "hklm\Software\Microsoft\Windows NT\CurrentVersion\Compatibility"
UnSecure "hklm\Software\Microsoft\Windows NT\CurrentVersion\Drivers"
UnSecure "hklm\Software\Microsoft\Windows NT\CurrentVersion\Embedding"
UnSecure "hklm\Software\Microsoft\Windows NT\CurrentVersion\Fonts"
UnSecure "hklm\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes"
UnSecure "hklm\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"
UnSecure "hklm\Software\Microsoft\Windows NT\CurrentVersion\MCI"
UnSecure "hklm\Software\Microsoft\Windows NT\CurrentVersion\MCI Extensions"
UnSecure "hklm\Software\Microsoft\Windows NT\CurrentVersion\Ports"
UnSecure "hklm\Software\Microsoft\Windows NT\CurrentVersion\WOW"
UnSecure "hklm\Software\Microsoft\Windows\CurrentVersion\Run"
UnSecure "hklm\Software\Microsoft\Windows\CurrentVersion\RunOnce"
UnSecure "hklm\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
UnSecure "hklm\Software\Microsoft\Windows\CurrentVersion\RunServices"
UnSecure "hklm\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
UnSecure "hkcu\Software\Microsoft\Windows\CurrentVersion\Run"
UnSecure "hkcu\Software\Microsoft\Windows\CurrentVersion\RunOnce"
UnSecure "hkcu\Software\Microsoft\Windows\CurrentVersion\Ext\Settings"
UnSecure "hkcr"
WScript.Echo "Registry Unlocked..."
'*----------------------------------------------------------------------------*
sub UnSecure(key)
'dacl:np = remove the protection set by LockRegistry.vbs so the key inherits its
'parent's ACEs again. clear dacl,sacl then drops every explicit (non-inherited)
'ACE, including any custom permission or audit entries that existed before the
'key was locked, not only the two ACEs LockRegistry.vbs added.
WScript.Echo "UnSecuring " & key & "..."
wshShell.Run "setacl -on """ & key & """ -ot reg -actn setprot -op dacl:np", 0, true
wshShell.Run "setacl -on """ & key & """ -ot reg -actn clear -clr dacl,sacl", 0, true
end sub
'*----------------------------------------------------------------------------*
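As an added check that is not part of the contributed scripts, the PowerShell below reports whether each key is in the state LockRegistry.vbs leaves it in (DACL protected from inheritance, no write rights for any principal other than the local Administrators group) and, after UnlockRegistry.vbs, whether inheritance is back. It assumes the Windows PowerShell registry provider (Get-Acl on HKLM:/HKCU: paths) and uses only a subset of the key list from the scripts; the function and variable names are this example's own.

```powershell
# Added check, not part of the contributed scripts: for each key, report whether
# the state LockRegistry.vbs produces is in effect (DACL protected, no write
# rights except for BUILTIN\Administrators). After UnlockRegistry.vbs every
# key should report Locked = False with the inheritance problem listed.
# Key list trimmed to a few entries from LockRegistry.vbs; extend as needed.
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Rights that let a principal change the key's contents, its ACL or its owner.
$writeRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::Delete -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
               [System.Security.AccessControl.RegistryRights]::TakeOwnership

$adminsSid = 'S-1-5-32-544'   # well-known SID of the local Administrators group

function Test-LockedKey {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $problems = @()
    if (-not $acl.AreAccessRulesProtected) {
        $problems += 'DACL still inherits from its parent (setprot dacl:p_nc not in effect)'
    }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        # LockRegistry.vbs intentionally grants Administrators write_dacl/write_owner.
        if ($sid -eq $adminsSid) { continue }
        if ([int]($ace.RegistryRights -band $writeRights) -ne 0) {
            $problems += "write rights granted to $($ace.IdentityReference.Value)"
        }
    }
    [pscustomobject]@{
        Key      = $Path
        Locked   = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

$keys | ForEach-Object { Test-LockedKey -Path $_ } | Format-Table -AutoSize -Wrap
```

Reading the ACL only needs READ_CONTROL, which the Everyone ACE's read_access grants, so the check works from a non-administrative prompt as well.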