Modify Registry Permissions to prevent Trojans

Source: Internet
Author: User
Tags gpupdate

I. The Problem

Most Trojans and some viruses start automatically either through the auto-start entries in the Registry (the Run keys and the file-association keys) or by registering themselves as system services (for details, see the article on Windows auto-start methods). Is there a way to stop Trojans and viruses from modifying these registry keys and adding services?

II. The Solution

Windows 2000/XP/2003 lets you set permissions on registry keys, but this is rarely used. Set the permissions on the following keys:

1. Set the Registry auto-start keys (Run, RunOnce, RunServices) to read-only for Everyone, so that Trojans and viruses cannot register themselves as auto-start entries.

2. Set the file-association keys for .txt, .com, .exe, .inf, .ini, .bat and similar file types to read-only for Everyone, so that Trojans and viruses cannot hijack a file association to get themselves started.

3. Set HKLM\SYSTEM\CurrentControlSet\Services to read-only for Everyone, so that Trojans and viruses cannot install themselves as services.

Registry key permissions can be set in any of the following ways:

1. In a domain environment, through Active Directory Group Policy.

2. Through the Local Computer Group Policy (or Secedit from the command line).

3. With the SetACL tool; this article drives it from a batch file.

4. Manually, with Regedt32 (Windows 2000: "Permissions" under the "Security" menu) or Regedit (Windows XP/2003: "Permissions" under the "Edit" menu). The batch file is given later in this article. If you only work with Users group permissions, the keys above are already read-only for you by default and none of this is necessary.
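The same three steps as a PowerShell script, added here as an example; it is not code from the original article and does not use SetACL. "Protect" does what the batch file's install option does (disable inheritance on each key and leave a single "Everyone: Read" ACE), "Unprotect" restores the DACL it saved beforehand (or, without a backup, re-enables inheritance and removes the Everyone ACE), and "Audit" lists which principals can still write to each key. The backup folder, the function names and the key list (the article's keys plus the ...Ex variants the batch file touches) are this example's own choices; it must be run from an elevated prompt.

```powershell
# Added example, not part of the original article: lock, unlock and audit the
# auto-start, file-association and Services keys by editing their DACLs.
param([ValidateSet('Audit', 'Protect', 'Unprotect')][string]$Mode = 'Audit')

$BackupDir = Join-Path $env:ALLUSERSPROFILE 'AutorunAclBackup'   # assumption: where original DACLs are saved
$Everyone  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'   # well-known SID, not language-dependent
# Any Allow ACE carrying one of these bits lets its principal change what the key starts.
$WriteBits = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

# Keys to handle: hive object plus subkey path. Keys that do not exist are skipped.
$Targets = @()
foreach ($n in 'Run', 'RunOnce', 'RunServices', 'RunEx', 'RunOnceEx', 'RunServicesEx', 'RunServicesOnce') {
    foreach ($hive in [Microsoft.Win32.Registry]::LocalMachine, [Microsoft.Win32.Registry]::CurrentUser) {
        $Targets += @{ Hive = $hive; Path = "SOFTWARE\Microsoft\Windows\CurrentVersion\$n" }
    }
}
foreach ($cls in 'exefile', 'comfile', 'batfile', 'txtfile', 'inifile', 'inffile') {
    $Targets += @{ Hive = [Microsoft.Win32.Registry]::ClassesRoot; Path = "$cls\shell\open\command" }
}
$Targets += @{ Hive = [Microsoft.Win32.Registry]::LocalMachine; Path = 'SYSTEM\CurrentControlSet\Services' }

function Get-KeyName([hashtable]$T) { "$($T.Hive.Name)\$($T.Path)" }

function Get-BackupFile([hashtable]$T) { Join-Path $BackupDir ((Get-KeyName $T) -replace '[\\:]', '_') }

function Open-TargetKey([hashtable]$T) {
    # Open with only the rights needed to read and rewrite the DACL; returns $null if the key is absent.
    $rights = [System.Security.AccessControl.RegistryRights]'ReadPermissions, ChangePermissions'
    $T.Hive.OpenSubKey($T.Path, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $rights)
}

function Protect-AutorunKeys {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($t in $Targets) {
        $key = Open-TargetKey $t
        if (-not $key) { continue }
        $sec = $key.GetAccessControl('Access')
        $bak = Get-BackupFile $t
        if (-not (Test-Path $bak)) {                    # keep the first backup; re-runs must not overwrite it
            [IO.File]::WriteAllText($bak, $sec.GetSecurityDescriptorSddlForm('Access'))
        }
        $sec.SetAccessRuleProtection($true, $false)     # stop inheriting and drop the inherited ACEs
        foreach ($r in @($sec.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]))) {
            $sec.RemoveAccessRuleAll($r)                # drop every explicit ACE as well
        }
        # Leave exactly one ACE: Everyone may read, and subkeys inherit it.
        $sec.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
            $Everyone, 'ReadKey', 'ContainerInherit', 'None', 'Allow')))
        $key.SetAccessControl($sec)
        $key.Close()
        "protected $(Get-KeyName $t)"
    }
}

function Unprotect-AutorunKeys {
    foreach ($t in $Targets) {
        $key = Open-TargetKey $t
        if (-not $key) { continue }
        $sec = $key.GetAccessControl('Access')
        $bak = Get-BackupFile $t
        if (Test-Path $bak) {
            # Exact restore of the DACL saved by Protect-AutorunKeys.
            $sec.SetSecurityDescriptorSddlForm([IO.File]::ReadAllText($bak).Trim(), 'Access')
        } else {
            $sec.SetAccessRuleProtection($false, $true) # inherit from the parent again
            $sec.PurgeAccessRules($Everyone)            # and drop the explicit Everyone ACE
        }
        $key.SetAccessControl($sec)
        $key.Close()
        if (Test-Path $bak) { Remove-Item $bak }        # only once the restore has been written
        "restored  $(Get-KeyName $t)"
    }
}

function Test-AutorunKeys {
    # One row per key; Hardened is $true when no Allow ACE grants any write bit.
    foreach ($t in $Targets) {
        $key = $t.Hive.OpenSubKey($t.Path, $false)
        if (-not $key) { continue }
        $rules = $key.GetAccessControl('Access').GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $writers = @($rules |
            Where-Object { $_.AccessControlType -eq 'Allow' -and ((([int]$_.RegistryRights) -band $WriteBits) -ne 0) } |
            ForEach-Object { $_.IdentityReference.Value })
        $key.Close()
        New-Object PSObject -Property @{ Key = Get-KeyName $t; Hardened = ($writers.Count -eq 0); Writers = ($writers -join ', ') }
    }
}

switch ($Mode) {
    'Protect'   { Protect-AutorunKeys }
    'Unprotect' { Unprotect-AutorunKeys }
    default     { Test-AutorunKeys | Format-Table Hardened, Writers, Key -AutoSize }
}
```

Save it as a .ps1 and run it elevated: `-Mode Audit` (the default) only reads and is safe to run anywhere; `-Mode Protect` before handing a machine over, `-Mode Unprotect` before installing software or patches, then `-Mode Protect` again, which is the cycle described under "Known Problems" below. Two caveats worth stating plainly: an "Everyone: Read" DACL removes write access from SYSTEM and Administrators too, which is why installers, patching and service installation fail while the keys are locked; and it is only a speed bump against malware that already runs as administrator, because the owner of a key (Administrators, on the systems this article targets) can always reopen it with WRITE_DAC and put the ACEs back, which is exactly what this script itself does. Where a key is owned by some other principal, Open-TargetKey fails with access denied and ownership has to be taken first.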

III. Intended Audience

1. People who are not familiar with computers and do not often install or uninstall software.

2. People who like to download and install software from the Internet.

3. Environments where every computer's operator has administrator rights and the users' skill levels vary widely.

IV. Known Problems

1. Installing anti-virus software or applying patches may write to those registry keys. You then have to restore the default permissions first, install the software, and apply the settings again. This is inconvenient.

2. I don't know whether 3721's privilege level is too high for this (I heard that 3721 is started through a driver and runs with Ring 0 privileges).

3. It only applies to Windows 2000, XP and 2003.

4. It only deals with simple viruses and Trojans.

V. Batch File Source Code


@goto start

==============================================================================
Name: Anti-Trojan
Function:
  1. Lock the auto-start keys (Run, RunOnce, RunServices)
  2. Lock the file associations for .txt, .com, .exe, .inf, .ini and .bat
  3. Prevent modification of "service" information
Principle: set the registry permissions to read-only

Version history
  Version   Date      Revised by   Change
  1.0       -12-22    netu0        created this script
==============================================================================

:start
@setlocal
@rem set the active code page to Chinese (GBK)
@chcp 936 >nul 2>nul
@echo.
@echo ************************************************************
@echo #
@echo #           Welcome to the Anti-Trojan program
@echo #
@echo #
@echo ************************************************************


:ChkOS
@rem pick the policy-refresh command for the running OS; anything else is refused
@echo.
@ver | find "2000" >nul 2>nul
@if "%ERRORLEVEL%"=="0" goto :2000
@ver | find "Microsoft Windows [Version 5" >nul 2>nul
@if "%ERRORLEVEL%"=="0" goto :2003
@ver | find "XP" >nul 2>nul
@if "%ERRORLEVEL%"=="0" goto :XP
@echo.
@echo # Your operating system is not Windows 2000/XP/2003; this program cannot be used.
@goto quit

@rem the commands that differ between systems are set in the labels below;
@rem output redirection is applied where %UpdatePolicy% is run, not stored in the variable
:2000
@set UpdatePolicy=secedit /refreshpolicy machine_policy
@goto Selection

:XP
@set UpdatePolicy=gpupdate /force
@goto Selection

:2003
@set UpdatePolicy=gpupdate /force
@goto Selection


:Selection
@rem user choice
@echo.
@echo Enter the number of one of the following options
@echo.
@echo 1: Install anti-Trojan protection
@echo 2: Remove anti-Trojan protection (restore the default settings)
@echo 3: View technical information
@echo 4: Exit
@echo.
@set /p UserSelection=Enter your selection (1, 2, 3, 4): 
@if "%UserSelection%"=="1" goto Install
@if "%UserSelection%"=="2" goto Uninstall
@if "%UserSelection%"=="3" goto Information
@if "%UserSelection%"=="4" goto quit
@rem any other input: show the menu again
@cls
@goto Selection

:Information
@cls
@echo ==========================================================================
@echo #
@echo #           Welcome to the Anti-Trojan program
@echo #
@echo # Function:
@echo #
@echo # 1. Set the Registry auto-start keys (Run, RunOnce, RunServices) to read-only,
@echo #    so that Trojans and viruses cannot start from the auto-start entries
@echo # 2. Set the file associations for .txt, .com, .exe, .inf, .ini, .bat etc. to read-only,
@echo #    so that Trojans and viruses cannot start through a file association
@echo # 3. Set the Registry key HKLM\SYSTEM\CurrentControlSet\Services to read-only,
@echo #    so that Trojans and viruses cannot start as "services"
@echo #
@echo # Note:
@echo # Some installation programs also write to the registry keys above. Run this program
@echo # before installing and choose 2 to restore the default settings. After the installation
@echo # is complete, run the program again and choose 1 to re-apply the anti-Trojan protection.
@echo ==========================================================================
@echo.
@echo Press any key to return to the menu
@pause >nul 2>nul
@cls
@goto Selection

:Install
@rem SetACL 1.x options: grant Everyone read, /p: controls the inherited-permissions flag
@set OP=/grant everyone /read /p:no_dont_copy
@goto Doit

:Uninstall
@set OP=/revoke everyone /read /p:yes
@goto Doit


:Doit
@echo.
@echo Executing the operation...

@rem HKLM
@setacl MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /registry %OP% >nul 2>nul
@setacl MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /registry %OP% >nul 2>nul
@setacl MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices /registry %OP% >nul 2>nul
@setacl MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunEx /registry %OP% >nul 2>nul
@setacl MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx /registry %OP% >nul 2>nul
@setacl MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesEx /registry %OP% >nul 2>nul

@rem HKCU
@setacl CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /registry %OP% >nul 2>nul
@setacl CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /registry %OP% >nul 2>nul
@setacl CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices /registry %OP% >nul 2>nul
@setacl CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunEx /registry %OP% >nul 2>nul
@setacl CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx /registry %OP% >nul 2>nul
@setacl CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesEx /registry %OP% >nul 2>nul
@setacl CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce /registry %OP% >nul 2>nul

@rem HKEY_USERS, as in the source listing (profile keys under HKEY_USERS live beneath
@rem the user's SID, so these paths are normally absent and the calls fail silently)
@setacl USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /registry %OP% >nul 2>nul
@setacl USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /registry %OP% >nul 2>nul
@setacl USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices /registry %OP% >nul 2>nul
@setacl USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\RunEx /registry %OP% >nul 2>nul
@setacl USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx /registry %OP% >nul 2>nul
@setacl USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesEx /registry %OP% >nul 2>nul
@setacl USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce /registry %OP% >nul 2>nul

@rem Services
@setacl MACHINE\SYSTEM\CurrentControlSet\Services /registry %OP% >nul 2>nul

@rem CLASSES_ROOT (file associations)
@setacl CLASSES_ROOT\exefile\shell\open\command /registry %OP% >nul 2>nul
@setacl CLASSES_ROOT\inifile\shell\open\command /registry %OP% >nul 2>nul
@setacl CLASSES_ROOT\txtfile\shell\open\command /registry %OP% >nul 2>nul
@setacl CLASSES_ROOT\comfile\shell\open\command /registry %OP% >nul 2>nul
@setacl CLASSES_ROOT\batfile\shell\open\command /registry %OP% >nul 2>nul
@rem the source listing breaks off in the middle of the next line
@setacl CLASSES_ROOT\inf

@rem run the per-OS policy refresh command chosen in :ChkOS
@%UpdatePolicy% >nul 2>nul

:quit
@endlocal
