Registry Monitor comparison

I am collecting and comparing the list of monitored keys and other capabilites of current registry monitor apps. Mostly of the free ones. The list of monitored keys may or may not be the most important feature of an application, but this thread mainly discusses this aspect.

'+' means: Key (group) is monitored by the app
'L' means: Key is monitored by the app only in the HKLM subtree
'U' means: Key is monitored by the app only in the HKCU subtree
'HK**' means: The same key is monitored in both HKLM and HKCU
*** means: Recurse into all immediate subkeys here, 1 level depth

List entry types:
(K) is a key, contained values/subkeys are watched
(v) is a single value watched for changes
(M) multiple values in different keys
(?) entry type unknown. Please provide information

1 SM: Mike Lin's Startup Monitor (free)
2 RP: DiamondCS Registry Prot 2.0 (free)
3 RD: RegDefend 1.0 (shareware) [Wilders forum]
4 RR: Regrun 4 Gold Pro (shareware) [see also]
5 TT: Spybot Search and Destroy Teatimer (free)
6 SS: System Safety Monitor (free)
7 GA: Microsoft Antispyware = Giant Antispyware (free)
8 WP: Winpatrol
9 MJ: MJ Registry Watcher 1.2.3.8 (free) [Wilders thread]

Links are provided to reports about malwares using the specific key. Isn't that cool!

