Manually Adding Reg Values to monitor.
Click the "Add" button and you'll see the following screen.
You may want to monitor the following registry values, which are known to be changed by current malware. Just copy and paste the string into the Add Registry to Monitor window.


Prevent System Restore from being Disabled

    Lately, we've seen malware disable your System Restore feature before it downloads its complete payload. The key below may not exist, so by setting the value you'll be notified if malware tries to reset it. A value of 1 disables System Restore, so setting it to 0 lets you protect it from being changed to 1 or other values.

    The following settings will tell WinPatrol you want to be notified if anyone tries to create and change this value from a non-zero value.

    Just copy and paste the key below into WinPatrol

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore

Enter the following and click the Add button
   Name:  DisableSR           Value:    0  

Change Value Type to "REG_DWORD"


DLL Preloading Remote Attack Vector

    This key determines how Windows searches for DLLs to load. The default value "0" tells Windows to use the default method to find the location of the DLL. If a program is not specific in setting the path to a DLL, malware could inject its own malicious DLL in the default search path. This key may not exist, so by setting the value you'll be notified if malware tries to reset it.
  • See the following for more information and to download a fix from Microsoft:
    http://support.microsoft.com/kb/2264107
  • The following settings will tell WinPatrol you want to be notified if anyone tries to create and change this value from a non-zero value.

HKEY_LOCAL_MACHINE
SYSTEM\CurrentControlSet\Control\Session Manager
Change Value Type to "REG_DWORD"

Enter the following and click the Add button
Name:  CWDIllegalInDllSearch        Value:    1  

This is a correction over previous post.


Security Center Settings

    These values control the reminder balloons that let you know if you have Firewall and AntiVirus software installed. Some of you might want these disabled, but in most cases you'll want to be notified if these values change from 0 to 1. If the value is 1 you won't be notified if your AntiVirus or Firewall software is disabled. When some programs infiltrate your system they'll change these values to 1 so you don't know. You can add these values so WinPatrol can auto protect you or let you know if someone is changing them.

HKEY_LOCAL_MACHINE
SOFTWARE\Microsoft\Security Center
Change Value Type to "REG_DWORD"

Add each of the following and click the Add button
Name:  AntiVirusDisableNotify        Value:    0
Name:  FirewallDisableNotify           Value:   0


To make it as easy as possible to take advantage of the WinPatrol Registry monitor features, we've created registry scripts that allow you to safely add registry values in WinPatrol without having to be an expert.

Many of our scripts have been created by friends and other 3rd party programs who allow WinPatrol to protect values that are important to their programs.

Default WinPatrol 18 Settings
http://www.winpatrol.com/support/win18default.reg

 

More Scripts Coming Soon.

Problems?
Some browsers, including Firefox and Chrome, will not execute registry scripts. Instead you'll see the text which makes up the script. This is done for your security because registry script (.reg) files are commonly used by viruses and malware. If you use these browsers you can see what our scripts look like, so you'll know they are safe and will only contain commands that add values to the WinPatrol folder in the registry.

Ideally, you'll be able to download one of our .reg scripts to your hard drive. When you click to open this file, by default it should launch the program Regedit.exe, which will process each of the commands in the script and tell WinPatrol the locations you'd like to monitor.

In some cases, you could also have a security program which has changed which program is used when you click on a .reg file. They do this for your protection and will probably open the reg script in notepad.exe.

In this case you'll need to run regedit.exe and use its import function to execute one of the WinPatrol scripts.
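
The review described above (reading a .reg script's text to confirm it only adds values under one key) can be done mechanically before importing. The Python check below is an added example, not WinPatrol's own code; the allowed key prefix and the sample script are constructed placeholders, since this page does not give the WinPatrol key path.

```python
import re
# Assumption: placeholder for the one key a monitor script may write under.
ALLOWED_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\ExampleMonitor"
HEADERS = {"Windows Registry Editor Version 5.00", "REGEDIT4"}
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")                  # [key] or [-key]
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # "name"=data or @=data

def audit_reg(text, allowed_prefix=ALLOWED_PREFIX):
    """Return (line_no, finding) for every line that is not a plain add under allowed_prefix."""
    findings, seen_header, continued = [], False, False
    for no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        line = raw.strip()
        if continued:                         # tail of a multi-line hex value
            continued = line.endswith("\\")
            continue
        if not line or line.startswith(";"):  # blank line or comment
            continue
        if not seen_header:
            seen_header = True
            if line in HEADERS:
                continue
            findings.append((no, "missing .reg header"))
        key = KEY_RE.match(line)
        if key:
            delete, path = key.groups()
            if delete:                        # [-key] removes the key and its subkeys
                findings.append((no, "deletes key " + path))
            elif not (path.lower() + "\\").startswith(allowed_prefix.lower() + "\\"):
                findings.append((no, "writes outside allowed key: " + path))
            continue
        value = VALUE_RE.match(line)
        if not value:
            findings.append((no, "unrecognised line: " + line))
            continue
        name, data = value.groups()
        continued = data.endswith("\\")
        if data.strip() == "-":               # "name"=- removes the value
            findings.append((no, "deletes value " + name))
    return findings

SAMPLE = r'''Windows Registry Editor Version 5.00
; constructed sample for this example, not a real WinPatrol script
[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\ExampleMonitor\Watch1]
"Expected"=dword:00000000
"Old"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify"=dword:00000001
[-HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\ExampleMonitor\Watch0]
'''
```

Pass the decoded text of the downloaded file to `audit_reg`; files that Regedit exports in the Version 5.00 format are UTF-16 encoded, so open them with that encoding.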

 




Bits From Bill

Copyright 2014 Ruiware, LLC    All Rights Reserved.