security, acl's


LonnyRJones
2005-10-25, 07:31
Is it possible to build in the capacity to deny system access?
Sure would be handy fighting malware.

PepiMK
2005-10-25, 10:28
What exactly are you thinking about?
Editing the ACLs?
Blocking usage of bad files by removing the according access types?
This could get difficult, since most of the bad processes are running under the user account, so just blocking system access wouldn't do. But maybe changing the access types to "see and delete" only?
I haven't written the code to manipulate ACLs yet, but it should not be too difficult... I'll need to think about it (and find a free minute to code ;) ).

LonnyRJones
2005-10-25, 14:05
I'm just starting to understand the basics,
so far no luck in denying just system BUT I can goof up ACLs really easily :)
On NTFS systems I can defeat vundo and l2m with this script

:: Copy XCACLS.exe (from the Support Tools) into System32 if it is not there yet
if not exist "%WinDir%\System32\XCACLS.exe" copy XCACLS.exe "%WinDir%\System32" >nul
:: sample batch: /P replaces the whole ACL so only ADMINISTRATOR keeps Full control
:: (SYSTEM and everyone else lose access, so the DLL cannot be loaded at boot); /Y skips the prompt
XCACLS l2m1.DLL /P ADMINISTRATOR:F /Y
XCACLS l2m2.DLL /P ADMINISTRATOR:F /Y
XCACLS l2m3.DLL /P ADMINISTRATOR:F /Y
:: guard.tmp is just a dummy file created here and locked the same way
echo crappie>guard.tmp
XCACLS guard.tmp /P ADMINISTRATOR:F /Y

Reboot

Modify and run this batch, then delete the files

:: /E edits the existing ACL instead of replacing it, /G grants System and Administrators Full control,
:: /T applies to subdirectories, /C continues on errors, /Y skips the prompt
xcacls l2m1.DLL /T /E /G System:F Administrators:F /C /Y
xcacls l2m2.DLL /T /E /G System:F Administrators:F /C /Y
xcacls l2m3.DLL /T /E /G System:F Administrators:F /C /Y
XCACLS guard.tmp /T /E /G System:F Administrators:F /C /Y
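The two-phase procedure above (lock the DLLs away from SYSTEM, reboot, restore the ACL and delete), as an added PowerShell example that is not LonnyRJones's script: it uses Get-Acl/Set-Acl in place of XCACLS and, going one step beyond the batch, saves each file's original security descriptor so phase 2 restores exactly what was there. The target paths and the backup location are constructed placeholders; it assumes an elevated PowerShell session.

```powershell
# Phase 1: save each target's ACL, then replace it so only Administrators keep access
# (the equivalent of "XCACLS ... /P ADMINISTRATOR:F"). Phase 2 runs after the reboot.
# Added example, not from the thread; run from an elevated PowerShell session.
$Targets = @('C:\Windows\System32\l2m1.dll', 'C:\Windows\System32\l2m2.dll')  # constructed placeholders
$Backup  = Join-Path $env:TEMP 'acl-backup.json'                                # assumed location

function Lock-FileToAdmins {
    param([string[]]$Path, [string]$BackupFile)
    $saved = @{}
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { Write-Warning "missing: $p"; continue }
        $acl = Get-Acl -LiteralPath $p
        $saved[$p] = $acl.Sddl                      # original descriptor, needed for phase 2
        # Stop inheriting (which drops inherited ACEs) and remove the explicit ones,
        # so SYSTEM and ordinary users can no longer read or load the file
        $acl.SetAccessRuleProtection($true, $false)
        foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList 'BUILTIN\Administrators', 'FullControl', 'Allow'
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $p -AclObject $acl
    }
    $saved | ConvertTo-Json | Set-Content -LiteralPath $BackupFile
}

# Phase 2 (after the reboot): restore the saved ACLs, then delete the no-longer-loaded files,
# mirroring the second "xcacls ... /E /G System:F Administrators:F" batch plus the delete step.
function Restore-AclAndRemove {
    param([string]$BackupFile)
    $saved = Get-Content -LiteralPath $BackupFile -Raw | ConvertFrom-Json
    foreach ($entry in $saved.PSObject.Properties) {
        $p = $entry.Name
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $acl = Get-Acl -LiteralPath $p
        $acl.SetSecurityDescriptorSddlForm($entry.Value)  # put the original ACL back
        Set-Acl -LiteralPath $p -AclObject $acl
        Remove-Item -LiteralPath $p -Force
    }
}

# Usage: Lock-FileToAdmins -Path $Targets -BackupFile $Backup   (then reboot)
#        Restore-AclAndRemove -BackupFile $Backup
```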

PepiMK
2005-11-16, 17:07
Goofing up isn't a problem for me either :D
Anyway... the code to manipulate ACLs was already there, I just forgot where I used it before :rolleyes:
So next release will have that function.

And the next version will have a page showing Authenticode certificates...

LonnyRJones
2005-11-20, 02:29
Thanks Patric

Looking farward to it

PepiMK
2005-12-13, 13:19
Ok, I've just uploaded new versions of RunAlyzer, RegAlyzer and of course FileAlyzer, the latter one including a plaintext ACL preview as well as a simple ACL editor window.

LonnyRJones
2005-12-13, 16:45
Hi Patric

I'm not seeing an editor, I must be blind.

Edit: I see it now

PepiMK
2005-12-13, 17:20
Hmmm sorry, you're right, it's quite hidden :rolleyes:
That was more or less a debug measure, but I grew so accustomed to it that I didn't think about it not being in plain sight :D

For everyone else looking for it: just click on the plaintext ACL text.

LonnyRJones
2005-12-14, 10:12
Patric, thanks for the new tool.
But it's sort of hard to see, I think.
I have to ask next :)
Eventually, can you make it so we can call FileAlyzer and modify ACLs from a batch?

Did you intentionally include the right-click "create detection rule" in this new version?
I hadn't noticed, that could have been in prior versions as well?