

레지스트리

Posted 2007. 6. 11. 14:38, Filed under: Study/Computer Science

일부 악성코드는 레지스트리 정보를 변경해서 자신을 자동 실행하거나
기타 동작을 수행하는 데 사용한다.

그래서 몇 가지 값들을 찾아서 정리해 본다. 아래 값들은 보안 강화 설정인 동시에, 악성코드가 레지스트리를 건드렸는지 점검할 때의 기준점으로도 쓸 수 있다.

;Disable Automatic Restart in the event of a BSOD
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
"AutoReboot"=dword:00000000

;Speed up shutdown
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
"WaitToKillServiceTimeout"="3000"

;Disable the Desktop Cleanup Wizard
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\CleanupWiz]
"NoRun"=dword:00000001

;Disables Error Reporting, but notifies when errors occur
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting]
"DoReport"=dword:00000000

;Disable Welcome Screen and uses Classic Logon
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LogonType"=dword:00000000

;Disable Windows Picture and Fax Viewer
[HKEY_CLASSES_ROOT\SystemFileAssociations\image\ShellEx\ContextMenuHandlers\ShellImagePreview]

;Do not use Simple File Sharing
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"forceguest"=dword:00000000

;Speed up Network Browsing by removing Network Scheduled Tasks
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RemoteComputer\NameSpace\{D6277990-4C6A-11CF-8D87-00AA0060F5BF}]

;Remove Shortcut Arrows
[HKEY_CLASSES_ROOT\lnkfile]
"IsShortcut"=-

;Disables Windows Tour bubble popup
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Applets\Tour]
"RunCount"=dword:00000000

;Disable Imapi CD-Burning Service
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ImapiService]
"Start"=dword:00000004

;Disable Messenger Service (to stop spam. Does not affect MSN or Windows Messenger)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Start"=dword:00000004

;Disable Remote Registry Service
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000004

;Disable SSDP Discovery Service (Universal Plug'n'Play)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV]
"Start"=dword:00000004

;Disable Universal Plug'n'Play Service
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost]
"Start"=dword:00000004

;Disable Windows Time Service
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time]
"Start"=dword:00000004

;This will add "Services" to the right-click menu of "My Computer"
[HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\services]
@=hex(2):53,00,65,00,72,00,76,00,69,00,63,00,65,00,73,00,00,00
"SuppressionPolicy"=dword:4000003c
[HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\services\command]
@=hex(2):25,00,77,00,69,00,6e,00,64,00,69,00,72,00,25,00,5c,00,73,00,79,00,73, 00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,00,6d,00,63,00,2e,00,65,00,78,00, 65,00,20,00,2f,00,73,00,20,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52, 00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00, 32,00,5c,00,73,00,65,00,72,00,76,00,69,00,63,00,65,00,73,00,2e,00,6d,00,73, 00,63,00,20,00,2f,00,73,00,00,00

;This adds the "Open Command Window Here" on the right click menu for folders
[HKEY_CLASSES_ROOT\Directory\shell\cmd]
@="Open Command Window Here"
[HKEY_CLASSES_ROOT\Directory\shell\cmd\command]
@="cmd.exe /k \"cd %L\""
[HKEY_CLASSES_ROOT\Drive\shell\cmd]
@="Open Command Window Here"
[HKEY_CLASSES_ROOT\Drive\shell\cmd\command]
@="cmd.exe /k \"cd %L\""

;Remove Shared Documents from My Computer
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders\{59031a47-3f72-44a7-89c5-5595fe6b30ee}]

;NoRecentDocsmenu removes the recent documents from the start menu.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRecentDocsMenu"=dword:00000001

;Classic search, full path in title bar and address bar.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
"FullPath"=dword:00000001
"FullPathAddress"=dword:00000001
"Use Search Asst"="no"
"Settings"=hex:0c,00,02,00,1b,01,e7,77,60,00,00,00

;Allow renaming of Recycle Bin
[HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder]
"Attributes"=hex:50,01,00,20
"CallForAttributes"=dword:00000000

;NoLowDiskSpaceChecks won't check if you are low on diskspace and pop up a balloon telling you.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoLowDiskSpaceChecks"=dword:00000001

;Change MenuShowDelay (Start Menu load speed)
[HKEY_CURRENT_USER\Control Panel\Desktop]
"MenuShowDelay"="2"

;Adds search keywords to Internet Explorer
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\MSKB]
@="http://support.microsoft.com/?kbid=%s"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\AV]
@="http://www.altavista.com/sites/search/web?q=%s"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\Ggl]
@="http://www.google.com/search?q=%s"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\MSN]
@="http://search.msn.com/results.asp?q=%s"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\FM]
@="http://www.filemirrors.com/search.src?file=%s"

