Forums Developers How to prevent registry access???

Hi everbody!

I wish to know how to prevent mIRC to access windows registry.

I have a cybercafe and people is using mIRC to stole registry informations, as for example, game and applications CD-Keys.

A customer show me this code sample that gets Half-Life CD-Keys:

----------
regread {
var %a = regread
.comopen %a WScript.Shell
if !$comerr {
var %b = $com(%a,RegRead,3,bstr,$1-)
var %c = $com(%a).result
.comclose %a
if (%c != $null) return %c
else goto error
}
:error
return error! when reading or key does not exist
}

pegarkey echo -a $regread(HKCU\Software\Valve\Half-Life\Settings\Key)
----------

Best regards,

/Leandro Peracchi

are you locking them from opening the registry in windows as well? (ie. start -> run -> regedit) ? because if not, then it doesnt matter what mirc can/cant do, they can still do it using the windows environment.

if you are, then all i can say is, dont allow the use of such functional irc clients in your cafe

there is a lock, but it does not lock the /comopen commands
you might want to suggest that in the features board, to add a lock to that command as well

You can disable the WScript crap, but I don't recall how.

But yea, if you're going to allow people to run mIRC, you're probably allowing them to download and execute all sorts of files that would compromise your system. If this isn't the case, then simply restrict the creation of any files. If they can't save their script, they can't execute it.

- Raccoon

Well, they could load mirc.ini as a script, couldn't they?

Hi guys!

Regedit is disabled by system policies.

The real problem is the comopen command... :tongue:

Please dont cross post (post the same question in multiple areas). It causes confusion and wont get you more or faster answers. I've deleted the other post since this is the one ppl have replied to

Since /comclose cannot (yet) be locked in the Options dialog, the only thing you can do about it is creating a custom alias, comclose { halt }, that will stop ordinary scripts from using this feature.

If you would like to disable Wscript, this page might help. I'm not sure if disabling or uninstalling it will make your browser unable to run scripts too.

this should definitely be a call to Khaled to get /comopen lockable in the next mirc

Hello there

Well, almost three years back while I had to depend on netcafe's for internet access, I came across few software which were customised so that a fellow user will only have limited privilage or access to the workstation or services. I think finding such a software, where access to the registry or control pannel is disabled by the Administrator could help you to achieve what you seek.
BUT I am not so sure whether mIRC will bypass such securities provided by these sort of Administrating software.

Please check the following links for more details.

www.right-fax.com/cafe/Internet-Cafe-Software.htm
www.h2ad.com
www.antamedia.com

All the best

Hi everbody!

Thanks for the replies.

I hope that soon a new version of mIRC allow us to lock this /com commands and this way increase the security of computers with mIRC.

For now I will follow the tip of Online and see what I get if I disable Windows Scripting Host.

I am afraid of indesirable side effects of doing this in my computers...

I already use a great software for Cyber Cafes called SmartLaunch.

Take a look at http://www.smartlaunch.net/

Best regards and happy new year for everbody!!!

/Leandro Peracchi

Hi Online!

I followed the steps in the link you provided to disable Windows Scripting Host but this don´t resolved...

That function /comopen stills work... :P

Anyway, thanks for help!

/Leandro Peracchi

Yeah you're right... even removal of wscript.exe wouldn't disable the COM object. One thing that worked here is renaming HKEY_CLASSES_ROOT\WScript.Shell to something other than "Wscript.Shell". This makes the object not usable (until you rename it back, that is). This solution doesn't seem to interfere with IE's script parsing abilities, but if you decide to do this, just write down to yourself that you did, because some applications (or scripts) might need it. I don't know...

wouldnt do much good if ppl put older versions on there now would it, it should have had this ability built into the OS for that type of environment adding it now wouldnt really solve any issue

Well, theoretically, an admin should control what programs are run on there......right?

theory is a nice concept that makes u feel all warm and fuzzy inside, here we deal with facts not theory

So you're telling me that real admins DON'T decide which programs are run?

no what im tellin u is that windows doesnt really allow real admin control. if it did this would have never ever been an issue at all.

http://www.steampowered.com/forums/forumdisplay.php?s=&forumid=31 maybe these people can help

Hi everbody!

I still don't find a solution to this problem...

Any other ideas?

Best regards,
/Leandro Peracchi

Did you try to rename that registry key? It's a rather safe solution that works here. Once it's done, scripts will not be able to address the Wscript.Shell object and use its capabilities.

Hi Online!

No, I didn't tried to rename that registry key...

I am afraid of that other programs stop to work correctly.

Are you using this solution? Do you see if another program stops to work?

Thanks again for the quick response!

Best regards,
/Leandro Peracchi

Look, Wscript is an optional part of the Windows, so nothing is supposed to crash if you disable it (fully or partially). I don't think the COM object is widely used by applications. When I browsed the web I noticed that it's only used by some VB Scripts (*.vbs) and particular server-side ASP applications (theoretically every programming language with COM interface can use it).

So... feel free to rename the key to anything else you'd want, and if (in the worst case) a program complain about a missing Wscript object, you'll always be able to rename it back. I see no danger in doing it, and at least when I did myself nothing went wrong.

I hope this answered your questions, and if anyone feels like correcting me, please do so. Good luck!

just out of curiosity, where the hell did you learn so much about COM objects? (this is directed at querty too)

When I found a name of an interesting COM object that might become useful (for example, Word.Application; Microsoft.XMLHTTP; ADOX.Catalog), I used google to search for its name. That's now I learned (or not) about possible ways to use it.

Microsoft's Ole Viewer allows you to browse through the objects you have on your PC and reveal their methods and properties.

This is what I did, but qwerty might have something to add

Hi guys!

I just followed the Online tip.

Will do some tests to see if I detect some problem.

If something goes wrong, I return to give you a feedback.

Best regards,
/Leandro Peracchi

i just searched the whole thing and certain objects i _know_ are on my pc weren't listed, including: MAPI.Session, WScript.Shell and WinHTTP5.1.dll

Google should return a few results for every object, including pieces of code from which you can get ideas. However this is what I can add:

WScript.Shell - Get Wscript's documentation here.

MAPI.Session - If it's identical to MSMAPI.* objects, this example might become useful.

WinHTTP5.1.dll - What you are looking for is "WinHttp.WinHttpRequest.5.1", but keep in mind that this object only exists on some WinXP systems, so don't expect scripts that depend on it to work everywhere. Instead, use "Microsoft.XMLHTTP"

thankyou for the mapi.session link, ive been wondering how to send emails WITH attachments for a while, ty

Your problem isn't with mIRC so to speak, but with the lack of security policies in your OS environment.

If you are using Windows 2000 or Windows XP Pro as the OS for these machines, you are better off using Group Policies to disable registry access to users.

Be careful, however.