Registry Monitor comparison
hojtsy
May 19th, 2004, 10:10 AM
I am collecting and comparing the list of monitored keys and other capabilities of current registry monitor apps. Mostly the free ones. The list of monitored keys may or may not be the most important feature of an application, but this thread mainly discusses this aspect.
'+' means: Key (group) is monitored by the app
'L' means: Key is monitored by the app only in the HKLM subtree
'U' means: Key is monitored by the app only in the HKCU subtree
'HK**' means: The same key is monitored in both HKLM and HKCU
*** means: Recurse into all immediate subkeys here, 1 level depth
List entry types:
(K) is a key, contained values/subkeys are watched
(v) is a single value watched for changes
(M) multiple values in different keys
(?) entry type unknown. Please provide information
1 SM: Mike Lin's Startup Monitor (free)
2 RP: DiamondCS Registry Prot 2.0 (free)
3 RD: RegDefend 1.0 (http://www.ghostsecurity.com/index.php?page=regdefend) (shareware) [Wilders forum] (http://www.wilderssecurity.com/forumdisplay.php?f=72)
4 RR: Regrun 4 Gold Pro (http://www.greatis.com/security/antitrojan.htm) (shareware) [see also] (http://www.greatis.com/security/registrytracer.htm)
5 TT: Spybot Search and Destroy Teatimer (free)
6 SS: System Safety Monitor (http://maxcomputing.narod.ru/ssme.html?lang=en) (free)
7 GA: Microsoft Antispyware = Giant Antispyware (free)
8 WP: Winpatrol (http://www.winpatrol.com)
9 MJ: MJ Registry Watcher (http://www.jacobsm.com/#downloads) 1.2.3.8 (free) [Wilders thread] (http://www.wilderssecurity.com/showthread.php?t=54666)
Links are provided to reports about malware using the specific key. Isn't that cool!
Autostarts
1 2 3 4 5 6 7 8 9
S R R R T S G W M
M P D R T S A P J
+ + + + + + + + + (K) HK**\SW\MS\Windows\CV\Run(Once) link (http://support.microsoft.com/default.aspx?scid=kb;en-us;137367)
- + - + - - - - + (K) HKLM\SW\MS\Windows\CV\RunEx
- + - - - - - - + (K) HKLM\SW\MS\Windows\CV\RunOnce\Setup link (http://support.microsoft.com/default.aspx?scid=kb;en-us;137367)
- + + + - + + + + (K) HKLM\SW\MS\Windows\CV\RunOnceEx link (http://www.sophos.com/virusinfo/analyses/trojnettroja.html)
- - - + + + L + + (K) HK**\SW\MS\Windows\CV\RunServices(Once) link (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_LOVGATE.AB&VSect=T)
- - + + - - + - + (v) HKCU\SW\MS\Windows\CV\Explorer\Shell Folders\Startup link (http://www.sophos.com/virusinfo/analyses/trojkillavd.html)
- - - + - - + - + (K) HKCU\SW\MS\Windows\CV\Explorer\User Shell Folders
- - - - - - + - + (K) HKLM\SW\MS\Windows\CV\Explorer\ShellExecuteHooks link (http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?Vname=TROJ_LEMIR.EL)
- - - + - - - - + (K) HKLM\SW\MS\Windows\CV\Explorer\SharedTaskScheduler link (http://vic.zonelabs.com/tmpl/body/CA/virusDetails.jsp?VId=38398)
- - - + - - - - + (K) HKLM\SW\MS\Windows\CV\ShellServiceObjectDelayLoad link (http://www.sophos.com/virusinfo/analyses/trojwtha.html)
- - - - - - - - + (?) HKLM\SW\MS\Windows\CV\app management\arpcache\ link (http://www.giantcompany.com/antispyware/research/spyware/spyware-Memory-Watcher.aspx)
- - - + - - - - + (K) HKLM\SW\MS\Active Setup\Installed Components link (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_PRORAT.17)
- - - ? - - - - + (M) HKLM\SW\MS\Active Setup\Installed Components\***\StubPath link (http://www.megasecurity.org/Trojaninfo/subseven2.2_startup.html)
- + - + + + + - + (K) HKLM\Software\CLASSES\#file\shell\open\command (#=exe,com,pif,bat) link (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_YAHA.AA)
- - - + - + + - + (K) HK**\SW\MS\Windows\CV\policies\Explorer\Run link (http://www.sophos.com/virusinfo/analyses/trojproratj.html)
- - + + - - - - + (v) HKLM\System\CCS\Control\Session Manager\BootExecute link (http://www.sophos.com/virusinfo/analyses/trojthemousea.html)
- - - + - - - - + (K) HKLM\System\CCS\Control\Session Manager\FileRenameOperations link (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_REVOP.D)
- - - - - - - - + (K) HKLM\System\CCS\Control\Session Manager\KnownDLLs link (http://support.microsoft.com/default.aspx?scid=KB;en-us;q164501)
- - + - - - - - + (v) HKLM\System\CCS\Control\Session Manager\PendingFileRenameOperations link (http://securityresponse.symantec.com/avcenter/venc/data/w32.goner.a@mm.html)
- - + - - - - - + (v) HKLM\System\CCS\Control\Session Manager\environment\path
- - - - - - + - + (K) HKLM\System\CCS\Control\lsa link (http://securityresponse.symantec.com/avcenter/venc/data/w32.netspree.worm.html)
- - + + - + - - + (K) HKLM\System\CCS\Services link (http://www.symantec.com/avcenter/venc/data/trojan.boxed.a.html)
- - - + - + - - + (M) HKLM\System\CCS\Services\***\Image Path
- - - - - - - - + (K) HKLM\System\CCS\Services\vxd link (http://securityresponse.symantec.com/avcenter/venc/data/backdoor.smorph.html)
- - - + - - + - + (K) HKLM\System\CCS\Services\WinSock2 link (http://securityresponse.symantec.com/avcenter/venc/data/trojan.riler.html)
- - - - + - + - + (K) HKLM\SW\MS\Code Store Database\Distribution Units\ link (http://www.pestpatrol.com/PestInfo/R/RapidBlaster.asp)
- - - + - + - - + (?) HKLM\SW\Policies\Microsoft\Windows\System\Scripts\Shutdown
- - - + - + - - + (?) HKLM\SW\Policies\Microsoft\Windows\System\Scripts\Startup link (http://forums.subratam.org/index.php?showtopic=1063)
- - - + - U - - + (?) HK**\SW\Policies\Microsoft\Windows\System\Scripts\Logon
- - - + - U - - + (?) HK**\SW\Policies\Microsoft\Windows\System\Scripts\Logoff
- - - + - - - - + (v) HKCU\Control Panel\Desktop\scrnsave.exe link (http://www.symantec.com/avcenter/venc/data/w32.petch.b.html)
- - - - - - - - - (K) HK**\SW\MS\Windows NT\CV\Extensions
- - - L - - ? - ? (?) HK**\SW\MS\Windows NT\CV\IniFileMapping\win.ini\load
- - - L - - ? - ? (?) HK**\SW\MS\Windows NT\CV\IniFileMapping\win.ini\run
- - - L - - L - + (v) HK**\SW\MS\Windows NT\CV\IniFileMapping\win.ini\Winlogon
- - - L - - L - + (v) HK**\SW\MS\Windows NT\CV\IniFileMapping\system.ini\boot\shell
- - + + - - - + + (v) HKCU\SW\MS\Windows NT\CV\Windows\Run link (http://www.sophos.com/virusinfo/analyses/w32kullana.html)
- - + + - - - + + (v) HKCU\SW\MS\Windows NT\CV\Windows\Load link (http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100442)
- - L + - - - - + (K) HK**\SW\MS\Windows NT\CV\Winlogon link (http://www.sophos.com/virusinfo/analyses/trojgina.html)
- - L + - - L - + (v) HK**\SW\MS\Windows NT\CV\Winlogon\UserInit link (http://www.symantec.com/avcenter/venc/data/w32.petch.b.html)
- - + + - + + - + (v) HKLM\SW\MS\Windows NT\CV\Winlogon\Shell link (http://www.sophos.com/virusinfo/analyses/trojproratj.html)
- - + - - - - - + (v) HKLM\SW\MS\Windows NT\CV\Winlogon\Taskman
- - - + - - - - + (K) HKLM\SW\MS\Windows NT\CV\Winlogon\Notify link (http://securityresponse.symantec.com/avcenter/venc/data/backdoor.haxdoor.b.html)
- - - + - - - - + (K) HKLM\SW\MS\Windows NT\CV\Svchost link (http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q250/3/20.ASP&NoWebContent=1)
- - + + - + - - + (v) HKLM\SW\MS\Windows NT\CV\Windows\APPINIT_DLLs link (http://www.avp.ch/avpve/newexe/win32/highway.stm)
- - - - - - - - + (M) HKLM\SW\MS\Windows NT\CV\Accessibility\Utility manager\***\Application path
- - - - - - - - + (K) HKLM\SW\MS\Windows NT\CV\WOW\boot link (http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.coced240b.tro.html)
- - - - - - - - + (K) HKLM\SW\MS\Windows NT\CV\Shell Extensions\Approved link (http://sarc.com/avcenter/venc/data/pf/adware.zestyfind.html)
- - - - - - - - + (K) HKEY_CLASSES_ROOT\Protocols\Filter link (http://uk.trendmicro-europe.com/consumer/security_info/ve_detail.php?Vname=TROJ_STARTPGE.AF)
- - - - - - - - + (K) HKLM\SW\Classes\Protocols\Filter link (http://uk.trendmicro-europe.com/consumer/security_info/ve_detail.php?Vname=TROJ_STARTPGE.AF)
- - - - - - - - + (K) HK**\SW\classes\mailto\shell\open\command link (http://securityresponse.symantec.com/avcenter/venc/data/backdoor.pointex.html)
- - - - - - - - + (v) HKCU\SW\MS\Command Processor\AutoRun link (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_HITON.A)
- - - - - - - - + (K) HK**\SW\MS\ole link (http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?id=65362&VName=WORM_SDBOT.XN&VSect=T)
- - - - - - + - - (v) HKCR\ftp\shell\open\command\(Default)
- - - - - - + - - (v) HKCU\ftp\shell\open\command\(Default)
- - - - - - - - + (K) HKLM\System\CCS\Control\MPRServices link (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_LAMUD.A&VSect=T)
1 2 3 4 5 6 7 8 9
S R R R T S G W M
M P D R T S A P J
Security settings
1 2 3 4 5 6 7 8 9
S R R R T S G W M
M P D R T S A P J
- - - - - - - - + (K) HKLM\SW\MS\Windows\CV\Explorer\Advanced link (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_LAMUD.A&VSect=T)
- - - - - - - - - (K) HKLM\SW\MS\Windows\CV\WindowsUpdate link (http://securityresponse.symantec.com/avcenter/venc/data/w32.dopbot.html)
- - - - - - - - + (K) HK**\SW\MS\Windows\CV\policies\Explorer link (http://vil.nai.com/vil/content/v_100998.htm)
- - - - - - + - - (K) HKLM\SW\MS\Windows\CV\policies\Explorer\RestrictRun link (http://forum.gladiator-antivirus.com/index.php?showtopic=21415&st=0&#entry75584)
- - - - - - - - + (K) HK**\SW\MS\Windows\CV\policies\System link (http://securityresponse.symantec.com/avcenter/venc/data/vbs.bingd@mm.html)
- - - - - - - - + (K) HK**\SW\MS\Windows\CV\policies\Network link (http://vil.nai.com/vil/content/v_100998.htm)
- - - - - - - - - (K) HKLM\SW\MS\Security Center link (http://securityresponse.symantec.com/avcenter/venc/data/w32.dopbot.html)
- - - - - - - - - (K) HKLM\SW\Policies\Microsoft\Windows\WindowsUpdate link (http://securityresponse.symantec.com/avcenter/venc/data/w32.dopbot.html)
- - - - - - + - + (v) HKLM\SW\MS\Windows NT\CV\Winlogon\DefaultPassword
Internet Explorer hijacks and parasites
1 2 3 4 5 6 7 8 9
S R R R T S G W M
M P D R T S A P J
- - + + + - + - + (K) HKCU\SW\MS\Windows\CV\Explorer\Browser Helper Objects link (http://www.pestpatrol.com/PestInfo/t/trojan_win32_startpage_gv.asp)
- - - - - - L - + (K) HK**\SW\MS\Internet Explorer\Toolbar link (http://www.pestpatrol.com/PestInfo/u/unknown_trojan_2.asp)
- - - - U - U - + (K) HK**\SW\MS\Internet Explorer\Toolbar\WebBrowser link (http://www.sophos.com/virusinfo/analyses/trojstartpame.html)
- - - - - - U - + (K) HK**\SW\MS\Internet Explorer\Toolbar\ShellBrowser
- - - - U - + - + (K) HK**\SW\MS\Internet Explorer\Explorer Bars\ link (http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453078521)
- - - - U - - - + (K) HK**\SW\MS\Internet Explorer\MenuExt\ link (http://www.sophos.com/virusinfo/analyses/trojiestartk.html)
- - - - U - + - + (v) HK**\SW\MS\Internet Explorer\Main\Local Page link (http://www.sophos.com/virusinfo/analyses/trojesearcha.html)
- - - - U - + - + (v) HK**\SW\MS\Internet Explorer\Main\Search Page link (http://www.sophos.com/virusinfo/analyses/trojesearcha.html)
- - - - U - + - + (v) HK**\SW\MS\Internet Explorer\Main\Search Bar link (http://www.sophos.com/virusinfo/analyses/trojesearcha.html)
- - - - U - + - + (v) HK**\SW\MS\Internet Explorer\Main\Start Page link (http://www.sophos.com/virusinfo/analyses/trojesearcha.html)
- - - - U - L - + (K) HK**\SW\MS\Internet Explorer\Search\ link (http://securityresponse.symantec.com/avcenter/venc/data/trojan.bookmarker.c.html)
- - - - U - - - + (K) HK**\SW\MS\Internet Explorer\SearchUrl\ link (http://it.trendmicro-europe.com/consumer/security_info/ve_detail.php?id=56281&VName=TROJ_WINSHOW.A&VSect=T)
- - - - - - - - + (K) HK**\SW\MS\Internet Explorer\Styles link (http://securityresponse.symantec.com/avcenter/venc/data/trojan.bookmarker.b.html)
- - - - - - L - + (K) HKLM\SW\MS\Internet Explorer\AboutURLs link (http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129590)
- - - - - - + - + (K) HK**\SW\MS\Internet Explorer\extensions
- - - - - - - - + (K) HKCU\SW\MS\Internet Explorer\extensions\cmdmapping link (http://www.pestpatrol.com/PestInfo/e/ebates_moneymaker.asp)
- - - - - - + - - (K) HKCU\SW\MS\Internet Explorer\URLSearchHooks link (http://www.trendmicro.com/vinfo/grayware/graywareDetails.asp?SNAME=SPYW_BDPLUGIN.A)
- - - - - - - - - (K) HK**\SW\MS\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN link (http://www.sophos.com/virusinfo/analyses/trojpadodort.html)
- - - - - - + - + (K) HKLM\SW\MS\Windows\CV\Internet Settings\SafeSites link (http://www.sophos.com/virusinfo/analyses/trojstartpgg.html)
- - - - - - + - - (M) HKCU\SW\MS\Windows\CV\Internet Settings\Zones\***\CurrentLevel
- - - - - - + - - (K) HKCU\SW\MS\Windows\CV\Internet Settings\ZoneMap\Domains
- - - - - - - - + (K) HKU\.default\SW\MS\Internet Explorer\extensions\cmdmapping
- - - - - - + - + (K) HKLM\SW\MS\Windows\CV\URL\DefaultPrefix link (http://www.sophos.com/virusinfo/analyses/trojstartpahb.html)
- - - - - - + - + (K) HKLM\SW\MS\Windows\CV\URL\Prefixes link (http://www.sophos.com/virusinfo/analyses/trojstartpabn.html)
Keys of questionable relevance:
1 2 3 4 5 6 7 8 9
S R R R T S G W M
M P D R T S A P J
- + - - - - + + + (K) HKCU\SW\MS\Windows\CV\RunOnceEx
- - - - - - - - + (K) HKCU\SW\Policies\Microsoft\Windows\safer\codeidentifiers
- - - - - - - - + (K) HK**\SW\MS\Windows NT\CV\IniFileMapping
- - - - ? - - - + (K) HK**\SW\MS\Internet Explorer\
- - - - ? - - - + (K) HK**\SW\MS\Internet Explorer\Main\
- - - - - - - - + (K) HKLM\System\CCS\Services\WinSock2\Parameters
- - - - - - - - + (K) HKCU\SW\MS\Windows\CV\Explorer\fileexts
- - - - - - - - + (K) HKU\***\SW\MS\Windows\CV\Explorer\fileexts\***\OpenWithList
- - - - - - - - + (M) HKU\***\SW\MS\Windows\CV\Explorer\fileexts\***\Application
- - - - - - - - + (K) HKU\***\SW\MS\Windows\CV\Run(Once)
- - - - - - - - + (K) HKU\***\SW\MS\Windows\CV\RunServices(Once)
- - - - - - - - + (K) HKCR\Protocols\Filter\Class Install Handler
Some features:
1 2 3 4 5 6 7 8 9
S R R R T S G W M
M P D R T S A P J
- - + + - + - - + ¦ *** Monitors any user configured reg. keys ***
- - - - - - - - + ¦ Monitors user configured keys based on wildcards
- - + + - + - + + ¦ Monitors any user configured file associations
+ + - - + + - - + ¦ Is free
- - + - - + - - + ¦ Displays complete list of monitored keys
- - - + - - - + + ¦ Displays the content of autostart entries
+ + - + + + + + + ¦ Works by polling the registry content every x seconds
- - + - - - - - - ¦ Works by intercepting registry change attempts
- - ? + + + - - + ¦ Also monitors deletions from registry
- - - - - + + - + ¦ Auto-undos the change before displaying popup dialog
- - + - - + ? - - ¦ Is also a kind of sandbox
+ + ? + + - + + + ¦ Monitors some files for changes
- - ? ? - + - - - ¦ Survives certain termination attempts
Most of these are auto-start locations. The others are some keys you do not want to be changed by malware.
If you find errors or have some app or key to add (such as Ad-Watch) please post.
Please avoid holy wars in this thread, I would like it to remain focused.
You may also be interested in listing the autostarting applications on-demand. For this I suggest the free Sysinternals Autoruns (www.sysinternals.com/ntw2k/freeware/autoruns.shtml). Warning: this is not a registry monitor.
See also these places for more regkey lists, and explanations:
http://forums.subratam.org/index.php?showtopic=1063
http://www.diamondcs.com.au/index.php?page=autostarts
http://www.giantcompany.com/antispyware/research/doc_howto_spywaremanifests.aspx
http://research.pestpatrol.com/Whitepapers/AutoStartingPests.asp
http://www.cpcug.org/user/clemenzi/technical/Parasites/BrowserHijackers.html
The NT booting process (http://www.comptechdoc.org/os/windows/ntwsguide/ntwsbooting.html)
Note that this post #1 keeps growing with new keys, and information added from time to time.
-hojtsy-
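The feature table says most of these apps work by polling the registry content every x seconds, and that only some of them also report deletions. As an added example that is not code from any of the tools compared here, this Python script implements that polling approach for a watchlist written in the table's own notation (HK**, SW/MS/CV/CCS, Run(Once), a trailing *** for one level of subkeys, and an optional single value name for the (v)/(M) entries): each poll snapshots the watched keys and diffs against the previous poll, so created and deleted keys and values are reported alongside modifications. The watchlist and the before/after registry contents in demo() are constructed; on Windows it polls the live registry via winreg, elsewhere it prints the diff of the constructed data.

```python
import re
import time

ABBREV = {"SW": "Software", "MS": "Microsoft", "CV": "CurrentVersion", "CCS": "CurrentControlSet"}
WILDCARD = "***"  # table marker: recurse into immediate subkeys, one level
# A snapshot maps key path -> {value name: data as text}, or None if the key is absent.
# A change is (kind, key, value name, old data, new data).

# Constructed watchlist in the table's notation: a (K), an (M) and a (v) entry; the second
# element is the one value name to compare, or None for every value of the key.
WATCHLIST = [
    ("HK**\\SW\\MS\\Windows\\CV\\Run(Once)", None),
    ("HKLM\\System\\CCS\\Services\\***", "ImagePath"),
    ("HKCU\\Control Panel\\Desktop", "SCRNSAVE.EXE"),
]

def expand_entry(entry):
    """HK** -> HKLM and HKCU; SW/MS/CV/CCS expanded; 'Run(Once)' -> Run and RunOnce."""
    parts = [ABBREV.get(p, p) for p in entry.split("\\")]
    hives = ["HKLM", "HKCU"] if parts[0] == "HK**" else [parts[0]]
    m = re.fullmatch(r"(\w+)\((\w+)\)", parts[-1])
    tails = [m.group(1), m.group(1) + m.group(2)] if m else [parts[-1]]
    return ["\\".join([h] + parts[1:-1] + [t]) for h in hives for t in tails]

def snapshot(watchlist, read_key, list_subkeys):
    """Read every watched key; *** is expanded on each poll so new subkeys are seen too."""
    snap = {}
    for entry, value_name in watchlist:
        for path in expand_entry(entry):
            head = path[: -len(WILDCARD) - 1] if path.endswith("\\" + WILDCARD) else None
            keys = [path] if head is None else [head + "\\" + s for s in list_subkeys(head)]
            for key in keys:
                vals = read_key(key)
                if vals is not None and value_name is not None:  # (v)/(M): one value only
                    vals = {n: d for n, d in vals.items() if n.lower() == value_name.lower()}
                snap[key] = vals
    return snap

def diff_snapshots(old, new):
    """Key creation/deletion plus value add/modify/delete between two polls."""
    changes = []
    for key in sorted(set(old) | set(new)):
        o, n = old.get(key), new.get(key)
        if (o is None) != (n is None):
            changes.append(("key deleted" if n is None else "key created", key, "", "", ""))
        o, n = o or {}, n or {}
        for name in sorted(set(o) | set(n)):
            if name not in o:
                changes.append(("value added", key, name, "", n[name]))
            elif name not in n:
                changes.append(("value deleted", key, name, o[name], ""))
            elif o[name] != n[name]:
                changes.append(("value modified", key, name, o[name], n[name]))
    return changes

def dict_readers(store):  # readers over an in-memory {key path: values} dict (constructed data)
    def list_subkeys(head):
        pre = head + "\\"
        return sorted(k[len(pre):] for k in store if k.startswith(pre) and "\\" not in k[len(pre):])
    return store.get, list_subkeys

def winreg_readers():
    """Readers over the live registry (Windows only); an absent key reads as None."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER,
             "HKU": winreg.HKEY_USERS, "HKCR": winreg.HKEY_CLASSES_ROOT}
    def enum(path, index, fn):  # QueryInfoKey()[0] = subkey count, [1] = value count
        hive, _, sub = path.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], sub) as k:
                return [fn(k, i) for i in range(winreg.QueryInfoKey(k)[index])]
        except OSError:
            return None  # key absent (or not readable)
    def read_key(path):
        pairs = enum(path, 1, winreg.EnumValue)
        return None if pairs is None else {name: str(data) for name, data, _ in pairs}
    return read_key, lambda path: enum(path, 0, winreg.EnumKey) or []

def demo():
    """Two constructed polls (not real data); the Wallpaper change is filtered out by the (v) entry."""
    run = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    svc = "HKLM\\System\\CurrentControlSet\\Services\\"
    desk = "HKCU\\Control Panel\\Desktop"
    before = {run: {"ctfmon": "C:\\WINDOWS\\system32\\ctfmon.exe"},
              svc + "Dhcp": {"ImagePath": "svchost.exe -k netsvcs", "Start": "2"},
              desk: {"SCRNSAVE.EXE": "C:\\WINDOWS\\system32\\logon.scr", "Wallpaper": "a.bmp"}}
    after = {k: dict(v) for k, v in before.items()}
    after[run]["updater"] = "C:\\Temp\\x.exe"                  # new Run value
    after[svc + "newsvc"] = {"ImagePath": "C:\\Temp\\y.exe"}    # new service key
    after[desk].update({"SCRNSAVE.EXE": "C:\\Temp\\z.scr", "Wallpaper": "b.bmp"})
    return diff_snapshots(snapshot(WATCHLIST, *dict_readers(before)),
                          snapshot(WATCHLIST, *dict_readers(after)))

if __name__ == "__main__":
    try:
        readers = winreg_readers()
    except ImportError:  # not on Windows: show the diff of the constructed data instead
        raise SystemExit("\n".join(str(c) for c in demo()))
    prev = snapshot(WATCHLIST, *readers)
    while True:  # poll the live registry every 5 seconds until interrupted
        time.sleep(5)
        cur = snapshot(WATCHLIST, *readers)
        for change in diff_snapshots(prev, cur):
            print(change)
        prev = cur
```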
FanJ
May 19th, 2004, 07:01 PM
Hi,
I think that RegRun Gold should be added ;)
A very good program !
See the nice review by Root:
http://www.wilderssecurity.com/regrungold.html
The site is:
http://www.greatis.com/regrun3.htm
Edited:
RegRun is not free.
hojtsy
May 20th, 2004, 06:46 AM
FanJ,
I added Regrun, but the list entries are just assumptions. Could you please check that it is correct? I suggest posting the list of monitored keys when suggesting apps.
-hojtsy-
Sumire
May 20th, 2004, 06:31 PM
Here are also good discussions about registry monitors.
http://www.dslreports.com/forum/remark,6686853~root=security,1~mode=flat
http://www.dslreports.com/forum/remark,6721512~root=security,1~mode=flat
Personally, I like SSM(System Safety Monitor) as a registry monitor program, because SSM can monitor many registry entries normally, and it can also add your optional registry entries.
Best Regards
FanJ
May 20th, 2004, 09:07 PM
First of all:
I do applaud Hojtsy for trying to get such a list !!! :D
Also thanks to Sumire for those links !
At the moment I haven't read them all, but I was very pleased at a first look to see NISFileCheck mentioned.
It ain't no secret that I'm a BIG fan of NISFileCheck.
Maybe it is a good idea to point to the difference of:
- file-integrity-checkers, like NISFileCheck, FileChecker from Javacool, etc.;
- registry-integrity-checkers like RegRun.
With respect to auto-start places on your system, some of those utilities have some "overlap", but it can't hurt to have more than one program to watch them.
hojtsy
May 21st, 2004, 04:18 AM
Wow Sumire, there is a mighty lot of info in those threads.
I updated the table with explicit locations and more keys. Unfortunately there are lots of assumptions in the table. I don't have time to test all this out: please help!
-hojtsy-
Pilli
May 21st, 2004, 05:41 AM
Hi HoJtsy, you have picked a difficult task. Well done! Though I do not think that Process Guard should be classed as a registry checker, as it only checks the one entry you have shown. :)
Of the commercial programmes, AdWatch from Lavasoft also monitors Reg run changes as does TDS3.
hojtsy
May 21st, 2004, 09:31 AM
{QUOTE->
Of the commercial programmes, AdWatch from Lavasoft also monitors Reg run changes as does TDS3. <-QUOTE}
TDS does not actively monitor, so it does not classify here. I would love to include AdWatch, if somebody could please list the keys it watches.
-hojtsy-
Bubba
May 21st, 2004, 10:00 AM
By using Sysinternals' registry monitoring utility (Regmon)....I monitored TeaTimer.exe through a few cycles and compiled it into the below results. This is by no means official and is solely based on an observation by an interested user of Spybot.
HKCU\Test-Dummy\Test-Resident\....Cycle starts
HKCR\batfile\shell\open\command
HKCR\comfile\shell\open\command
HKCR\exefile\shell\open\command
HKCR\piffile\shell\open\command
HKCR\scrfile\shell\open\command
HKCR\regfile\shell\open\command
HKCU\batfile\shell\open\command
HKCU\comfile\shell\open\command
HKCU\exefile\shell\open\command
HKCU\piffile\shell\open\command
HKCU\scrfile\shell\open\command
HKCU\regfile\shell\open\command
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
HKCU\Software\Microsoft\Internet Explorer\MenuExt\
HKCU\Software\Microsoft\Internet Explorer\
HKCU\Software\Microsoft\Internet Explorer\Main\
HKCU\Software\Microsoft\Internet Explorer\Search\
HKCU\Software\Microsoft\Internet Explorer\SearchUrl\
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
HKLM\SOFTWARE\Microsoft\Internet Explorer\MenuExt\
HKLM\Software\Microsoft\Internet Explorer\
HKLM\Software\Microsoft\Internet Explorer\Main\
HKLM\Software\Microsoft\Internet Explorer\Search\
HKLM\Software\Microsoft\Internet Explorer\SearchUrl\
HKCU\Test-Dummy\Test-Resident\....Cycle starts again
Sumire
May 21st, 2004, 11:37 AM
Hi,hojtsy
I also respect your efforts.
With SSM's normal setting, it seems that SSM can monitor the following entries.
SSM
+ HKLM\SW\MS\Windows\CurrentVersion\Run
- HKLM\SW\MS\Windows\CurrentVersion\RunEx
+ HKLM\SW\MS\Windows\CurrentVersion\RunOnce
- HKLM\SW\MS\Windows\CurrentVersion\RunOnce\Setup
+ HKLM\SW\MS\Windows\CurrentVersion\RunOnceEx
+ HKLM\SW\MS\Windows\CurrentVersion\RunServices
+ HKLM\SW\MS\Windows\CurrentVersion\RunServicesOnce
+ HKCU\SW\MS\Windows\CurrentVersion\Run
+ HKCU\SW\MS\Windows\CurrentVersion\RunOnce
- HKCU\SW\MS\Windows\CurrentVersion\RunOnceEx
+ HKLM\SW\MS\Windows NT\CurrentVersion\Winlogon\Shell
- HKCU\SW\MS\Windows\CurrentVersion\Explorer\Shell Folders
+ HKCU\SW\MS\Windows\CurrentVersion\Explorer\User Shell Folders
- HKCU\SW\MS\Internet Explorer\Main\...
- HKLM\SW\MS\Active Setup\Installed Components\KeyName
- HKU\...\SW\MS\Windows\CurrentVersion\Run...
+ HKLM\Software\CLASSES\exefile\shell\open\command
- ...\SW\MS\Windows NT\CurrentVersion\Winlogon\UserInit
+ HKLM\SW\MS\Windows NT\CurrentVersion\Windows\APPINIT_DLLs
- ...\SW\MS\Windows\CurrentVersion\policies\Explorer\Run
- HKLM\SW\MS\Windows\CurrentVersion\ShellServiceObjectDelayLoad
- HKLM\SW\MS\Windows NT\CurrentVersion\IniFileMapping
- HKLM\System\CCS\Control\Session Manager\BootExecute
- HKLM\System\CCS\Control\Session Manager\FileRenameOperations
- SharedTaskScheduler
+ Common_Startup_Folder
+ User___Startup_Folder
- Other_User_Startup_Folder
- screensaver
- NT_logon_script
+ NT_wininit_ini
- User_stylesheet
- User configured reg. keys
In addition to this, I added the following registry entries to the SSM's monitor.
HKCR\exefile\shell\open\command\
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components
I think preventing ITW threat is the most important thing so I added the above entries. Please look at the below screen shot. It is the screen shot of the backdoor MiniMo's auto-start editor.
And backdoor Beast and Subseven use ActiveX startup as a start up method, so I added ActiveX startup.
http://www.nsclean.com/psc-bst.html
Any suggestions and recommendations are really appreciated. :)
Best Regards.
--?--
May 21st, 2004, 03:34 PM
This is a very good thread! Thanks everybody.
hojtsy
May 23rd, 2004, 01:33 PM
Sumire and Bubba: thanks very much. I updated the table.
Bubba, could you be so kind as to do the same registry monitoring of the DiamondCS RegProt with Regmon? I am unable to get any official info about it, so the table contains only assumptions: some confirmation would be fine.
In the meantime I will start a thread discussing specific keys and apps.
-hojtsy-
WilliamP
May 23rd, 2004, 03:09 PM
Sumire, can SSM's monitor be used without SSM to watch the registry? You see I have Process Guard and don't feel the need for the execution protection, as that is built into PG. Thank you.
lonewolf3367
May 23rd, 2004, 04:38 PM
SSM can be used without its additional registry monitoring capabilities. As a matter of fact that's the way I use it and have been for quite some time now, and I think it's great.
WilliamP
May 23rd, 2004, 05:24 PM
Lonewolf, I think I confused you on SSM. I would like to have the reg. protection without the Execution Protection.
Sumire
May 24th, 2004, 11:14 AM
{QUOTE-> Sumire, can SSM's monitor be used with out SSM to watch the registry? You see I have Process Guard and don't feel the need for the execution protection as that is built into PG. Thank you. <-QUOTE}
Hi, WilliamP
First of all, I haven't used Process Guard, so I can't say anything about Process Guard.
As for the SSM, SSM can turn the Execution Protection off, so you can use only SSM's registry protection.
Best Regards.
Sumire
May 24th, 2004, 11:50 AM
Hi, hojtsy
I was using RP (Registry Prot) on my old Win98 box; if my memory is correct, I think RP can't monitor (Common_Startup_Folder) and (User___Startup_Folder).
May I ask you a question? What is "screensaver" start-up method on your table? Would you please let me know more details?
{QUOTE-> Windows XP Screensaver Vulnerability
Windows XP has a default screen saver called logon.scr, which runs even if no screen saver has been selected. This can present a security risk, as it can allow a local user to replace logon.scr with another program and have it launched with system privileges.
To Disable this Locally open regedit to the following key
Key: [HKEY_USERS\.DEFAULT\Control Panel\Desktop]
Name: ScreenSaveActive
Type: REG_SZ (String Value)
Value: (0 = disabled, 1 =enabled)
Restart Windows for the change to take effect.
Note: An alternative screen saver can be used if disabling is not an option; simply change the value of 'SCRNSAVE.EXE' in the same key to equal the full path of the screen saver you wish to use.
Note2: this Vulnerability is Present in All Windows NT based Machines But the Screensaver name is Login.scr instead of Logon.scr <-QUOTE}
I've found this vulnerability, so I tested this vulnerability on my WinXP box, but this vulnerability doesn't work correctly on my WinXP box, so Microsoft already fixed this vulnerability. Is this the "screensaver" start-up method?
I've found another ITW start-up method which SSM can't monitor perfectly. The below screen shot is the backdoor CIA's start-up editor.
Windows NT Run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
Explorer Run(edit.SSM can monitor this entry)
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
I think there are many start-up methods which I don't know of. :(
Best Regards
hojtsy
May 24th, 2004, 06:22 PM
Hi Sumire,
The danger of any screensaver is that it is started without user intervention.
One of them is the logon screensaver in: HKU\.DEFAULT\Control Panel\Desktop\scrnsave.exe
Other one is user specific screensaver in HKCU\Control Panel\Desktop\scrnsave.exe
Any changes to these entries should be confirmed by the user. The vulnerability you mentioned instructs to replace the file logon.scr. But did you also try changing the registry to point to your app instead? It will work of course.
I will also add the keys you mentioned.
See also http://www.wilderssecurity.com/showthread.php?t=33418
-hojtsy-
hojtsy
June 5th, 2004, 11:08 AM
I added some more startup entries. I am still unable to find an app which monitors more than half of these startup entries by default, so the clear winners are the apps which enable the user to add custom registry keys to monitor.
-hojtsy-
Dazed_and_Confused
June 5th, 2004, 04:19 PM
{QUOTE-> ...so the clear winners are the apps which enable the user to add custom registry keys to monitor. <-QUOTE}
Hojtsy - Fantastic thread. :o Can you note which apps allow the user to add custom registry entries?
hojtsy
June 6th, 2004, 04:24 AM
{QUOTE-> Can you note which apps allow the user to add custom registry entries? <-QUOTE}
That is the last line in the table. Of these apps only RegRun and SSM are customizable.
-hojtsy-
strongarm
June 6th, 2004, 06:29 AM
Now this is a good thread!
Dazed_and_Confused
June 6th, 2004, 07:48 AM
{QUOTE-> That is the last line in the table. Of these apps only RegRun and SSM is customizable. <-QUOTE}
Thanks. I see it now. :)
Paranoid2000
June 6th, 2004, 09:26 AM
An interesting discussion this! I would suggest adding HKLM\SYSTEM\CurrentControlSet\Services - this is monitored by SSM even though it is not listed in the Plugins/Registry/Configuration key list (anyone know why?). This contains the startup details of all Services and would be a target for rootkits and other kernel-mode trojans.
Also should it be worth including the monitoring of files that allow startup programs? (e.g. system.ini, win.ini)
Edit: Answered my own question :o SSM monitors this under Plugins/Services which is a separate plugin. Still worth noting IMHO.
Dazed_and_Confused
June 6th, 2004, 10:36 AM
I understand that SSM allows the addition of additional registry keys for monitoring. Please excuse my lack of knowledge here, but why would the developer not include many more (if not all) registry keys by default? Is there a downside to adding additional keys?
Paranoid2000
June 6th, 2004, 10:55 AM
{QUOTE-> ...but why would the developer not include many more (if not all) registry keys by default? Is there a downside to adding additional keys? <-QUOTE}
The full Windows Registry can take up dozens of megabytes on some systems and there are some entries that are continuously updated. Keeping track of all Registry changes would therefore kill performance on virtually any system.
hojtsy
June 6th, 2004, 01:26 PM
Paranoid2000,
I will add the HKLM\SYSTEM\CurrentControlSet\Services key now. Files and folders were intentionally not included, because I focus on registry monitoring features, and not startup monitoring. In an other thread perhaps?
Dazed,
SSM could possibly monitor all the registry keys listed here. It seems that this list was never collected, only parts of it, so the SSM author might not had the info at the time of release. Note that process protection features of SSM are outdated. They are no match for DCS Advanced Process Termination, so you should still use DCS Process Guard for this purpose.
-hojtsy-
Dazed_and_Confused
June 6th, 2004, 03:17 PM
{QUOTE-> Note that process protection features of SSM are outdated. They are no match for DCS Advanced Process Termination, so you should still use DCS Process Guard for this purpose. <-QUOTE}
Hojtsy. Thanks. :D
Just to confirm - You're saying that SSM's registry monitoring capabilities are worthwhile, considering its ability to allow the user to add additional critical registry keys. But its Process Protection capabilities are outdated (as evidenced by the fact it is no match against DCS APT disabling capabilities), and that a user should disable this feature of SSM and rely on DCS PG for this protection?
{QUOTE-> The full Windows Registry can take up dozens of megabytes on some systems and there are some entries that are continuously updated. Keeping track of all Registry changes would therefore kill performance on virtually any system. <-QUOTE}
P2K - Understood - Thanks! I'm assuming the most critical ones are listed in the #1 post by Hojtsy.
WilliamP
June 6th, 2004, 03:33 PM
Hojtsy, in your post you said that only SSM and Regrun could be configured to add registry keys. If I'm not mistaken, Grr is also configurable.
WilliamP
June 6th, 2004, 03:43 PM
While I'm at it, I have a question. Why do different programs monitor different keys? By the way Hojtsy, you did a great service putting this together. Which keys would be the most important to monitor? ???
Dazed_and_Confused
June 6th, 2004, 03:54 PM
{QUOTE-> Which keys would be the most important to monitor? ??? <-QUOTE}
WillieP - I was wondering the same thing. I'm going to start out by adding everything in post #1. I'll bet the list in post #1 will grow as others visit...
Paranoid2000
June 6th, 2004, 04:17 PM
{QUOTE-> Just to confirm - Your saying that SSM's registry monitoring capabilities are worthwhile, considering its ability to allow the user to add additional critical registry keys. But its Process Protection capabilities are outdated (as evidenced by the fact it is no match against DCS APT disabling capabilities) , and that a user should disable this feature of SSM and rely on DCS PG for this protection? <-QUOTE}
Disabling this would mean losing SSM's application monitoring capability altogether (at least I cannot see how you can configure SSM to ignore termination attempts otherwise) - if you have other software that monitors which applications get executed (and gives you the same level of control that SSM does) then this application monitoring would be unnecessary duplication but otherwise it should be a valuable feature.
Also SSM maintains a checksum of monitored applications and will warn if any change - this acts to "inoculate" these files against virus infection so you should only consider disabling this if you have it covered elsewhere (some anti-virus/anti-trojan software does this, a firewall will do also but only for applications requesting Internet access).
hojtsy
June 7th, 2004, 03:04 AM
Admins,
I suggest this thread to be sticky. Many could benefit from the info collected here.
WilliamP,
Grr is not truly customizable. You cannot freely add any registry keys, only monitored extension associations and files. All of these keys are important to monitor. If you monitor 20 out of 30 autostart methods, you can be quite sure that the next trojan variant will use those non-monitored keys.
{QUOTE-> Disabling this would mean losing SSM's application monitoring capability altogether (at least I cannot see how you can configure SSM to ignore termination attempts otherwise) - if you have other software that monitors which applications get executed (and gives you the same level of control that SSM does) then this application monitoring would be unnecessary duplication but otherwise it should be a valuable feature.
<-QUOTE}
If you need that precise control over execution, where you specify which app could start which one, then you need SSM application monitoring, as nothing else provides this. But if you just would like to control which apps could be executed, that is provided by Process Guard. I personally don't need that granularity of control here, so I disable the app protection of SSM and enable the registry protection plugin. I use Process Guard for application protection.
{QUOTE->
Also SSM maintains a checksum of monitored applications and will warn if any change - this acts to "inoculate" these files against virus infection so you should only consider disabling this if you have it covered elsewhere (some anti-virus/anti-trojan software does this, a firewall will do also but only for applications requesting Internet access). <-QUOTE}
AFAIK, the same checksums are provided by Process Guard.
I requested the authors of DCS Registry Prot, Teatimer, Grr, and Ad-Watch to state the list of monitored keys. None of them did. This seems to be a secret. Are we dancing into illegality?
-hojtsy-
Pilli
June 7th, 2004, 03:26 AM
Hi hojtsy, Regarding autostart entries, DCS's Free Autostart viewer is a useful tool but as far as I know there is no complete list of autostart methods available.
Autostart viewer covers over 50 methods and these are listed here:
http://www.diamondcs.com.au/index.php?page=autostarts
Agreed this would make a good sticky :)
HTH Pilli
Paul Wilders
June 7th, 2004, 06:37 AM
off topic post removed
Khaine
June 7th, 2004, 07:02 AM
I'm sure that if you sent the author of SSM an email and point him to this thread he will add the registry keys to SSM, he sometimes frequents here so maybe he will see this.
Anyway this is a very informative thread, and I think that it should be stickied.
Justhelping
June 7th, 2004, 12:30 PM
I fully agree ,on both counts.
WilliamP
June 7th, 2004, 03:45 PM
I was under the impression that nothing could change the registry without executing. Consequently, if Process Guard keeps the baddies from executing, why the need to monitor the registry? ::)
hojtsy
June 7th, 2004, 04:25 PM
WilliamP,
-consider the example of CoolWebSearch. Initially it is not a separate executable on your computer, just some web component downloaded and executed by iexplorer. Process Guard will not stop it from executing, and it can freely overwrite any registry area.
-Alternatively, VBScript or Java application executions are only visible to Process Guard as execution of the VB engine and the Java virtual machine. It cannot distinguish between different Java applications, so either it blocks the engine completely, or allows all without any checksum or whatever. Of course VBScript or Java can freely write into your registry.
-If any of your trusted applications are successfully attacked with a buffer overflow attack (either internal or external attacker), the trusted app could be commanded to make any registry modifications.
And the list goes on and on...
Process Guard can not stop all malware from execution! It can only decrease the unwanted effects of already running malware.
Similarly, registry protection only decreases the unwanted effect of already running malware.
Anyway we are going off-topic. If you would like to continue this discussion about Process Guard please start a new thread.
-hojtsy-
WilliamP
June 7th, 2004, 04:49 PM
Hojtsy, thank you for your reply. I didn't mean to get off course. I had been told in another post that something has to execute to change the registry. The registry is not "a file".
The registry is an in-memory database which has backing store (for persistent keys) in one or more files on disk.
Why the nit-picking? Because the only agent that opens the registry hive files is the registry-management code in the exec. Programs that modify the registry do not open files, they open registry keys by issuing system calls to the registry manager. The files are already open (they're part of the exec's address space) and do not need to be re-opened for each user.
Therefore, nothing you do to the hive files will restrict the ability of user programs to access registry keys in those files.
Registry keys have their own security descriptors, enforced by the security reference monitor just as it enforces file security (the registry, the file system, and everything else that maintains securable objects just store the security descriptor 'somehow' and then call the security monitor to actually interpret it, thus the whole system has consistent security behaviour).
The usual 'do not run as an administrator' advice should protect the entire HKLM subtree.
Back to the question:
Something has to execute to modify the registry, since something has to execute in order to cause any actions at all. The registry does not spontaneously change.
So you may or may not be ok by restricting process execution. Me, I think that's intolerable in the same way I think that software firewalls are intolerable - they require familiarity with each and every program's internal behaviour. The registry is where programs are supposed to store certain data. Programs might very well modify the registry several times a second.
There are probably registry-monitoring tools that offer that level of micromanagement for registry ops.
I go for the "don't take software from strangers" approach myself.
WilliamP
June 8th, 2004, 03:55 PM
Come on, someone please respond to my post. I didn't write it. I only copied and pasted. I would like to have been smart enough to write it. ;D
Paranoid2000
June 8th, 2004, 08:51 PM
Well, since you asked...{QUOTE-> the usual 'do not run as an administrator' advice should protect the entire HKLM subtree. <-QUOTE}There are several techniques (known as "escalation of privilege vulnerabilities") that malware can use to gain administrator access. Running as a restricted user (power users can amend many of the HKLM entries) will add an extra obstacle but is not a universal fix - and can be pretty inconvenient in some cases.{QUOTE-> So you may or may not be ok by restricting process execution. Me, I think that's intolerable in the same way I think that software firewalls are intolerable - they require familiarity with each and every program's internal behaviour. the registry is where programs are supposed to store certain data. Programs might very well modify the registry several times a second.
I go for the "don't take software from strangers" approach myself. <-QUOTE}Well that pretty much rules out doing anything useful on your system, does it not? After all, when you purchase software from a vendor, how sure can you be that one of their systems has not been compromised allowing an outsider to add "a little extra" to their product? (few vendors will have the security knowledge shown by many on this board).
Assuming that you do choose to run software, you then need to be able to judge whether it is "safe" or not. Signature-based scanners (anti-virus and anti-trojan) can detect much (but not all) malware so "behaviour monitors" (firewalls, registry monitors, process protection) need to be the next line of defence in securing your system.
In the case of registry monitors, those listed here will warn you of changes in key parts of the Registry which you then need to decide to allow or deny. While this does require technical expertise (just as using a firewall requires experience in judging what network access programs need), most entries are straightforward and attempted abuse (a Java applet named "xyaedlt.jar" that tries to add itself to the startup list for example) easy to spot.
WilliamP
June 9th, 2004, 03:56 PM
Thank you Paranoid 2000 for the reply. In the first post by hojtsy is the list of the keys that are watched by different programs. Which ones are the keys that need to be watched? Thank you for the help.
hojtsy
June 10th, 2004, 01:57 AM
{QUOTE-> In the first post by hojtsy is the list of the keys that are watched by different programs. Which ones are the keys that need to be watched? <-QUOTE}
You already asked this and I already answered.
{QUOTE->
All of these keys are important to monitor. <-QUOTE}
-hojtsy-
WilliamP
June 10th, 2004, 06:10 PM
Hojtsy, I humbly apologize for my mistake. I hadn't taken your post literally when you said to watch them all.
WYBaugh
June 10th, 2004, 09:09 PM
Hi,
I wanted to throw another program into the mix...
WinPatrol (http://www.winpatrol.com) handles the following keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Microsoft\Windows\CurrentVersion\Run
HKCU\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Microsoft\Windows\CurrentVersion\RunOnceEx
HKCU\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
Thanks,
Bill
nick s
June 10th, 2004, 10:12 PM
Sysinternals released version 4.2 of Autoruns today (http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml). I would include their list in the consensus list, if any items are missing (I have not had time to compare).
Nick
hojtsy
June 11th, 2004, 07:21 AM
Thanks WYBaugh,
{QUOTE->
HKCU\Microsoft\Windows\CurrentVersion\Run
HKCU\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Microsoft\Windows\CurrentVersion\RunOnceEx
HKCU\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Microsoft\Windows\CurrentVersion\RunServicesOnce
<-QUOTE}
Those keys don't exist for me on Win2k. Are they present on Win9x or what??
The others will be added soon.
Thanks nick s,
The new Sysinternals Autoruns 4.2 is highly recommended. They just added several new keys, some of which were already listed here. Others will be added soon. Surprisingly they also removed some keys as compared to 4.03. I would be more satisfied to see an explanation for the removal of those.
-hojtsy-
Paranoid2000
June 12th, 2004, 04:37 PM
{QUOTE-> Paranoid2000,
I will add the HKLM\SYSTEM\CurrentControlSet\Services key now. <-QUOTE}
Based on the information given in Windows 2000 Registry: System and Startup Settings (http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/featusability/systeman.mspx) and a root through Usenet, it may be worth including the following:
HKLM\SYSTEM\ControlSet001-003 - one of these sets is copied into the CurrentControlSet on startup (which one will depend on the type of startup chosen). This could produce a big list of changes though if a different startup type is chosen!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ - the AppInit, Shell and UserInit fields of this key are already included on your list. In addition, "System" can contain applications that are started with system privileges and "VMApplet" determines what is run when you right-click on the My Computer icon and select Properties.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager - the Utility Manager can be configured to start accessibility programs on Windows startup so a trojan could be slipped in here by altering the Application Path and setting the Start with... field.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - processes to be run by svchost on startup could be added here.
There's doubtless dozens more possibilities, some needing more user intervention (e.g. modifying the Control Panel so that one of the options there runs a trojan instead). MS sure know how to make securing a system awkward... :(
hojtsy
June 13th, 2004, 04:14 PM
Hi,
I added several more keys to the table, from the posts here and from Sysinternals Autoruns 4.2.
Interesting app here: Registry Protector (http://www.real-protect.com/register.htm). Customizable keys and system driver level checking. This means the dialog is displayed *before* the change is entered into the registry, as compared to most other software discussed here. Support forum seems totally empty. ??? Maybe the first released version of the app. If anyone evaluates it, post your experiences.
-hojtsy-
WilliamP
June 14th, 2004, 04:13 PM
Hojtsy, you need to get someone to try that program ;D Is it really 59 dollars? Of course I don't mind paying for something, but. :-\
Dazed_and_Confused
June 14th, 2004, 06:14 PM
{QUOTE-> Hojtsy, you need to get someone to try that program ;D <-QUOTE}
I'm going to give it a try. Will let you know!
WilliamP
June 14th, 2004, 07:27 PM
You go for it D+C ;D Let us know what happens.
WilliamP
July 5th, 2004, 01:10 PM
Hojtsy, I'm trying a program, Prevx. One of its features is monitoring the Registry Run keys, though I don't know which.
Amerk_5
July 14th, 2004, 11:41 AM
I've just found another registry monitor program. It's called MJ Registry Watcher (http://www.jacobsm.com/#downloads). It was created by a user of Startup Monitor who wanted a program just as simple but more configurable. Here's the thread at the MLin.net message board, Really simple configurable version of Startup Monitor (http://www.mlin.net/ultraboard/UltraBoard.cgi?action=Read&BID=2&TID=611&SID=99347)
By default it watches only the following keys. However, you can set it to watch whatever keys you want.
hkey_local_machine\software\microsoft\windows\currentversion\run
hkey_local_machine\software\microsoft\windows\currentversion\runonce
hkey_local_machine\software\microsoft\windows\currentversion\runonceex
hkey_current_user\software\microsoft\windows\currentversion\run
hkey_current_user\software\microsoft\windows\currentversion\runonce
hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon
Starrob
July 21st, 2004, 10:55 AM
I am new here and I was just wondering. How does one add new Registry entries to System safety Monitor?
Paranoid2000
July 28th, 2004, 08:07 AM
Welcome to the forums Starrob,
In Preferences/Plugins/Registry/Configuration, right-click on any entry in the main window and select "Add new item...". SSM's Help includes instructions on this and some details on the values you can set.
GlobalForce
July 31st, 2004, 01:06 PM
{QUOTE-> Posted by Amerk 5: I've just found another registry monitor program. It's called MJ Registry Watcher. <-QUOTE}
This sounds promising. Reasonable size and "Rollback," plus custom keys. Mj's open for options on this; with some fine tuning he's on to a very useful program. (Good chuckle on "Scary Dude" post!)
GlobalForce
July 31st, 2004, 01:11 PM
P.S.- "Very fine thread start hojtsy, appreciate your efforts, and member input." ;)
Dazed_and_Confused
July 31st, 2004, 03:31 PM
It appears that more and more security apps these days are getting into the business of monitoring the registry. For example, Spybot S&D's "Teatimer" process apparently monitors a few registry keys. And Webroot's SpySweeper monitors changes made to keys where startup entries are placed.
I was getting ready to try MJ Registry Watcher (http://www.jacobsm.com/#downloads), but first have a couple questions for those of you more familiar with this subject.
Considering the abilities of S&D's Teatimer, and SpySweeper, do I really need more?
If I do install MJ, should I disable Teatimer and SpySweeper's registry monitoring capabilities? Will all of these apps present a conflict?
Thanks.
Amerk_5
July 31st, 2004, 04:19 PM
I'd recommend only using one program at a time to monitor the registry to prevent a conflict. There's bound to be some overlap on the entries that are watched.
I'm not sure which entries TeaTimer & SpySweeper monitor but if they monitor all the same entries as MJ Registry Watcher you don't need another program unless you want to use just MJ RW instead.
One of the main things about MJ RW that I like compared to the other programs is that you can have it watch any key you want.
Devinco
July 31st, 2004, 07:21 PM
Great thread Hojtsy!
Perhaps it could be improved by adding resource usage of the running apps.
For example, Spybot Search and Destroy 1.3 Teatimer (on XP Pro): ~ 6K
The number seems to change a little over time.
If any of you are interested, post the memory usage for registry monitor resident processes and maybe hojtsy will add it in post 1 in a row, a paragraph, or in parenthesis next to the description:
TT: Spybot Search and Destroy Teatimer (free) (~6K) .
Also that paragraph that you had in another thread where you explain the difference between poller, listener, and proxy would be beneficial in post 1.
You could also add a row to compare them like this:
SM¦ RP¦ PG¦ RR¦ TT¦ SS¦ GR¦ WP¦
_P ¦ P ¦ PR ¦ P ¦ P_ ¦ P ¦ P _¦ P _ ¦ Monitor Type: P=Poller, L=Listener, PR=Proxy
Note the above are unknown, just an example way to put it. (underscores are just to help me place them)
This would cover the current pollers and future proxies.
Please add the MJ RW, it looks promising.
If you keep adding programs, you may need to change the format to accommodate the long registry key lengths. (no idea on how to)
Dazed_and_Confused
July 31st, 2004, 08:26 PM
{QUOTE-> Great thread Hojtsy! <-QUOTE}
Ditto. Lots of good info. :)
GlobalForce
July 31st, 2004, 09:01 PM
@Amerk 5, this app is currently new and probably being updated as time permits for Mj, correct? It's good you have a stable app to include in Hojtsy's comparison tests, the more the better. Again, all this input is going to keep you busy Hojtsy, I'm sure all involved acknowledge your time and effort. ;)
hojtsy
August 1st, 2004, 03:32 PM
{QUOTE->
Considering the abilities of S&D's Teatimer, and SpySweeper, do I really need more?
<-QUOTE}
The list of keys monitored by Teatimer is, well, quite limited. I don't know about SpySweeper, and would gladly welcome the list of monitored keys. If they won't tell, then you can almost be sure that they miss some of the interesting keys. Every app misses some: just look at the list in post 1. But MJ is customizable and that is a completely different class! You can add any keys you want. (Hint: you want all the keys which I listed)
{QUOTE-> If I do install MJ, should I disable Teatimer and SpySweeper's registry monitoring capabilites?
<-QUOTE}
I would not advise disabling TeaTimer. It has another very useful feature: checking for spyware in memory. Unfortunately you cannot disable the reg monitoring feature separately.
{QUOTE-> Will all of these apps present a conflict? <-QUOTE}
Depends on what you call a conflict. I am quite sure that you will not get crashes just because you have more than 1 registry monitor running. But if an important key changes, both apps will alarm, and it may be tricky to answer both dialogs in a way which results in the desired registry state. I suggest running both, and you can still disable one of them later if problems occur.
{QUOTE->
Perhaps it could be improved by adding resource usage of the running apps.
<-QUOTE} Just post them and I will include them.
Regarding the reg monitor categories, your list is mostly correct. Process Guard is a Proxy, Greyware Registry Rearguard I don't know and all else is Poller. Once a real usable Proxy emerges I will put this important info into post 1, until then it is just complication. <Daydreaming>The silver bullet would be a Proxy with customizable list of monitored keys. Ahh. </Daydreaming>
BTW I don't expect problems with more and more apps in the list. I will only include the most powerful ones - why would you waste your time with the rest.
{QUOTE->
It's good you have a stable app. to include in Hojtsy's comparison tests, the more the better. Again, all this input is going to keep you busy Hojtsy, I'm sure all involved acknowledge your time and effort. <-QUOTE}
Thanks. ;D MJ starts with a very limited list of keys, so it may not be worthwhile to include in the table, but I will soon modify post 1 to mention it in some other way.
-hojtsy-
Dazed_and_Confused
August 1st, 2004, 04:38 PM
Hojtsy - Thanks for the info. I'm giving it a try. Regarding your list of registry keys:
I do NOT have these registry keys (running XP Home):
HKLM\SW\MS\Windows\CV\RunEx
HKLM\SW\MS\Windows\CV\RunOnce\Setup
HKCU\SW\MS\Windows\CV\Explorer\Browser Helper Objects (I do have HKLM\...)
HKLM\System\CCS\Control\Session Manager\BootExecute
HKLM\SW\Policies\Microsoft\Windows\System\Scripts\Shutdown
HKLM\SW\Policies\Microsoft\Windows\System\Scripts\Startup
HKLM\SW\Policies\Microsoft\Windows\System\Scripts\Logon
HKLM\SW\Policies\Microsoft\Windows\System\Scripts\Logoff
HKCU\SW\Policies\Microsoft\Windows\System\Scripts\Logon
HKCU\SW\Policies\Microsoft\Windows\System\Scripts\Logoff
HKU\*\Control Panel\Desktop\scrnsave.exe
HKU\*\SW\MS\Windows NT\CV\Windows\Run
HKU\*\SW\MS\Windows NT\CV\Windows\Load
HK*\SW\MS\Windows NT\CV\Winlogon\UserInit
HKLM\SW\MS\Windows NT\CV\Winlogon\Shell
HKU\*\SW\MS\Windows NT\CV\Winlogon\Shell
HKLM\SW\MS\Windows NT\CV\Winlogon\System
HKLM\SW\MS\Windows NT\CV\Winlogon\WmApplet
Am I to assume the keys you posted in post #1 are the only ones I need to monitor? Thanks again!
GlobalForce
August 1st, 2004, 09:25 PM
{QUOTE-> Posted by hojtsy : "The silver bullet would be a Proxy with customizable list of monitored keys. Ahh." <-QUOTE}
Hmmm, that would be something. Daydreaming?
hojtsy
August 2nd, 2004, 02:01 AM
{QUOTE->
I do NOT have these registry keys (running XP Home):
HKLM\SW\MS\Windows\CV\RunEx
HKLM\SW\MS\Windows\CV\RunOnce\Setup
HKCU\SW\MS\Windows\CV\Explorer\Browser Helper Objects (I do have HKLM\...)
HKLM\System\CCS\Control\Session Manager\BootExecute
HKLM\SW\Policies\Microsoft\Windows\System\Scripts\Shutdown
HKLM\SW\Policies\Microsoft\Windows\System\Scripts\Startup
HKLM\SW\Policies\Microsoft\Windows\System\Scripts\Logon
HKLM\SW\Policies\Microsoft\Windows\System\Scripts\Logoff
HKCU\SW\Policies\Microsoft\Windows\System\Scripts\Logon
HKCU\SW\Policies\Microsoft\Windows\System\Scripts\Logoff
HKU\*\Control Panel\Desktop\scrnsave.exe
HKU\*\SW\MS\Windows NT\CV\Windows\Run
HKU\*\SW\MS\Windows NT\CV\Windows\Load
HK*\SW\MS\Windows NT\CV\Winlogon\UserInit
HKLM\SW\MS\Windows NT\CV\Winlogon\Shell
HKU\*\SW\MS\Windows NT\CV\Winlogon\Shell
HKLM\SW\MS\Windows NT\CV\Winlogon\System
HKLM\SW\MS\Windows NT\CV\Winlogon\WmApplet
Am I to assume the keys you posted in post #1 are the only ones I need to monitor? <-QUOTE}
Yes, you need to monitor the keys present in post 1. Most of the keys listed by you are also absent for me on Win2000. Of these I only have:
HKLM\SW\MS\Windows\CV\RunEx
HKLM\SW\MS\Windows NT\CV\Winlogon\Shell
HKLM\SW\MS\Windows NT\CV\Winlogon\System
HKLM\SW\MS\Windows NT\CV\Winlogon\WmApplet
I believe that lacking these keys is normal. But if they are created by any app they can just as well be used to start up nasty applications. So you need to monitor them too.
-hojtsy-
Dazed_and_Confused
August 8th, 2004, 02:37 PM
Well, been using MJ RegistryWatcher for over a week now, with mixed results.
The only real problem I am having is that it seems to close (stop working) for no reason. Must be a conflict with some other software I'm running. Unfortunately, I get no error message. I just notice the icon is missing from my system tray, and I am forced to restart. ???
On the positive side, when it's on the job, it works really well. :) But then, so does TeaTimer. Whenever MJRW alerts me to a change, TT is there as well raising a flag. In other words, MJRW has not alerted me to a change that TT has not caught, but it's early. And I have added all the keys suggested above (that I have).
hkey_local_machine\software\microsoft\windows\currentversion\run
hkey_local_machine\software\microsoft\windows\currentversion\runonce
hkey_local_machine\software\microsoft\windows\currentversion\runonceex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
hkey_current_user\software\microsoft\windows\currentversion\run
hkey_current_user\software\microsoft\windows\currentversion\runonce
hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\FileRenameOperations
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
BillPStudios
September 15th, 2004, 08:48 PM
{QUOTE-> Hi,
I wanted to throw another program into the mix...
WinPatrol (http://www.winpatrol.com) handles the following keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Microsoft\Windows\CurrentVersion\Run
HKCU\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Microsoft\Windows\CurrentVersion\RunOnceEx
HKCU\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
Thanks,
Bill <-QUOTE}
Hey Bill,
I'd like to thank you for setting the record straight regarding WinPatrol and the registry keys that WinPatrol monitors. You are correct that Scotty will detect both changes and additions to the keys you list above.
We haven't publicly published all the registry entries that are monitored. I'd rather keep this information from those people who want to circumvent our security. In return for some silence, I give up any claims to monitor more locations than anyone else.
I can say that we monitor all the obvious locations listed above. We also monitor the Startup folders for shortcuts, which is pretty obvious too. Anyone who uses WinPatrol knows we check the locations where BHOs and IE Toolbars are stored. We monitor changes in the HOSTs file, Scheduled Tasks, Start Pages, Search pages and a few other locations which are quick indicators of an infiltration of some kind.
The newly released WinPatrol 8.0 has added a few more locations and indeed we saw the need for monitoring of file type associations. In the case of file type associations we have a default list that we monitor but users can add more or remove any file extensions that Windows uses.
I am very glad I found this thread because it has some great information that I haven't seen in other forums. The comments and questions I've read here will keep me thinking and will keep WinPatrol on target.
Thanks to all and to theWolf for pointing me here.
Bill Pytlovany
BillP Studios
MICRO
September 16th, 2004, 12:05 AM
Hey BillP,
Very many thanks to you and your team for Win Patrol and Scotty,
a superb program in the never ending war against right and wrong.
Kind Regards.
Paranoid2000
September 16th, 2004, 04:44 AM
{QUOTE-> We haven't publicly published all the registry entries that are monitored. I'd rather keep this information from those people who want to circumvent our security. In return for some silence, I give up any claims to monitor more locations than anyone else. <-QUOTE}An interesting point of view indeed. How would a list of monitored entries compromise security? Malware cannot just create Registry entries on the fly to exploit, it has to target those keys used by Windows or other applications. The only way a registry monitor can be circumvented is to either disable it or misdirect it.
In addition, if any vendor has found a hitherto unknown key that could be used to run programs on startup, wouldn't disclosure be the better option to allow everyone to protect themselves? (like anti-virus vendors share details on new viruses).
Infinity
September 16th, 2004, 05:30 AM
{QUOTE-> Malware cannot just create Registry entries on the fly to exploit, it has to target those keys used by Windows or other applications. The only way a registry monitor can be circumvented is to either disable it or misdirect it. <-QUOTE}
Exactly Paranoid, it would be a great way to win potential customers if they play open card with this. And WinPatrol wins credibility doing this. It is a great freebie but I don't think this either.
hojtsy
September 16th, 2004, 03:44 PM
{QUOTE-> You are correct that Scotty will detect both changes and additions to the keys you list above. <-QUOTE}Can you confirm that Scotty will detect and alarm for a removal of a startup entry from the registry?
{QUOTE-> We haven't publicly published all the registry entries that are monitored. I'd rather keep this information from those people who want to circumvent our security. <-QUOTE}For all Pollers, any determined hacker can discover the monitored keys with the free Sysinternals Registry Monitor in a few minutes. This means that attempting to keep the monitored list secret only results in it being secret for the customers, not for the hackers! It depends on your market strategy whether keeping this secret from customers is beneficial or not.
-hojtsy-
hacker7
September 16th, 2004, 05:39 PM
Just curious Hojtsy if Reg Mon can be used to find out the monitored keys, and it's so easy, why aren't you using it to accurately determine which reg keys are monitored by which products? You could then accurately list which keys are monitored by all the products on your list and wouldn't need to ask BillP to confirm anything. Also you could list what other programs like Adwatch monitor that aren't yet on the list.
hojtsy
September 17th, 2004, 07:13 AM
{QUOTE-> Just curious Hojtsy if Reg Mon can be used to find out the monitored keys, and it's so easy, why aren't you using it to accurately determine which reg keys are monitored by which products? <-QUOTE}Currently the only reason for that is that I do not have, or want, every one of these tested programs installed on my machine. About the ease of Reg Mon: you do not need to believe me, just try it yourself.
{QUOTE-> You could then accurately list which keys are monitored by all the products on your list and wouldn't need to ask BillP to confirm anything.
<-QUOTE}The weakness of Reg Mon is that it only lists the registry keys which are repeatedly read by the software; it does not tell what the software does with the values it reads. So to be sure that the software correctly reports removals of startup entries you need to check it by removing entries and waiting for an alert. Ideally this should be repeated for each startup location which is monitored. I have a real life, and I don't have that much time for this, so I asked instead for this specific information to be obtained by somebody else.{QUOTE-> Also you could list what other programs like Adwatch monitor that aren't yet on the list. <-QUOTE}Yes, if I had or wanted Adwatch installed on my computer. But if any of you have or want Adwatch I would be grateful if he could send in the list of monitored keys, obtained from Sysinternals Registry Monitor. About other, yet unlisted software: I will include it of course if it is worthy of mention here.
-hojtsy-
BillPStudios
September 17th, 2004, 03:45 PM
{QUOTE-> Can you confirm that Scotty will detect and alarm for a removal of a startup entry from the registry?
<-QUOTE}
I can confirm that WinPatrol will not alert users when a typical startup entry is removed. It's not something we've addressed but it's not a bad idea since historically some virus programs have been known to remove popular anti-virus programs. It would be one symptom of an infiltration but I suspect other obvious conditions would cause Scotty to alert our users.
The list of reg entries found here is great and I'm grateful to hojtsy for getting the discussion going. It's given me a lot to think about but I'd rather not get into a competition over reg entries as the holy grail for evaluating a product's value.
I'm a big fan of the free products that have been mentioned in this thread. I consider them as colleagues in our efforts to fight mysteryware. Our competition are the b%^#*%ards who use scare tactics on unsuspecting users. They claim to be free, then warn users they have 100 serious infections (usually tracking cookies) followed by an offer to help only if they are paid $49.
I may not be right but it's the way my brain works.
Thanks again,
Bill
Atomas31
September 17th, 2004, 04:33 PM
Does anyone know what keys are watched by Ad-Watch, Spy Sweeper and PrevX?
Thank you,
Atomas31
hojtsy
September 17th, 2004, 04:44 PM
Note: there is a new and even better Sysinternals Autoruns 5.01. If you are using an older version check it out! A new key to chew on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Will add this key soon to the big table, no software monitors it yet.
__________________________________
{QUOTE-> I'd rather not get into a competition over reg entries as the holy grail for evaluating a products value. <-QUOTE}I agree that the list of reg entries should not be the only measurement of a product's value. You should also consider stability, resource usage, ease-of-use, support, other features, costs, compatibility, etc. I believe that the perceived importance of these factors, and thus the perceived value of specific products, will differ from person to person. I did not intend to compare the value of specific products. Each of you should do that yourself, based on your preferences. My goals with the thread are:
- I intend to help the product comparison with some not-so-well-known information.
- I was interested myself in the key lists, which could help me to select a software. I am always looking for an even better one.
- I hoped to pressurize any of the authors to improve the monitored key list: up to now this was a failure, as none of them made a change for a long time.
-hojtsy-
erikguy
September 18th, 2004, 01:17 AM
{QUOTE-> HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Will add this key soon to the big table, no software monitors it yet. <-QUOTE}
I believe the final release (1.0) of Prevx watches this. Don't quote me on that. :P I'm not too sure.
BillPStudios
September 18th, 2004, 05:38 PM
{QUOTE-> - I hoped to pressurize any of the authors to improve the monitored key list...
<-QUOTE}
Authors are funny about stuff but you did accomplish a great discussion on what keys need to be monitored and why. You've also pressured me to look more closely at our keys and which ones should be included in future versions. WinPatrol 8.0 didn't add a lot of new keys with the exception of the file type association list.
Our biggest problem this year hasn't been in detecting threats but in making it easy for users to remove them. So much mysteryware comes in multiples that it's a real challenge. In the past, I've referred people to CWShredder when all else fails but I read we won't be seeing updates in the near future.
You can bet WinPatrol 9.0 will include more registry keys and it will be thanks to your thread here.
Thanks!
Bill
Rita
September 18th, 2004, 06:23 PM
{QUOTE-> I can confirm that WinPatrol will not alert users when a typical startup entry is removed. It's not something we've addressed but it's not a bad idea since historically some virus programs have been known
Thanks again,
Bill <-QUOTE}
Hi Bill
I love WinPatrol-a great program
Rita
Dmitry Sokolov
September 29th, 2004, 04:33 AM
Hi,
Good news!
RegRun 4 Gold automatically traces all keys in the list.
Please download the latest trial version and see what you think:
http://www.greatis.com/regrung400b2.exe
Home page:
http://www.regrun.com
After reading this thread I decided to take some of your suggestions and I have added all items that are important for startup.
Here are some changes and other info on entries that were discussed here, as well as others I added that were not mentioned.
1. HKLM\SW\MS\Windows\CV\RunOnce\Setup
The "Setup" key contains information for Microsoft setup.
It is not used to start programs.
2. HKCU\SW\MS\Windows\CV\Explorer\Shell Folders.
I added only Startup value for tracing.
Note!
Some of the values ("Cache", "Cookies") are changed during a Windows session for the LocalService account. After the Internet connection is finished they are switched back.
3. HKLM\SW\MS\Active Setup\Installed Components
Active Setup is traced by RegRun internally.
Active Setup option in Control Center, Options, Registry Tracer.
Also you can trace any file extension using RegTracer.
The Add/Remove commands are in the same place.
4. HKLM\System\CCS\Control\Session Manager\FileRenameOperations
This was already included and is called Anti Replacement in RegRun.
5. HKLM\SYSTEM\CurrentControlSet\Services
Services are monitored internally.
This key is added to trace list under Windows 98/Me.
6. HKLM\SW\MS\Windows NT\CV\IniFileMapping
Added traces for win.ini and to system.ini.
Other .ini files are not important.
7. Winlogon values:
Run, Load, Shell are controlled by RegRun Start Control internally.
8. HKLM\SW\MS\Windows NT\CV\Winlogon\WmApplet
Typo!
It must be
HKLM\SW\MS\Windows NT\CV\Winlogon\VmApplet
Virtual Memory manager for Winlogon.
Used only if there is no page file on the boot volume and the user needs to set it up.
9. HKLM\SW\MS\Windows NT\CV\Winlogon\System
Looks like it's not used for startup.
Here are some other items that were not discussed here that I have added:
HKLM\SW\MS\Windows NT\CV\Winlogon\Taskman
This value is used to launch Task Manager.
Anyone can specify any program to run instead of Taskman.exe which could be dangerous.
By default this value does not exist.
Format is REG_SZ.
I added "Procman.exe".
It is successfully executed during startup.
Note!
This is Winlogon Taskman.
After finishing startup Windows uses standard task manager.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2
This key is very important.
Spyware often uses this key to install its own components.
Comments, suggestions are appreciated:
http://www.greatis.com/regrun3support.htm
Best regards,
Dmitry Sokolov
RegRun's developer
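The monitors compared in this thread are pollers: they take a snapshot of the watched keys, compare it with the previous snapshot, and alert on the difference. The following is an added Python example of that loop, not code from RegRun, WinPatrol or any other product named here. It expands the abbreviated key paths from Dmitry's list, reports additions, changes and removals (the removal case Bill says WinPatrol does not alert on), and runs offline against two constructed snapshots; the `read_live_snapshot` helper that reads the real keys through `winreg` is an assumption about how a practitioner would wire it up on Windows and is only called there.

```python
"""Polling autostart-key monitor: snapshot, diff, alert.

Added example; constructed data, not any product's own code.
"""
import sys
import time
from typing import Dict, List, Tuple

# Keys discussed in the thread (abbreviations such as SW\MS\CV expanded).
WATCHED_KEYS = [
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks",
]

Snapshot = Dict[str, Dict[str, str]]          # key path -> {value name: data}
Change = Tuple[str, str, str, str, str]       # (kind, key, name, old, new)


def diff_snapshots(before: Snapshot, after: Snapshot) -> List[Change]:
    """Return every added, removed or changed value across the watched keys."""
    changes: List[Change] = []
    for key in WATCHED_KEYS:
        old = before.get(key, {})
        new = after.get(key, {})
        for name in sorted(set(old) | set(new)):
            if name not in old:
                changes.append(("added", key, name, "", new[name]))
            elif name not in new:
                # A removed startup entry is reported, not silently accepted.
                changes.append(("removed", key, name, old[name], ""))
            elif old[name] != new[name]:
                changes.append(("changed", key, name, old[name], new[name]))
    return changes


def format_alert(change: Change) -> str:
    kind, key, name, old, new = change
    return f"[{kind.upper()}] {key} :: {name!r} {old!r} -> {new!r}"


def read_live_snapshot() -> Snapshot:
    """Windows only: read the values of each watched key with winreg.

    Assumed helper; reads one level (values only), no subkey recursion.
    """
    import winreg  # imported here so the diff logic stays importable elsewhere
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snap: Snapshot = {}
    for key in WATCHED_KEYS:
        hive, _, subkey = key.partition("\\")
        values: Dict[str, str] = {}
        try:
            with winreg.OpenKey(hives[hive], subkey) as handle:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(handle, index)
                    except OSError:
                        break
                    values[name] = str(data)
                    index += 1
        except OSError:
            pass  # missing key counts as empty, so its creation shows as "added"
        snap[key] = values
    return snap


# Constructed snapshots: one removal, one change, one addition, one no-op.
BEFORE: Snapshot = {
    WATCHED_KEYS[0]: {"SecurityScan": r"C:\Program Files\ExampleAV\scan.exe"},
    WATCHED_KEYS[2]: {"Updater": r"C:\Tools\updater.exe"},
    WATCHED_KEYS[3]: {"Shell": "explorer.exe", "Userinit": r"C:\Windows\system32\userinit.exe,"},
}
AFTER: Snapshot = {
    WATCHED_KEYS[0]: {},
    WATCHED_KEYS[2]: {"Updater": r"C:\Tools\updater.exe"},
    WATCHED_KEYS[3]: {"Shell": r"explorer.exe, C:\constructed\extra.exe",
                      "Userinit": r"C:\Windows\system32\userinit.exe,"},
    WATCHED_KEYS[4]: {"{00000000-CONSTRUCTED-0000}": ""},
}


def poll(interval_seconds: int = 10) -> None:
    """Poll the live registry and print alerts, like a 10-second poller."""
    last = read_live_snapshot()
    while True:
        time.sleep(interval_seconds)
        current = read_live_snapshot()
        for change in diff_snapshots(last, current):
            print(format_alert(change))
        last = current


if __name__ == "__main__":
    for c in diff_snapshots(BEFORE, AFTER):
        print(format_alert(c))
    if sys.platform == "win32" and "--live" in sys.argv:
        poll()
```

Run without arguments on any platform to see the three alerts from the constructed snapshots; on Windows, `--live` polls the real keys. The interval is the trade-off the thread keeps returning to: a shorter poll catches changes sooner but costs CPU, and no poller intercepts the write itself.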
Chris12923
October 2nd, 2004, 01:54 AM
Thanks Dmitry, RegRun is a great program that is a part of my everyday security.
Thanks,
Chris
TopperID
October 2nd, 2004, 06:38 PM
RegRun looks like a serious bit of kit. How regularly does it monitor these keys though? I mean Tea Timer is pretty quick to warn of a change while WinPatrol can take a minute or two to get round to looking?
Chris12923
October 3rd, 2004, 12:49 AM
{QUOTE-> RegRun looks like a serious bit of kit. How regularly does it monitor these keys though? I mean Tea Timer is pretty quick to warn of a change while WinPatrol can take a minute or two to get round to looking? <-QUOTE}
Watchdog, which is the monitor, can be customized to however many minutes you want. By default it is set to check every 10 minutes.
It is a nice suite of utilities. Hopefully you will d/l the NIVA 4 beta and give it a test.
Thanks,
Chris
hojtsy
October 6th, 2004, 03:44 PM
Thanks Dmitry,
FINALLY an author catches up with The List! Now we are one step ahead of the spyware writers by already monitoring several less obvious keys which were not yet widely used for attacks.
I will ask to update post #1 soon, but you know it's much more hassle now that direct editing of old posts is disabled.
-hojtsy-
Paranoid2000
October 6th, 2004, 04:38 PM
{QUOTE-> I will query to update post #1 soon, but you know it's much more hassle now that direct editing of old posts are disabled. <-QUOTE}Why not just start a new thread - link to it from your last post here (also include a link to this thread in it for review purposes) and send a PM to one of the mods asking them to stick the new and de-stick the old.
Robyn
October 9th, 2004, 05:43 AM
I have just found this thread as recently I have been giving serious consideration to this type of software as I realise that not every monitor is watching the same keys. I am very interested in this whole discussion especially the 'new to me' Regrun. I have some back reading to do but I have certainly found a lot of information to digest and try to work out which one is the next to add to my security.
It would be great to have a new thread with the information gathered from this one to have a comparison list to help others who are trying to source the best tool. I don't mind paying for a program if it does the task it is meant to; I just need to study how to use it first :-[ I value all the opinions already posted in this thread.
hojtsy
October 15th, 2004, 05:24 PM
hi,
If I started a new thread every time The List needs to be updated, the information you found in this thread would be scattered between 20 threads, and I would definitely be unable to follow them.
Regrun will be updated in post #1 in a few hours, based on my understanding of Dmitry's post. Dmitry, could you please check post #1 to see if I understood your post correctly.
I would like to broaden the topic now: if somebody discovers a spyware in one of the more exotic registry autostart locations (that means NOT HK*\SW\MS\Windows\CV\Run*), could you please post the location and the spyware name. Such experiences would justify the monitoring of those keys even for those cozy guys who tend to believe in statements like "this exploit is not yet used so it is not dangerous". ;D
best regards
-hojtsy-
Longboard
October 21st, 2004, 10:15 AM
Thanks guys. Remarkable thread. I don't understand a lot of what you are referring to but know that this sort of collaboration, when taken up by vendors such as greatis, can only help. As greatis/Dmitry seem to be the only vendors actively participating and acknowledging so, and as I am on the search for this type of software, I will almost certainly be heading off their way. Thanks again.
richrf
October 21st, 2004, 11:05 AM
Hi everyone,
I downloaded a trial of RegRun Gold, but I have to admit I am pretty confused about the primary benefits of the product. Are there any specific areas of the program that I should be looking at? For protection at this point I use: KAV 4.5.104, ZoneAlarm Pro, Ewido, Giant Anti-Spy, Ad-aware, Spybot, SpywareGuard, SpywareBlaster, and I use CCleaner for registry cleaning. I am waiting for ProcessGuard 3.0 to try it out. Do I need RegRun for anything? I think RegRun needs a specific highlights paper to point potential buyers to the key features. But it looks like a very interesting product.
Thanks,
Rich
Devinco
October 21st, 2004, 11:34 AM
Hi richrf,
The primary benefit of Regrun is protecting your registry. Websites (using exploits) are able to alter your registry even with all your other security.
If regrun detects something changing your registry, it can alert you and let you restore it immediately. There are other benefits, but that is the main one.
richrf
October 21st, 2004, 12:02 PM
Hi Devinco,
As always, thanks for your quick response.
I currently have RegProt, TeaTimer, and Adaware Watch. I've turned off RegProt and TeaTimer because they appear to overlap with Adaware Watch, and all of the alerts were getting a bit annoying. Please correct me if I am wrong.
Insofar as RegRun is concerned, it appears that it amplifies the protection that the other programs I have mentioned provide. Am I correct? If so, how do I turn on this protection in my trial version so that I can verify? There are so many features in this program, it is like finding a needle in a haystack.
Any further information or advice is appreciated.
Rich
nick s
October 21st, 2004, 12:15 PM
Hi richrf,
You can enable Watch Dog (the registry monitor component) under Options in the RegRun Control Center.
Nick
Devinco
October 21st, 2004, 01:10 PM
Rich,
You should only need/use one registry monitor. AdWatch is not listed here and I don't know if it can monitor user configured registry keys. That is the important thing so you can add all the keys that hojtsy listed to monitor. If adwatch can add custom keys, then add the list of keys in post 1. If not, then I would go for regrun.
richrf
October 21st, 2004, 01:12 PM
Thanks Nick and Devinco for your help. I will check out the configurability of Adware Watch.
Cya,
Rich
bellgamin
October 21st, 2004, 09:17 PM
I have been running Registry Watcher for several days now. I got it from HERE (http://www.jacobsm.com/#downloads).
RegWatcher is configurable. That is, you can add or delete registry items that you want this program to monitor. It maintains this list on a simple, easily edited text file.
RegWatcher uses only 2 threads occupying 671.1K of memory. It is a polling scanner. It scans every 10 seconds. When it scans it uses just 1.5% of my 233 MHz CPU's cycles. Each scan is done in the blink of an eye. Between scans, RegWatcher's CPU usage is below measurable levels.
To uninstall simply delete the file folder where you put RegWatcher. It adds no files other than those in its own folder.
I really like RegWatch, & I am very grateful to this thread for having put me onto it, & for giving me the registry items that it should monitor.
Mahalo...... bellgamin
TopperID
October 22nd, 2004, 10:54 PM
Hmmm! Another contender!
I've been running WinPatrol for the last few weeks and I must say I really like it. It not only keeps you informed about changes to your autostarts, BHOs, IE helpers and running processes etc, it also gives you the opportunity to do something about it by terminating malware processes simultaneously.
Thus if you get hit by several 'alien' processes that work in tandem with each other (thus preventing you from terminating each of them on an individual basis) you can select all of them together (by using the control key in the usual way) and then kill them all at once. You can also get WinPatrol to simultaneously delete them at reboot if all else fails.
I'm not sure if the other contenders have this multiple kill ability.
richrf
October 23rd, 2004, 12:33 AM
Hi all,
I downloaded WinPatrol and Registry Watcher. Both seem very simple and to the point. Just a quick - and very simple-minded question.
It looks like with Registry Watcher I can just plop in the keys that I want to monitor and that's it. Is there any reason to use RegProt, Ad-Watcher, Tea Timer, or any of these other programs if Registry Watcher is doing the same thing and more? Am I missing something?
Thanks.
Rich
BrainWarp
October 23rd, 2004, 01:22 AM
What about just using Prevx? Seems to me that would be enough, even though RegWatcher seems pretty cool too.
Chris12923
October 23rd, 2004, 01:28 AM
I'm confused as to why you would use anything besides RegRun considering it monitors all the main keys to be concerned with by default as well as being able to add any others you may need. If someone can explain this I would be interested.
Thanks,
Chris
richrf
October 23rd, 2004, 01:48 AM
Hi Chris,
I tried out RegRun and it kept blowing up all over the place so I figure there is some incompatibility on my system. For me, registry monitoring is a medium priority since I already have Ad-Watch running and I will probably be getting Process Guard when it is out of beta. So I really don't want to spend too much time figuring out how to get RegRun up and running. The other registry monitors run without any problems, including RegProt, Tea Timer, Ad-Watch, and RegWatcher. For me, any one of these is O.K., though RegWatcher seems to be surprisingly simple and straightforward. I wonder why all of the vendors don't just do this? Does monitoring all of the suggested registry keys consume too many resources?
Rich
richrf
October 23rd, 2004, 01:52 AM
Hi BrainWarp,
Thanks for the headsup on prevx. I will be looking at it.
Rich
richrf
October 23rd, 2004, 02:09 AM
Well Brainwarp. Prevx looks too kewl. Ad-Watch has just been forced out in order to make room for Prevx in the highly coveted spot in my system tray - where only the very best get to stay. Thanks for the rec.
For those interested, my system tray now has prevx, zap, spysweeper, kaspersky 4.5.104, ewido, and watchdog - and lots of commonsense. There is a place reserved for Process Guard 3.0.
Rich
TopperID
October 23rd, 2004, 11:01 AM
:P What is a Registry monitor for? It seems to me that it is an additional line of defence AFTER your AV/FW defence has been breached, by which time you're already in trouble!
It's all very well a monitor popping up and telling you that changes have been made and offering you the possibility of denying them, but the fact is that if you have 'alien' processes/services running they are simply going to make the change again at the first opportunity. So you need something that will give you a chance to tackle these underlying processes.
WinPatrol, with its multiple kill and simultaneous delete ability, gives you the chance to fight back! Do the others (eg RegRun) have this facility? Individual squashing of processes simply may not work with groups of 'nasties' that work together as a team - they just keep resurrecting each other!
Paranoid2000
October 23rd, 2004, 11:35 AM
{QUOTE-> Do the others (eg RegRun) have this facility? Individual sqashing of processes simply may not work with groups of 'nasties' that work together as a team - they just keep resurrecting each other! <-QUOTE}System Safety Monitor can not only block/monitor registry changes, but it can prompt you when a new executable runs (suspending it pending your reply) - giving you the chance to block malware from even starting. And it's currently free (the author is planning a shareware version sometime next year - but a free version should still be available).
bellgamin
October 23rd, 2004, 04:19 PM
{QUOTE-> I'm confused as to why you would use anything besides RegRun considering it monitors all the main keys to be concerned with by default as well as being able to add any others you may need. If someone can explain this I would be interested. <-QUOTE}
I can't get RegRun's WatchDog to cycle more often than once in 3 minutes. I think that's too slow for a polling scanner. Also, RR's WatchDog's load is heavier than RegWatcher's -- that's a significant consideration for my decrepit computer. Also, RR's Registry Tracer's configuration menu for adding or removing registry items to be scanned is a tedious, item-by-item process, compared to the fact that RegWatcher uses a simple text file. However, I do like & use RR for other purposes.
richrf
October 23rd, 2004, 10:47 PM
Oh, forgot to add that I am experimenting with WinPatrol on my system tray also. It is getting a little more crowded than I would like, but so far everything is behaving pretty well and I do not notice too much overlap in function.
It seems like Prevx is performing very similar functions to SSM and PG. Is anyone familiar with the basic differences between these three programs? Thanks.
Rich
Notok
October 23rd, 2004, 11:06 PM
Prevx protects files on the drive, Process Guard protects objects in memory. Take a quick look through the Prevx protection settings and click on each option to read the description. They're both great programs that complement each other perfectly, IMO.
Bellgamin: I've noticed that with RR you have to restart the program for it to lower the amount of time between its checks. I've got mine set at 1 min right now. You're right, though, it really is too bad it isn't real-time protection, and the registry tracer really should have an option to easily add every preset option at once, like it does with file protection. It's a great app, but the security options are almost secondary to me.
richrf
October 23rd, 2004, 11:44 PM
Hi Notok,
Thanks for the explanation. Right now I am very pleased with Prevx and I have zero problems running all of my system tray programs side-by-side - which is great by me. I even have BOClean running right now for some additional protection but it is probably redundant with Ewido. I have to turn them off when I do a full system scan with KAV.
I think that PG will be the last program I will put in my system tray once it is out of beta and it looks like it will also run smoothly with the existing set of programs. Glad to hear that it will complement Prevx.
Thanks,
Rich
Paranoid2000
October 24th, 2004, 03:03 AM
{QUOTE-> Prevx protects files on the drive, Process Guard protects objects in memory. <-QUOTE}Process Guard and SSM both also act as "application firewalls" allowing you to create rules to permit or block programs from running as well as restricting them from certain operations (physical memory access, driver/service installation, DLL injection). SSM offers registry, start menu startup and Windows .ini file (win.ini, system.ini) monitoring also.{QUOTE-> You're right, though, it really is too bad it isn't real-time protection and the registry tracer really should have an option to easily add every preset option at once, like it does with file protection. <-QUOTE}None of the registry monitors seem to be real-time (in the sense of catching/blocking changes as they are made) unfortunately. SSM's default setting of checking every 7 seconds (17 for services) doesn't seem at all heavy on CPU usage though (3 minutes out of over 9 hours uptime so far on my 1 GHz PIII system) so maybe other monitors could be run more frequently?
Notok
October 24th, 2004, 03:21 AM
{QUOTE-> Process Guard and SSM both also act as "application firewalls" allowing you to create rules to permit or block programs from running as well as restricting them from certain operations (physical memory access, driver/service installation, DLL injection). SSM offers registry, start menu startup and Windows .ini file (win.ini, system.ini) monitoring also. <-QUOTE}Right, but Prevx stops a process from adding/modifying/deleting the actual file itself. Process Guard is focused on memory, so it checks the file when it starts, it doesn't stop anything from actually accessing the file itself. It intercepts the attempt in real time, so you know BEFORE the file is changed, rather than just knowing that the file has somehow changed.
{QUOTE-> ...so maybe other monitors could be run more frequently? <-QUOTE}True, more often would probably suffice. I'm actually kind of torn on the issue; there are advantages to both sides. When installing something, its check will show everything at once, rather than a series of pop-ups, so it's less intrusive in some instances.
Paranoid2000
October 24th, 2004, 03:30 AM
{QUOTE-> Process Guard is focused on memory, so it checks the file when it starts, it doesn't stop anything from actually accessing the file itself. It intercepts the attempt in real time, so you know BEFORE the file is changed, rather than just knowing that the file has somehow changed. <-QUOTE}It's probably worth noting (for those unfamiliar with PG or SSM) that both will flag file changes the next time it is run.{QUOTE-> True, more often would probably suffice. I'm actually kind of torn on the issue, actually, there's advantages to both sides. When installing something it's check will show everything at once, rather than a series of pop-ups, so it's less intrusive in some instances. <-QUOTE}With SSM, you get one popup window for all its plugins which then gets updated with multiple entries, so you do get the best of both worlds there. A monitor that could intercept changes before they were made would be a more secure option but SSM does block many changes by default (i.e. it removes the changes and you have to permit them manually to restore them). This can be adjusted though.
Notok
October 24th, 2004, 03:43 AM
{QUOTE-> It's probably worth noting (for those unfamiliar with PG or SSM) that both will flag file changes the next time it is run. <-QUOTE}Then it's also probably worth noting that I refrain from talking about SSM because I don't know a lot about it. I just couldn't get it working right with my setup and uninstalled it after only a day or two of tinkering. So it's not that I don't like SSM, I just can't really say much about it at this point. :)
Notok
October 24th, 2004, 03:55 AM
{QUOTE-> With SSM, you get one popup window for all its plugins which then gets updated with multiple entries, so you do get the best of both worlds there. A monitor that could intercept changes before they were made would be a more secure option but SSM does block many changes by default (i.e. it removes the changes and you have to permit them manually to restore them). This can be adjusted though. <-QUOTE} I'm betting that this will become more refined in some product at some point in the future; I think the concept is still relatively new. My initial experience with an earlier beta of this was that it kept going and stealing focus. I changed the settings to make it a little better, but I still found it a bit awkward at times (in the short time I had it.)
Paranoid2000
October 24th, 2004, 04:22 AM
{QUOTE-> Then it's also probably worth noting that I refrain from talking about SSM because I don't know a lot about it. <-QUOTE}Shhhh...I'm trying to refrain from talking about any other registry monitors for the same reason - don't out me here! ;)
Notok
October 24th, 2004, 04:41 AM
:-X ;) :lurking:
;D
richrf
October 24th, 2004, 08:45 AM
Hi,
Same here. SSM looked like a darn good product but it kept crashing. I had similar problems with PG 2.5, but less so. Now I am just going to wait for PG 3.0 and see what happens. I think PG 3.0 will also help me fill in any keylogger holes that I might have in my security defenses. I don't get the sense that any of the security programs are really targeting keyloggers, though I would think it would be fairly straightforward to monitor keyboard and monitor hooks as Keylogger Killer does. I could load Keylogger Killer but I haven't read too much about it and I have a stable system at this time.
Rich
Pilli
October 24th, 2004, 09:14 AM
This has been a very interesting thread :)
Regarding keyloggers, Process Guard stops them dead: it blocks .dll injection into other programs' process memory space and also blocks any Registry .dll injection, providing .dll blocking is enabled in the General tab.
Dazed_and_Confused
October 24th, 2004, 09:19 AM
{QUOTE-> ....None of the registry monitors seem to be real-time (in the sense of catching/blocking changes as they are made) unfortunately.... <-QUOTE}
Hello, P2K. :)
I believe you're familiar with MJ Registry Watcher (http://www.jacobsm.com/#downloads), and it does seem to catch changes real-time...or at least it seems to. I've been using it for months, and it works great.
richrf
October 24th, 2004, 09:29 AM
From my own experimentation, it seemed like Tea Timer, Ad-watcher, and Premx were all more or less real-time. They would all shoot up on the screen practically at the same time. Right now I have settled on Premx which seems like a darn good product as does WinPatrol.
Rich
Paranoid2000
October 24th, 2004, 11:13 AM
{QUOTE-> Same here. SSM looked like a darn good product but it kept crashing. <-QUOTE}If you haven't already done so, give the latest version (1.9.5) a shot - it's currently in beta but is a substantial improvement over 1.9.4. If you encounter problems with this, enable logging (create a file ssmlog.log in your C:\ folder and ensure your user account has Write access to it - SSM will write to this automatically if it is present) and email the results to DivineGlitch (at) mail.ru (if the logfile is large, compress it first please). Reported problems are being fixed (1.9.5 is on beta 3 now) but the more people that give detailed bug reports, the better the final release should be.{QUOTE-> I had similar problems with PG 2.5, but less so. <-QUOTE}PG 2.5?! Hey, I missed a version! :D{QUOTE-> I believe your familiar with MJ Registry Watcher, and it does seem to catch changes real-time...or at least it seems to. I've been using it for months, and it works great. <-QUOTE}Hello again D&C - long time no see! I'm not familiar with MJ's program so thanks for the pointer - according to the page though, it does not intercept Registry changes but detects them after they have been made. To that extent it seems much like all the others although it may well respond more quickly.{QUOTE-> I have settled on Premx... <-QUOTE}May we take it that you mean Prevx or have you found a new toy for us to play with? ;D
Meltdown
October 24th, 2004, 11:21 AM
I recall a post a while back, I think by Blackspear, reporting a conflict between SSM and Prevx that may explain richrf and Notok's experiences.
bellgamin
October 24th, 2004, 03:54 PM
{QUOTE-> Right now I have settled on Premx which seems like a darn good product as does WinPatrol. <-QUOTE}
I think that a registry monitor should list exactly WHAT it is monitoring, and should be configurable so that the user can readily add or subtract from that list. Registry Watcher meets these criteria. WinPatrol does not. Other than this, WinPatrol is a superb program (I have the *PRO* version).
richrf
October 24th, 2004, 07:48 PM
Thanks for all of the suggestions guys. I will give SSM a try and see what happens.
I agree that Registry Watcher has a very nice approach, but I decided on Prevx (sorry about the previous typo) because it appeared to have additional functions besides registry monitoring and they seemed to be very useful. Correct me if I am wrong.
If you guys had a choice between Process Guard 3.0 and SSM for additional registry and program protection, would it be a toss-up or do you have specific reasons to choose one or the other? On my system, PG 2.5 was slightly more stable than SSM (current full-release version) but neither was as stable as the other programs in my system tray at this time, which is why I decided to uninstall both until the next full releases. What have you guys been experiencing? I sort of like it now that my system has pretty good protection and isn't crashing from the protection software.
Just for the fun of it, I am trialing NOD32 as a backup AV scan for KAV, though I doubt it will be necessary. I may be getting bored now that everything is so stable. :)
Cya,
Rich
Paranoid2000
October 24th, 2004, 08:20 PM
{QUOTE-> If you guys had a choice between Process Guard 3.0 and SSM for additional registry and program protection, would it be a toss-up or do you have specific reasons to choose one or the other. <-QUOTE}
There is a lot of overlap between the two but also significant differences. Process Guard is more "set it and forget it", requiring little involvement after the initial configuration - but you need to remember to check its logs if any problems arise with installing (or running) new software. Its settings are somewhat simplified in this vein (you can allow a program to install any driver or no drivers at all - you cannot limit it to a specific driver, which has raised an issue about svchost.exe, which does do driver installation for third parties).
SSM prompts you for everything - you essentially (constantly at first, sporadically thereafter) create its rules by answering popups. It offers a finer degree of control (you can specify that application X is allowed to run program Z but that application Y is blocked from doing so) including being able to limit driver installation to specific drivers only. However this makes it more difficult to use on a shared computer (it does offer a restricted user mode where prompts cannot be answered - but you need to spend time defining what is then to be allowed). The plugins (registry, service, IE settings) are useful in that they give more information on program activities which can help you decide whether a program is benign or not - but other software can also cover their function if you use PG.
Process Guard's main role is that of process protection - SSM's is program control. SSM can provide a good degree of process protection by intercepting terminate, debug or DLL injection attempts - but it cannot cover all the bases like PG can. PG on the other hand cannot offer SSM's level of control over program actions.
For simplicity and unattended use I would suggest Process Guard. For control and program activity monitoring I would advise SSM. For paranoids and control freaks ;D I would recommend both. :)
richrf
October 24th, 2004, 10:25 PM
Hi Paranoid,
Thanks for the detailed explanation. I think I will try both out and see which one works better. If I buy both, it will not be because I am Paranoid, it will be because I am bored with tooooo much stability on my system. :)
Thanks again,
Rich
nillr2
October 25th, 2004, 11:02 AM
{QUOTE-> For simplicity and unattended use I would suggest Process Guard. For control and program activity monitoring I would advise SSM. For paranoids and control freaks ;D I would recommend both. :) <-QUOTE}
Wrong. The true paranoids run SSM+Processguard+PrevX
Pilli
October 25th, 2004, 11:44 AM
nillr2, You forgot Abtrusion Protector ;D
Pilli
jon_fl
October 25th, 2004, 01:04 PM
Sorry if this was asked before; do Prevx and Tea Timer do basically the same thing? If you had a choice of one of these, which one would it be?
I have Spywareblaster, Spywareguard, Ad-Aware, SpyBot, BOClean, Win Patrol, NAV2005, ZA free and I will probably get PG 3.0 when it comes out. Am I pretty well covered? I'm running XP with SP2. 8)
hojtsy
October 25th, 2004, 06:06 PM
{QUOTE-> From my own experimentation, it seemed like Tea Timer, Ad-watcher, and Premx were all more or less real-time. They would all shoot up on the screen practically at the same time. Right now I have settled on Premx which seems like a darn good product as does WinPatrol. <-QUOTE}
Ad-watch, Teatimer, Regrun, Winpatrol, RegProt, RegWatcher - all are pollers, meaning they repeatedly read and check the registry every x seconds. They do not block the change of the registry in the first place, they only undo the detected change if you choose so. The questionable marketing/GUI of these applications tends to oversimplify the explanation of the working method, making the false statement that the application "blocks changes".
BUT Process Guard protects a few selected registry keys in a completely different way: it blocks any changes from happening in the first place by being in between the user applications and the registry. That is what we call "real time". BTW it is the primary reason for PG being present in the Registry Monitor list. DiamondCS already developed the framework for this kind of registry protection for PG - yes, they said so. I hope it is only a question of time until they release a full-featured registry protection application.
As for Prevx - I don't know. For all I know it could as well block the changes in the first place, or it could be a poller. Anyone with specific technical information is welcome. It is easy to check: Sysinternals Registry Monitor shows repeating registry reads for every poller.
-hojtsy-
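To make the poller model concrete, here is an added illustration (not code from any product named in this thread) of the snapshot-and-diff loop hojtsy describes: the watched Run/RunOnce keys are re-read every interval and compared with the previous read. The `windows_snapshot` reader uses the standard `winreg` module and so only works on Windows; the `scripted_reader`, the `SAMPLE` snapshots and all value names in them are constructed for the demo. The point it shows is the one made above: the change has already been written by the time the next read sees it, so the best a poller can do is report or undo it, and the repeating reads are what Regmon would show.

```python
"""Polling registry watcher: the snapshot-and-diff model described above.

Added illustration, not code from any product in the thread. The key
paths are the Run/RunOnce keys from the thread's table; the sample
snapshots and value names are constructed.
"""
import time
from typing import Callable, Dict, List, Tuple

# Snapshot: "HIVE\\subkey" -> {value_name: value_data}
Snapshot = Dict[str, Dict[str, str]]
Change = Tuple[str, str, str, str, str]  # (kind, key, value_name, old, new)

WATCHED_KEYS = [
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
]


def diff_snapshots(before: Snapshot, after: Snapshot) -> List[Change]:
    """List every value added, removed or modified between two snapshots."""
    changes: List[Change] = []
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key, {}), after.get(key, {})
        for name in sorted(set(old) | set(new)):
            if name not in old:
                changes.append(("added", key, name, "", new[name]))
            elif name not in new:
                changes.append(("removed", key, name, old[name], ""))
            elif old[name] != new[name]:
                changes.append(("modified", key, name, old[name], new[name]))
    return changes


def windows_snapshot(keys=WATCHED_KEYS) -> Snapshot:
    """Read the watched keys through winreg (Windows only).

    One call is one pass of registry reads; repeated calls are the
    recurring-read pattern a registry tracer shows for a poller.
    """
    import winreg  # stdlib on Windows; ImportError elsewhere
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    snap: Snapshot = {}
    for key in keys:
        hive, _, subkey = key.partition("\\")
        values: Dict[str, str] = {}
        try:
            with winreg.OpenKey(hives[hive], subkey) as handle:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(handle, index)
                    except OSError:  # no more values under this key
                        break
                    values[name] = str(data)
                    index += 1
        except OSError:  # key absent or not readable
            pass
        snap[key] = values
    return snap


def poll(read_snapshot: Callable[[], Snapshot], interval_s: float,
         polls: int) -> List[Change]:
    """Re-read the keys every interval_s seconds and collect the diffs.

    A write is only noticed on the first read after it happened, so the
    detection lag is up to one interval and the write itself is never
    prevented; afterwards the watcher can only report or undo it.
    """
    baseline = read_snapshot()
    found: List[Change] = []
    for _ in range(polls):
        time.sleep(interval_s)
        current = read_snapshot()
        found.extend(diff_snapshots(baseline, current))
        baseline = current
    return found


def scripted_reader(snapshots: List[Snapshot]) -> Callable[[], Snapshot]:
    """Reader that hands out constructed snapshots in order (last one repeats)."""
    queue = list(snapshots)

    def read() -> Snapshot:
        return queue.pop(0) if len(queue) > 1 else queue[0]
    return read


# Constructed sample: clean baseline, then a new Run value appears between
# two polls, then its data is changed.  Names and paths are made up.
HKCU_RUN = WATCHED_KEYS[0]
SAMPLE: List[Snapshot] = [
    {HKCU_RUN: {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}},
    {HKCU_RUN: {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
                "updater": r"C:\Program Files\Example\updater.exe"}},
    {HKCU_RUN: {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
                "updater": r"C:\WINDOWS\Temp\updater.exe"}},
]


def demo() -> List[Change]:
    """Run two polling rounds over the constructed snapshots with no delay."""
    return poll(scripted_reader(SAMPLE), interval_s=0.0, polls=2)


if __name__ == "__main__":
    for kind, key, name, old, new in demo():
        print(f"{kind:8} {key}\\{name}: {old!r} -> {new!r}")
```

On a real machine you would pass `windows_snapshot` to `poll` with an interval of a few seconds; the demo swaps in the scripted reader so the same loop runs anywhere. The first diff shows the "updater" value already present when the poller looks, which is exactly the after-the-fact detection the post contrasts with Process Guard's interception.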
Devinco
October 25th, 2004, 06:38 PM
If DiamondCS makes a Registry Guard (whatever they decide to call it), I will buy it.
(not RegProt, I mean a configurable Registry Guard that would include all these keys by default and allow others)
Moore
October 25th, 2004, 08:20 PM
{QUOTE-> The questionable marketing/GUI of these application tend to oversimplify the explanation of the working method making the false statement that the application "blocks changes". <-QUOTE}
How about Regrun with the blacklist in block-all mode? That would count as being able to block certain registry changes without needing to prompt the user first.
{QUOTE-> Black List allows automatically filtering newest detected startup tasks. Tasks listed in Black List will be automatically blocked. <-QUOTE}
So far I've seen it work well to auto-protect these registry keys:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
hojtsy
October 26th, 2004, 05:13 AM
{QUOTE-> How about Regrun with the blacklist in block all mode, that would count as being able to block certain registry changes, without needing to prompt the user first. <-QUOTE}
The incorrectly called "block" here is actually only an "auto-undo" or "unconditional undo". Pollers detect the registry change only after it was successfully made and completed by the malware, and then they attempt to undo it. Let me explain the weakness