Autostarts
1 2 3 4 5 6 7 8 9
S R R R T S G W M
M P D R T S A P J
+ + + + + + + + + (K) HK**\SW\MS\Windows\CV\Run(Once) link
- + - + - - - - + (K) HKLM\SW\MS\Windows\CV\RunEx
- + - - - - - - + (K) HKLM\SW\MS\Windows\CV\RunOnce\Setup link
- + + + - + + + + (K) HKLM\SW\MS\Windows\CV\RunOnceEx link
- - - + + + L + + (K) HK**\SW\MS\Windows\CV\RunServices(Once) link
- - + + - - + - + (v) HKCU\SW\MS\Windows\CV\Explorer\Shell Folders\Startup link
- - - + - - + - + (K) HKCU\SW\MS\Windows\CV\Explorer\User Shell Folders
- - - - - - + - + (K) HKLM\SW\MS\Windows\CV\Explorer\ShellExecuteHooks link
- - - + - - - - + (K) HKLM\SW\MS\Windows\CV\Explorer\SharedTaskScheduler link
- - - + - - - - + (K) HKLM\SW\MS\Windows\CV\ShellServiceObjectDelayLoad link
- - - - - - - - + (?) HKLM\SW\MS\Windows\CV\app management\arpcache\ link
- - - + - - - - + (K) HKLM\SW\MS\Active Setup\Installed Components link
- - - ? - - - - + (M) HKLM\SW\MS\Active Setup\Installed Components\***\StubPath link
- + - + + + + - + (K) HKLM\Software\CLASSES\#file\shell\open\command (#=exe,com,pif,bat) link
- - - + - + + - + (K) HK**\SW\MS\Windows\CV\policies\Explorer\Run link
- - + + - - - - + (v) HKLM\System\CCS\Control\Session Manager\BootExecute link
- - - + - - - - + (K) HKLM\System\CCS\Control\Session Manager\FileRenameOperations link
- - - - - - - - + (K) HKLM\System\CCS\Control\Session Manager\KnownDLLs link
- - + - - - - - + (v) HKLM\System\CCS\Control\Session Manager\PendingFileRenameOperations link
- - + - - - - - + (v) HKLM\System\CCS\Control\Session Manager\environment\path
- - - - - - + - + (K) HKLM\System\CCS\Control\lsa link
- - + + - + - - + (K) HKLM\System\CCS\Services link
- - - + - + - - + (M) HKLM\System\CCS\Services\***\Image Path
- - - - - - - - + (K) HKLM\System\CCS\Services\vxd link
- - - + - - + - + (K) HKLM\System\CCS\Services\WinSock2 link
- - - - + - + - + (K) HKLM\SW\MS\Code Store Database\Distribution Units\ link
- - - + - + - - + (?) HKLM\SW\Policies\Microsoft\Windows\System\Scripts\Shutdown
- - - + - + - - + (?) HKLM\SW\Policies\Microsoft\Windows\System\Scripts\Startup link
- - - + - U - - + (?) HK**\SW\Policies\Microsoft\Windows\System\Scripts\Logon
- - - + - U - - + (?) HK**\SW\Policies\Microsoft\Windows\System\Scripts\Logoff
- - - + - - - - + (v) HKCU\Control Panel\Desktop\scrnsave.exe link
- - - - - - - - - (K) HK**\SW\MS\Windows NT\CV\Extensions
- - - L - - ? - ? (?) HK**\SW\MS\Windows NT\CV\IniFileMapping\win.ini\load
- - - L - - ? - ? (?) HK**\SW\MS\Windows NT\CV\IniFileMapping\win.ini\run
- - - L - - L - + (v) HK**\SW\MS\Windows NT\CV\IniFileMapping\win.ini\Winlogon
- - - L - - L - + (v) HK**\SW\MS\Windows NT\CV\IniFileMapping\system.ini\boot\shell
- - + + - - - + + (v) HKCU\SW\MS\Windows NT\CV\Windows\Run link
- - + + - - - + + (v) HKCU\SW\MS\Windows NT\CV\Windows\Load link
- - L + - - - - + (K) HK**\SW\MS\Windows NT\CV\Winlogon link
- - L + - - L - + (v) HK**\SW\MS\Windows NT\CV\Winlogon\UserInit link
- - + + - + + - + (v) HKLM\SW\MS\Windows NT\CV\Winlogon\Shell link
- - + - - - - - + (v) HKLM\SW\MS\Windows NT\CV\Winlogon\Taskman
- - - + - - - - + (K) HKLM\SW\MS\Windows NT\CV\Winlogon\Notify link
- - - + - - - - + (K) HKLM\SW\MS\Windows NT\CV\Svchost link
- - + + - + - - + (v) HKLM\SW\MS\Windows NT\CV\Windows\APPINIT_DLLs link
- - - - - - - - + (M) HKLM\SW\MS\Windows NT\CV\Accessibility\Utility manager\***\Application path
- - - - - - - - + (K) HKLM\SW\MS\Windows NT\CV\WOW\boot link
- - - - - - - - + (K) HKLM\SW\MS\Windows NT\CV\Shell Extensions\Approved link
- - - - - - - - + (K) HKEY_CLASSES_ROOT\Protocols\Filter link
- - - - - - - - + (K) HKLM\SW\Classes\Protocols\Filter link
- - - - - - - - + (K) HK**\SW\classes\mailto\shell\open\command link
- - - - - - - - + (v) HKCU\SW\MS\Command Processor\AutoRun link
- - - - - - - - + (K) HK**\SW\MS\ole link
- - - - - - + - - (v) HKCR\ftp\shell\open\command\(Default)
- - - - - - + - - (v) HKCU\ftp\shell\open\command\(Default)
- - - - - - - - + (K) HKLM\System\CCS\Control\MPRServices link
1 2 3 4 5 6 7 8 9
S R R R T S G W M
M P D R T S A P J

Security settings
1 2 3 4 5 6 7 8 9
S R R R T S G W M
M P D R T S A P J
- - - - - - - - + (K) HKLM\SW\MS\Windows\CV\Explorer\Advanced link
- - - - - - - - - (K) HKLM\SW\MS\Windows\CV\WindowsUpdate link
- - - - - - - - + (K) HK**\SW\MS\Windows\CV\policies\Explorer link
- - - - - - + - - (K) HKLM\SW\MS\Windows\CV\policies\Explorer\RestrictRun link
- - - - - - - - + (K) HK**\SW\MS\Windows\CV\policies\System link
- - - - - - - - + (K) HK**\SW\MS\Windows\CV\policies\Network link
- - - - - - - - - (K) HKLM\SW\MS\Security Center link
- - - - - - - - - (K) HKLM\SW\Policies\Microsoft\Windows\WindowsUpdate link
- - - - - - + - + (v) HKLM\SW\MS\Windows NT\CV\Winlogon\DefaultPassword

