Locking and Unlocking the Registry with SetACL.exe
These scripts were kindly contributed by Daniel E. Patterson.
LockRegistry.vbs
'*----------------------------------------------------------------------------*
'* LockRegistry.vbs *
'* *
'* By: Daniel E. Patterson *
'* *
'* Description: *
'* Used with SetACL.exe (available at http://setacl.sourceforge.net/) to *
'* lock down the Windows XP registry, rendering anti-virus applications *
'* obsolete. *
'* *
'* Usage: *
'* If CSCRIPT //H:CScript has been issued to default scripting to *
'* command-line actions, then: *
'* LockRegistry.vbs *
'* Otherwise: *
'* CSCRIPT LockRegistry.vbs *
'* *
'* Background: *
'* In recent experiences, we have documented several rampant viruses that, *
'* while detected by one of the five major AV applications, were not detected *
'* by others, and even though all of the brands will be sure to eventually *
'* include defs from this current period in history, it does not do any of us *
'* any good at the present time - while being hammered by new and as of yet *
'* unrecognized variants. At this point, we are going to assert the position *
'* that it is better not to assume we are protected at all unless we can *
'* force our system to be secure without the aid of AV software. As a benefit *
'* of this approach, we are also expecting to see a huge increase in general *
'* PC performance, since AV software is the biggest common drain on resources.*
'* *
'* While the first-run condition of a worm or virus exploits a long-running *
'* security hole in Microsoft Internet Explorer, they all need to create *
'* entries in the registry to run again the next time your PC starts. Most *
'* variants will either place random entries in the xxx\Runxxx nodes of the *
'* machine or current user, while other more sophisticated families make use *
'* of Browser Helper Objects (BHOs) that run when Windows Explorer starts. *
'* While notable portions of the registry are locked, however, those *
'* applications can not be fully registered, and as a result, will fail to *
'* load as desired by the author. Using this form of protection, then, you *
'* may experience virus-related glitches when visiting an infected site, but *
'* in the worst possible case, you will only need to reboot your computer to *
'* get back to normal operation - since the virus will not be able to start *
'* again after the PC has been shut down. *
'* *
'* Notes: *
'* This script assumes that SetACL.exe is located in your path. *
'* To install applications, use UnlockRegistry.vbs. Remember to lock the *
'* registry again after installing new applications. *
'*----------------------------------------------------------------------------*
dim machineName 'NetBIOS Name of the Machine.
dim wshNetwork 'Network Scripting Object.
dim wshShell 'Shell Access.
set wshNetwork = WScript.CreateObject("WScript.Network")
set wshShell = WScript.CreateObject("WScript.Shell")
machineName = wshNetwork.ComputerName
Secure "hklm\Software\Microsoft\Rpc"
Secure "hklm\Software\Microsoft\Windows NT\CurrentVersion\ProfileList"
Secure "hklm\Software\Microsoft\Windows NT\CurrentVersion\AeDebug"
Secure "hklm\Software\Microsoft\Windows NT\CurrentVersion\Compatibility"
Secure "hklm\Software\Microsoft\Windows NT\CurrentVersion\Drivers"
Secure "hklm\Software\Microsoft\Windows NT\CurrentVersion\Embedding"
Secure "hklm\Software\Microsoft\Windows NT\CurrentVersion\Fonts"
Secure "hklm\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes"
Secure "hklm\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"
Secure "hklm\Software\Microsoft\Windows NT\CurrentVersion\MCI"
Secure "hklm\Software\Microsoft\Windows NT\CurrentVersion\MCI Extensions"
Secure "hklm\Software\Microsoft\Windows NT\CurrentVersion\Ports"
Secure "hklm\Software\Microsoft\Windows NT\CurrentVersion\WOW"
Secure "hklm\Software\Microsoft\Windows\CurrentVersion\Run"
Secure "hklm\Software\Microsoft\Windows\CurrentVersion\RunOnce"
Secure "hklm\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
Secure "hklm\Software\Microsoft\Windows\CurrentVersion\RunServices"
Secure "hklm\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
Secure "hkcu\Software\Microsoft\Windows\CurrentVersion\Run"
Secure "hkcu\Software\Microsoft\Windows\CurrentVersion\RunOnce"
Secure "hkcu\Software\Microsoft\Windows\CurrentVersion\Ext\Settings"
Secure "hkcr"
WScript.Echo "Registry Locked..."
'*----------------------------------------------------------------------------*
sub Secure(key)
'Access only for Administrators (Read + Set), and Everyone (Read) - not inherited.
WScript.Echo "Securing " & key & "..."
wshShell.Run "setacl -on """ & key & """ -ot reg -actn ace -ace ""n:" & machineName & _
"\Administrators;p:query_val,enum_subkeys,notify,write_dacl,write_owner,read_access""" _
, 0, true
'Everyone: read only. The literal is closed before the line continuation so the two parts concatenate.
wshShell.Run "setacl -on """ & key & """ -ot reg -actn ace -ace " & _
"""n:Everyone;p:query_val,enum_subkeys,notify,read_access""", 0, true
wshShell.Run "setacl -on """ & key & """ -ot reg -actn setprot -op dacl:p_nc" _
, 0, true
end sub
'*----------------------------------------------------------------------------*
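An added audit script, not part of the contributed LockRegistry.vbs/UnlockRegistry.vbs: it reads the DACL of the autostart keys the Secure sub protects and reports, per key, whether inheritance has been cut off (the effect of setprot -op dacl:p_nc) and which principals still hold rights that let them add or change an entry. It assumes an elevated PowerShell session on the locked machine; the HKCU keys it inspects belong to the account running the check, and the key list is the page's own Run/RunOnce/BHO set and can be extended with the other keys the script secures.

```powershell
# Added audit (not part of the contributed scripts); run elevated on the locked machine.
$Keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Rights that let a principal create or alter an autostart entry. write_dacl and
# write_owner are left out on purpose: the lock script grants them to Administrators
# so the key can be unlocked again, and they do not by themselves add a Run value.
$WriteMask = [int]([System.Security.AccessControl.RegistryRights]::SetValue -bor
                   [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                   [System.Security.AccessControl.RegistryRights]::Delete)

function Test-LockedKey {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Key = $Path; Exists = $false; Protected = $null; Writers = @() }
    }
    $acl = Get-Acl -LiteralPath $Path
    $writers = foreach ($ace in $acl.Access) {
        # Allow ACEs carrying any write bit; an inherited one means dacl:p_nc was not applied.
        if ($ace.AccessControlType -eq 'Allow' -and (([int]$ace.RegistryRights -band $WriteMask) -ne 0)) {
            if ($ace.IsInherited) { "$($ace.IdentityReference) (inherited)" }
            else                  { "$($ace.IdentityReference)" }
        }
    }
    [pscustomobject]@{
        Key       = $Path
        Exists    = $true
        Protected = $acl.AreAccessRulesProtected   # $true once setprot -op dacl:p_nc has run
        Writers   = @($writers)
    }
}

$report = $Keys | ForEach-Object { Test-LockedKey $_ }
$report | Format-Table Key, Exists, Protected, @{ n = 'Writers'; e = { $_.Writers -join ', ' } } -AutoSize

# A key is in the locked state only if inheritance is off and nobody holds write rights.
$open = @($report | Where-Object { $_.Exists -and (-not $_.Protected -or $_.Writers.Count -gt 0) })
if ($open.Count) { Write-Warning "$($open.Count) key(s) are not in the locked state" }
```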
UnlockRegistry.vbs
'*----------------------------------------------------------------------------*
'* UnlockRegistry.vbs *
'* *
'* By: Daniel E. Patterson *
'* *
'* Description: *
'* Used with SetACL.exe (available at http://setacl.sourceforge.net/) to *
'* unlock the Windows XP registry, allowing installation of software. *
'* *
'* Usage: *
'* If CSCRIPT //H:CScript has been issued to default scripting to *
'* command-line actions, then: *
'* UnlockRegistry.vbs *
'* Otherwise: *
'* CSCRIPT UnlockRegistry.vbs *
'* *
'* Background: *
'* In recent experiences, we have documented several rampant viruses that, *
'* while detected by one of the five major AV applications, were not detected *
'* by others, and even though all of the brands will be sure to eventually *
'* include defs from this current period in history, it does not do any of us *
'* any good at the present time - while being hammered by new and as of yet *
'* unrecognized variants. At this point, we are going to assert the position *
'* that it is better not to assume we are protected at all unless we can *
'* force our system to be secure without the aid of AV software. As a benefit *
'* of this approach, we are also expecting to see a huge increase in general *
'* PC performance, since AV software is the biggest common drain on resources.*
'* *
'* While the first-run condition of a worm or virus exploits a long-running *
'* security hole in Microsoft Internet Explorer, they all need to create *
'* entries in the registry to run again the next time your PC starts. Most *
'* variants will either place random entries in the xxx\Runxxx nodes of the *
'* machine or current user, while other more sophisticated families make use *
'* of Browser Helper Objects (BHOs) that run when Windows Explorer starts. *
'* While notable portions of the registry are locked, however, those *
'* applications can not be fully registered, and as a result, will fail to *
'* load as desired by the author. Using this form of protection, then, you *
'* may experience virus-related glitches when visiting an infected site, but *
'* in the worst possible case, you will only need to reboot your computer to *
'* get back to normal operation - since the virus will not be able to start *
'* again after the PC has been shut down. *
'* *
'* Notes: *
'* This script assumes that SetACL.exe is located in your path. *
'* After installing applications, use LockRegistry.vbs to re-lock the *
'* registry. *
'*----------------------------------------------------------------------------*
dim wshShell 'Shell Access.
set wshShell = WScript.CreateObject("WScript.Shell")
UnSecure "hklm\Software\Microsoft\Rpc"
UnSecure "hklm\Software\Microsoft\Windows NT\CurrentVersion\ProfileList"
UnSecure "hklm\Software\Microsoft\Windows NT\CurrentVersion\AeDebug"
UnSecure "hklm\Software\Microsoft\Windows NT\CurrentVersion\Compatibility"
UnSecure "hklm\Software\Microsoft\Windows NT\CurrentVersion\Drivers"
UnSecure "hklm\Software\Microsoft\Windows NT\CurrentVersion\Embedding"
UnSecure "hklm\Software\Microsoft\Windows NT\CurrentVersion\Fonts"
UnSecure "hklm\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes"
UnSecure "hklm\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"
UnSecure "hklm\Software\Microsoft\Windows NT\CurrentVersion\MCI"
UnSecure "hklm\Software\Microsoft\Windows NT\CurrentVersion\MCI Extensions"
UnSecure "hklm\Software\Microsoft\Windows NT\CurrentVersion\Ports"
UnSecure "hklm\Software\Microsoft\Windows NT\CurrentVersion\WOW"
UnSecure "hklm\Software\Microsoft\Windows\CurrentVersion\Run"
UnSecure "hklm\Software\Microsoft\Windows\CurrentVersion\RunOnce"
UnSecure "hklm\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
UnSecure "hklm\Software\Microsoft\Windows\CurrentVersion\RunServices"
UnSecure "hklm\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
UnSecure "hkcu\Software\Microsoft\Windows\CurrentVersion\Run"
UnSecure "hkcu\Software\Microsoft\Windows\CurrentVersion\RunOnce"
UnSecure "hkcu\Software\Microsoft\Windows\CurrentVersion\Ext\Settings"
UnSecure "hkcr"
WScript.Echo "Registry Unlocked..."
'*----------------------------------------------------------------------------*
sub UnSecure(key)
' Set Inheritance on - clear non-inherited ACEs
WScript.Echo "UnSecuring " & key & "..."
wshShell.Run "setacl -on """ & key & """ -ot reg -actn setprot -op dacl:np", 0, true
wshShell.Run "setacl -on """ & key & """ -ot reg -actn clear -clr dacl,sacl", 0, true
end sub
'*----------------------------------------------------------------------------*
1 Comment
Hi
I've a new problem for you … I'm running Windows 10 Home (up to date) and I use Norton 360.
An update of Norton was applied automatically which brings many changes…
Many years ago I used SETACL and SETACL Studio to customize permissions on
the "run" keys in the registry… It worked fine until the new version of Norton.
Norton had a good idea: for the first time, it has added a line for NortonUI.exe
in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and, to protect this entry, the key is now locked and it is no longer possible
to change anything. SETACL also fails with "not authorized"… 8°-(
Your script above also does not work…
Directly with SETACL Studio is not better.
The Norton support is unable to solve this problem.
Would it be better to add a new scheduled task… as with the other entries for Norton?
Do you have an idea or a solution? What can I try?
Thanks for your reply
PLF