;Prevents Internet Explorer windows from being reused
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"AllowWindowReuse"=dword:00000000

;Max your Internet Explorer's simultaneous downloads to 10 (default was 2)
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MaxConnectionsPer1_0Server"=dword:0000000a
"MaxConnectionsPerServer"=dword:0000000a

;Remove WMP Right Click Options (Queue-it-up, etc.)
[-HKEY_CLASSES_ROOT\CLSID\{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}]
[-HKEY_CLASSES_ROOT\CLSID\{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}]
[-HKEY_CLASSES_ROOT\CLSID\{8DD448E6-C188-4aed-AF92-44956194EB1F}]

;Removes Sign up with Passport Wizard when trying to sign in MSN Messenger
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Passport]
"RegistrationCompleted"=dword:00000001

;Disables Preview of Movie file formats (allowing you to move/rename/delete without errors)
[-HKEY_CLASSES_ROOT\.avi\ShellEx]
[-HKEY_CLASSES_ROOT\.mpg\ShellEx]
[-HKEY_CLASSES_ROOT\.mpe\ShellEx]
[-HKEY_CLASSES_ROOT\.mpeg\ShellEx]

And a site to keep you busy for days!

http://www.kellys-korner-xp.com/xp_tweaks.htm

disabling IP Forwarding
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]
"IPENABLEROUTER"=DWORD:00000000


disallow fragmented IP
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\IPFILTERDRIVER\PARAMETERS]
"ENABLEFRAGMENTCHECKING"=DWORD:00000001


disabling ICMP-Redirect
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]
"ENABLEICMPREDIRECTS"=DWORD:00000000


enabling TCP/IP-Filtering
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]
"ENABLESECURITYFILTERS"=DWORD:00000001


disallow forwarding of fragmented IP packets
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\IPFILTERDRIVER\PARAMETERS]
"DEFAULTFORWARDFRAGMENTS"=DWORD:00000000


restart if Eventlog fails (note: CrashOnAuditFail=1 halts the system with a STOP error once security audits can no longer be written, so this is an availability trade-off)
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA]
"CRASHONAUDITFAIL"=DWORD:00000001


Winsock Protection
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\AFD\PARAMETERS]
"ENABLEDYNAMICBACKLOG"=DWORD:00000020
"MAXIMUMDYNAMICBACKLOG"=DWORD:00020000
"DYNAMICBACKLOGGROWTHDELTA"=DWORD:00000010


Denial-of-Service Protection
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]
"SYNATTACKPROTECT"=DWORD:00000002
"TCPMAXDATARETRANSMISSIONS"=DWORD:00000003
"TCPMAXHALFOPEN"=DWORD:00000064
"TCPMAXHALFOPENRETRIED"=DWORD:00000050
"TCPMAXPORTSEXHAUSTED"=DWORD:00000001
"TCPMAXCONNECTRESPONERETRANSMISSIONS"=DWORD:00000002
"ENABLEDEADGWDETECT"=DWORD:00000000
"ENABLEPMTUDISCOVERY"=DWORD:00000000
"KEEPALIVETIME"=DWORD:00300000
"ALLOWUNQUALIFIEDQUERY"=DWORD:00000000
"DISABLEDYNAMICUPDATE"=DWORD:00000001


Disable Router-Discovery

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\INTERFACES]
"PERFORMROUTERDISCOVERY"=DWORD:00000000


Disabling DomainMaster

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\BROWSER\PARAMETERS]
"MAINTAINSERVERLIST"="No"
"ISDOMAINMASTER"="False"


Disable NetBIOS name release on demand (the host ignores name-release requests)

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\NETBT\PARAMETERS]
"NONAMERELEASEONDEMAND"=DWORD:00000001


Fix for MS DNS Compatibility with BIND versions earlier than 4.9.4

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\DNS\PARAMETERS]
"BINDSECONDARIES"=DWORD:00000001


disabling Caching of Logon-Credentials (also possible with USRMGR.EXE) — note: the value is normally named CachedLogonsCount; "1" still caches one logon, "0" disables caching entirely

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON]
"CACHEDLOGONCOUNT"=DWORD:00000001


disabling IP-Source-Routing (note: 1 only stops forwarding source-routed packets; 2 drops all incoming source-routed packets)

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]
"DISABLEIPSOURCEROUTING"=DWORD:0000001


allow only MS CHAP v2.0 for VPN connections

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RASMAN\PPP]
"SECUREVPN"=DWORD:00000001


disabling caching of RAS-Passwords

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RASMAN\PARAMETERS]
"DISABLESAVEPASSWORD"=DWORD:00000001


Printer installation only by Admins/Print Operators

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\PRINT\PROVIDERS\LANMAN PRINT SERVICES\SERVERS]
"ADDPRINTDRIVERS"=DWORD:00000001

disabling Administrative Shares NT4.0 Server ($c, $d, $e etc)

