Task Manager protection: Hi All, A good programme to add to the list is Task Manager, as I guess that certain Trojans might use it to close other programmes. Taskmgr.exe is usually found in the \windows\system32 folder. Add it to the Process Guard list. Select the drop down options - Enable "Close Message handling" & "Allow Global Hooks". Keep the standard blocking flags as default, with no normal Allow flags enabled. This way no one can close Task Manager without using the Human Interface Device, and Task Manager cannot close any listed programme but can close any other programme. If you need to close a listed programme you can enable the "Termination" Allow flag, then Disallow after you have used it.
I permanently put the Allow flag "terminate" on it, because a protected program can be buggy and can hang, and I need to be able to terminate them. I don't know any way to use the Task Manager from another program to terminate another one; it seems not to have any command line, so no need to worry. Moreover, if it is protected by PG, I don't see any way to hijack it. Maybe DCS can confirm that. More useful maybe is to remove any allowances from explorer.exe; my system works well like that and never logs anything in normal usage. I remember explorer.exe trying an endtask one time, but that just happened once.
Here are a few tips if you are having problems:
1) Try renaming PG_MSGPROT.exe to PG_MSGPROT1.exe and rebooting.
2) Disable CLOSE MESSAGE HANDLING for any application you enabled it on.
3) Read the helpfile, especially the STEP by STEP guides to uninstalling.
4) Disable Protection in Process Guard before uninstalling.
5) Terminate PG_MSGPROT.exe in Task Manager before running the uninstall utility.
6) Run the uninstall utility before installing a new version.
7) Ensure that PGUARD.dat does not exist in your SYSTEM32 folder (usually c:\windows\system32\) before installing a new version. The installer will delete this file if it can, but if existing Process Guard protection is active it will stop this file from being deleted.
Re: Tips, Tricks & FAQ's - CD / DVD Device errors Device Errors from CD / DVD Sometimes you may experience Device errors when running CD or DVD programmes, such as those using an .exe like Start or Setup. To work around this try the following: With the CD or DVD in the drive, open it to view the file system rather than allowing autorun, then using PG's "Add file to protect" navigate to the .exe file on your CD/DVD drive, find the file such as D:\start.exe and add it into the PG list. Once in the list you can then give it the necessary allows. Note: Playing music CDs or DVD video does not usually require any action within PG.
Close Message Handling: (CMH) As there are known issues with CMH for some configurations, I thought it might be nice to describe one of the tools that can let one "see" what is happening. For those that use Close Message Handling and would like to check that the CMH enabled programme is protected without using the programme Exit key or DCS's Advanced Process Termination's Kill 7, there are a number of other tools available. One such tool, which is easy to use, is Faber Toys available from: http://www.faberbox.com/fabertoys.asp You will need to add faber toys.exe to the protection list and allow Getinfo & Read (this stops a lot of logging in Process Guard). When Faber Toys is running you can click on the running process's file in the top window and then the bottom window will show the modules loaded. If procguard.dll is loaded then Close Message Handling will normally be working. If it is not and you have Close Message Handling enabled on a particular program, then restart it until procguard.dll is showing; you may need to use Faber Toys' refresh to renew the modules loaded list. Pilli
Process Guard data backup. This is useful if you get a corrupted Process list or checksum list: Disable Process Guard and Terminate dcsuserprot.exe using Task Manager. Go to the \windows\system32 folder - Find pguard.dat & pghash.dat, highlight them both, right click and "Send to" compressed (zipped) folder. This will create a zipped archive called pguard.zip which you can use as a backup. This file can be stored wherever you keep your normal backups and restored should the need arise.
Re: Tips, Tricks & FAQ's Information Request This thread has very informative and detailed information regarding NIS 2004 and other programme rules. https://www.wilderssecurity.com/showthread.php?t=27903
Re: Tips, Tricks & FAQ's - XP RC1 Have now loaded XP SP2 RC1 and initially had a problem with Internet Explorer & Windows Explorer not accepting manually entered addresses. To resolve this problem the following procedure worked for myself and another user. Remove Internet Explorer & Windows Explorer from the process protection list & the checksum list. Disable learning mode and reboot. When Windows restarts, Secure Desktop shows a whole new bunch of programmes to view, and as they were all part of the new build I allowed them. After which I re-added IE and Windows Explorer to the list with the four blocks and the global hooks option allowed and then fired them up. Secure Desktop needed the required allows. After this both programmes appear to behave properly; rebooting several times to ensure that all the new services are captured to the checksum list has shown no recurrence of the original problem. I have a feeling that this may be something to do with the debug code that is in all the XP beta versions.
Re: Tips, Tricks & FAQ's - XP RC1 Hi all, I've put some detailed discussions (along with historical and technical background) onto my webpage. At http://www.commontology.de/andreas/win_secure.html you will find a page about securing Windows that is still to be worked on, but the parts about PG are ready. On the page you can click your way to a discussion of the old (v2.000) or to a discussion of the current (3.000 beta) version. (Be prepared for a lot to read.) HTH, Andreas. Also, feel free to quote it or to refer/link to it, of course. If you have any suggestions, mail me at A<dot>wagner<at>stud<dot>uni-frankfurt<dot>de.
Re: Tips, Tricks & FAQ's ProcessGuard V3 ProcessGuard Version 3 - Secure Message Handling: Taken from the help file: Custom Message Verification Usually ProcessGuard will only ask for human verification when you click on the X button of one of your programs. However, if you tried to exit an application by going to the File menu then clicking on Exit, or by clicking on a custom button which exits the application, you may find ProcessGuard didn't request your verification before closing down. Or you may find that even if you cancel the verifications that ProcessGuard does display, the application still closes down. You can fix this issue by holding down the INSERT key on your keyboard whilst you click your mouse on a menu item or button. Now the next time you click on that button or on that menu item, ProcessGuard will request your verification. By holding down the INSERT key you are allowing ProcessGuard to learn that there are other ways that this application can use window messages to close itself. ProcessGuard will then protect the application from any malicious application which may use these custom messages. You can theoretically allow ProcessGuard to learn any menu item or button you want; it doesn't necessarily need to be a button or menu item which closes the application. There could be a menu item which disables your firewall's protection, for instance; by holding down INSERT and clicking on it, you are making sure that only you can disable your firewall, not a malicious program. If you want to remove any custom messages you made ProcessGuard learn, simply remove Secure Message Handling from the application. This clears ProcessGuard's knowledge of the custom messages for the application. You can then enable it again immediately if you want the feature back on, but the custom messages you defined will be gone for that application.
This custom message verification is enabled for any application which has Secure Message Handling enabled for it, all you need to do is hold down the INSERT key and click on a button or menu item to activate this feature.
Re: Tips, Tricks & FAQ's - SMH PG Icon When right clicking the ProcessGuard icon and using the normal Exit, the PG GUI is closed. This is fine as protection is still running, but protection can be inadvertently disabled. By using the tip below you can force an HID for protection of the Disable / Enable menu item. Here is how - Once you have right clicked the PG icon, hold the Insert key down, now click the Disable Protection menu item, close the GUI and restart. The next time you go to disable PG from the PG icon you will get an HID, whilst still being able to Exit the GUI without getting an HID. With this new feature you could, of course, also teach PG to do the same for the Exit key.
Re: Tips, Tricks & FAQ's Secure Message Handling Secure Message Handling This was posted by Andreas1 in another thread and is a very worthy addition to this thread. Thank you Andreas: .... I might perhaps add some general details here. When an application closes, it has to perform all kinds of tasks (saving changes, clearing variables and buffers, destroying windows etc.). Normally you have one event that, when happening, triggers the whole chain of these other procedures. Or, let's admit, a few of these events that could be in that position. And, of course these events are what PG's SMH is after - whenever one of them occurs, you get the confirmation prompt. (And since in such an application shutdown procedure, several of the events may happen, you sometimes get several prompts.) The main problem arises when you have applications that do their cleaning up in a not-so-orderly way. Maybe the initial event is not one that PG normally catches. In that case, the app-shutdown sequence would start, and maybe at a later point one (or more) of the events that PG recognizes by default happens. Then you get a confirmation prompt (or several), but then it's too late - the shutdown sequence is in full swing already. (And even when you cancel one of the events, then either another, non-cancelled aspect of the shutdown procedure takes care of what you've just meant to block, or you have effectively blocked something, but will end up with the application gone, only some uncleared buffer still hanging around or so.) That's why it (sometimes) helps to teach PG with the INS key. In order for SMH to work properly, it has to catch the very first of the shutdown events. And in most cases, you can tell it that a certain event should count as one of them. BTW, in what way did you shut down MJRW? Normally, PG catches the "x" window icon quite well, but actions you perform on an app's systray icon often have to be taught to it with the INS trick.
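To make the "it has to catch the very first of the shutdown events" point above concrete, here is an added model (not ProcessGuard's code, nor anything from this thread) of a message filter that knows the default shutdown messages and can be taught one extra command, the way the INSERT key teaches SMH. The message ids are the real Win32 values; the IDM_EXIT menu id, the two message sequences and the filter itself are constructed for the example.

```c
#include <stdio.h>

/* Real Win32 message identifiers (values from winuser.h); this model needs no windows.h. */
#define WM_DESTROY 0x0002
#define WM_CLOSE   0x0010
#define WM_QUIT    0x0012
#define WM_COMMAND 0x0111
#define IDM_EXIT   1001   /* hypothetical menu id for "File > Exit" in the modelled app */

typedef struct { unsigned msg; unsigned wparam; } Msg;

/* Constructed sequences for the two ways of leaving the application.
   Clicking the X button: WM_CLOSE is the first event, destruction follows.
   A "File > Exit" handler that calls DestroyWindow() directly: WM_CLOSE never occurs. */
const Msg x_button_seq[]  = { {WM_CLOSE, 0},          {WM_DESTROY, 0}, {WM_QUIT, 0} };
const Msg file_exit_seq[] = { {WM_COMMAND, IDM_EXIT}, {WM_DESTROY, 0}, {WM_QUIT, 0} };
#define SEQ_LEN 3

/* Model of the SMH filter: the default shutdown events plus at most one taught
   custom message (the INSERT-key lesson). WM_DESTROY is recognised but, by the
   time it arrives, the window is already being torn down. */
typedef struct { int has_taught; unsigned taught_cmd; } Filter;

Filter default_filter(void)        { Filter f = {0, 0};   return f; }
Filter taught_filter(unsigned cmd) { Filter f = {1, cmd}; return f; }

static int is_shutdown_event(const Filter *f, Msg m) {
    if (m.msg == WM_CLOSE || m.msg == WM_DESTROY) return 1;
    return f->has_taught && m.msg == WM_COMMAND && m.wparam == f->taught_cmd;
}

/* Index of the first message that would raise a verification prompt, or -1 if none. */
int first_prompt_index(const Filter *f, const Msg *seq, int n) {
    for (int i = 0; i < n; i++)
        if (is_shutdown_event(f, seq[i])) return i;
    return -1;
}

/* Cancelling the prompt only saves the application if the prompt fires on the
   very first event of the sequence; anything later is "too late". */
int cancel_is_effective(const Filter *f, const Msg *seq, int n) {
    return first_prompt_index(f, seq, n) == 0;
}

int main(void) {
    Filter def = default_filter(), taught = taught_filter(IDM_EXIT);
    printf("X button,  default filter: prompt at %d, effective=%d\n",
           first_prompt_index(&def, x_button_seq, SEQ_LEN), cancel_is_effective(&def, x_button_seq, SEQ_LEN));
    printf("File>Exit, default filter: prompt at %d, effective=%d\n",
           first_prompt_index(&def, file_exit_seq, SEQ_LEN), cancel_is_effective(&def, file_exit_seq, SEQ_LEN));
    printf("File>Exit, taught filter:  prompt at %d, effective=%d\n",
           first_prompt_index(&taught, file_exit_seq, SEQ_LEN), cancel_is_effective(&taught, file_exit_seq, SEQ_LEN));
    return 0;
}
```

With the default filter the custom Exit path only prompts at WM_DESTROY (index 1), which is the late, ineffective prompt the post describes; once IDM_EXIT is taught, the prompt moves to index 0.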
Re: Tips, Tricks & FAQ's After posting the above question, I found the answer at https://www.wilderssecurity.com/showthread.php?t=63314
Limited Account I use the share version, and PG does not load in the system tray at bootup. Is it possible to have PG load at startup when using a limited account?
Re: Tips, Tricks & FAQ's Because of its nature ProcessGuard has to be installed as an admin; other users still get alerts. Giving limited user accounts full access would undermine PG's usefulness as a security program. HTH Pilli
Re: Limited Account Yes, by using RUNASSPC from http://www.robotronic.de/runasspcEn.html and creating a shortcut in your autostart folder. However, you will get an error message (just like starting the PG GUI via runas.exe). Don't worry - just click "OK" and you're done.
Re: Tips, Tricks & FAQ's Member dukezofhazord's post was split off and placed in the appropriate forum with the new title Hosts issue. It can be seen here: https://www.wilderssecurity.com/showthread.php?t=111130 snowbound
Re: Tips, Tricks & FAQ's The Close Message Handling feature extension is really only for advanced users, but could be pretty useful. I'll try to think of a really good use and demo this; if anyone can do so, please do. Perhaps you have a window which auto-minimises and you DON'T want it to; there may be a control being pressed (same as if you minimised it) and you can then control this window's messages (minimise, close etc.). It may or may not work depending on what the program does and what window messages are available and get used. Basically any program which sends window messages around its windows to do things can be controlled somewhat. Any suggestions?
Re: Tips, Tricks & FAQ's Just an idea - For the demo, could you possibly create two separate programs. One can just have a GUI with several different windows/tabs. The other program (let's call it Modifier) can send controls to the first program to minimize, close or exit windows. The first demonstration can show how Modifier can alter the functions of the first program without Secure Message Handling enabled. The second demonstration can show how ProcessGuard interferes with Modifier's functionality to protect the first program.