ProcessGuard FAQ
Frequently Asked Questions

  What is Learning Mode?
ProcessGuard initially starts up in this special mode so that it can grant ALLOW access to your TRUSTED programs, such as your web browser, your security programs and so on. This part of setup is very important, so please be sure to follow the setup guide online or in the help file, which describes Learning Mode in more detail.

  What does "invalid handle" mean?
This is a default error message from the operating system: ProcessGuard blocked the execution of a program midway through its startup. The program never started, because ProcessGuard has control over it.

If you receive this message unexpectedly, you may have ticked the option "Block new and changed programs". Do not use this option unless you have completely configured your computer ready for use; otherwise legitimate programs could be blocked from running. This option is only intended for use when you are really sure you don't want ANY new programs starting.

  Does ProcessGuard still protect my system if procguard.exe is not running?
Yes, protection is still active. The main ProcessGuard program (procguard.exe) is essentially just a configuration and realtime-viewing program, but it doesn't provide the protection - the driver does. In the case of Close Message handling, another process (dcsuserprot.exe) will be active, but all other protections are handled by the driver.

  Is there a Windows 95/98/ME version?
No, sorry. The kernel-mode driver technology is not compatible with the older operating systems (95/98/ME/NT); it runs only under Windows 2000, Windows XP, and Windows 2003.

  ProcessGuard is giving me alerts, is my system infected?
Not all alerts ProcessGuard shows are related to infections or malicious software. Some valid programs need certain privileges that ProcessGuard can restrict. It is up to you, the user, to know whether you trust a certain application. If you are unsure about the application, it is best to leave ProcessGuard as it is, protecting you from whatever the application is doing. If, on the other hand, you know and trust the application, give it the privileges it requires.

  I have "show balloon alerts" ticked, but I don't see any. Why?
Balloon alerts can be completely disabled for all programs; this is an option in some software such as "XP-AntiSpy". The setting is per user. The registry key can be reset manually if needed, and is at this location:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

In this key there is a DWORD value named EnableBalloonTips. Set it to 0 for no balloons, or 1 for balloons.

  What are pgaccount.exe and dcsuserprot.exe?
These two programs are both parts of ProcessGuard. You will see one pgaccount.exe for every active user account on your system. For instance, if you logged in as Administrator and then switched to another account, there will be two instances of pgaccount.exe running. The Windows Task Manager will show you which logged-in user owns each, if you want to check.

Both of these applications (dcsuserprot.exe and pgaccount.exe) need to be running for ProcessGuard to work to its full extent. PGAccount.exe is responsible for showing the Permit or Deny window for program execution requests.
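As an added example (this is not DiamondCS code), the following PowerShell script checks the two things the balloon-alert answer and the pgaccount.exe/dcsuserprot.exe answer describe: which logged-in user owns each running ProcessGuard helper process, and the current per-user EnableBalloonTips value, with a switch to set it back to 1. It assumes Windows PowerShell 3.0 or later on a machine where ProcessGuard is installed; the function names are my own.

```powershell
# Added example, not part of ProcessGuard. Assumes Windows PowerShell 3.0+.

# 1. One pgaccount.exe per logged-in account: list each helper with its owner,
#    the same information Task Manager shows in its "User Name" column.
function Get-ProcessGuardHelpers {
    $names = @('pgaccount.exe', 'dcsuserprot.exe')
    Get-CimInstance Win32_Process |
        Where-Object { $names -contains $_.Name } |
        ForEach-Object {
            $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
            [pscustomobject]@{
                Name  = $_.Name
                PID   = $_.ProcessId
                Owner = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<unknown>' }
            }
        }
}

# 2. Per-user balloon tips: 0 = suppressed (e.g. by XP-AntiSpy), 1 = enabled,
#    value absent = Windows default (enabled). -Enable writes 1 back as a DWORD.
function Test-BalloonTips([switch]$Enable) {
    $key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $name = 'EnableBalloonTips'
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    $current = if ($null -eq $item) { 'not set (default: enabled)' } else { $item.$name }
    if ($Enable -and ($null -eq $item -or $item.$name -ne 1)) {
        # -Force overwrites an existing value; DWord matches the type the FAQ names
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
        $current = "$current -> 1 (set)"
    }
    [pscustomobject]@{ Key = $key; EnableBalloonTips = $current }
}

$helpers = Get-ProcessGuardHelpers
if (-not $helpers) {
    Write-Warning 'pgaccount.exe / dcsuserprot.exe are not running: Permit/Deny prompts will not appear'
}
$helpers | Format-Table -AutoSize
Test-BalloonTips | Format-List   # add -Enable to restore balloon alerts for this user
```

Run it from the account whose balloon alerts are missing, since the registry value lives under that user's HKEY_CURRENT_USER.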

  Does ProcessGuard use much CPU or many resources?
No. We've worked very hard to ensure that ProcessGuard is as "light-weight" as possible in terms of resource and CPU use, so you won't notice it running (other than the presence of a system tray icon, of course!). Most protection is handled by the kernel-mode driver, which uses a minimal amount of memory and is only in use when events occur which are of interest to the ProcessGuard protection model.

All this means that for the most part (~99.9% of the time), ProcessGuard will be using 0% CPU and very little memory. You can even close down the ProcessGuard interface to save memory, if you don't need to see the logs.

  Why isn't Read access blocked by default?
Reading-based attacks are extremely rare, so protection against them isn't often needed, but ProcessGuard provides the ability to block reading simply for completeness of its feature set. Only advanced users who understand what they're doing should block Read access.

  What is a kernel-mode driver?
Put simply, under Windows NT-based systems (including Windows 2000, Windows XP, and Windows 2003) a kernel-mode device driver is a 32-bit modular component that runs at a privileged level (known as Ring 0 to those familiar with Intel hardware) on the computer's CPU. As such, drivers run as trusted components of the kernel, virtually becoming a part of the operating system itself.


Copyright © 2008, Diamond Computer Systems Pty. Ltd. All rights reserved.