AtGuard

[Bill_MI]

SysInternals has a slick little utility (AUTORUNS) to view and disable any driver/service/app running at startup. I've used it successfully to disable several things but AtGuard is elusive. The IAMAPP.EXE runs regardless of settings (though AtGuard seems to be totally disabled). Anyone successful? Any clues what's starting iamapp.exe?

Sure enough, this technique has proved AtGuard is responsible for doing something with Steve Gibson's menu research - the problem disappears with AtGuard disabled this way (only). All web filters are normally OFF and no combo of disabling AtGuard by normal means clears up this problem - as long as drivers are running.

On a secondary note, if you're running Firefox 1.5.0.4 and AtGuard 3.22.11 on Win2K/SP4 with tcpip.sys 5267 what do YOU see at: http://www.grc.com/grcmenu.htm under the Freeware menu? The Utilities text screwed up? I have two machines doing the same thing and AtGuard is 99% suspect. Steve is playing a lot with coding so this problem may not last.

Here's the (7) things that are disabled in AUTORUNS that causes that page to work properly:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
iamapp IAMAPP.EXE (Not verified) WRQ, Inc. c:\program files\atguard\iamapp.exe
BUT IT STILL RUNS!!!???

HKLM\System\CurrentControlSet\Services
iamServ IAMSERV.EXE (Not verified) WRQ, Inc. c:\program files\atguard\iamserv.exe

HKLM\System\CurrentControlSet\Services
DNSFILT AtGuard DNS Filter (Not verified) WRQ, Inc. c:\program files\atguard\dnsfilt.sys
FWFILT AtGuard Firewall Filter (Not verified) WRQ, Inc. c:\program files\atguard\fwfilt.sys
HTTPFILT AtGuard HTTP Filter (Not verified) WRQ, Inc. c:\program files\atguard\httpfilt.sys
Iamdrv AtGuard Filter (Not verified) WRQ, Inc. c:\program files\atguard\iamdrv.sys
NDISFILT c:\program files\atguard\ndisfilt.sys

On a tertiary note - it sure would be nice to be abe to *completely* disable AtGuard (even if it takes a reboot like this does). It's golden as a debug tool and proven over and over that just drivers loaded affects things.
_________________
Expert Opinions $5 ... Shut Up $10

[Bill_MI]

If anyone's interested, I FOUND THE PROBLEM. It has to do with SysInternal's AUTORUNS program having an apparent deficiency.

AUTORUNS tries to hide programs from running in this registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

...by hiding such disabled entries in the created key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled

Well, this o/s (Win2K/SP4 up-to-date) RUNS IT ANYWAY!!! I proved this by intentionally breaking this entry and that makes all the difference.

This is just a curiosity since running iamapp.exe with no drivers doesn't hurt anything - it just bugged me why a disabled program ran to begin with.

Now, back to the AtGuard 3.3 wait.
_________________
Expert Opinions $5 ... Shut Up $10

[Bill_MI]

Again (if anyone's interested), I found an issue with this technique. Perhaps someone with more knowledge how Windows hooks and dependencies work could enlighten me more. It boils down to this...

Because I've used Autoruns to disable a driver, I create the following System Error: