ESET Online Help


Working with registry

We want to monitor changes to the registry value AppInit_DLLs, which causes a dynamic-link library (DLL) to be loaded automatically into certain processes on the system. A related registry value with similar functionality is AppCertDlls. The full registry value paths are:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKLM\SYSTEM\CurrentControlSet\Control\SESSION MANAGER\AppCertDlls

Rule

<?xml version="1.0" encoding="utf-8"?>
<rule>
  <body>
    <name>AppInit registry entry was created [A0101]</name>
    <severity>Warning</severity>
    <operations>
      <operation type="RegSetValue">
        <operator type="OR">
          <operator type="AND">
            <condition component="RegistryItem" property="Key" condition="ends" value="Appinit_Dlls" />
            <operator type="OR">
              <condition component="RegistryItem" property="Key" condition="starts" value="HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" />
              <condition component="RegistryItem" property="Key" condition="starts" value="HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows" />
            </operator>
          </operator>
          <operator type="AND">
            <condition component="RegistryItem" property="Key" condition="ends" value="Control\SESSION MANAGER\AppCertDlls" />
            <condition component="RegistryItem" property="Key" condition="starts" value="HKLM\SYSTEM\ControlSet" />
          </operator>
        </operator>
      </operation>
    </operations>
  </body>
</rule>

Things to notice in the rule example above:

1. Use of the shortened HKEY names (for example HKLM) instead of the full ones, because the full HKEY names are not matched.

2. Inclusion of Wow6432Node for AppInit_DLLs. This value, like many others, is duplicated under that key to support x86 applications on x64 systems, so it must be monitored as well.

3. Matching the registry value with the ends condition. We first match the registry value name "AppInit_DLLs" and only then check whether the path to the value is the wanted one. Because conditions are evaluated with short-circuit logic, this ordering should in theory lower the server's workload. Matching on the whole registry value path ("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs") is also acceptable.

4. CurrentControlSet is a symbolic link, evaluated dynamically by the operating system, that points to one of the ControlSet%number% keys. Because Enterprise Inspector receives the registry path with the ControlSet%number% value rather than CurrentControlSet, we split the registry value path into two components: a starts condition on HKLM\SYSTEM\ControlSet and an ends condition on Control\SESSION MANAGER\AppCertDlls.
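To see how the operator tree above is evaluated against incoming registry paths, here is an added Python evaluator written for this page (example code, not ESET's rule engine): it loads the rule, applies the starts/ends conditions with the same AND/OR short-circuiting, and runs constructed sample paths that illustrate points 1, 2 and 4. It assumes case-insensitive matching, which the page does not state but which the rule's "Appinit_Dlls" spelling implies.

```python
import xml.etree.ElementTree as ET

# The rule from this page (XML declaration omitted so ET.fromstring accepts a str).
RULE_XML = r"""<rule><body><name>AppInit registry entry was created [A0101]</name>
<severity>Warning</severity><operations><operation type="RegSetValue"><operator type="OR">
<operator type="AND"><condition component="RegistryItem" property="Key" condition="ends" value="Appinit_Dlls"/>
<operator type="OR"><condition component="RegistryItem" property="Key" condition="starts" value="HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"/>
<condition component="RegistryItem" property="Key" condition="starts" value="HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows"/>
</operator></operator><operator type="AND">
<condition component="RegistryItem" property="Key" condition="ends" value="Control\SESSION MANAGER\AppCertDlls"/>
<condition component="RegistryItem" property="Key" condition="starts" value="HKLM\SYSTEM\ControlSet"/>
</operator></operator></operation></operations></body></rule>"""

def match_condition(cond, path):
    # One <condition>. Assumption (not stated on the page): matching is
    # case-insensitive, which is how "Appinit_Dlls" can hit AppInit_DLLs.
    kind, value, p = cond.get("condition"), cond.get("value").lower(), path.lower()
    if kind == "starts":
        return p.startswith(value)
    if kind == "ends":
        return p.endswith(value)
    raise ValueError(f"unsupported condition: {kind}")

def evaluate(node, path):
    # Recursive <operator>/<condition> tree. any()/all() stop at the first decisive
    # child, so the cheap "ends" test runs before the path tests (point 3).
    if node.tag == "condition":
        return match_condition(node, path)
    results = (evaluate(child, path) for child in node)
    if node.get("type") == "OR":
        return any(results)
    if node.get("type") == "AND":
        return all(results)
    raise ValueError(f"unsupported operator: {node.get('type')}")

def rule_matches(rule_xml, event_type, path):
    return any(op.get("type") == event_type and all(evaluate(c, path) for c in op)
               for op in ET.fromstring(rule_xml).iter("operation"))

def check_samples():
    # Constructed sample paths; comments refer to the numbered points above.
    samples = [
        r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
        r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",  # point 2
        r"HKLM\SYSTEM\ControlSet001\Control\SESSION MANAGER\AppCertDlls",  # point 4: resolved link
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",  # point 1: no match
        r"HKLM\SYSTEM\CurrentControlSet\Control\SESSION MANAGER\AppCertDlls",  # link name itself: no match
        r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs",  # "ends" also hits this neighbour
    ]
    return {p: rule_matches(RULE_XML, "RegSetValue", p) for p in samples}
```

Running check_samples() shows that the full hive name and the unresolved CurrentControlSet link both fail to match, while the neighbouring LoadAppInit_DLLs value in the same key also satisfies the ends condition, so expect the rule to fire on that value as well unless the condition is tightened.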