Creating Registry Rules
The Registry Shield comes pre-configured with an example rule for HKEY_LOCAL_MACHINE\SOFTWARE\*, to familiarize you with rule creation so you can configure your own rules to protect your important or sensitive registry keys.
To create a new rule, open the Online Armor Control Panel, select Files and Registry from the list on the left, then select the Registry tab and and click the Add rule button.
To assist you in filling out the Registry Rule Editor, any fields or checkboxes that are yet to be correctly completed will be flagged with a red bullet, placed to the left of their name. Placing your mouse pointer over these bullets will display a tooltip with hints on how to complete the flagged section.
The following options are available on the General tab:
- Group – Allows you to select which group the rule should be assigned to.
- Rule name – Allows you to choose a descriptive name for the rule
- Active – Unticking this option deactivates the rule so that it is not currently in effect.
- Key mask – Allows you to define the registry key you want to protect. You can either browse for a key or value and have the appropriate mask added automatically, or manually enter a key or value and custom mask. Use an asterisk (*) to define "any string" and a (?) to define "any character".
- Entering HKEY_LOCAL_MACHINE\SOFTWARE\TestKeyB\* means that your rule will monitor any values directly below the "TestKeyB" key and the first level of sub-keys under the "TestKeyB" key (this doesn't include the contents of these sub-keys unless the "Include sub-keys" option has been ticked).
- Entering HKEY_LOCAL_MACHINE\SOFTWARE\TestKeyB means that your rule will monitor only the "TestKeyB" key itself.
- Entering HKEY_LOCAL_MACHINE\SOFTWARE\TestKey? means that your rule will monitor any key or value under HKEY_LOCAL_MACHINE\SOFTWARE\ with the name "TestKey" followed by one wildcard character (ie. "TestKey1" or "TestKeyA" but not "TestKeyA1").
- Include sub-keys – Allows you choose whether sub-keys of the mask should be included in the rule. When selecting a value this option will be unavailable.
- Rule scope
- Rule type: Create, Delete, Modify or Read – Allows you to choose whether your rule will apply to creation, deletion, modification or reading of registry keys. You can select as many or as few of these options as you wish.
- For unknown programs: Ask, Allow, or Block – Allows you to set which action the rule should take for Unknown programs.
Note: These settings will not be enforced on Unknown programs that have been manually marked as Installers by the user.
- For trusted programs: Ask, Allow, or Block – Allows you to set which action the rule should take for Trusted programs.
Note: These settings will not be enforced on Trusted programs that have been automatically detected as Installers.
- For Not Trusted programs: Ask, Allow, or Block – Allows you to set which action the rule should take for Not Trusted programs.
- Message – Allows you to customize the message that is displayed on the Registry Shield pop-ups
The Programs list is organized using a table with the following columns:
- Program – Shows the name of the program.
- Key – Shows the name of the registry key. If this action is allowed for all keys, an asterisk (*) will be displayed.
- Action – Shows the action the program was configured to take for this registry key.
Each row is color coded to indicate whether the program is Allowed to take this action for this registry key (green), or is Blocked from taking this action for this registry key (red).
A legend showing the colors and their corresponding status can be displayed by clicking on the Legend link above the table.
Programs List context menu
You can right-click in the Programs list to access the following option:
- Delete – Removes the item from the list. Deleting the item will cause Online Armor to pop up if this program tries to take this action on this registry key in the future.
- Online Armor's processes and critical Windows processes are exempt from any registry rules. This is to ensure that it isn't possible to unintentionally create registry rules that would render your system unbootable.
- The Registry Rule Editor's browser displays and allows for only the two root keys, HKEY_LOCAL MACHINE and HKEY_USERS and their contents to be selected. Other keys are purely virtual keys that redirect to sub-keys under these two root keys. As such, advanced users who are manually completing the "Mask" field should be aware that the Registry Rule Editor does not support registry rules having masks which refer directly to virtual keys. For example, if you wish to create a rule that refers to the virtual key HKEY_CURRENT_USER you must enter the appropriate sub-key under HKEY_USERS into the "Mask" field in place of HKEY_CURRENT_USER.
- The Registry Rule Editor's browser is unable to view any entries under HKEY_LOCAL_MACHINE\SECURITY or HKEY_LOCAL_MACHINE\SAM\SAM for security and safety reasons. Windows users have limited access to these keys and Online Armor does not escalate the rights to access it as doing so would leave it open to access by other programs. Incorrectly limiting system access to entries under this key also has the potential to damage your system. Advanced users may complete the "Mask" field manually if they wish to configure protection for entries under this key.