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\LANMANSERVER\PARAMETERS]
"AUTOSHARESERVER"=DWORD:00000000


disabling Administrative Shares NT4.0 Workstation ($c, $d, $e etc)

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\LANMANSERVER\PARAMETERS]
"AUTOSHAREWKS"=DWORD:00000000


allow only authenticated PPP Clients

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RASMAN\PPP]
"FORCEENCRYPTEDPASSWORD"=DWORD:00000002


enabling RAS-Logging

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RASMAN\PARAMETERS]
"LOGGING"=DWORD:00000001


disabling NTFS 8.3 name generation

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\FILESYSTEM]
"NTFSDISABLE8DOT3NAMEGENERATION"=DWORD:00000001


disallow anonymous IPC-Connections (note: RestrictAnonymous=1 still permits some anonymous enumeration; 2 is stricter where supported but can break services that rely on null sessions)

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA]
"RESTRICTANONYMOUS"=DWORD:00000001


enabling SMB Signatures (Server)

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\LANMANSERVER\PARAMETERS]
"REQUIRESECURITYSIGNATURE"=DWORD:00000001


enabling SMB Signatures (Client)

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RDR\PARAMETERS]
"REQUIRESECURITYSIGNATURE"=DWORD:00000001


NT LSA DoS (Phantom) Vulnerability

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\AEDEBUG]
"AUTO"="0"


MDAC runs in secured [1] / unsecured [0] Mode

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\DATAFACTORY\HANDLERINFO]
"HANDLERREQUIRED"=DWORD:00000001


disable Lan Manager authentication (note: level 2 stops sending the LM response but still sends NTLMv1; level 3 or higher is needed to send only NTLMv2)

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA]
"LMCOMPATIBILITYLEVEL"=DWORD:00000002
Level 0 - Send LM response and NTLM response; never use NTLMv2
Level 1 - Use NTLMv2 session security if negotiated
Level 2 - Send NTLM response only
Level 3 - Send NTLMv2 response only
Level 4 - DC refuses LM responses
Level 5 - DC refuses LM and NTLM responses (accepts only NTLMv2)


disabling DCOM (possible also with DCOMCNFG.EXE)

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\OLE]
"ENABLEDCOM"="N"


restrict Null-User-/Guest-Access to Eventlog

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION]
"RESTRICTGUESTACCESS"=DWORD:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\SECURITY]
"RESTRICTGUESTACCESS"=DWORD:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\SYSTEM]
"RESTRICTGUESTACCESS"=DWORD:00000001


disable displaying last logged in user (note: the value is normally named DontDisplayLastUserName, and hiding the name requires "1"; "0" leaves it displayed)

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON]
"DONTDISPLAYLASTUERNAME"="0"


restrict Floppy-/CD-ROM-access to the currently logged-on user

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON]
"ALLOCATEFLOPPIES"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON]
"ALLOCATECDROMS"="1"


no Autorun for CD-Rom (1=enabled 0=disabled)

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\CDROM]
"AUTORUN"=DWORD:00000000


clear pagefile on shutdown

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER\MEMORY MANAGEMENT]
"CLEARPAGEFILEATSHUTDOWN"=DWORD:00000001


enabling Screensaver Lockout

[HKEY_USERS\.DEFAULT\CONTROLPANNEL\DESKTOP]
"SCREENSAVEACTIVE"="1"


disabling OS/2 Subsystem (if not needed)

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER\SUBSYSTEMS]
NAME: OS2


disabling POSIX Subsystem (if not needed)

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER\SUBSYSTEMS]
NAME: POSIX


run IIS CGI with context of "IUSR_computername"

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\W3SVC\PARAMETERS]
"CreateProcessAsUser"=dword:00000001


Security Message (Logon) — note: the Winlogon "Welcome" value only changes the logon dialog caption; a pre-logon warning banner is set with LegalNoticeCaption and LegalNoticeText in the same key

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON]
"Welcome"="   Unauthorized Access is prohibited "


Policies (1=enabled 0=disabled)

[HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS NT\PROGRAM MANAGER\RESTRICTIONS]
[HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS NT\PROGRAM MANAGER\RESTRICTIONS]
[HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM]


enable logging of successful http requests

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\W3SVC\PARAMETERS]
"LogSuccessfulRequests"=dword:00000001


disable IIS FTP bounce attack (IIS 2/3)

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\MSFTPSVC\PARAMETERS]
"EnablePortAttack"=dword:00000000


enable logging of bad http requests

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\W3SVC\PARAMETERS]
"LogErrorRequests"=dword:00000001


