Windows XP Home without antiviruses
- Tutorial
Recently I read the topics " Windows-based computer without antiviruses " and " Setting up group policies for limited use of programs in Windows 7 " ... And I thought, "But there are quite a few small and medium-sized companies that use Windows XP Home Edition, and such tricks will not work there." Therefore, today I want to share how I configured Windows XP Home Edition, so as not to use antiviruses, or rather to minimize the likelihood of infection.
It all started when an office I had been supporting until recently kept having problems with viruses. The management did not want to spend money on antiviruses, home games were everywhere, autorun from disks and flash drives was blocked, IE too ... But this did not help. In the end I got tired of all this and took the "extreme step" ...
In Windows you can create a "white list" or a "black list". The "black list" means that the programs listed in it will not be launched; the "white list" means that only the programs listed in it, plus those needed for the system to operate, will be launched.
"White list"
Based on the "white list" you can build a good defense against malware. To create it you need to perform at least two steps:
- In the registry branch HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer create a parameter RestrictRun of type DWORD (REG_DWORD) with the value 1.
- In the branch HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ create a key RestrictRun, and in it a parameter 0 (1) of type STRING (REG_SZ) with the value regedit.exe.
IMPORTANT! If you perform step 1 but DO NOT perform step 2, then after rebooting you will not be able to run any program. To fix this you will need to log in as another user with administrator rights, open the registry editor, find the branch HKEY_USERS, select it, choose the menu File -> Load Hive..., in the file-open dialog find the file NTUSER.DAT in the profile directory of the user under whose account this mistake was made, and press "Open". Then find and delete the parameter RestrictRun, or set its value to 0, and then reboot.
Thanks xn__p2a
In the future you can add programs to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun in the same way as in step 2. In this case a reboot is no longer needed; the changes take effect immediately. So as not to open the registry editor every time, I created a reg file in which I entered the list of programs, and later, as needed, edited it and ran it after editing.
Below is a small piece of this file:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"RestrictRun"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
"0"="regedit.exe"
"1"="notepad.exe"
"2"="wupdmgr.exe"
"3"="cleanmgr.exe"
"4"="wordpad.exe"
"5"="calc.exe"
"6"="mstsc.exe"
"7"="taskmgr.exe"
"8"="7zFM.exe"
"9"="7zG.exe"
"10"="7z.exe"
"11"="firefox.exe"
"12"="java.exe"
"13"="FlashUtil10d.exe"
"14"="NPSWF32_FlashUtil.exe"
"15"="thunderbird.exe"
"16"="soffice.exe"
"17"="soffice.bin"
"18"="python.exe"
"19"="sbase.exe"
"20"="scalc.exe"
"21"="sdraw.exe"
"22"="simpress.exe"
"23"="smath.exe"
"24"="swriter.exe"
The whole file can be downloaded here. Keep in mind, however, that my version is unlikely to suit you. My files differed from computer to computer, but usually the first 24 programs were always there.
Disadvantages
- This method does not protect the computer against viruses that do not create files on disk (for example, MSBlast), nor against those that get in by "launching" a dynamic library (2) (for example, Conficker).
- The complexity of implementation. I had to investigate (3) programs to find out which files they launch at startup and while running, so that those are also included in the "white list".
- The inconvenience of making changes. The user cannot write to the RestrictRun key, even though the changes are made in the HKEY_CURRENT_USER branch. Therefore you have to log out of the user's account, log in as the administrator, give the user admin rights, log in as the user, make the registry changes, log out again, log in again as the admin, and take the admin rights away from the user %) Or, from the admin account, go through the HKEY_USERS branch as described above.
- You cannot specify full paths. If the virus file has the same name as some program from the "white list", then it (the virus) will be launched. Also, the user himself can rename a file to an allowed name and run (almost) any program this way.
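As an added example (not the author's file or script), the following Python code generates a RestrictRun .reg file from a list of executable names and checks an existing one for the numbering faults described in note 1 and the bare-name limitation from the last point above; the program names are taken from the list earlier on the page, everything else is constructed.

```python
"""Build and validate a RestrictRun .reg file (added example, not the author's own file).

RestrictRun holds REG_SZ values named "0", "1", "2", ... whose data are bare executable
names; note 1 says the numbers must be consecutive from zero, so a gap or duplicate breaks it.
"""
import re

POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
LIST_KEY = POLICY_KEY + r"\RestrictRun"


def build_restrictrun_reg(programs):
    """Return .reg text whitelisting `programs`; duplicates are dropped case-insensitively."""
    seen, names = set(), []
    for p in programs:
        p = p.strip()
        if "\\" in p or "/" in p:  # RestrictRun matches file names only, never paths
            raise ValueError(f"RestrictRun takes bare names, not paths: {p!r}")
        if p.lower() not in seen:
            seen.add(p.lower())
            names.append(p)
    lines = ["Windows Registry Editor Version 5.00", "",
             f"[{POLICY_KEY}]", '"RestrictRun"=dword:00000001', "",
             f"[{LIST_KEY}]"]
    lines += [f'"{i}"="{name}"' for i, name in enumerate(names)]
    return "\r\n".join(lines) + "\r\n"  # save as UTF-16 LE, as regedit exports it


def parse_restrictrun_reg(text):
    """Return (allowed, problems): the ordered whitelist plus any numbering faults."""
    in_list, entries, problems = False, {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_list = line.strip("[]").lower() == LIST_KEY.lower()
            continue
        m = re.fullmatch(r'"(\d+)"="([^"]*)"', line)
        if in_list and m:
            idx, name = int(m.group(1)), m.group(2)
            if idx in entries:
                problems.append(f"duplicate index {idx}")
            entries[idx] = name
    missing = sorted(set(range(len(entries))) - set(entries))
    if missing:
        problems.append(f"indices must run 0..{len(entries) - 1} without gaps; missing {missing}")
    return [entries[i] for i in sorted(entries)], problems


if __name__ == "__main__":  # constructed sample drawn from the article's list
    print(build_restrictrun_reg(["regedit.exe", "notepad.exe", "firefox.exe"]))
```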
Practice
In two years of using this "trick" no viruses were noticed. Each computer had ClamWin, which scanned the disks in the evenings. Also, once a month I checked the system with offline antiviruses. The only problem was the users' dissatisfaction, which was quickly suppressed by explaining to the management "what, why and how".
"Black list"
Since I hinted at the beginning about the "black list", I will say a little about it. It can be useful when you need to prohibit the launch of a few programs. It is created in the same way as the "white list", in two steps:
- In the registry branch HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer create a parameter DisallowRun of type DWORD (REG_DWORD) with the value 1.
- In the branch HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ create a key DisallowRun, and in it a parameter 0 (1) of type STRING (REG_SZ) with a value such as calc.exe to prevent the calculator from launching.
(1) Parameter names must consist of numbers. Numbering starts from zero, and the numbers must be consecutive.
(2) Windows controls program launches because the functions ShellExecute and ShellExecuteEx, which are "wrappers" around CreateProcess, check the RestrictRun key. Thus the proposed method protects only against unauthorized launching of programs by the user himself, and against those viruses that try to run something through ShellExecute (which is most of them). You can read more about ShellExecute and RestrictRun here (LockWin is discussed there, but the RestrictRun mechanism is described well). Thanks shiko_1st.
(3) For research I used Process Explorer and Process Monitor by Mark Russinovich.
UPD1: To restrict program launches to Program Files only, you can use Microsoft's SteadyState utility. Thanks kondorkm
UPD2: For managing access rights in home editions of Windows, the console utility cacls.exe is included, as well as:
xcacls.vbs - downloaded from the MS website
xcacls.exe - included in the Windows Support Tools package
subinacl.exe - included in the Windows Resource Kit Tools package
Thanks xn__p2a