NVT Registry Guard - Protect registry keys and values

Status
Not open for further replies.
Deleted member 178

Thread author
NoVirusThanks Registry Guard is a powerful utility which uses a kernel-mode driver to prevent any process or only specific processes from writing\reading\deleting custom registry keys\values. You can prevent, for example, any process from writing to registry autostart locations, or prevent processes from hijacking your Internet Explorer registry settings, and much more. With NoVirusThanks Registry Guard you can protect custom Windows registry keys and values from unauthorized modifications, a Swiss Army knife against nasty malware. Recommended for experienced Windows users only.


Key features and characteristics
  • Prevent the modification of specific registry keys and values
  • Useful to protect all registry autostart locations
  • Write your own rules to block custom registry keys and values
  • Specify to monitor any process or only specific processes
  • Easy-to-write rules thanks to wildcarding and aliases
  • Monitor the creation of registry keys
  • Monitor the writing\modification of registry values
  • Monitor the deletion of registry keys and values
  • Monitor the reading of registry values
  • Show useful information when an action is blocked
  • Powerful protection thanks to the kernel-mode driver
  • Supports all Microsoft Windows Vista+ OSs
  • Very lightweight in memory and CPU usage

By default, NoVirusThanks Registry Guard prevents any process from writing to common registry startup locations. To edit the default rules or to create your custom rules, click the button “Rules” (it may ask you for Admin credentials) to edit the Rules.DB file. After you have modified and saved the rules file, you should restart the program. Writing rules is very easy; you can use wildcard characters and aliases, for example:

Code:
[%OPR%: DELETE_KEY] [%EXE%: *regedit.exe] [%KEY%: *DeleteKey*]
[%OPR%: DELETE_VALUE] [%EXE%: *regedit.exe] [%KEY%: *\Software*] [%VAL%: *DeleteValue*]
[%OPR%: READ_VALUE] [%EXE%: *regedit.exe] [%KEY%: *\Software*] [%VAL%: *ReadValue*]
[%OPR%: WRITE_VALUE] [%EXE%: *regedit.exe] [%KEY%: *\Software*] [%VAL%: *WriteValue*]
[%OPR%: CREATE_KEY] [%EXE%: *regedit.exe] [%KEY%: *\Software*] [%VAL%: *New Key #1*]

Registry Guard actually does block in real-time specific processes from writing\reading\deleting to\from the Windows registry if the rules match the event, and when an action is blocked, it is then logged in the textarea. It is like a HIPS\real-time protection for custom registry keys and values so they can't be created\changed\deleted\read :)


Homepage
 
Last edited by a moderator:
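
The rule syntax shown in the post above, as an added example that is not part of the original post and not NoVirusThanks' code: a small Python parser and matcher for lines in that format, run over constructed events. Case-insensitive matching, treating an omitted field as `*`, and the `?` wildcard (listed in the v1.5 changelog later in the thread) are assumptions about how the product behaves; the function names are hypothetical.

```python
import re
from dataclasses import dataclass

# One "[%NAME%: pattern]" field; the lookahead lets a pattern contain ']'.
FIELD = re.compile(r"\[%(OPR|EXE|KEY|VAL)%:\s*(.*?)\](?=\s*\[%|\s*$)")

def wildcard(pattern):
    """Compile '*' (any run of characters) and '?' (exactly one character)."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    # Assumption: matching ignores case, as Windows paths and key names do.
    return re.compile(body, re.IGNORECASE | re.DOTALL)

@dataclass
class Rule:
    opr: str
    exe: re.Pattern
    key: re.Pattern
    val: re.Pattern

def parse_rule(line):
    fields = dict(FIELD.findall(line.strip()))
    if "OPR" not in fields:
        raise ValueError(f"rule has no %OPR% field: {line!r}")
    # Assumption: a field the rule omits behaves like '*'.
    return Rule(fields["OPR"].upper(),
                *(wildcard(fields.get(n, "*")) for n in ("EXE", "KEY", "VAL")))

def first_match(rules, opr, exe, key, val=""):
    """Return the index of the first rule matching the event, or None."""
    for i, r in enumerate(rules):
        if (r.opr == opr and r.exe.fullmatch(exe)
                and r.key.fullmatch(key) and r.val.fullmatch(val)):
            return i
    return None

# The five sample rules quoted in the post above.
RULES = [parse_rule(ln) for ln in r"""
[%OPR%: DELETE_KEY] [%EXE%: *regedit.exe] [%KEY%: *DeleteKey*]
[%OPR%: DELETE_VALUE] [%EXE%: *regedit.exe] [%KEY%: *\Software*] [%VAL%: *DeleteValue*]
[%OPR%: READ_VALUE] [%EXE%: *regedit.exe] [%KEY%: *\Software*] [%VAL%: *ReadValue*]
[%OPR%: WRITE_VALUE] [%EXE%: *regedit.exe] [%KEY%: *\Software*] [%VAL%: *WriteValue*]
[%OPR%: CREATE_KEY] [%EXE%: *regedit.exe] [%KEY%: *\Software*] [%VAL%: *New Key #1*]
""".strip().splitlines()]

if __name__ == "__main__":
    # Constructed events: the same operation from two different process paths.
    for exe in (r"C:\Windows\regedit.exe", r"C:\Temp\setup.exe"):
        print(exe, first_match(RULES, "DELETE_VALUE", exe, r"HKCU\Software\Test", "DeleteValue"))
```

Because `*regedit.exe` is anchored only at its end, it also matches any path whose file name merely ends in `regedit.exe`, and a rule scoped with %EXE% does not apply to other processes.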

Solarlynx

Level 15
Verified
Top Poster
Well-known
Apr 30, 2012
711
Does it provide the same protection of the Registry as WinPatrol free?

It doesn't have a GUI. So if I install a prog, is it enough just to stop the NVT Registry Guard and then start again?

Thanks.
 
Deleted member 178

Thread author
Solarlynx said:
Does it provide the same protection of the Registry as WinPatrol free?

It is just a real-time monitor; it doesn't show popups or anything else. When a registry key is created you can see where it is located, then delete it manually if you think it is malicious.

Solarlynx said:
It doesn't have a GUI. So if I install a prog, is it enough just to stop the NVT Registry Guard and then start again?

No no, you must keep it active all the time.

screenshot taken on my system

ovDV5Zf.png
 
  • Like
Reactions: Solarlynx

Online_Sword

Level 12
Verified
Honorary Member
Top Poster
Well-known
Mar 23, 2015
555
Deleted member 178 said:
When a registry key is created you can see where it is located, then delete it manually if you think it is malicious.

It sounds strange. Could not this tool directly and automatically prevent the creation of the monitored key?

Maybe you enabled the "passive logging mode" or any other similar thing?
 
  • Like
Reactions: Solarlynx
Deleted member 178

Thread author
No, it is like this by default; no other options afaik.
 

Solarlynx

Level 15
Verified
Top Poster
Well-known
Apr 30, 2012
711
Hmmm so it doesn't block changing the Registry? Then actually it doesn't provide any real-time protection.
 
Deleted member 178

Thread author
errata:

from the developer said:
Registry Guard actually does block in real-time specific processes from writing\reading\deleting to\from the Windows registry if the rules match the event, and when an action is blocked, it is then logged in the textarea. It is like a HIPS\real-time protection for custom registry keys and values so they can't be created\changed\deleted\read :)
 

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,656
Looks interesting! But I think KTS/KIS have enough (or even better) control over the registry with Application Control -> Private Data Protection -> Manage Resources...
 

Solarlynx

Level 15
Verified
Top Poster
Well-known
Apr 30, 2012
711
harlan4096 said:
Looks interesting! but I think KTS/KIS have enough (or even better) control over registry with Application Control -> Private Data Protection -> Manage Resources...

Actually this is applicable to any AV or FW with HIPS.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
292
Updated Registry Guard to v1.5:
Protect Registry Keys & Values with Registry Guard | NoVirusThanks

[11-02-2018] v1.5.0.0

+ Both 32-bit and 64-bit drivers are now co-signed by Microsoft
+ Executable files are digitally signed with both SHA1 and SHA256 code sign
+ Now the program works fine when Secure Boot is enabled
+ Updated Rules.db with new rules to prevent UAC\DeviceGuard\AppLocker bypasses
+ Updated Rules.db with a new rule to protect LowRiskFileTypes value
+ Bring the application to front if the Desktop icon is clicked and the program is running
+ Fixed display of main window on multi-monitors
+ Ask a confirmation when the program is closed via Tray Icon -> Exit
+ For wildcard rules you can use the asterisk * and the ? character
+ Updated Exclusions.db with new exclusion rules
+ Show "New Value Data" in logged events
+ Fixed parsing of exclusion rules
+ Minor fixes and improvements
 

l0rdraiden

Level 3
Verified
Jul 28, 2017
108
What are your plans for ERP 4? I haven't found any news about it or new features.
Do you plan to fuse ERP and RG?
 
  • Like
Reactions: Solarlynx