Internet Explorer hijacks and parasites
1 2 3 4 5 6 7 8 9
S R R R T S G W M
M P D R T S A P J
- - + + + - + - + (K) HKCU\SW\MS\Windows\CV\Explorer\Browser Helper Objects link
- - - - - - L - + (K) HK**\SW\MS\Internet Explorer\Toolbar link
- - - - U - U - + (K) HK**\SW\MS\Internet Explorer\Toolbar\WebBrowser link
- - - - - - U - + (K) HK**\SW\MS\Internet Explorer\Toolbar\ShellBrowser
- - - - U - + - + (K) HK**\SW\MS\Internet Explorer\Explorer Bars\ link
- - - - U - - - + (K) HK**\SW\MS\Internet Explorer\MenuExt\ link
- - - - U - + - + (v) HK**\SW\MS\Internet Explorer\Main\Local Page link
- - - - U - + - + (v) HK**\SW\MS\Internet Explorer\Main\Search Page link
- - - - U - + - + (v) HK**\SW\MS\Internet Explorer\Main\Search Bar link
- - - - U - + - + (v) HK**\SW\MS\Internet Explorer\Main\Start Page link
- - - - U - L - + (K) HK**\SW\MS\Internet Explorer\Search\ link
- - - - U - - - + (K) HK**\SW\MS\Internet Explorer\SearchUrl\ link
- - - - - - - - + (K) HK**\SW\MS\Internet Explorer\Styles link
- - - - - - L - + (K) HKLM\SW\MS\Internet Explorer\AboutURLs link
- - - - - - + - + (K) HK**\SW\MS\Internet Explorer\extensions
- - - - - - - - + (K) HKCU\SW\MS\Internet Explorer\extensions\cmdmapping link
- - - - - - + - - (K) HKCU\SW\MS\Internet Explorer\URLSearchHooks link
- - - - - - - - - (K) HK**\SW\MS\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN link
- - - - - - + - + (K) HKLM\SW\MS\Windows\CV\Internet Settings\SafeSites link
- - - - - - + - - (M) HKCU\SW\MS\Windows\CV\Internet Settings\Zones\***\CurrentLevel
- - - - - - + - - (K) HKCU\SW\MS\Windows\CV\Internet Settings\ZoneMap\Domains
- - - - - - - - + (K) HKU\.default\SW\MS\Internet Explorer\extensions\cmdmapping
- - - - - - + - + (K) HKLM\SW\MS\Windows\CV\URL\DefaultPrefix link
- - - - - - + - + (K) HKLM\SW\MS\Windows\CV\URL\Prefixes link


Keys of questionable relevance:
1 2 3 4 5 6 7 8 9
S R R R T S G W M
M P D R T S A P J
- + - - - - + + + (K) HKCU\SW\MS\Windows\CV\RunOnceEx
- - - - - - - - + (K) HKCU\SW\Policies\Microsoft\Windows\safer\codeidentifiers
- - - - - - - - + (K) HK**\SW\MS\Windows NT\CV\IniFileMapping
- - - - ? - - - + (K) HK**\SW\MS\Internet Explorer\
- - - - ? - - - + (K) HK**\SW\MS\Internet Explorer\Main\
- - - - - - - - + (K) HKLM\System\CCS\Services\WinSock2\Parameters
- - - - - - - - + (K) HKCU\SW\MS\Windows\CV\Explorer\fileexts
- - - - - - - - + (K) HKU\***\SW\MS\Windows\CV\Explorer\fileexts\***\OpenWithList
- - - - - - - - + (M) HKU\***\SW\MS\Windows\CV\Explorer\fileexts\***\Application
- - - - - - - - + (K) HKU\***\SW\MS\Windows\CV\Run(Once)
- - - - - - - - + (K) HKU\***\SW\MS\Windows\CV\RunServices(Once)
- - - - - - - - + (K) HKCR\Protocols\Filter\Class Install Handler


