Wilders Security Forums  

  #1  
Old September 3rd, 2010, 05:42 PM
pajenn's Avatar
pajenn pajenn is offline
Frequent Poster
 
Join Date: Oct 2009
Posts: 601
Default To remove mscorsvw.exe or to remove Tiny Watcher?

Tiny Watcher is a small program that reports changes in important system files at start up. Usually it gives you the option to either remove or confirm those changes, but today following a regular Windows Update restart, it's only giving me the 'Remove' option:

Quote:
Process mscorsvw.exe <C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe> :
Another process is using the same name but a different executable file: <C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe>

Available actions for this item: 'Remove'
** 'Confirm' action is not available because this item is never normal **

My instinct would be to confirm the changes since the Windows update included updates to .Net Frameworks, but with Tiny Watcher that's not an option, so I'm thinking of removing Tiny Watcher unless someone here happens to know that it's right in this case. Otherwise, any good (up-to-date) alternatives to Tiny Watcher?
__________________
Main machine: Samsung laptop, i7 QuadCore, 16GB RAM, SSD, USB3.0, Win7 Home Premium 64-bit (main), Mint 12.4 (linux newbie)
Software: Comodo Internet Security, KeyScrambler, Keepass w/ Dropbox to sync, Sandboxie, Peerblock, Drive Snapshot, a2cmd, EasyBCD for custom boot, AutoHotkey.
  #2  
Old September 3rd, 2010, 05:45 PM
Cudni's Avatar
Cudni Cudni is offline
Global Moderator
 
Join Date: May 2009
Location: Somethingshire
Posts: 6,944
Default Re: To remove mscorsvw.exe or to remove Tiny Watcher?

I would confirm it too but if you want to keep TW then why not reset it?
__________________
once we only had ideals, today they are the only things we are missing
Microsoft MVP, 2006 - 2013/14
  #3  
Old September 3rd, 2010, 06:39 PM
pajenn's Avatar
pajenn pajenn is offline
Frequent Poster
 
Join Date: Oct 2009
Posts: 601
Default Re: To remove mscorsvw.exe or to remove Tiny Watcher?

Quote:
Originally Posted by Cudni
I would confirm it too but if you want to keep TW then why not reset it?

Not sure if I want to keep it anymore... I'd prefer a program that just reports the changes but leaves the deciding to the user (without hoop jumping).
__________________
Main machine: Samsung laptop, i7 QuadCore, 16GB RAM, SSD, USB3.0, Win7 Home Premium 64-bit (main), Mint 12.4 (linux newbie)
Software: Comodo Internet Security, KeyScrambler, Keepass w/ Dropbox to sync, Sandboxie, Peerblock, Drive Snapshot, a2cmd, EasyBCD for custom boot, AutoHotkey.
  #4  
Old September 3rd, 2010, 07:57 PM
jmonge's Avatar
jmonge jmonge is offline
Incredibly Massive Poster
 
Join Date: Mar 2008
Location: Calgary,Canada
Posts: 11,849
Default Re: To remove mscorsvw.exe or to remove Tiny Watcher?

WinPatrol Plus then is for you to use, buddy
__________________
Anti-Executable Standard 5.20.1112.562/K9 Web Protection 4.4.268
  #5  
Old September 4th, 2010, 12:04 AM
bellgamin's Avatar
bellgamin bellgamin is offline
Very Frequent Poster
 
Join Date: Aug 2002
Location: Hawaii
Posts: 5,202
Default Re: To remove mscorsvw.exe or to remove Tiny Watcher?

mscorsvw.exe is a notorious cpu-eater. I never see it because I killed it a long time ago. For me dot net works okay without it.

Do a Google search on mscorsvw.exe & you will get tons of hits such as THIS - which tells how to get rid of this Microsoft piece of crap.

Quote:
Originally Posted by jmonge
WinPatrol Plus then is for you to use, buddy

WinPatrol monitors in real-time & covers only a small slice of the sensitive registry files & system files. TW runs on-demand & covers a MUCH broader spectrum of sensitive registry & system files.

Registry monitoring
TW's registry list is largely based on research done by Kees1958, Tony Klein, & hojtsy. By the way -- these same superb sources also form one of the primary bases for registry watch lists used by Online Armor, MJ Registry Watcher, RegRun, et alia.

System files monitoring
TW's system files monitoring uses wild cards (*) that cause it to cover extremely critical system files with just a few entries as follows. . .
Quote:
c:\*
$windows\*%
$windows\system32\*%
$windows\system32\drivers\*%
$windows\system\*%
$windows\system\iosubsys\*%
$windows\system\vmm32\*%
$windows\wininit.ini
$windows\system\autoexec.nt
$windows\system\config.nt
$windows\system32\drivers\etc\hosts

Because of TW's broad spectrum of monitored key files, I disabled TW's quick scan from startup & instead I run TW's deep scan daily at startup, called as follows . . .
Quote:
C:\Program Files\Watcher\watcher.exe*-deep

Bottom Line
Give up TW for some bit of Microsoft's intrusive, cpu-eating, ill-conceived mscorsvw.exe? NOT me!

As for WinPat -- if someone wants to run a real-time HIPS, I recommend Malware Defender (it's free) or Online Armor-free. They cover MANY more threat behaviors than does WP.
__________________
Primo freebeez: TinyWatcher POP Peeper Kalender

Last edited by bellgamin : September 4th, 2010 at 12:15 AM.
  #6  
Old September 4th, 2010, 12:17 AM
jmonge's Avatar
jmonge jmonge is offline
Incredibly Massive Poster
 
Join Date: Mar 2008
Location: Calgary,Canada
Posts: 11,849
Default Re: To remove mscorsvw.exe or to remove Tiny Watcher?

Good explanation, bell buddy, thanks.
__________________
Anti-Executable Standard 5.20.1112.562/K9 Web Protection 4.4.268
  #7  
Old September 5th, 2010, 09:16 PM
whitedragon551's Avatar
whitedragon551 whitedragon551 is offline
Very Frequent Poster
 
Join Date: Sep 2008
Location: USA
Posts: 2,761
Default Re: To remove mscorsvw.exe or to remove Tiny Watcher?

Take those areas watched by Tiny Watcher and import them to Winpatrol and you're set.

I have a detection by TinyWatcher on my laptop with something similar.

Quote:
Process svchost.exe <unretrievable path> :
Another process is using the same name but a different executable file: <C:\Windows\SysWOW64\svchost.exe>

Available actions for this item: 'Remove'
** 'Confirm' action is not available because this item is never normal **

I traced it to a service for HP Printers. I reported the false positive to the Tiny Watcher developer over 3 weeks ago and still not even a confirmation email saying that they have received it and are looking into it.
__________________
|Kaspersky Anti-Virus 2013|Private Firewall|HitmanPro|MBAM|Keriver Image|WinPatrol Plus|

Looking for volunteer authors to write articles, reviews, and How-Tos. If you think you have what it takes, contact me.
|http://pc-babble.com/|
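
Added example, not part of any post in this thread and not Tiny Watcher's own code: a sketch of the "same name, different executable file" check behind the two reports quoted above, returning a report-only verdict in place of a forced 'Remove'. The `EXPECTED_DIRS` allowlist, the verdict strings and the sample process snapshot are assumptions made for the illustration.

```python
import ntpath
from collections import defaultdict

# Assumption: directories where legitimate copies of each image name live.
EXPECTED_DIRS = {
    "mscorsvw.exe": [r"c:\windows\microsoft.net\framework",
                     r"c:\windows\microsoft.net\framework64"],
    "svchost.exe": [r"c:\windows\system32", r"c:\windows\syswow64"],
    "notepad.exe": [r"c:\windows\system32"],
}

# Constructed process snapshot: (image name, executable path or None when the
# path cannot be read). The first four rows mirror the two reports quoted in
# the thread; the notepad.exe rows are invented for contrast.
SAMPLE = [
    ("mscorsvw.exe", r"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe"),
    ("mscorsvw.exe", r"C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"),
    ("svchost.exe", r"C:\Windows\SysWOW64\svchost.exe"),
    ("svchost.exe", None),
    ("notepad.exe", r"C:\Windows\System32\notepad.exe"),
    ("notepad.exe", r"D:\Temp\notepad.exe"),
    ("explorer.exe", r"C:\Windows\explorer.exe"),
]

def norm(path):
    """Case-fold and normalise a Windows path (ntpath works on any OS)."""
    return ntpath.normcase(ntpath.normpath(path))

def in_expected_dir(name, path):
    """True if the file sits in, or below, an expected directory for its name."""
    folder = ntpath.dirname(norm(path))
    return any(folder == root or folder.startswith(root + "\\")
               for root in EXPECTED_DIRS.get(name, []))

def classify_collisions(processes):
    """Return {name: verdict} for every image name seen with more than one path."""
    paths_by_name = defaultdict(set)
    for name, path in processes:
        paths_by_name[name.lower()].add(norm(path) if path else None)
    verdicts = {}
    for name, paths in paths_by_name.items():
        if len(paths) < 2:
            continue  # one image per name: nothing to report
        known = [p for p in paths if p is not None]
        if any(not in_expected_dir(name, p) for p in known):
            verdicts[name] = "review: copy outside expected directories"
        elif None in paths:
            verdicts[name] = "review: path unretrievable"
        else:
            verdicts[name] = "expected side-by-side copies"
    return verdicts

if __name__ == "__main__":
    for name, verdict in sorted(classify_collisions(SAMPLE).items()):
        print(f"{name}: {verdict}")
```
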
  #8  
Old September 7th, 2010, 03:27 AM
bellgamin's Avatar
bellgamin bellgamin is offline
Very Frequent Poster
 
Join Date: Aug 2002
Location: Hawaii
Posts: 5,202
Default Re: To remove mscorsvw.exe or to remove Tiny Watcher?

Quote:
Originally Posted by whitedragon551
I reported the false positive to the Tiny Watcher developer over 3 weeks ago and still not even a confirmation email saying that they have received it and are looking into it.

Check HERE. It's a known issue that has been reported & replied MANY times. Perhaps the proponent is weary of answering the same question. Why hasn't he fixed it yet? Wakaranai.
__________________
Primo freebeez: TinyWatcher POP Peeper Kalender
  #9  
Old September 7th, 2010, 08:53 AM
whitedragon551's Avatar
whitedragon551 whitedragon551 is offline
Very Frequent Poster
 
Join Date: Sep 2008
Location: USA
Posts: 2,761
Default Re: To remove mscorsvw.exe or to remove Tiny Watcher?

Quote:
Originally Posted by bellgamin
Check HERE. It's a known issue that has been reported & replied MANY times. Perhaps the proponent is weary of answering the same question. Why hasn't he fixed it yet? Wakaranai.

Doesn't exactly make one want to use a program. Especially when something has been reported numerous times, it hasn't been fixed, and the coder won't even respond to emails.
__________________
|Kaspersky Anti-Virus 2013|Private Firewall|HitmanPro|MBAM|Keriver Image|WinPatrol Plus|

Looking for volunteer authors to write articles, reviews, and How-Tos. If you think you have what it takes, contact me.
|http://pc-babble.com/|
  #10  
Old September 7th, 2010, 05:19 PM
bellgamin's Avatar
bellgamin bellgamin is offline
Very Frequent Poster
 
Join Date: Aug 2002
Location: Hawaii
Posts: 5,202
Default Re: To remove mscorsvw.exe or to remove Tiny Watcher?

Quote:
Originally Posted by whitedragon551
Doesn't exactly make one want to use a program.

I agree, but the alternatives are very limited. There are LOTS of powerful (& expensive) integrity checkers for servers, but the only 3 that I know of for home computers are:

(1) TW (free. Highly configurable)

(2) Sentinel (free - not nearly as configurable as TW)

(3) ADInf Pro ($14.95 - extremely powerful, interfaces nicely with several antivirus programs, equally as configurable as TW but a bit more complicated to learn. Concerning which, Wilders has a very detailed tutorial HERE.)

In actuality integrity checkers need little or no updating IF & ONLY IF they are readily configurable. AFAIK their ONLY *major* weakness, as a security app, is that they are not self-protected. Thus, a malware can easily target them, to screw up their database or kill them altogether. I protect TW with my HIPS (any good HIPS can be configured to strongly protect any given app from mutilation or deletion or spoofing).

Is an integrity checker worth the effort? My answer -- you will rarely find a commercially-based server that lacks one. Many ITs consider integrity checkers to be indispensable. So do I. This is especially true since my own philosophy of strong but non-intrusive layered security is heavily centered on an integrity checker plus imaging.

I happen to prefer TW, but would switch to ADInf in a heartbeat if TW was no longer available.
__________________
Primo freebeez: TinyWatcher POP Peeper Kalender
  #11  
Old September 7th, 2010, 05:21 PM
whitedragon551's Avatar
whitedragon551 whitedragon551 is offline
Very Frequent Poster
 
Join Date: Sep 2008
Location: USA
Posts: 2,761
Default Re: To remove mscorsvw.exe or to remove Tiny Watcher?

You can import the registry settings that TW watches into Winpatrol free or paid and have just as good of protection with more added features.
__________________
|Kaspersky Anti-Virus 2013|Private Firewall|HitmanPro|MBAM|Keriver Image|WinPatrol Plus|

Looking for volunteer authors to write articles, reviews, and How-Tos. If you think you have what it takes, contact me.
|http://pc-babble.com/|
  #12  
Old September 7th, 2010, 07:32 PM
lordraiden's Avatar
lordraiden lordraiden is offline
Very Frequent Poster
 
Join Date: Jan 2006
Posts: 2,201
Default Re: To remove mscorsvw.exe or to remove Tiny Watcher?

Quote:
Originally Posted by bellgamin
I agree, but the alternatives are very limited. There are LOTS of powerful (& expensive) integrity checkers for servers, but the only 3 that I know of for home computers are:

(1) TW (free. Highly configurable)

(2) Sentinel (free - not nearly as configurable as TW)

(3) ADInf Pro ($14.95 - extremely powerful, interfaces nicely with several antivirus programs, equally as configurable as TW but a bit more complicated to learn. Concerning which, Wilders has a very detailed tutorial HERE.)

In actuality integrity checkers need little or no updating IF & ONLY IF they are readily configurable. AFAIK their ONLY *major* weakness, as a security app, is that they are not self-protected. Thus, a malware can easily target them, to screw up their database or kill them altogether. I protect TW with my HIPS (any good HIPS can be configured to strongly protect any given app from mutilation or deletion or spoofing).

Is an integrity checker worth the effort? My answer -- you will rarely find a commercially-based server that lacks one. Many ITs consider integrity checkers to be indispensable. So do I. This is especially true since my own philosophy of strong but non-intrusive layered security is heavily centered on an integrity checker plus imaging.

I happen to prefer TW, but would switch to ADInf in a heartbeat if TW was no longer available.

Thanks for the details, I didn't know that there was specific software for this.

There is also a command in Windows that automatically checks the integrity of system files; it is quite recommended to run it after malware cleaning:

sfc /scannow

If any file is not original, the program will automatically replace the file with the original one from a backup or from the CD/DVD.

Last edited by lordraiden : September 7th, 2010 at 07:38 PM.
  #13  
Old September 7th, 2010, 08:10 PM
bellgamin's Avatar
bellgamin bellgamin is offline
Very Frequent Poster
 
Join Date: Aug 2002
Location: Hawaii
Posts: 5,202
Default Re: To remove mscorsvw.exe or to remove Tiny Watcher?

Quote:
Originally Posted by whitedragon551
You can import the registry settings that TW watches into Winpatrol free or paid and have just as good of protection with more added features.

You are correct about the registry, but WP is very deficient when it comes to full-scope protection of Win system files -- files that are fully covered by integrity checkers. Further, WP is largely non-configurable with respect to files other than start-ups. Also, WP lacks advanced hashes such as SHA-1; a critical shortfall. Yet another major deficiency is that WP must run in real-time (see Note 1 below), whereas a file integrity checker needs only to run on-demand.

Don't get me wrong. WP is a nice little HIPS. However, comparing WP to a file integrity checker is comparing apples to lawn mowers. They simply are not designed to do the same thing in the same way.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Note 1: Since the subject of HIPS has been introduced into the discussion, I might add that WP is a narrow-spectrum HIPS-type app with zero capability for stopping kill apps & rootkits, AND (except for autoruns et alia) is not set-up or configurable to protect other types of files.

For fewer cpu cycles than are needed to run WP, you can run any one of several broad-scope HIPS which are light-years more powerful than WP. Malware Defender is one example. D+ is another. OSSS is yet another; & the list goes on.

However, I am OT. This thread is about TW vs mscorsvw.exe -- not about WP vs other HIPS.
__________________
Primo freebeez: TinyWatcher POP Peeper Kalender
  #14  
Old October 19th, 2010, 11:53 AM
pajenn's Avatar
pajenn pajenn is offline
Frequent Poster
 
Join Date: Oct 2009
Posts: 601
Default Re: To remove mscorsvw.exe or to remove Tiny Watcher?

Quote:
Originally Posted by whitedragon551
You can import the registry settings that TW watches into Winpatrol free or paid and have just as good of protection with more added features.

I decided to give Winpatrol a try. Can it be set to only run during start-up, or to only monitor the areas that Tiny Watcher monitors during start-up? And if so, how?
__________________
Main machine: Samsung laptop, i7 QuadCore, 16GB RAM, SSD, USB3.0, Win7 Home Premium 64-bit (main), Mint 12.4 (linux newbie)
Software: Comodo Internet Security, KeyScrambler, Keepass w/ Dropbox to sync, Sandboxie, Peerblock, Drive Snapshot, a2cmd, EasyBCD for custom boot, AutoHotkey.
  #15  
Old October 19th, 2010, 02:02 PM
HAN's Avatar
HAN HAN is offline
Very Frequent Poster
 
Join Date: Feb 2005
Location: USA
Posts: 1,737
Default Re: To remove mscorsvw.exe or to remove Tiny Watcher?

Quote:
Available actions for this item: 'Remove'
** 'Confirm' action is not available because this item is never normal **

Whenever I get this message, if I am ok with the issue in question, I just close TW by "X"ing out of it. Doesn't seem to hurt anything and solves the issue (since confirm is not available.)
  #16  
Old October 20th, 2010, 01:46 AM
bellgamin's Avatar
bellgamin bellgamin is offline
Very Frequent Poster
 
Join Date: Aug 2002
Location: Hawaii
Posts: 5,202
Default Re: To remove mscorsvw.exe or to remove Tiny Watcher?

Quote:
Originally Posted by pajenn
I decided to give Winpatrol a try. Can it be set to only run during start-up, or to only monitor the areas that Tiny Watcher monitors during start-up? And if so, how?

No and no.
__________________
Primo freebeez: TinyWatcher POP Peeper Kalender
  #17  
Old October 20th, 2010, 05:55 PM
pajenn's Avatar
pajenn pajenn is offline
Frequent Poster
 
Join Date: Oct 2009
Posts: 601
Default Re: To remove mscorsvw.exe or to remove Tiny Watcher?

OK, so suppose I let WinPatrol run in real time; how can I make it monitor the same registry keys that Tiny Watcher monitors? I mean, below is a picture of WinPatrol's "Registry Monitoring" tab, and it appears to require registry value and data names, as opposed to just registry key names... so how do I make WinPatrol monitor the whole registry keys that Tiny Watcher monitors instead of just individual registry entry values/data?
Attached image: winpat.png

__________________
Main machine: Samsung laptop, i7 QuadCore, 16GB RAM, SSD, USB3.0, Win7 Home Premium 64-bit (main), Mint 12.4 (linux newbie)
Software: Comodo Internet Security, KeyScrambler, Keepass w/ Dropbox to sync, Sandboxie, Peerblock, Drive Snapshot, a2cmd, EasyBCD for custom boot, AutoHotkey.
 

All times are GMT -4.