Windows XP Home without antiviruses

  • Tutorial
Recently I read the posts "Windows-based computer without antiviruses" and "Setting up group policies for restricting program use in Windows 7"... And I thought: there are quite a few small and medium-sized companies that use Windows XP Home Edition, and those tricks will not work there. So today I want to share how I configured Windows XP Home Edition to do without antivirus software, or rather to minimize the likelihood of infection.

It all started in one office that I supported until recently, where there were constant problems with viruses. Management did not want to spend money on antivirus software; home games were everywhere; autorun from disks and flash drives was blocked, and so was IE, but that did not help. In the end I got tired of it all and went for the "extreme step"...

In Windows you can create a white list or a black list. A "black list" means that the programs listed in it will not run; a "white list" means that only the programs listed in it (plus those needed for the system to operate) will run.


"White list"


A "white list" gives good protection against malware. To create one you need to perform at least two steps:
  1. In the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer create a value named RestrictRun of type DWORD (REG_DWORD) with data 1.
  2. Under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer create a key named RestrictRun, and in it a value named 0 (see note 1) of type STRING (REG_SZ) with data regedit.exe.
For the changes to take effect, you must restart the computer.

IMPORTANT! If you perform step 1 but do NOT perform step 2, then after rebooting you will not be able to run any program. To fix this, log in as another user with administrator rights, open the registry editor, select the HKEY_USERS branch, choose File -> Load Hive..., in the file dialog find the NTUSER.DAT file in the profile directory of the user under whose name the mistake was made, and press "Open". Then find and delete the RestrictRun value (or set it to 0), and reboot.
Thanks xn__p2a

Later you can add programs under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun the same way as in step 2. In this case a reboot is no longer needed; the changes take effect immediately.

To avoid opening the registry editor every time, I created a .reg file containing the list of programs; when necessary I edited it and then ran it.
Below is a small piece of this file:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"RestrictRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
"0"="regedit.exe"
"1"="notepad.exe"
"2"="wupdmgr.exe"
"3"="cleanmgr.exe"
"4"="wordpad.exe"
"5"="calc.exe"
"6"="mstsc.exe"
"7"="taskmgr.exe"
"8"="7zFM.exe"
"9"="7zG.exe"
"10"="7z.exe"
"11"="firefox.exe"
"12"="java.exe"
"13"="FlashUtil10d.exe"
"14"="NPSWF32_FlashUtil.exe"
"15"="thunderbird.exe"
"16"="soffice.exe"
"17"="soffice.bin"
"18"="python.exe"
"19"="sbase.exe"
"20"="scalc.exe"
"21"="sdraw.exe"
"22"="simpress.exe"
"23"="smath.exe"
"24"="swriter.exe"
The whole file can be downloaded here. However, keep in mind that my version is unlikely to suit you. My files differed from computer to computer, but the first 24 programs were usually always there.


Disadvantages

  1. This method does not protect the computer against viruses that do not create files on disk (for example, MSBlast), nor against infection by "launching" a dynamic library (see note 2) (for example, Conficker).
  2. Complexity of implementation. I have to investigate (see note 3) programs to find out which files they run at startup and while working, so that those are also included in the "white list".
  3. Inconvenience of making changes. The user cannot write to the RestrictRun key, even though the changes are made in the HKEY_CURRENT_USER branch. So you have to log out of the user's account, log in as the administrator, give the user admin rights, log in as the user, make the registry changes, log out again, log in again as the admin, and take the admin rights away from the user %) Or, from the admin account, via the HKEY_USERS branch as described above.
  4. You cannot specify full paths. If a virus file has the same name as a program on the "white list", then it (the virus) will be launched. The user can also rename a file to an allowed name and run (almost) any program that way.

Practice


In two years of using this "trick", no viruses were noticed. ClamWin was installed on each computer and scanned the disks in the evenings. Also, once a month I checked the system with offline antiviruses. The only problem was the dissatisfaction of users, which was quickly suppressed by explaining to management "what, why and how".


"Black list"


Since I hinted at the "black list" at the beginning, I will say a little about it. It is useful when you need to prohibit the launch of a few programs. It is created the same way as the "white list", in two steps:
  1. In the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer create a value named DisallowRun of type DWORD (REG_DWORD) with data 1.
  2. Under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer create a key named DisallowRun, and in it a value named 0 (see note 1) of type STRING (REG_SZ) with data such as calc.exe to prevent launching the calculator.
For the changes to take effect, you must restart the computer.
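As an added example that is not part of the original post, here is a Python script (python.exe is already on the author's white list) that generates the .reg file for either the RestrictRun white list or the DisallowRun black list described above, and checks a hand-edited file against the rules the post gives: value names must run 0, 1, 2, ... without gaps (note 1), entries are bare file names and not paths (disadvantage 4), and a RestrictRun white list must always contain regedit.exe so the lock-out described under IMPORTANT cannot happen. The registry key, the value names and the DWORD/REG_SZ types are the ones the post uses; the function names POLICY_KEY, build_reg, parse_reg_list and write_reg are chosen here.

```python
import re
from typing import Iterable, List

# Registry location the post describes (assumed identical for both lists).
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POLICIES = ("RestrictRun", "DisallowRun")
# The post recovers from a broken white list with regedit; keep it allowed.
RECOVERY_TOOL = "regedit.exe"
# One list entry as it appears in a .reg file:  "3"="cleanmgr.exe"
_ENTRY = re.compile(r'^"(\d+)"="([^"\\]*)"$')


def check_program_names(names: Iterable[str]) -> None:
    """Reject entries that the policy cannot express (disadvantage 4) or that are malformed."""
    for name in names:
        if not name or name != name.strip():
            raise ValueError(f"{name!r}: empty or padded program name")
        if any(c in name for c in "\\/:"):
            raise ValueError(f"{name!r}: the lists match bare file names; full paths are not supported")


def build_reg(policy: str, programs: Iterable[str], enabled: bool = True) -> str:
    """Return the text of a .reg file that sets <policy> and fills its list with <programs>."""
    if policy not in POLICIES:
        raise ValueError(f"policy must be one of {POLICIES}, got {policy!r}")
    names = list(dict.fromkeys(programs))  # drop duplicates, keep order
    check_program_names(names)
    if policy == "RestrictRun" and enabled and RECOVERY_TOOL not in {n.lower() for n in names}:
        # Step 1 without step 2 (or without regedit.exe) locks the account out; refuse to emit it.
        raise ValueError("a RestrictRun white list must contain regedit.exe, or the account cannot undo the policy")
    flag = 1 if enabled else 0
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        f"[{POLICY_KEY}]",
        f'"{policy}"=dword:{flag:08x}',
        "",
        f"[{POLICY_KEY}\\{policy}]",
    ]
    # Note 1: value names are consecutive numbers starting at zero.
    for index, name in enumerate(names):
        lines.append(f'"{index}"="{name}"')
    return "\r\n".join(lines) + "\r\n"


def parse_reg_list(text: str, policy: str) -> List[str]:
    """Read the <policy> list back from .reg text, enforcing the numbering rule of note 1."""
    header = f"[{POLICY_KEY}\\{policy}]".lower()
    names: List[str] = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == header  # the post itself mixes SOFTWARE/Software
            continue
        if not in_section or not line:
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError(f"unexpected line in {policy} list: {line!r}")
        index, name = int(m.group(1)), m.group(2)
        if index != len(names):
            raise ValueError(f"value names must run 0,1,2,... without gaps; got {index} at position {len(names)}")
        names.append(name)
    check_program_names(names)
    return names


def write_reg(path: str, text: str) -> None:
    """regedit exports version 5.00 files as UTF-16 with a BOM; write the same encoding."""
    with open(path, "w", encoding="utf-16", newline="") as fh:
        fh.write(text)


if __name__ == "__main__":
    # Constructed sample list, a subset of the post's first entries.
    sample = ["regedit.exe", "notepad.exe", "taskmgr.exe", "firefox.exe"]
    reg_text = build_reg("RestrictRun", sample)
    print(reg_text)
    print("parsed back:", parse_reg_list(reg_text, "RestrictRun"))
```

Running the script prints a white list for the four constructed entries and parses it back; to produce a black list instead, call build_reg("DisallowRun", [...]), and to switch a list off without deleting it, pass enabled=False so the DWORD is written as 0.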




Notes
1. Value names must consist of numbers. Numbering starts from zero. The numbers must be in order.
2. Windows controls the launch of programs because the functions ShellExecute and ShellExecuteEx, which are "wrappers" around CreateProcess, check the RestrictRun key. Therefore the proposed method protects only against unauthorized launching of programs by the user himself, and against those viruses that try to run something through ShellExecute (which is most of them). You can read more about ShellExecute and RestrictRun here (LockWin is discussed there, but the RestrictRun mechanism is described well).
Thanks shiko_1st.
3. For the investigation I used Process Explorer and Process Monitor by Mark Russinovich.

UPD1: To restrict program launches to Program Files only, you can use Microsoft's SteadyState utility. Thanks kondorkm

UPD2: For managing access rights in the home edition of Windows, the console utility cacls.exe is included, and there are also:
  • xcacls.vbs, downloaded from the MS website
  • xcacls.exe, included in the Windows Support Tools package
  • subinacl.exe, included in the Windows Resource Kit Tools package
Thanks xn__p2a
