1. The problem
Most Trojans and some viruses start themselves through the registry autostart keys, through file associations, or as system services (for details see "Windows Self-start Methods"). So is there a way to stop Trojans and viruses from modifying those registry keys or adding services?
2. Solving the problem
The registry of Windows 2000/XP/2003 supports permissions (ACLs) on every key, but they are rarely used. Set permissions on the following keys:
1. Set the autostart keys (Run, RunOnce, RunServices) to read-only for Everyone, so Trojans and viruses cannot register themselves to start with Windows.
2. Set the file-association keys for .txt, .com, .exe, .inf, .ini, .bat and similar types (for example exefile\shell\open\command) to read-only for Everyone, so Trojans and viruses cannot hijack a file association and get launched whenever such a file is opened.
3. Set HKLM\SYSTEM\CurrentControlSet\Services to read-only for Everyone, so Trojans and viruses cannot install themselves as a "service".
The permissions on a registry key can be set in any of the following ways:
1. In a domain environment, through Active Directory Group Policy (the Registry node under Computer Configuration, Windows Settings, Security Settings).
2. Through the local security policy (from the command line, apply a security template with secedit).
3. This article uses the SetACL program driven by a batch file; SetACL can be downloaded from /setacl/
4. Manually, with regedt32 (Windows 2000: "Permissions" on the "Security" menu) or regedit (Windows XP/2003: "Permissions" on the "Edit" menu).
The batch code is given at the end.
Note that granting Everyone read access only adds an allow entry; it does not by itself take Full Control away from Administrators and SYSTEM. Those entries must be removed, or the key cut off from inheriting them, or the key is not read-only at all. Check the result afterwards in regedit ("Permissions"): the key should list only Everyone with Read.
If the account used day to day has only Users-group rights, the HKLM and HKCR keys above are already read-only for it by default, so nothing needs to be done for them; the keys under HKCU, however, are writable by the user, so a Trojan running as that user can still add a per-user autostart entry there.
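The following PowerShell script is an added example and is not code from the original article or from the SetACL project. It applies the same "Everyone read-only" permission to the same kinds of keys using the .NET registry-security classes instead of SetACL, then checks that opening each key for writing is refused, and can restore the saved permissions exactly. The function names (Protect-Key, Restore-Key, Test-KeyWritable, Open-TargetKey) and the backup file location are this example's own. It assumes an elevated PowerShell session and that the keys are owned by the Administrators group (the default on the article's Windows XP/2003 targets), so the caller keeps the implicit right to change the permissions again; on newer Windows versions parts of the Services subtree are owned by TrustedInstaller and propagation there may fail.

```powershell
# Added example (not from the original article): lock autostart, service and file-association
# keys to Everyone:Read, verify writes are refused, and roll back from a saved copy of each ACL.
# Assumes an elevated session and Administrators-owned keys. Run with -Restore to roll back.
param([switch]$Restore)

$BackupFile = Join-Path $env:SystemRoot 'anti-trojan-acl-backup.xml'   # assumed location

# Keys from the article; RunServices* are Windows 9x only and absent keys are skipped
$Targets = @(
    @{ Hive = 'LocalMachine'; Path = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run' },
    @{ Hive = 'LocalMachine'; Path = 'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' },
    @{ Hive = 'LocalMachine'; Path = 'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx' },
    @{ Hive = 'CurrentUser';  Path = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run' },
    @{ Hive = 'CurrentUser';  Path = 'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' },
    @{ Hive = 'LocalMachine'; Path = 'SYSTEM\CurrentControlSet\Services' },
    @{ Hive = 'ClassesRoot';  Path = 'exefile\shell\open\command' },
    @{ Hive = 'ClassesRoot';  Path = 'comfile\shell\open\command' },
    @{ Hive = 'ClassesRoot';  Path = 'batfile\shell\open\command' },
    @{ Hive = 'ClassesRoot';  Path = 'inffile\shell\open\command' },
    @{ Hive = 'ClassesRoot';  Path = 'inifile\shell\open\command' },
    @{ Hive = 'ClassesRoot';  Path = 'txtfile\shell\open\command' }
)

# Only the rights needed to read and rewrite the DACL, not KEY_READ/KEY_WRITE on the data
$AclRights = [System.Security.AccessControl.RegistryRights]'ReadPermissions, ChangePermissions'

function Open-TargetKey($Target, [System.Security.AccessControl.RegistryRights]$Rights) {
    $root = [Microsoft.Win32.Registry]::($Target.Hive)
    # Returns $null when the key does not exist on this system
    return $root.OpenSubKey($Target.Path,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $Rights)
}

function Protect-Key($Target) {
    $key = Open-TargetKey $Target $AclRights
    if ($null -eq $key) { return $null }
    $sec = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
    $backup = $sec.GetSecurityDescriptorSddlForm('Access')   # exact DACL, kept for rollback
    # Stop inheriting from the parent WITHOUT copying the inherited ACEs, then drop every
    # explicit ACE: merely adding "Everyone: Read" would leave Administrators/SYSTEM Full Control
    $sec.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($sec.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]))) {
        [void]$sec.RemoveAccessRuleAll($rule)
    }
    # Everyone (S-1-1-0): KEY_READ only, inherited by subkeys
    $everyone = New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::WorldSid, $null)
    $readOnly = New-Object System.Security.AccessControl.RegistryAccessRule(
        $everyone,
        [System.Security.AccessControl.RegistryRights]::ReadKey,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $sec.AddAccessRule($readOnly)
    $key.SetAccessControl($sec)
    $key.Close()
    return $backup
}

function Restore-Key($Target, [string]$Sddl) {
    # Works because the owner (Administrators) keeps WRITE_DAC even with no ACE for it
    $key = Open-TargetKey $Target $AclRights
    if ($null -eq $key) { return }
    $sec = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
    $sec.SetSecurityDescriptorSddlForm($Sddl, [System.Security.AccessControl.AccessControlSections]::Access)
    $key.SetAccessControl($sec)
    $key.Close()
}

function Test-KeyWritable($Target) {
    # Ask for KEY_WRITE the way a Trojan's RegSetValue/RegCreateKey call would
    try {
        $key = [Microsoft.Win32.Registry]::($Target.Hive).OpenSubKey($Target.Path, $true)
        if ($null -eq $key) { return $false }
        $key.Close()
        return $true
    } catch [System.Security.SecurityException] {
        return $false
    }
}

if ($Restore) {
    $backups = Import-Clixml $BackupFile
    foreach ($t in $Targets) {
        $id = "$($t.Hive)\$($t.Path)"
        if ($backups.ContainsKey($id)) { Restore-Key $t $backups[$id]; Write-Host "restored $id" }
    }
} else {
    $backups = @{}
    foreach ($t in $Targets) {
        $id = "$($t.Hive)\$($t.Path)"
        $sddl = Protect-Key $t
        if ($null -eq $sddl) { Write-Host "skipped (key absent): $id"; continue }
        $backups[$id] = $sddl
        # Expect "writable: False" for every key that was locked, even from this admin session
        Write-Host ("locked {0}  writable: {1}" -f $id, (Test-KeyWritable $t))
    }
    $backups | Export-Clixml $BackupFile
}
```

Two points the script makes explicit that the SetACL one-liners hide: the read-only effect comes from cutting inheritance and removing the existing Full Control entries, not from the Everyone:Read entry itself; and locking HKLM\SYSTEM\CurrentControlSet\Services denies SYSTEM as well, so service installs and updates fail until you run the script with -Restore, which is the inconvenience section 4 describes. The rollback restores the saved SDDL rather than blindly revoking Everyone, so any explicit entries that existed before come back unchanged.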
3. Who this is for
1) People who are not very familiar with computers and do not install or uninstall software often
2) Friends who like to download and install software from the Internet
3) Environments where every operator has administrator rights on their machine and skill levels vary widely
4. Remaining problems
1) Installing antivirus software or patches may write to these registry keys, so you must first restore the original permissions, install, and then re-apply the protection afterwards. Inconvenient.
2) It cannot stop 3721. I wonder whether 3721's privileges are simply too high (I have heard that 3721 is started through a driver and runs at ring 0).
3) It only works on Windows 2000/XP/2003; nothing can be done on other systems.
4) It only deals with simple viruses and Trojans. Anything already running as Administrator or SYSTEM can take ownership of the key and put the permissions back, and kernel-mode code (a driver) is not subject to registry ACLs at all.
5. Other
After reading this far you may not be able to help cursing: I am crazy, writing something this long as if it were a formal paper and wasting your time. If so, I am truly sorry. It is just that the company is implementing ISO, and I think what ISO advocates is quite good, so in order to standardize my documents I am getting more practice.
The packaged program can be downloaded from:
/php/?sub=down&tid=741
6. Batch source code
@echo off
goto start
==============================================================
Name: Anti-Trojan Horse
Function:
1. Lock the Run / RunOnce / RunServices autostart keys
2. Prevent modification of the .txt, .com, .exe, .inf, .ini, .bat and similar file associations
3. Prevent modification of "service" information
Principle: set the permissions on the registry keys to read-only
Version history
Version number   Revision date   Revised by   Revision content
1.0              2004-12-22      netu0        Create this script
==============================================================
:start
SETLOCAL
rem Switch the console to the Simplified Chinese code page (the original messages were Chinese)
chcp 936>nul 2>nul
echo.
echo ************************************************************
echo #
echo # Welcome to the Anti-Trojan Horse program
echo #
echo #
echo ************************************************************
:chkOS
echo.
rem Detect the OS from the "ver" banner. "2000" and "XP" appear in every locale's banner;
rem Windows 2003 has no product name in it, so match its version number 5.2 instead
rem ("find" is case-sensitive, and the word "Version" is localized).
ver|find "2000" >nul 2>nul
if "%ERRORLEVEL%"=="0" goto :2000
ver|find "XP" >nul 2>nul
if "%ERRORLEVEL%"=="0" goto :XP
ver|find "5.2." >nul 2>nul
if "%ERRORLEVEL%"=="0" goto :2003
echo.
echo #Your operating system is not Windows 2000/XP/2003; this program cannot be used.
goto quit
rem Per-system commands are set below (the policy refresh tool differs between 2000 and XP/2003).
rem Only the command is stored; output is redirected where it is run.
:2000
set UpdatePolicy=secedit /refreshpolicy machine_policy
goto Selection
:XP
set UpdatePolicy=gpupdate /force
goto Selection
:2003
set UpdatePolicy=gpupdate /force
goto Selection
:Selection
rem User choice (cleared first so an empty answer does not reuse the previous one)
set UserSelection=
echo.
echo Please enter the number of one of the following options
echo.
echo 1: Install Anti-Trojan Horse protection
echo 2: Remove Anti-Trojan Horse protection (restore default settings)
echo 3: View technical information
echo 4: Exit
echo.
set /p UserSelection=Enter your selection (1, 2, 3, 4): 
if "%UserSelection%"=="1" goto install
if "%UserSelection%"=="2" goto uninstall
if "%UserSelection%"=="3" goto information
if "%UserSelection%"=="4" goto quit
rem Anything else: redisplay the menu
cls
goto Selection
:information
cls
echo ==============================================================
echo #
echo # Welcome to the Anti-Trojan Horse program
echo #
echo #Function:
echo #
echo # 1. Set the registry autostart keys (Run, RunOnce, RunServices) to read-only,
echo #    preventing Trojans and viruses from starting through autostart entries
echo # 2. Set the .txt, .com, .exe, .inf, .ini, .bat file associations to read-only,
echo #    preventing Trojans and viruses from starting through a file association
echo # 3. Set the registry key HKLM\SYSTEM\CurrentControlSet\Services to read-only,
echo #    preventing Trojans and viruses from starting as a "service"
echo #
echo #Precautions:
echo # Some installers also write to the above registry keys. Before such an installation,
echo # run this program and select 2 to restore the default settings; after the installation
echo # has finished, run it again and select 1 to re-apply Anti-Trojan Horse protection.
echo ==============================================================
echo.
echo Press any key to return to the menu
pause>nul 2>nul
cls
goto Selection
:install
rem SetACL 1.x command syntax, as in the original: grant Everyone read access; the
rem "/p:" (inheritance protection) value is the original author's choice.
set OP=/grant everyone /read /p:no_dont_copy
goto Doit
:uninstall
rem Revoke the Everyone read entry; again the "/p:" value is the original author's.
set OP=/revoke everyone /read /p:yes
goto Doit
:Doit
echo.
echo Executing...
rem HKLM autostart keys, as listed in the original. RunServices* exist only on Windows 9x
rem and "RunEX" is not a standard key; SetACL errors for absent keys are silenced.
setacl machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /registry %OP%>nul 2>nul
setacl machine\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /registry %OP%>nul 2>nul
setacl machine\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices /registry %OP%>nul 2>nul
setacl machine\SOFTWARE\Microsoft\Windows\CurrentVersion\RunEX /registry %OP%>nul 2>nul
setacl machine\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEX /registry %OP%>nul 2>nul
setacl machine\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesEx /registry %OP%>nul 2>nul
rem HKCU autostart keys
setacl CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /registry %OP%>nul 2>nul
setacl CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /registry %OP%>nul 2>nul
setacl CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices /registry %OP%>nul 2>nul
setacl CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunEX /registry %OP%>nul 2>nul
setacl CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEX /registry %OP%>nul 2>nul
setacl CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesEx /registry %OP%>nul 2>nul
setacl CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce /registry %OP%>nul 2>nul
rem HKEY_USERS paths, as listed in the original
setacl USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /registry %OP%>nul 2>nul
setacl USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /registry %OP%>nul 2>nul
setacl USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices /registry %OP%>nul 2>nul
setacl USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunEX /registry %OP%>nul 2>nul
setacl USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEX /registry %OP%>nul 2>nul
setacl USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesEx /registry %OP%>nul 2>nul
setacl USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce /registry %OP%>nul 2>nul
rem Services
setacl MACHINE\SYSTEM\CurrentControlSet\Services /registry %OP%>nul 2>nul
rem File associations (CLASSES_ROOT)
setacl CLASSES_ROOT\exefile\shell\open\command /registry %OP%>nul 2>nul
setacl CLASSES_ROOT\inifile\shell\open\command /registry %OP%>nul 2>nul
setacl CLASSES_ROOT\txtfile\shell\open\command /registry %OP%>nul 2>nul
setacl CLASSES_ROOT\comfile\shell\open\command /registry %OP%>nul 2>nul
setacl CLASSES_ROOT\batfile\shell\open\command /registry %OP%>nul 2>nul
setacl CLASSES_ROOT\inffile\shell\open\command /registry %OP%>nul 2>nul
echo Refreshing the local security policy...
rem Carried over from the original script; SetACL's permission changes take effect
rem immediately and do not depend on this refresh.
%UpdatePolicy%>nul 2>nul
echo Policy refresh completed
:complete
echo Operation completed
echo.
echo.
echo Please press any key to exit.
pause>nul 2>nul
:quit
rem Clean-up. The original deleted two files from system32 whose names are missing from
rem the page. The lines are kept commented out: "del" on the bare directory path would
rem delete every file in system32.
rem del %systemroot%\system32\>nul 2>nul
rem del %systemroot%\system32\>nul 2>nul
ENDLOCAL