MJ Registry Watcher

Always greets GE. Great Registry Program! you generously offer all of us as well as stay in touch with it's users as well as update it as needed.

I am curious though and hopefully you might shed some light over this curiosity one way or the other.

It's obvious with the very sharply talented and thoughtful efforts that you've gone to some great lengths to put into this excellent registry monitor, as well as the staying power you seem to possess in keeping continuous vigil on this creation & users of it of yours

Could you possibly consider also at some point to fashion a Folder/File monitor of sorts also, on the order of a say a FileChangeAlarm that affords users to enter in addition to the defaults, extensions that an app would watch and alert to immediately on any change such as created, deleted, renamed and so forth that also at-once sounds a user-defined .WAV file alert as well as Blink the tray icon or even devise a MSN roll-up type notification at the system clock tray? Or anything along those lines.

In all honesty and with deep respect for all your efforts with MJ Reg Watcher, i can't think of a single other developer better qualified who has just the right balance of the skills and enthusiasm to create such a Folder/File Monitor app than yourself seeing how well you've developed MJ.

IMHO, i think something like this would also highly compliment MJ and go over very well with users and really is long BEEN sorely needed.

EASTER

 

Easter, why re-invent the wheel? There is a freeby called Monidir (http://www.contactplus.com/products/freestuff/monidir.htm) which does what you ask. MJRW can monitor individual files/directories and user-specified filespecs with wildcards on a polling basis, but if you want to catch a change to a directory immediately, use Monidir.

 

Because if anyone could reinvent the wheel with added usefullness it would be you as evident by MJ Reg Watcher. Because thats also kind of re-inventing the registry monitoring that HIPS already employ but you take it to an independent point of being a single app for a single purpose. That's kind of what i was hinting at, but if it's no of any interest to you, thats cool too.

Have you even tried that program you linked to? It's way too archaic. Even if you set a WAV file to alert you get the whole crappy windows media player program right up on the screen, not only that, but it "polls", very unlike FileChangeAlarm.

Listen, i'm only trying to help stir at least some interest that something on this order would be worthwhile and infinitely more up-to-date than what we have now. Can you imagine relying on a Windows 98/Me hobby project that was released and abandoned in today's circles? Most would dismiss it right off the bat, and some have like ErikAlbert's try at ScriptDefender by AnalogX because it just needs some minor improvements but is been neglected.
Sorry for my fervor over what are considered now old hat apps like these, but personally i find at least some of them still COULD BE just as useful as a full blown HIPS in some ways, like for instance your MJ RegWatcher alerts to changes & blocks change attempts that could affect normal settings.

With that same sort of idea at heart, a folder/file watcher that logs plus alerts IMMEDIATELY is also a very useful & invaluable tool for any security conscious enthusiast and i just thought someone of your motivation might could take up that torch also.

Maybe i was wrong to bring suggestion to this, i dunno.

Regards EASTER

 

I've just looked at Moanidir, and there's a lot to moan about! It does not alert immediately, and it has a minimum poll time of 5 seconds. Perhaps I will incorporate something into MJRW. I'll have a play...

 

Courtesy member Expresso taken from Wilder's Topic in September 2007 this year, theres a lone and perhaps only version left on any server anyplace on the net, if it might be worth an exam or two to help get an idea about it's usefulness.

File Change Alarm 1.0 beta6 here

http://www.divshare.com/download/2075433-50b

Regards EASTER

 

Thanks for the link. I have had a look at the basic programming requirement for a directory change notifier, and it may patch into MJRW's current registry hooker event processing fairly well. I'll need to look more thoroughly at this, but it may be a transparent change, in that there will be no apparent interface changes at all, just that the file/directory protection also becomes "instantaneous" as per the registry changes. I hope this proposal is satisfactory. Regards,

 

Glad you were able to have a look and try it. I'm using it right now, it's really a nice monitor in that you can add other file extensions. Just for personal observations, i added .txt and .dat so it throws up alerts (Audibly/Blink Tray Icon) quite regularly while logging to saved text files.

Another oldie but goodie is Process Logger

It's really not so hidden as the author's description claims, but it does do a great job of creating timestamped logs of processes each time one runs, but this is simply a process monitor, somewhat parallel to ProcView except you review the findings at your own random time.

I have run both of these now abandoned monitors and am pleased they also run great on XP systems.

 

I have released version 1.2.5.8 of MJ Registry Watcher at http://jacobsm.com/mjsoft.htm#rgwtchr - it has the following changes :-

Changes 1.2.5.7 to 1.2.5.8
1) Added file and directory hooking techniques to allow almost instantaneous reporting of any changes to files and directories (OS cache permitting).
2) Added option to reset engine parameters to their defaults. The defaults have been changed to take into account the hooking mechanisms. The polling is now set to sweep every 30 seconds by default, instead of every 10 seconds.
3) When a hooked sweep is triggered, any filespec prefixed with & is checked immediately, rather than once every 50 sweeps.

This last point (3) may lead to higher CPU usage on Pentium systems. On AMD systems, it seems to use less CPU time than 1.2.5.7 - go figure!

This new version offers the best system protection yet. &-prefixed filespecs now get checked whenever a change happens anywhere on the drive(s). You can add your own filespecs on other attached drives (for example, USB hard disks or pen drives) and they will be monitored using hooks too.

For those of you with a licence file, simply extract the new version to the usual directory, and the licence there will continue to work.

 

I knew you were a master craftsman at programming like this, but the speed at which you're able to make improvements in this manner is simply Brilliant! GE!

Am on my way to install this latest version and see just what magic you've done again this time.

Really, thanks ever so much for the constant attention you bring to these and any other concerns and also the correspondences like this with your users which is simply invaluable and really gives us all a huge lift of excitement and we appreciate every moment of it, thats for sure.