Some features:
1 2 3 4 5 6 7 8 9
S R R R T S G W M
M P D R T S A P J
- - + + - + - - + ¦ *** Monitors any user configured reg. keys ***
- - - - - - - - + ¦ Monitors user configured keys based on wildcards
- - + + - + - + + ¦ Monitors any user configured file associations
+ + - - + + - - + ¦ Is free
- - + - - + - - + ¦ Displays complete list of monitored keys
- - - + - - - + + ¦ Displays the content of autostart entries
+ + - + + + + + + ¦ Works by polling the registry content every x seconds
- - + - - - - - - ¦ Works by intercepting registry change attempts
- - ? + + + - - + ¦ Also monitors deletions from registry
- - - - - + + - + ¦ Auto-undos the change before displaying popup dialog
- - + - - + ? - - ¦ Is also a kind of sandbox
+ + ? + + - + + + ¦ Monitors some files for changes
- - ? ? - + - - - ¦ Survives certain termination attempts


Most of these are auto-start locations. The others are some keys you do not want to be changed by malware.

If you find errors or have some app or key to add (such as Ad-Watch) please post.
Please avoid holy wars in this thread, I would like it to remain focused.

You may also be interested in listing the autostarting applications on-demand. For this I suggest the free Sysinternals Autoruns. Warning: this is not a registry monitor.

See also these places for more regkey lists, and explanations:
http://forums.subratam.org/index.php?showtopic=1063
http://www.diamondcs.com.au/index.php?page=autostarts
http://www.giantcompany.com/antispyware/research/doc_howto_spywaremanifests.aspx
http://research.pestpatrol.com/Whitepapers/AutoStartingPests.asp
http://www.cpcug.org/user/clemenzi/technical/Parasites/BrowserHijackers.html
The NT booting process

Note that this post #1 keeps growing with new keys, and information added from time to time.
-hojtsy-

 

Hi,

I think that RegRun Gold should be added
A very good program !
See the nice review by Root:
https://www.wilderssecurity.com/regrungold.html

The site is:
http://www.greatis.com/regrun3.htm


Edited :
RegRun is not free.

 

FanJ,
I added Regrun, but the list entries are just assumptions. Could you please check that it is correct. I suggest to post the list of monitored keys when suggesting apps.
-hojtsy-

 

Here are also good discussions about registry monitor.
http://www.dslreports.com/forum/remark,6686853~root=security,1~mode=flat
http://www.dslreports.com/forum/remark,6721512~root=security,1~mode=flat

Personally, I like SSM(System Safety Monitor) as a registry monitor program, because SSM can monitor many registry entries normally, and it can also add your optional registry entries.

Best Regards

 

First of all:
I do applaud Hojtsy for trying to get such a list !!!

Also thanks to Sumire for those links !
At the moment I haven't read them all, but I was very pleased at a first look to see NISFileCheck mentioned.
It ain't no secret that I'm a BIG fan of NISFileCheck.

Maybe it is a good idea to point to the difference of:
- file-integrity-checkers, like NISFileCheck, FileChecker from Javacool, etc.;
- registry-integrity-checkers like RegRun.

With respect to auto-start places on your system, some of those utilities have some "overlap", but it can't hurt to have more than one program to watch them.

 

Wow Sumire, there are mighty lots of infos in those threads.

I updated the table with explicit locations and more keys. Unfortunately there are lots of assumtions in the table. I don't have time to test all this out: please help!

-hojtsy-

 

Hi HoJtsy, You have picked a difficult task. Well done! Though I do not think that Process Guard should be classed as a registry checker as it only checks the on e entry you have shown.

Of the commercial programmes, AdWatch from Lavasoft also monitors Reg run changes as does TDS3.

