On Mon, Mar 23, 2009 at 5:48 PM, Paul Everett <[email protected]> wrote:
> Ok, I've been messing with the svchost.exe file all day and now realize
> a key is a key, not an exe file.
> Where would I find this svchost key?
I believe this refers to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost

The SVCHOST.EXE program looks there to figure out which services to start, and which ones to run in which processes.

I assume the references to making that key read-only are a stop-gap defense against malware. If malware assumes it can write to that key, and you change the permissions on the key such that nobody (not even admins) can make changes to the key, the malware will be unable to set itself up as a SVCHOST service. Of course, this assumes malware authors don't start checking to see if they have permission, and granting themselves permission if they don't. (Admins can set permission on anything.) Hence "stop-gap".

The real solution is to not run as admin. You need admin rights to make changes to that key, and you also need admin rights to set the permissions. I just went to that registry key using my regular user account, and I can't edit or delete a darn thing.

Security. It works, when you use it. :)

-- 
Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
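The following PowerShell script is an added example for readers of this thread; it is not code from either poster. It does the two checks Ben's reply implies an administrator would want: it enumerates the SvcHost grouping key (which group runs which services, and which DLL each service loads, read from the ServiceDll value under each service's Parameters subkey, an assumed but standard location), and it lists which accounts hold write-type rights on the key, so you can see whether the "read-only" stop-gap is actually in place. Reading both keys needs no admin rights; the function names and the baseline-comparison idea are this example's own.

```powershell
# Added example (not from the original thread): inspect the SvcHost grouping key
# and report who can write to it. Reading the registry needs no admin rights.
$svcHostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'

function Get-SvcHostGroups {
    # Each value under the key is a group name (REG_MULTI_SZ) listing the services
    # that share one svchost.exe process.
    $key = Get-Item -Path $svcHostKey
    foreach ($group in $key.GetValueNames()) {
        if ($group -eq '') { continue }   # skip the (Default) value if one is set
        $members = @($key.GetValue($group))
        foreach ($svc in $members) {
            $svcPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
            $dll = $null
            # svchost-hosted services declare the DLL they load as ServiceDll,
            # normally under <service>\Parameters, occasionally on the service key itself.
            foreach ($p in @("$svcPath\Parameters", $svcPath)) {
                if (Test-Path -Path $p) {
                    $dll = (Get-ItemProperty -Path $p -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
                    if ($dll) { break }
                }
            }
            [pscustomobject]@{
                Group      = $group
                Service    = $svc
                Registered = (Test-Path -Path $svcPath)   # group lists a service that does not exist?
                ServiceDll = $dll
            }
        }
    }
}

function Get-SvcHostKeyWriters {
    # Report every Allow ACE on the key that grants a right letting the holder
    # change its contents or its permissions. FullControl includes these bits,
    # so it is caught by the same mask.
    $rights = [System.Security.AccessControl.RegistryRights]
    $writeMask = $rights::SetValue -bor $rights::CreateSubKey -bor $rights::Delete -bor $rights::ChangePermissions
    $acl = Get-Acl -Path $svcHostKey
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.RegistryRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
        }
    }
}

# Usage: a snapshot of groups and members to keep as a baseline (compare later
# runs against it), followed by the principals that could alter the key.
Get-SvcHostGroups | Sort-Object Group, Service | Format-Table -AutoSize
Get-SvcHostKeyWriters | Format-Table -AutoSize
```

A service that appears in a group but has no ServiceDll, or a group member that is not registered under Services at all, is worth a second look; so is any Allow entry for a non-administrative principal in the second table. As the reply above notes, an entry for Administrators cannot be treated as a hard control, since administrators can always restore their own rights.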
