HAURI Security Column
Malicious code causes user inconvenience by modifying Windows policy -- 09/04/09

Written by Jung-Sik Choi - HAURI Virus Lab

Ideally an anti-virus product would detect a modified policy and restore it to normal, but in practice this is hard to do, because no two users or enterprises run the same system configuration.
So let's look at which policies exist and how to restore them.

1. Registry

The registry stores many kinds of Windows settings and is easily edited with the Regedit.exe program.
File-extension associations, installed software, uninstall information and, in particular, Windows policies are all stored in the registry. The registry is divided into five main hives: HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS and HKEY_CURRENT_CONFIG; Windows policies live under HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE. As the names suggest, a policy under HKEY_CURRENT_USER applies to the currently logged-on user, and one under HKEY_LOCAL_MACHINE applies to the whole PC.

2. Windows Basic Tool

1) Task Manager
When you try to open Task Manager on a public PC, Ctrl+Alt+Del sometimes does not work and a warning window pops up instead. Task Manager cannot be started normally, and malicious code can run unhindered the whole time.
Task Manager is disabled when the registry value below is set.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
Name : DisableTaskMgr
Type : REG_DWORD
Data : 0 - Task Manager enabled, 1 - Task Manager disabled

2) Regedit
Regedit can be disabled in the same way as Task Manager. Unlike Task Manager, though, Regedit does not run once the warning message has popped up, and since the restriction can only be cancelled by editing the registry, the user has to find another way of editing the registry in that case.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
Name : DisableRegistryTools
Type : REG_DWORD
Data : 0 - Regedit enabled, 1 - Regedit disabled

3. Windows Control

1) Display Properties
Some malicious code changes the user's desktop; fake anti-virus programs in particular favour this method, popping up red warning signs, advertising pages and download pages. Such malicious code stops the user from easily restoring the desktop by blocking Display Properties, and it does so using a policy that Windows itself provides. The related registry value is shown below.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
Name : NoDispCPL
Type : REG_DWORD
Data : 0 - Display Properties enabled, 1 - Display Properties disabled

2) Control Panel
Malicious code can also block the Control Panel. Users rarely open the Control Panel, but when they need it and it does not work, they find it very inconvenient, and some even go as far as reformatting their PC.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
Name : NoControlPanel
Type : REG_DWORD
Data : 0 - Control Panel enabled, 1 - Control Panel disabled

3) Right mouse button click
Malicious code can also block right mouse clicks. With the context menu blocked, users have trouble copying and pasting files, or even renaming them.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
Name : NoViewContextMenu
Type : REG_DWORD
Data : 0 - Context menu enabled, 1 - Context menu disabled

4. Taskbar

At the bottom right of the desktop are the tray icons and the clock. Many users rely on the taskbar for convenience, but some malicious code can switch these taskbar items on and off by modifying registry values.

The registry value that hides the clock is shown below.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
Name : HideClock
Type : REG_DWORD
Data : 0 - Clock shown, 1 - Clock hidden

The registry value that hides the tray icons is shown below.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
Name : NoTrayItemsDisplay
Type : REG_DWORD
Data : 0 - Tray icons shown, 1 - Tray icons hidden

5. Internet Explorer

Internet Explorer has its own policies, separate from the Windows ones, and they too live in the registry. If Internet Options is disabled, clicking [Tools]-[Internet Options] does nothing, and it cannot be reached through the Control Panel either. If changing the home page is disabled, the home page settings are greyed out, so the page cannot be changed.

The registry value that disables Internet Options is shown below.

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions
Name : NoBrowserOptions
Type : REG_DWORD
Data : 0 - Internet Options enabled, 1 - Internet Options disabled

The registry value that disables changing the home page is shown below.

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel
Name : HomePage
Type : REG_DWORD
Data : 0 - Home page change enabled, 1 - Home page change disabled

Some malicious code inserts a string into Internet Explorer's window title. If the title shows a string such as "Hacked By XXX", the user can remove it by deleting the value below.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Name : Window Title
Type : REG_SZ
Data : the string inserted by the malicious code
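
The values in the tables above all follow one pattern (a REG_DWORD under HKLM or HKCU, 0 = available, 1 = restricted), so they can be checked and restored together. The following PowerShell script is an added example, not HAURI's code and not part of the original column: it audits every value listed above under HKLM and the current user's HKCU and, when run with -Restore, writes the existing data to a CSV and then resets each non-zero value to 0 and deletes the IE "Window Title" string. The parameter names and the backup file location are my own assumptions. Because it uses PowerShell's registry provider rather than regedit.exe, it still works when Regedit has been disabled by DisableRegistryTools.

```powershell
# Added example (not HAURI's code): audit the policy values from this column under HKLM and
# the current user's HKCU and, with -Restore, set each non-zero one back to 0 and delete the
# IE "Window Title" string. The previous data is written to a CSV first so that a
# legitimately configured policy can be put back. Run from an elevated PowerShell session.
param(
    [switch]$Restore,
    [string]$BackupCsv = "$env:TEMP\policy-before-restore.csv"   # assumed backup location
)

# Values from the column: key (relative to the hive), value name, what it restricts.
# For all of them 0 means the feature is available and 1 means it is disabled.
$PolicyValues = @(
    @{ Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Desc = 'Task Manager' },
    @{ Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Desc = 'Regedit' },
    @{ Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'NoDispCPL';            Desc = 'Display Properties' },
    @{ Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel';       Desc = 'Control Panel' },
    @{ Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoViewContextMenu';    Desc = 'Right-click context menu' },
    @{ Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'HideClock';            Desc = 'Taskbar clock' },
    @{ Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoTrayItemsDisplay';   Desc = 'Tray icons' },
    @{ Key = 'Software\Policies\Microsoft\Internet Explorer\Restrictions';  Name = 'NoBrowserOptions';     Desc = 'IE Internet Options' },
    @{ Key = 'Software\Policies\Microsoft\Internet Explorer\Control Panel'; Name = 'HomePage';             Desc = 'IE home page change' }
)

function Get-PolicyState {
    # One object per (hive, value) that actually exists, with its current data.
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($p in $PolicyValues) {
            $path = "${hive}:\$($p.Key)"
            if (-not (Test-Path $path)) { continue }
            $item = Get-ItemProperty -Path $path -Name $p.Name -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }
            $data = $item.PSObject.Properties[$p.Name].Value
            [pscustomobject]@{ Hive = $hive; Path = $path; Name = $p.Name; Desc = $p.Desc
                               Data = $data; Restricted = ($data -ne 0) }
        }
    }
}

$found = @(Get-PolicyState)
if ($found.Count -eq 0) { Write-Output 'None of the policy values from the table are set.'; return }
$found | Format-Table Hive, Name, Data, Desc -AutoSize | Out-Host

if ($Restore) {
    $restricted = @($found | Where-Object Restricted)
    if ($restricted.Count -gt 0) {
        # Keep the old data before changing anything.
        $restricted | Export-Csv -Path $BackupCsv -NoTypeInformation
        foreach ($v in $restricted) {
            Set-ItemProperty -Path $v.Path -Name $v.Name -Value 0 -Type DWord
            Write-Output "Reset $($v.Hive) $($v.Name) ($($v.Desc)) to 0; previous data saved in $BackupCsv"
        }
    }
    # The IE title string is removed outright rather than zeroed.
    $main  = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $title = (Get-ItemProperty -Path $main -Name 'Window Title' -ErrorAction SilentlyContinue).'Window Title'
    if ($title) {
        Write-Output "Removing IE Window Title '$title'"
        Remove-ItemProperty -Path $main -Name 'Window Title'
    }
}
```

Run it without arguments first to see which values are present and what they hold; only run it with -Restore once you have confirmed none of them is a deliberate policy on that machine. The HKCU half only covers the user the script runs as, and Explorer and Internet Explorer pick up most of these changes on their next start.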

Besides the above there are many other policies, such as hiding Folder Options, disabling the command prompt, disabling Search, and so on. Windows provides them because it is also used on public or unattended systems. That is also why, even after malicious code has changed these registry values, an anti-virus product cannot simply detect and repair them: if the restriction is a deliberate policy, an anti-virus that repairs the registry would itself cause a problem.
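
Since an anti-virus cannot safely repair these values on its own, the defender's alternative is to be told when they change and decide case by case. The following PowerShell watcher is an added example, not HAURI's code: it subscribes to the WMI RegistryTreeChangeEvent for the two HKLM subtrees that hold the values from this column and, after each change, logs any of those values that is set. The log file location is my own assumption, and the approach only covers HKEY_LOCAL_MACHINE, because the WMI registry event classes do not support HKEY_CURRENT_USER.

```powershell
# Added example (not HAURI's code): log a line whenever one of the HKLM policy values from this
# column is found set after a change under the Policies subtrees, instead of repairing it.
# Run in an elevated PowerShell session that stays open; the subscription dies with the session.
$LogFile = "$env:ProgramData\policy-change.log"   # assumed log location

# (key relative to HKLM, value names) from the column; any non-zero data is a restriction.
$Watched = @(
    @{ Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Names = 'DisableTaskMgr', 'DisableRegistryTools', 'NoDispCPL' },
    @{ Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Names = 'NoControlPanel', 'NoViewContextMenu', 'HideClock', 'NoTrayItemsDisplay' },
    @{ Key = 'SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions';  Names = 'NoBrowserOptions' },
    @{ Key = 'SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel'; Names = 'HomePage' }
)

# Subtrees to watch. RegistryTreeChangeEvent needs the root key to exist, and both of these
# do on a stock Windows install, even when the policy subkeys underneath them do not yet.
$Roots = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies', 'SOFTWARE\Policies'

$Action = {
    $root  = $Event.SourceEventArgs.NewEvent.RootPath
    $table = $Event.MessageData.Watched
    $log   = $Event.MessageData.LogFile
    foreach ($w in $table) {
        $path = "HKLM:\$($w.Key)"
        if (-not (Test-Path $path)) { continue }
        $item = Get-ItemProperty -Path $path
        foreach ($n in $w.Names) {
            $data = $item.PSObject.Properties[$n].Value
            if ($null -ne $data -and $data -ne 0) {
                "$(Get-Date -Format o) change under HKLM\$root : $($w.Key)\$n = $data" | Add-Content -Path $log
            }
        }
    }
}

foreach ($r in $Roots) {
    # WQL wants the backslashes in RootPath doubled.
    $wql = "SELECT * FROM RegistryTreeChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND RootPath='$($r -replace '\\', '\\')'"
    Register-CimIndicationEvent -Query $wql -SourceIdentifier "PolicyWatch-$($r -replace '\\', '-')" `
        -MessageData @{ Watched = $Watched; LogFile = $LogFile } -Action $Action | Out-Null
}
Write-Output "Watching $($Roots.Count) HKLM subtrees; entries go to $LogFile. Run 'Unregister-Event -SourceIdentifier PolicyWatch-*' to stop."
```

Legitimate policy refreshes (Group Policy, for instance) fire the same event, so a logged entry means "a restriction is now set", not "malware did it"; that is exactly the distinction the column says an anti-virus cannot make on its own, and why the script only logs.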

The best course, therefore, is not to get infected in the first place. Use a genuine anti-virus product, update its engine daily, and so shut off the possibility of malicious code changing your policies.

Copyright 2008 HAURI Inc. All rights reserved.