 

TDS does not actively monitor, so it does not classify here. I would love to include AdWatch, if somebody could please list the keys it watches.
-hojtsy-

 

By using Sysinternals Registry monitoring utility(Regmon)....I monitored TeaTimer.exe thru a few cycles and compiled it into the below results. This is by no means official and is solely based on an observation by an interested user of Spybot.

Code:

[u]HKCU\Test-Dummy\Test-Resident\[/u]....Cycle starts	

HKCR\batfile\shell\open\command			
HKCR\comfile\shell\open\command			
HKCR\exefile\shell\open\command			
HKCR\piffile\shell\open\command			
HKCR\scrfile\shell\open\command			
HKCR\regfile\shell\open\command

HKCU\batfile\shell\open\command			
HKCU\comfile\shell\open\command			
HKCU\exefile\shell\open\command			
HKCU\piffile\shell\open\command			
HKCU\scrfile\shell\open\command			
HKCU\regfile\shell\open\command	

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\		
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce		
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\		
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\		
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser		
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\		
HKCU\Software\Microsoft\Internet Explorer\MenuExt\		
HKCU\Software\Microsoft\Internet Explorer\		
HKCU\Software\Microsoft\Internet Explorer\Main\		
HKCU\Software\Microsoft\Internet Explorer\Search\		
HKCU\Software\Microsoft\Internet Explorer\SearchUrl\

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\		
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\		
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\		
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\		
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\		
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
HKLM\SOFTWARE\Microsoft\Internet Explorer\MenuExt\
HKLM\Software\Microsoft\Internet Explorer\		
HKLM\Software\Microsoft\Internet Explorer\Main\		
HKLM\Software\Microsoft\Internet Explorer\Search\		
HKLM\Software\Microsoft\Internet Explorer\SearchUrl\

[u]HKCU\Test-Dummy\Test-Resident\[/u]....Cycle starts again		

 

Hi,hojtsy

I also respect your efforts.
With SSM's normal setting, it seems that SSM can monitor the following entries.

SSM
+ HKLM\SW\MS\Windows\CurrentVersion\Run
- HKLM\SW\MS\Windows\CurrentVersion\RunEx
+ HKLM\SW\MS\Windows\CurrentVersion\RunOnce
- HKLM\SW\MS\Windows\CurrentVersion\RunOnce\Setup
+ HKLM\SW\MS\Windows\CurrentVersion\RunOnceEx
+ HKLM\SW\MS\Windows\CurrentVersion\RunServices
+ HKLM\SW\MS\Windows\CurrentVersion\RunServicesOnce
+ HKCU\SW\MS\Windows\CurrentVersion\Run
+ HKCU\SW\MS\Windows\CurrentVersion\RunOnce
- HKCU\SW\MS\Windows\CurrentVersion\RunOnceEx
+ HKLM\SW\MS\Windows NT\CurrentVersion\Winlogon\Shell
- HKCU\SW\MS\Windows\CurrentVersion\Explorer\Shell Folders
+ HKCU\SW\MS\Windows\CurrentVersion\Explorer\User Shell Folders
- HKCU\SW\MS\Internet Explorer\Main\...
- HKLM\SW\MS\Active Setup\Installed Components\KeyName
- HKU\...\SW\MS\Windows\CurrentVersion\Run...
+ HKLM\Software\CLASSES\exefile\shell\open\command
- ...\SW\MS\Windows NT\CurrentVersion\Winlogon\UserInit
+ HKLM\SW\MS\Windows NT\CurrentVersion\Windows\APPINIT_DLLs
- ...\SW\MS\Windows\CurrentVersion\policies\Explorer\Run
- HKLM\SW\MS\Windows\CurrentVersion\ShellServiceObjectDelayLoad
- HKLM\SW\MS\Windows NT\CurrentVersion\IniFileMapping
- HKLM\System\CCS\Control\Session Manager\BootExecute
- HKLM\System\CCS\Control\Session Manager\FileRenameOperations
- SharedTaskScheduler
+ Common_Startup_Folder
+ User___Startup_Folder
- Other_User_Startup_Folder
- screensaver
- NT_logon_script
+ NT_wininit_ini
- User_stylesheet
- User configured reg. keys


In addition to this, I added the following registry entries to the SSM's monitor.

