Registry Monitor comparison

Discussion in 'other anti-malware software' started by hojtsy, May 19, 2004.

Thread Status:
Not open for further replies.
  1. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    Hojtsy, you need to get someone to try that program :D Is it really 59 dollars? Of course I don't mind paying for something, but. :doubt:
     
  2. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    I'm going to give it a try. Will let you know!
     
  3. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    You go for it D+C :D Let us know what happens.
     
  4. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    Hojtsy, I'm trying a program, Prevx. One of its features is monitoring the Registry Run keys, though I don't know which.
     
  5. Amerk_5

    Amerk_5 Registered Member

    Joined:
    May 22, 2003
    Posts:
    78
    Location:
    Dansville, NY
    I've just found another registry monitor program. It's called MJ Registry Watcher. It was created by a user of Startup Monitor who wanted a program just as simple but more configurable. Here's the thread at the MLin.net message board, Really simple configurable version of Startup Monitor

    By default it watches only the following keys. However, you can set it to watch whatever keys you want.

    hkey_local_machine\software\microsoft\windows\currentversion\run
    hkey_local_machine\software\microsoft\windows\currentversion\runonce
    hkey_local_machine\software\microsoft\windows\currentversion\runonceex
    hkey_current_user\software\microsoft\windows\currentversion\run
    hkey_current_user\software\microsoft\windows\currentversion\runonce
    hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon
     
  6. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    I am new here and I was just wondering. How does one add new Registry entries to System Safety Monitor?
     
  7. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Welcome to the forums Starrob,

    In Preferences/Plugins/Registry/Configuration, right-click on any entry in the main window and select "Add new item...". SSM's Help includes instructions on this and some details on the values you can set.
     
  8. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    This sounds promising. Reasonable size and "Rollback," plus custom keys. Mj's open for options on this, with some fine tuning he's on to a very useful program. (Good chuckle on "Scary Dude" post!)
     
  9. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    P.S.- "Very fine thread start hojtsy, appreciate your efforts, and member input." ;)
     
  10. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    It appears that more and more security apps these days are getting into the business of monitoring the registry. For example, Spybot S&D's "Teatimer" process apparently monitors a few registry keys. And Webroot's SpySweeper monitors changes made to keys where startup entries are placed.

    I was getting ready to try MJ Registry Watcher, but first have a couple of questions for those of you more familiar with this subject.
    1. Considering the abilities of S&D's Teatimer, and SpySweeper, do I really need more?
    2. If I do install MJ, should I disable Teatimer and SpySweeper's registry monitoring capabilities? Will all of these apps present a conflict?
    Thanks.
     
  11. Amerk_5

    Amerk_5 Registered Member

    Joined:
    May 22, 2003
    Posts:
    78
    Location:
    Dansville, NY
    I'd recommend only using one program at a time to monitor the registry to prevent a conflict. There's bound to be some overlap on the entries that are watched.

    I'm not sure which entries TeaTimer & SpySweeper monitor but if they monitor all the same entries as MJ Registry Watcher you don't need another program unless you want to use just MJ RW instead.

    One of the main things about MJ RW that I like compared to the other programs is that you can have it watch Any key you want.
     
  12. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Great thread Hojtsy!

    Perhaps it could be improved by adding resource usage of the running apps.
    For example, Spybot Search and Destroy 1.3 Teatimer (on XP Pro): ~ 6K
    The number seems to change a little over time.
    If any of you are interested, post the memory usage for registry monitor resident processes and maybe hojtsy will add it in post 1 in a row, a paragraph, or in parenthesis next to the description:
    TT: Spybot Search and Destroy Teatimer (free) (~6K) .

    Also that paragraph that you had in another thread where you explain the difference between poller, listener, and proxy would be beneficial in post 1.
    You could also add a row to compare them like this:
    SM¦ RP¦ PG¦ RR¦ TT¦ SS¦ GR¦ WP¦
    _P ¦ P ¦ PR ¦ P ¦ P_ ¦ P ¦ P _¦ P _ ¦ Monitor Type: P=Poller, L=Listener, PR=Proxy
    Note the above are unknown, just an example way to put it. (underscores are just to help me place them)
    This would cover the current pollers and future proxies.

    Please add the MJ RW, it looks promising.
    If you keep adding programs, you may need to change the format to accommodate the long registry key lengths. (no idea on how to)
     
  13. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Ditto. Lots of good info. :)
     
  14. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    @Amerk 5, this app. is currently new and probably being updated as time permits for Mj, correct? It's good you have a stable app. to include in Hojtsy's comparison tests, the more the better. Again, all this input is going to keep you busy Hojtsy, I'm sure all involved acknowledge your time and effort. ;)
     
  15. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    The list of keys monitored by Teatimer is, well, quite limited. I don't know about SpySweeper, and would gladly welcome the list of monitored keys. If they won't tell, then you can almost be sure that they miss some of the interesting keys. Every app misses some: just look at the list in post 1. But MJ is customizable and that is a completely different class! You can add any keys you want. (Hint: you want all the keys which I listed)

    I would not advise disabling TeaTimer. It has another very useful feature: checking for spyware in the memory. Unfortunately you cannot disable the reg monitoring feature separately.
    Depends on what you call a conflict. I am quite sure that you will not get crashes just because you have more than 1 registry monitor running. But if an important key changes, both apps will alarm, and it may be tricky to answer both dialogs in a way which results in the desired registry state. I suggest running both, and you can still disable one of them later, if problems occur.

    Just post them and I will include them.
    Regarding the reg monitor categories, your list is mostly correct. Process Guard is a Proxy, Greyware Registry Rearguard I don't know and all else is Poller. Once a real usable Proxy emerges I will put this important info into post 1, until then it is just complication. <Daydreaming>The silver bullet would be a Proxy with customizable list of monitored keys. Ahh. </Daydreaming>
    BTW I don't expect problems with more and more apps in the list. I will only include the most powerful ones - why would you waste your time with the rest.

    Thanks. :D MJ starts with a very limited list of keys, so it may not be worthwhile to include in the table, but I will soon modify post 1 to mention it in some other way.

    -hojtsy-
     
  16. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Hojtsy - Thanks for the info. I'm giving it a try. Regarding your list of registry keys:

    I do NOT have these registry keys (running XP Home):

    HKLM\SW\MS\Windows\CV\RunEx
    HKLM\SW\MS\Windows\CV\RunOnce\Setup
    HKCU\SW\MS\Windows\CV\Explorer\Browser Helper Objects (I do have HKLM\...)
    HKLM\System\CCS\Control\Session Manager\BootExecute
    HKLM\SW\Policies\Microsoft\Windows\System\Scripts\Shutdown
    HKLM\SW\Policies\Microsoft\Windows\System\Scripts\Startup
    HKLM\SW\Policies\Microsoft\Windows\System\Scripts\Logon
    HKLM\SW\Policies\Microsoft\Windows\System\Scripts\Logoff
    HKCU\SW\Policies\Microsoft\Windows\System\Scripts\Logon
    HKCU\SW\Policies\Microsoft\Windows\System\Scripts\Logoff

    HKU\*\Control Panel\Desktop\scrnsave.exe
    HKU\*\SW\MS\Windows NT\CV\Windows\Run
    HKU\*\SW\MS\Windows NT\CV\Windows\Load

    HK*\SW\MS\Windows NT\CV\Winlogon\UserInit
    HKLM\SW\MS\Windows NT\CV\Winlogon\Shell
    HKU\*\SW\MS\Windows NT\CV\Winlogon\Shell
    HKLM\SW\MS\Windows NT\CV\Winlogon\System

    HKLM\SW\MS\Windows NT\CV\Winlogon\WmApplet

    Am I to assume the keys you posted in post #1 are the only ones I need to monitor? Thanks again!
     
  17. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Hmmm, that would be something. Daydreaming?
     
  18. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Yes you need to monitor the keys present in post 1. Most of these keys listed by you are also absent for me on Win2000. Of these I only have:

    HKLM\SW\MS\Windows\CV\RunEx
    HKLM\SW\MS\Windows NT\CV\Winlogon\Shell
    HKLM\SW\MS\Windows NT\CV\Winlogon\System
    HKLM\SW\MS\Windows NT\CV\Winlogon\WmApplet

    I believe that lacking these keys is normal. But if they are created by any app they can as well be used to start-up nasty applications. So you need to monitor them too.
    -hojtsy-
     
  19. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Well, been using MJ RegistryWatcher for over a week now, with mixed results.

    The only real problem I am having is that it seems to close (stop working) for no reason. Must be a conflict with some other software I'm running. Unfortunately, I get no error message. I just notice the icon is missing from my system tray, and I am forced to restart. o_O

    On the positive side, when it's on the job, it works really well. :) But then, so is TeaTimer. Whenever MJRW alerts me to a change, TT is there as well raising a flag. In other words, MJRW has not alerted me to a change that TT has not caught, but it's early. And I have added all the keys suggested above (that I have).

    hkey_local_machine\software\microsoft\windows\currentversion\run
    hkey_local_machine\software\microsoft\windows\currentversion\runonce
    hkey_local_machine\software\microsoft\windows\currentversion\runonceex
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
    hkey_current_user\software\microsoft\windows\currentversion\run
    hkey_current_user\software\microsoft\windows\currentversion\runonce
    hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\FileRenameOperations
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
     
  20. BillPStudios

    BillPStudios Security Expert

    Joined:
    Sep 15, 2004
    Posts:
    23
    Location:
    Scotia, NY
    Hey Bill,

    I'd like to thank you for setting the record straight regarding WinPatrol and the registry keys that WinPatrol monitors. You are correct that Scotty will detect both changes and additions to the keys you list above.

    We haven't publicly published all the registry entries that are monitored. I'd rather keep this information from those people who want to circumvent our security. In return for some silence, I give up any claims to monitor more locations than anyone else.

    I can say that we monitor all the obvious locations listed above. We also monitor the Startup folders for shortcuts, which is pretty obvious too. Anyone who uses WinPatrol knows we check the locations where BHOs and IE Toolbars are stored. We monitor changes in the HOSTS file, Scheduled Tasks, Start Pages, Search pages and a few other locations which are quick indicators of an infiltration of some kind.


    The newly released WinPatrol 8.0 has added a few more locations and indeed we saw the need for monitoring of file type associations. In the case of file type associations we have a default list that we monitor but users can add more or remove any file extensions that Windows uses.

    I am very glad I found this thread because it has some great information that I haven't seen in other forums. The comments and questions I've read here will keep me thinking and will keep WinPatrol on target.

    Thanks to all and to theWolf for pointing me here.

    Bill Pytlovany
    BillP Studios
     
  21. MICRO

    MICRO Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    1,020
    Hey BillP,

    Very many thanks to you and your team for Win Patrol and Scotty,
    a superb program in the never ending war against right and wrong.

    Kind Regards.
     
  22. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    An interesting point of view indeed. How would a list of monitored entries compromise security? Malware cannot just create Registry entries on the fly to exploit, it has to target those keys used by Windows or other applications. The only way a registry monitor can be circumvented is to either disable it or misdirect it.

    In addition, if any vendor has found a hitherto unknown key that could be used to run programs on startup, wouldn't disclosure be the better option to allow everyone to protect themselves? (like anti-virus vendors share details on new viruses).
     
  23. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    exactly Paranoid, it would be a great way to win potential customers if they play open card with this. and winpatrol wins credibility doing this. it is a great freebie but I don't think this either.
     
  24. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Can you confirm that Scotty will detect and alarm for a removal of a startup entry from the registry?
    For all Pollers, any determined hacker can discover the monitored keys with the free Sysinternals Registry Monitor in a few minutes. This means that attempting to keep the monitored list secret only results in it being secret for the customers, not for the hackers! It depends on your market strategy whether keeping this secret from customers is beneficial or not.
    -hojtsy-
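The "Poller" class of monitor that the thread keeps referring to, written out as an added example (not MJ Registry Watcher's, WinPatrol's or any poster's code): it snapshots a subset of the keys listed in post 19 and reports additions, changes and removals, so a deleted startup entry raises an alert just as a new one does, which is the removal question asked above. Live reads assume Python 3 on Windows (winreg); the watched-key subset, the sample snapshots and the value names in them are constructed for illustration.

```python
# Poller-style registry monitor, added as an example for this thread (not MJ Registry Watcher's
# or WinPatrol's code): snapshots autorun keys and reports additions, changes AND removals.
import itertools, time
try:
    import winreg  # Windows only; live reads need it, the diff logic does not
except ImportError:
    winreg = None
# Subset of the keys listed in the thread; extend with any others you want watched.
WATCHED_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command",
]
def read_values(key_path):
    """Return {value_name: data} for one key; {} when the key is absent (that is normal)."""
    values = {}
    if winreg is None:  # off Windows there is nothing to read
        return values
    hive_name, _, subkey = key_path.partition("\\")
    try:
        with winreg.OpenKey(getattr(winreg, hive_name), subkey) as k:
            for i in itertools.count():  # EnumValue raises OSError past the last value
                name, data, _ = winreg.EnumValue(k, i)
                values[name] = data
    except OSError:  # also covers a key that does not exist
        pass
    return values
def snapshot():
    return {k: read_values(k) for k in WATCHED_KEYS}
def diff_snapshots(old, new):
    """List (key, value_name, kind, old_data, new_data); kind is added/changed/removed."""
    events = []
    for key in sorted(set(old) | set(new)):
        o, n = old.get(key, {}), new.get(key, {})
        for name in sorted(set(o) | set(n)):
            if name not in o:
                events.append((key, name, "added", None, n[name]))
            elif name not in n:
                events.append((key, name, "removed", o[name], None))
            elif o[name] != n[name]:
                events.append((key, name, "changed", o[name], n[name]))
    return events
def poll(interval=2.0):
    """Poll forever, printing one alert per add/change/remove (a 'poller' in the thread's terms)."""
    last = snapshot()
    while True:
        time.sleep(interval)
        current = snapshot()
        for key, name, kind, old, new in diff_snapshots(last, current):
            print(f"ALERT {kind}: {key}\\{name}: {old!r} -> {new!r}")
        last = current
# Constructed snapshots (not from a real machine) so the diff can be seen without Windows.
SAMPLE_BEFORE = {WATCHED_KEYS[0]: {"ctfmon": "ctfmon.exe", "Updater": r"C:\old\upd.exe"}}
SAMPLE_AFTER = {WATCHED_KEYS[0]: {"Updater": r"C:\new\upd.exe", "Extra": r"C:\tmp\x.exe"}}
```

Running `poll()` on a Windows host prints one line per difference between consecutive snapshots; `diff_snapshots(SAMPLE_BEFORE, SAMPLE_AFTER)` shows the three event kinds without touching a live registry.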
     
  25. hacker7

    hacker7 Guest

    Just curious Hojtsy if Reg Mon can be used to find out the monitored keys, and it's so easy, why aren't you using it to accurately determine which reg keys are monitored by which products? You could then accurately list which keys are monitored by all the products on your list and wouldn't need to ask BillP to confirm anything. Also you could list what other programs like Adwatch monitor that aren't yet on the list.
     