EASTER (#&##? tripping over my keyboard to get to the new D/L)

 

Version 1.2.5.9 of MJ Registry Watcher has been released at http://www.jacobsm.com/mjsoft.htm#rgwtchr

The changes are as follows :-

Changes 1.2.5.8 to 1.2.5.9
1) Reduced CPU usage by hooking only the directories specified in the filespecs, rather than the whole drive.
2) Added debug output, toggled by right-clicking timer up/down arrows.

 

GE, thanks for the update! It has noticeably lower CPU impact!

However, I did run into a problem. Version 1.2.5.8 and earlier have always ran perfect under my Limited User accounts (on 2 PCs.) But with 1.2.5.9, the licensing check will no longer function under the Limited accounts. It works fine on the Admin accounts and if I temporarily change the Limited accounts to Admin privileges, 1.2.5.9 then works ok.

The error message I get is attached. (At this point, I am running 1.2.5.9 on the Admin accounts and 1.2.5.8 on the Limited accounts.)

Any help you can give would be much appreciated!

 

I have posted a correction to this. It is still the same version number, because nothing else has changed, just the access level for opening the aforesaid key. Let me know if there are still problems. Cheers for the call.

 

GE: Awesome response time!

That did it. My Limited accounts are once again running normally.

As I noted earlier, the CPU usage reduction is very noticeable. On one PC, it's approx. half what it was before...

 

well, i am here.. i am new to using mjregwatcher.. one issue that i am having is that it "regularly" flags a couple of reg-"subkeys" that i would like for it to ignore.. i tried adding the keys to the "exempt values list", but that didn't seem to work..the reg-subkeys are still being flagged.. i could use a "prefix" when the alert pops up but i don't want mjrw to ignore everything relating to "explorer", just the two (or three) subkeys.. here are the subkeys that i am trying to get mjrw to ignore:

hkey_users\s-1-5-21-602162358-838170752-725345543-1005\software\microsoft\windows\currentversion\explorer\recentdocs

hkey_users\s-1-5-21-602162358-838170752-725345543-1005\software\microsoft\windows\currentversion\explorer\bitbucket\c

hkey_users\s-1-5-21-602162358-838170752-725345543-1005\software\microsoft\internet explorer\typedurls

incidentally, i tried using "wildcard-keys" the first time, but that didn't work, so i tried using the ones posted above, instead...

another think is that mjrw is flagging these keys that other regprotectors do not flag, but it does not flag some of the regkeys that other regprotectors do flag, like when i am adding something to IE's "trusted sites zone", in IE's "security".. also, when i open "internet options", in control panel, i think mjrw should be flagging a regkey, there, for "rundll32", i think..

i imagine that there is some what to get mjrw to ignore reg-subkeys, if desired, but adding the keys to the "exempt values list" doesn't seem to result in the reg-subkeys' being ignored.. i don't want to use a "prefix" where everything-explorer will be ignored..

 

I had the same problem with TypedURL's. I added the following in the "Exempt Keys and Filespecs List".

hkey_users\s-1-5-21-2117542951-1439701620-476712757-1010\software\microsoft\internet explorer\typedurls

 

thanks, hammerman.. i will try adding the regkeys to "exempt keys and filespecs list".

 

redwolfe_98: Which Security Set are you using? You mentioned that Registry Watcher doesn't look at some of the keys you want it to. Those keys may be in a more secure set...

 

If I recall (from some previous threads), the following should work too:

hkey_users\\software\microsoft\internet explorer\typedurls

soccerfan

 

For what it's worth, I noticed that, in the past, everytime you ran CCleaner it would delete the typedurls Key (depending on configuration) and then recreate it again. However the latest version of CCleaner just deletes the Key without putting it back again, which means other apps (usually IE) are constantly having to restore the typedurls Key after you run CCleaner. Thus Reg protection progs covering the Key (and not all do) are always flagging some app or other over that Key.

 

Thanks for helping redwolfe_98 out there guys. You can certainly wildcard exemptions, an example that is in the default set supplied being :-

hkey_users\\software\microsoft\windows\currentversion\explorer\runmru

Also, you do have to put exempt registry keys in the keys and filespecs section, and exempt registry values in the values section. Sorry about the confusion, but that's the way the program works!

I'm not sure what you want protecting under the security key of IE (hkey_lmus\software\microsoft\internet explorer). Perhaps you could expand on that. Certainly, it is protected under the "high" and "highest" settings, but not at lower security levels.

 

Does anybody come across opera(9.5 beta build 9745) crashes very often with MJRW(1.2.5.9) while trying to download files? My system is winxp pro sp2.

 

Shek, Opera constantly updates the registry while it downloads files. This can trigger MJRW fast sweeps over and over. To relax the "paranoia" a bit, try resetting the engine parameters (under the options menu - Reset Engine Parameters) and see if that alleviates the problem.

 

I have released a new version of MJ Registry Watcher, version 1.2.6.1 which is now free of charge again! No licence file is required for this new version.

Changes 1.2.5.9 to 1.2.6.1
1) The application is now free of charge and does not require a licence file any more. If you find this software useful, please use the Paypal and Google Checkout buttons at http://www.jacobsm.com/mjsoft.htm to make a donation.
2) Tray hint now has no limit to the length of the text presented.
3) Added exempted discoveries to the debug log.
4) Once triggered, debug now stops re-reporting trigger until reset.
5) Made alerts for the winlogon key always prompt the user, whatever the mode is.

"MJRW saving PCs' necks since the invention of the computer virus"

 

Thanks Graphic

soccerfan

 

I second that.
I find this application invaluable.
It can be a little annoying at times when installing new software and I have to resort to shutting it down sometimes. I would prefer to have a temporary installation mode where changes are accepted automatically but still logged.