Windows 10: How to block registry keys which are associated with IOC's

Hello Team,Hope you are well !I want to put some registry keys in the block mode onto my MDATP console which are associated with the IOC or part of some sort of breach.Can anyone please help me how to do so, i tried going to configuration manager in MSATP but unable to do so.Thank you!

:)

 

Can NOT remove ATITool registry key!

It's low priority to stop ATITool from making undeletable class keys in the reigstry?

That's about one rung above spyware.

What bothers me most is that I'm pretty sure you can't protect a registry key by any simple means, something must still be running somewhat that is protecting that key. Even after I manually removed the service. That's what bothers me.

 

File Association Helper in Startup

from another forum on May 6, 2018:
You can uninstall File Association Helper in less than 5 minutes. Here are the steps to follow:

Step 1 — Uninstall File Association Helper via Control Panel

Simply go to Start > type Control Panel > double click the first result to launch Control Panel.
Then go to Uninstall a program > locate File Association Helper in the list and select it
Select Uninstall > wait until Windows completely removes FAH from your PC.
Restart your PC.
Step 2 — Clean the Registry Editor

Now that you removed the program, you also need to remove any traces or file changes associated with it. To do that, you need to open the Registry Editor.

Go to Start > type “regedit” > launch the Registry Editor
Locate the following keys and delete them:
KEY_CURRENT_USERSoftwareFile Association Helper
HKEY_LOCAL_MACHINESoftwareFile Association Helper

Step 3 — Check all the hidden files and folders

File Association Helper may have left behind various hidden files and folders. In order to completely remove the software, you can also need to delete these files. Here’s how to do that:

Simply go to Start > type Control Panel > double click the first result to launch Control Panel. On Windows 10, you can also type “Show hidden files and folder” in the search box. Then simply check Show hidden files, folders and drives and jump straight to step number 3.
RECOMMENDED: Click here to fix common PC issues and speed up your system
Go to Folder > select Show Hidden Files and Folders
Locate the following folders:
Crogram FilesFile Association Helper
C*Biggrinocument and SettingsAll UsersApplication DataFile Association Helper
C*Biggrinocuments and Settings%USER%Application DataFile Association Helper

4. Delete them and then restart your PC.

Step 4 — Empty Temp Folder

The final step is to clean the Temp folder where all the temporary files are stored. To empty the folder, go to Start and type the %temp% command.

This will open the Temp folders. You can now empty them. If the system displays an error message when deleting some files, leave them. The files might be in use by Windows services or some running software.

Step 5 — Use a dedicated tool to remove software leftovers

After you performed all the steps listed above, you have removed 99.9% of all the files and folders left behind by File Association Helper. However, there may be a few file that escaped your scrutiny. In order to make sure that you have removed all of them, you can also use a dedicated software uninstaller.

These applications are specially designed to remove the selected application along with all of its files and registry entries. As a result, the application will be completely removed from your PC.

There are many great uninstaller tools available on the market, but the best are IOBit Uninstaller and Revo Uninstaller so feel free to try any of these tools.

 

ATITool registry key

Hello,

During ATITool installation, the following registry key was added to my registry:

"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{85b5ddd0-e090-4b15-bdf2-a443a3ca0b66}"

After uninstalling the program, this key remained. I tried to delete it through the registry editor but it returned the following error:

"Cannot delete {85b5ddd0-e090-4b15-bdf2-a443a3ca0b66}: Error while deleting key."

I'm running Vista Home Premium 32-bit by the way. I also tried to change permissions for the key and deleting in safe mode, but neither of those worked either.

Any ideas on how i can remove this key? Any help is appreciated, thanks.