How does A1RunGuard work?

Technical Review

In-depth, A1RunGuard uses Windows Image File Execution Debugger method to intercept the running of the executable files.

This technique has a lot of advantages (over other methods/techniques):

  • System files are not changed.
  • No drivers, complete independence of running executables.
  • Perfect compatibility with Windows versions (from Windows 7 to Windows 11).
  • Easy set/undo by changing several registry keys.
  • Block processes by its name or by full pathname.

However, there are also cons of the said method, which are:

  • This technique does not support wildcards in the process names.
  • The process is intercepted by the name, not by its contents.

What happens during the launch of an application?

  1. Windows checks for the presence of the sub-key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{name of the executable}.
  2. If the sub-key exists, Windows checks for the "Debugger" registry value. If this value exists, Windows executes the file, stored in the Debugger value with the command line of the started application.
  3. A1RunGuard uses its application: "A1RunScanner.exe" as a debugger.
A1runscanner.exe then completes the launch the application or blocks it.

A1RunGuard Features

  • Prevent Ransomware Attacks by monitoring essential processes.
  • Block a process by filename or by full file path.
  • Lock process by a password.
  • Redirect process lanch to another program.