Summary
When using ATTK, you may see the detection type: Policy. This type of detection indicates that ATTK found Windows Settings suspiciously changed, possibly modified by malware. One good example is some malware that disable Task Manager to prevent the user from killing the malware process. The modified Task Manager settings can be detected by ATTK as Policy.
Details
| Policy | Type | Description |
|---|---|---|
| SCRNSAVE.EXE | Desktop | Set screen saver value to Blank |
| BackupWallpaper | Desktop | Enable the predefined backup wallpaper of the OS |
| NoSetActiveDesktop | Desktop | Disable Active Desktop |
| Wallpaper | Desktop | Enable the predefined wallpaper of the OS |
| NoChangingWallpaper | Desktop | Disable the changing of wallpapers |
| NoActiveDesktopChanges | Desktop | Disable changing of Active Desktop |
| Start Page | Internet Explorer | Set start page value of Internet Explorer to "about:blank" |
| Home Page | Internet Explorer | Enable user to change the HomePage Address in the Internet Options of IE |
| Window Title | Internet Explorer | Delete value to be shown in the Menu Bar of IE |
| AntivirusDisableNotify | Security | Users will be notified that Antivirus Software is Disabled |
| AntivirusOverride | Security | Enable Antivirus Monitoring |
| FirewallDisableNotify | Security | Users will be notified that the Firewall is Disabled |
| FirewallOverride | Security | Enable 3rd Party Firewall Monitoring |
| UpdatesDisableNotity | Security | Users will be notified that Updates are available |
| DisableWindowsUpdateAccess | Security | Access to Windows Updates is Enabled |
| AUOptions | Security | Enable "Download updates for me but let me choose when to install them" |
| NoAutoUpdate | Security | Enable Windows Automatic Updates |
| EnableDCOM | Security | Launching of servers and connecting to objects by remote clients is allowed on a per-class basis according to the value |
| DoNotAllowXPSP2 | Security | Windows XP Service Pack 2 will be shown in Windows Update |
| RestrictAnonymous | Security | Allow anonymous users |
| AutoShareServer | Security | Admin$ shares will not be available (on a server machine) |
| AutoShareWks | Security | Admin$ shares will not be avialable (on a workstation machine) |
| Messenger | Security | Set Net Send Service startup type to Automatic |
| RemoteRegistry | Security | Set Remote Registry accessible service startup type to Automatic |
| EnableFirewall | Security | Enable WIndows XP Firewall |
| TIntSvr | Security | Set TIntSvr Service startup type to Manual |
| wscsvc | Security | Set wscsvc service startup type to Automatic |
| wuauserv | Security | Set wuauserv service startup type to Automatic |
| DisableRegedit | System | Delete value of HKCU\Software\Microsoft\WIndows\CurrentVersion\Policies\System DisableRegedit and HKLM\Software\Microsoft\WIndows\CurrentVersion\Policies\System DisableRegedit |
| DisableRegistryTools | System | Allows users to run registry editor |
| DisableTaskMgr | System | Allows users to run Task Manager |
| DisableCMD | System | Enable command prompt and batch files |
| DisableConfig | System | System Restore will be configurable in the "System Properties" a.k.a. WIndows + Break |
| DisableSR | System | System Restore will be shown in the "System Properties" a.k.a Windows + Break |
| DisableMSI | System | Set value for Windows Installer is enabled for all applications. All install operations are allowed |
| Hidden | Explorer | Enable "Show Hidden Files" |
| HideFileExt | Explorer | Enable "Always show extensions of Known File Types" |
| ShowSuperHidden | Explorer | Enable "Show System Files" |
| DisallowCpl | Explorer | The system displays the icons of all Control Panel Item |
| DisallowRun | Explorer | Users can run all installed Windows Programs |
| NoClose | Explorer | Shut Down appears on the Start Menu and in the Windows Security dialog box |
| NoControlPanel | Explorer | Allow to access Control Panel |
| NoDesktop | Explorer | Show Desktop Items |
| NoDrives | Explorer | All Drives will show |
| NoFind | Explorer | Find features operate normally |
| NoFolderOptions | Explorer | Allow "Folder Options" in Windows Explorer will be accessible |
| NoLogOff | Explorer | Show "Log Off" on "Shut Down Windows" menu |
| NoRecentDocsMenu | Explorer | Show "My Recent Documents" and "Customize Start Menu" in the Start Menu |
| NoRun | Explorer | Show Run command |
| NoSetFolders | Explorer | Control Panel, Printers, and Network and Dial-up connections can run |
| NoSetTaskBar | Explorer | Users can use the Taskbar and Start Menu Properties dialog box |
| NoTrayContextMenu | Explorer | Context-sensitive menus appear when you right-click the taskbar or right-click items on the taskbar |
| CheckedValue | Explorer | The values for Hidden files and Folders will be interchangeable |
| NoDriveAutoRun | Explorer | Disables AutoPlay on all kinds of Drives |
| NoDriveTypeAutoRun | Explorer | Disables Autorun on all kinds of Drives |
ATTK fixes the policy by restoring the registry value to the default.
For example:
Policy: Wuauserv Detects HKLM\SYSTEM\CurrentControlSet\Services\wuauserv Start=3
After the fix, it should return to the default value, which is 2.