HKCR\exefile\shell\open\command\
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components

I think preventing ITW threat is the most important thing so I added the above entries. Please look at the below screen shot. It is the screen shot of the backdoor MiniMo's auto-start editor.

And backdoor Beast and Subseven use ActiveX startup as a start up method, so I added ActiveX startup.
http://www.nsclean.com/psc-bst.html

Any suggetions and recommendations are really appreciate.

Best Regards.

 

This is a very good thread! Thanks everybody.

 

Sumire and Bubba: thanks very much. I updated the table.
Bubba could you be so kind to do the same registry monitoring to the DiamondCS RegProt with the regmon. I am unable to get any official info about it, so the table contains only assumptions: some confirmation would be fine.
In the meantime I will start a thread discussing specific keys and apps.
-hojtsy-

 

Sumire, can SSM's monitor be used with out SSM to watch the registry? You see I have Process Guard and don't feel the need for the execution protection as that is built into PG. Thank you.

 

SSM can be used without it's additional registry monitoring capabilities. As a matter of fact that's the way i use it and have been for quite some time now and i think it's great.

 

Lonewolf I think I confused you on SSM. I would like to have the the reg. protection without the Execution Protection.

 

Hi,WilliamP

At first, I haven't used Process Guard ,so I can't say anything about Process Guarud.

As for the SSM, SSM can turn the Execution Protection off, so you can use only SSM's registry protection.

Best Regards.

 

Hi,hojtsy

I was using RP(Registry Prot) on my old Win98box, if my memory is correct, I think RP can't monitor (Common_Startup_Folder) and (User___Startup_Folder).

May I ask you a question? What is "screensaver" start-up method on your table? Would you please let me know more details?

I've found this vulnerability, so I tested this vulnerability on my WinXp box, but this vulnerability doesn't work correctly on my WinXp box, so microsoft already fixed this vulnerability. Is this the "screensaver" start-up method?

I've found another ITW start-up method which SSM can't monitor perfectly. The below screen shot is the backdoor CIA's start-up editor.

Windows NT Run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load

Explorer Run(edit.SSM can monitor this entry)
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\

I think there are many start-up methods which I don't know of.

Best Regards

 

Hi Sumire,
The danger of any screensaver is that it is started withouth user intervention.
One of them is the logon screensaver in: HKU\.DEFAULT\Control Panel\Desktop\scrnsave.exe
Other one is user specific screensaver in HKCU\Control Panel\Desktop\scrnsave.exe
Any changes to these entries should be confirmed by the user. The vulnerabilty you mentioned instructs to replace the file logon.scr. But did you also tried changing the registry to point to your app instead? It will work of course.

I will also add the keys you mentioned.
See also https://www.wilderssecurity.com/showthread.php?t=33418
-hojtsy-

 

I added some more startup entries. I am still unable to find an app which monitors more than half of these startup entries by default, so the clear winners are the apps which enable the user to add custom registry keys to monitor.
-hojtsy-

 

Hojtsy - Fantastic thread. Can you note which apps allow the user to add custom registry entries?

 

That is the last line in the table. Of these apps only RegRun and SSM is customizable.
-hojtsy-

 

Now this is a good thread!

 

Thanks. I see it now.

 

An interesting discussion this! I would suggest adding HKLM\SYSTEM\CurrentControlSet\Services - this is monitored by SSM even though it is not listed in the Plugins/Registry/Configuration key list (anyone know why?). This contains the startup details of all Services and would be a target for rootkits and other kernel-mode trojans.

Also should it be worth including the monitoring of files that allow startup programs? (e.g. system.ini, win.ini)

Edit: Answered my own question SSM monitors this under Plugins/Services which is a separate plugin. Still worth noting IMHO.

 

I understand that SSM allows the addition of additonal registry keys for monitoring. Please escuse my lack of knowledge here, but why would the developer not include many more (if not all) registry keys by default? Is there a downside to adding additional keys?