
Thread: A registry question the experts will love :)

  1. #1

    Thread Starter
    coder. Lord Orwell's Avatar
    Join Date
    Feb 2001
    Location
    Elberfeld, IN
    Posts
    7,628
    ok someone tell me if there is anything wrong with this program flow (this is all theory)

    You run your program and when Windows shuts down, it writes a command in the RunOnce part of the registry to run it again next time Windows is started.

    The next time windows is started, the key starts your program and windows automatically deletes the reg key.

    Then when the program closes at the end of that windows session, it writes a new runonce command.

    The kicker of this is if anyone searches the registry during the windows session, they won't find any reg entries.

    Why would someone want to do this? Well all evil intentions aside, it could be pretty useful for a "netnanny" program or something similar as a 2nd way of running your program on startup, to help prevent defeating of it by a novice kid wanting to see porn.

    If you register your program as a service, there would basically be no way of preventing it from running every time windows starts (until windows crashes some day, preventing the reg entry)

    Anyone think of any reason why this wouldn't work?
    My light show youtube page (it's made the news) www.youtube.com/@lightsofelberfeld
    Contact me on the socials www.facebook.com/lordorwell
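An added example, not part of any post in this thread: because the RunOnce value in the flow described above exists only between shutdown and the next startup, a registry search during the session misses it, but registry write telemetry still records each re-arm. The sketch below flags a program that writes a RunOnce value pointing back at itself on several distinct days. The record fields are modelled on Sysmon Event ID 13, and the events, paths and program names are constructed.

```python
import re
from collections import defaultdict

# Constructed registry value-set records; field names are modelled on
# Sysmon Event ID 13, and every path and program name is hypothetical.
K = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"
WATCHER = r"C:\Tools\Watcher\watcher.exe"
EVENTS = [
    # watcher.exe re-arms RunOnce with its own path at the end of each session
    {"UtcTime": t, "Image": WATCHER, "TargetObject": K + r"\RunOnce\watcher",
     "Details": '"' + WATCHER + '" /quiet'}
    for t in ("2024-05-01 22:10:03", "2024-05-02 21:47:55", "2024-05-03 23:02:18")
] + [
    # an installer schedules a different program once: ordinary RunOnce use
    {"UtcTime": "2024-05-02 09:15:00", "Image": r"C:\Temp\setup.exe",
     "TargetObject": K + r"\RunOnce\cleanup", "Details": r"C:\Temp\cleanup.exe"},
    # self-registration under Run, which a plain registry search would find
    {"UtcTime": "2024-05-02 09:16:00", "Image": r"C:\Apps\upd.exe",
     "TargetObject": K + r"\Run\upd", "Details": r"C:\Apps\upd.exe"},
    # a single self-registration under RunOnce (resume after reboot)
    {"UtcTime": "2024-05-03 10:00:00", "Image": r"C:\Apps\patch.exe",
     "TargetObject": K + r"\RunOnce\patch", "Details": r"C:\Apps\patch.exe /resume"},
]

RUNONCE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\RunOnce(Ex)?\\", re.I)

def target_exe(details):
    """Executable at the start of a command line (quoted, or up to the first space)."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', details)
    return (m.group(1) or m.group(2)).lower() if m else ""

def self_rearming(events, min_days=2):
    """Images that wrote a RunOnce value pointing at themselves on >= min_days days."""
    days = defaultdict(set)
    for e in events:
        if not RUNONCE.search(e["TargetObject"]):
            continue  # only the RunOnce / RunOnceEx keys are of interest here
        image = e["Image"].lower()
        if target_exe(e["Details"]) == image:
            days[image].add(e["UtcTime"][:10])  # date part of the timestamp
    return sorted(img for img, seen in days.items() if len(seen) >= min_days)

if __name__ == "__main__":
    for image in self_rearming(EVENTS):
        print("repeated self re-arm of RunOnce:", image)
```
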

  2. #2
    New Member
    Join Date
    Nov 2000
    Posts
    15
    You run your program and when Windows shuts down, it writes a command in the RunOnce part of the registry to run it again next time Windows is started.
    I think this will be the weakest link in the story. Because when somehow your prog is stopped, it will not write in the registry so the process will stop.

    Good luck with it.

  3. #3
    Good Ol' Platypus Sastraxi's Avatar
    Join Date
    Jan 2000
    Location
    Ontario, Canada
    Posts
    5,134
    Actually, he could give the user an option to restart the computer or not, and in any case write it to the runonce, and it will do that in any case. You can use the ShutdownWindowsEx or something like that API call. That actually is a good idea, Lord Orwell!
    All contents of the above post that aren't somebody else's are mine, not the property of some media corporation.
    (Just a heads-up)

  4. #4
    Tokhra
    Guest
    Could you not just write the code to add the registry key in the Form_QueryUnload event so that whenever the program is terminated it adds the reg key back to the registry?

    Or doesn't the QueryUnload execute when the computer shuts down? Also.. remove your program from the Windows tasklist. That way the only way to kill your program will be from an option in your program or a process viewer.

  5. #5
    Ex-Super Mod RobDog888's Avatar
    Join Date
    Apr 2001
    Location
    LA, Calif. Raiders #1 AKA:Gangsta Yoda™
    Posts
    60,709

    Cool

    Tokhra has the right idea. You could write the code in the QueryUnload event to write the values to the RunOnce reg. key. In the QueryUnload event there are 6 ways the event is invoked.
    1 - vbFormControlMenu - The user chose the Close command from the Control menu on the form.
    2 - vbFormCode - The Unload statement is invoked from code.
    3 - vbAppWindows - The current Microsoft Windows operating environment session is ending.
    4 - vbAppTaskManager - The Microsoft Windows Task Manager is closing the application.
    5 - vbFormMDIForm - An MDI child form is closing because the MDI form is closing.
    6 - vbFormOwner - A form is closing because its owner is closing.

    So even if Windows was shutting down the code will be written to the reg. key. You can even disable the other unload methods so the user can not shut your program down unless they reboot, but then it will start-up again.

  6. #6

    Thread Starter
    coder. Lord Orwell's Avatar
    Join Date
    Feb 2001
    Location
    Elberfeld, IN
    Posts
    7,628
    The query_unload is exactly what I had in mind.


  7. #7
    PowerPoster
    Join Date
    Aug 2000
    Location
    India
    Posts
    2,288
    Originally posted by Lord Orwell

    If you register your program as a service, there would basically be no way of preventing it from running every time windows starts (until windows crashes some day, preventing the reg entry)

    Anyone think of any reason why this wouldn't work?
    Once this happens, your program is gone for good until your program is started explicitly, or the users reinstall the program. And you can never be sure when Windows crashes or reboots improperly.

  8. #8

    Thread Starter
    coder. Lord Orwell's Avatar
    Join Date
    Feb 2001
    Location
    Elberfeld, IN
    Posts
    7,628
    I have a plan for that too

  9. #9
    PowerPoster
    Join Date
    Aug 2000
    Location
    India
    Posts
    2,288
    What's that?

  10. #10
    TheSarlacc
    Guest

    a simple defeat

    That is a neat theory, but a simple way to defeat it would be to press the RESET button on the tower while Windows is started! Or when Windows is loaded into safe mode, I think the RunOnce regkey is not looked at!

  11. #11

    Thread Starter
    coder. Lord Orwell's Avatar
    Join Date
    Feb 2001
    Location
    Elberfeld, IN
    Posts
    7,628
    That's why I disabled safe mode with 2 simple lines added to the msdos.sys file.
    Don't ask what they are.
    But here's a hint. One sets the default choice on the menu to "normal" instead of safe and the other changes the wait time to zero seconds.

    I believe I mentioned in the original posting that I knew the reg entry wouldn't be written if the system had to be reset. But ask yourself: What gets run every time your system boots back from a crash?

    Plus the program is also run from another place as well. I can't remember if I mentioned that this was a backup method? Hmm. I have no less than 5 different ways the program will be loaded. And whenever it is run, it will restore all the other ways. The way we went over here is sort of extra.

    Once I get all of this down, the applications will be potentially unlimited. Key logger, web monitor, security, etc.

  12. #12
    Tygur
    Guest
    Can't the user find the file name and boot to DOS (off a boot disk if necessary) and just delete the file?

  13. #13
    PowerPoster
    Join Date
    Aug 2000
    Location
    India
    Posts
    2,288
    There will always be a way to subvert your programs. But the thing is how difficult you make it for possible crackers.

  14. #14
    j2k
    Guest
    That's a neat idea, Lord Orwell.

    Perhaps what you could do is write a command to be run in win.ini as that loads even after an improper shut down to load your program, which could then delete the line from win.ini and rewrite it in the runonce registry system.

    Just a suggestion

  15. #15

    Thread Starter
    coder. Lord Orwell's Avatar
    Join Date
    Feb 2001
    Location
    Elberfeld, IN
    Posts
    7,628
    One: Win ME and all flavors of NT don't have a DOS mode, and in fact with NT you can't boot from a floppy and view the hard drive.
    Two: you can't modify the registry from DOS mode (easily).
    Three: not concerned about hackers. They aren't in the target audience.
    Four: it's not too hard to make a file name DOS can't delete. I've accidentally done it once or twice. Windows allows more characters in a file name than DOS does.
    Five: to prevent deletion of the file while Windows is open, the program will always have its own file share-locked by simply keeping it open in append mode.

    As you can see, there are ways to do anything.

  16. #16
    Tygur
    Guest
    Lord Orwell,
    If hackers aren't the target audience, then why go through all this trouble to begin with? We're obviously trying to make it very hard for someone to get rid of this program.

    Also, it doesn't matter if Windows ME doesn't have a DOS mode. You can still boot off a boot disk and delete the file.

    You probably already know this next point, but I'll say it anyway. As for being unable to read the hard drive of a computer with Windows NT, that only applies for people with NTFS partitions. (Sure, that's most of them, but it is possible that someone might be using FAT32 on Win2k or FAT on WinNT.)

    And as for making a file DOS can't delete, making a filename DOS can't handle doesn't cut it. The file will still have a short version of its name that can be seen in DOS, unless Windows screws up or something.

  17. #17

    Thread Starter
    coder. Lord Orwell's Avatar
    Join Date
    Feb 2001
    Location
    Elberfeld, IN
    Posts
    7,628
    I wasn't referring to making a long file name DOS couldn't delete. When I said more characters, I was referring to &%#, etc. I was referring to short file names DOS couldn't delete. It can be done from Windows because a file will only have a long file name separate from the short name if you give it a name longer than 8 characters.

    And if I was writing a program to prevent access to parts of a computer, then a large portion of general users know the places a program can be run from and could conceivably fix it so your program won't run anymore.

  18. #18
    Hyperactive Member TiPeRa's Avatar
    Join Date
    Apr 2001
    Location
    In between
    Posts
    464
    I am sure there is a way to create un-openable folders. I did it once but cannot remember exactly how. It involved creating a folder in DOS with Alt+0160 or Alt+0225. That makes it difficult to open in DOS (weird characters) and impossible in Windows.
