MJ Registry Watcher

Discussion in 'other anti-malware software' started by Graphic Equaliser, Nov 13, 2004.

Thread Status:
Not open for further replies.
  1. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Umm -- or maybe some fish & chips. I'm not sure, but I don't think they celebrate Thanksgiving in the UK. :cool:

    In any event, Graphic -- rest a while. MJRW is absolutely splendid, superb, magnificent!!!
     
  2. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Thanks for your support everyone.
     
  3. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    I have a question. How much do you have to deal with, while executing programs or downloading programs. I don't want popups jumping at me all the time.
     
  4. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Hello again, WilliamP. :) It's been a while since we last talked.

    I run quite a lot of activity on my PC, and don't see that many warnings. I assume because most programs don't change registry keys as they run. The only time I really see MJRW say anything is when I install a new program or upgrade another. The exception to that is WindowsWasher - when it cleans the system it deletes a couple of registry values (most recent docs, etc). It's a great program. Give it a try!
     
  5. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    You can add any keys or values that keep popping up, and which are not important to you, into an exemption list, from the alert pop-up itself, so it is easy to select these and stop them from popping up again.

    A new default set of keys (dated 24/11/2004 11:51:08 pm) is available at http://www.jacobsm.com/MJRegWatchKeys.txt . It contains a very important omission (Winlogon itself!) and some new keys to cover Win9x platforms and every stage of boot-up on a Windows PC. Basically, every startup location in Windows is covered by this set.

    Daisey, I just checked the code, and it definitely should stop the notification about a *VALUE* being deleted. However, subkeys that are added or deleted, are always reported. I could change this (aaaaaaaaaaaaarrrrrggghhhhh!) so that exemptions can include subkeys, although this may not be such a good idea. You see, it's OK to exempt particular values, but I think subkeys are more tricky, in that they can contain other subkeys and values that may themselves contain nasties. I therefore suggest that you switch MJRW to Auto-Accept mode when you run Windows Washer, and switch it back again afterwards. If WW is not started manually (it is scheduled, for example), then let me know, and I'll try to think of something.

    Best regards,
     
  6. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    Watching and waiting...
    Watching and waiting...
    Watching and waiting...

    Lovely

    Thank you GE
    Love the website
     
  7. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    I appreciate the offer, GE. :) But it's not really that worth the trouble. I only run it once or twice a week. And it's just as easy to press the ALLOW button when the MJRW warning window appears. Thanks anyway! :D
     
  8. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    The key set for MJ Registry Watcher keeps changing, and I have just put up a new set on my site. Some of the keys that are commented out, are there because it would be nice to protect them, but resource usage may be an issue. I have to err in favour of low PC specs. However, I have tested this current set full throttle (all comments off), and my 1.4GHz Athlon pulls 25% resource usage every 5 seconds. Absolutely no problem at all if you're browsing the net or word processing, but intolerable if you are playing an intense game of Quake 3 Arena! It looked like this :-

    Loaded 1,794 Values (72K) and 959 Subkeys (13K) and 19 File Stats

    Values are the most costly item to monitor because they have to be fetched individually from the key, whereas the names of all the subkeys can be got in one hit. With the comments back in, the number of values goes down, and it looks like this :-

    Loaded 572 Values (29K) and 959 Subkeys (13K) and 19 File Stats

    with utilisation back down to 5% every 5 seconds.

    Hence, my mind is turning to a couple of new features I would really like :-

    1) A radiogroup with different levels of security, so you can switch more easily to different configurations, like intense set (all uncommented), or light set (the current default set) etcetera.

    2) A search facility so that you can type in a key phrase and it will hunt in both top and middle windows for that text, with a search again facility too.

    P.S. Little known fact about MJRW - you can supply a command line argument specifying a different file with the keys to load at startup.
     
  9. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    I have just released version 1.2.2.2 of MJ Registry Watcher at http://www.jacobsm.com/index.htm#sft

    It has the above features implemented in an Options menu, which you can see a picture of, on my website.

    This version allows easy switching to and from different key list configurations, and allows searching for strings in either the top or middle windows.

    Enjoy. :-*
     
  10. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Thanks, Graphic! :)

    I was about to ask you which keys in your list I should exclude from checking, because MJRW is pulling between 11% and 14% every 5 seconds. I guess now I should switch to "Medium" to decrease keys monitored.

    Edit: Graphic - I guess my machine is just outdated - I'm still showing 14% utilization every 5 seconds with the default settings, which I see IS the minimum. :rolleyes: Well, I don't want to go without the minimum protection, so I guess I'll have to live with 14%.
     
    Last edited: Nov 28, 2004
  11. frollo39

    frollo39 Guest

    Just downloaded it, still version 1.2.2.1 (in the zip); still 1.2.2.1 for the picture.
    I refreshed the page twice :) to be sure.
     
  12. frollo39

    frollo39 Guest

    Sorry, now it's OK
    Thanks a lot for this "masterpiece" ! :)
     
  13. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Out of interest, what CPU does your PC have? And how many users are registered under HKEY_USERS in the registry on it?

    Also, you can also slim down the default set to a slim custom set by commenting out the following keys :-

    hkey_current_user\software\microsoft\windows\currentversion\explorer\fileexts\o_O\application

    hkey_lmcu\software\microsoft\windows nt\currentversion\winlogon\o_O\o_O\dllname

    hkey_local_machine\software\microsoft\active setup\installed components\o_O\stubpath

    hkey_users\o_O\software\microsoft\windows\currentversion\explorer\fileexts\o_O\application

    HTH,
     
  14. frollo39

    frollo39 Guest

    I was wrong again
    On the site : 1.2.2.2 (and picture is 1.2.2.2)
    In the zip : RegWatcher.exe date: 22-11-04 23.49 still 1.2.2.1
     
  15. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Regarding CPU, see PIC. Under HKEY_USERS there are 8 subfolders, including DEFAULT. All other folders start with S-1-5-....
     
    Attached file: PC.gif
  16. frollo39

    frollo39 Guest

    Now it's OK !
    That's lightning fast reaction :)
    It's like chatting....
    Thanks again
     
  17. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Thanks, Graphic. That took it down to 12%. 514 values from 692 before.
     
  18. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Hi Graphic,

    The values under hkey_current_user\software\microsoft\windows\currentversion\explorer\fileexts\? ? ?\application
    are double covered by
    hkey_users\? ? ?\software\microsoft\windows\currentversion\explorer\fileexts\? ? ?\application
    I suggest to comment out the second one from the Default config, and the first one from the High security config.

    The values under
    hkcu\software\microsoft\windows\currentversion\run
    are double covered by
    hkey_lmcu\software\microsoft\windows\currentversion\run
    and
    hkey_users\? ? ?\software\microsoft\windows\currentversion\run
    I again suggest to comment out the second one from the default, and replace the first one with hkcu\... in the high security lists. It is best to avoid double coverage. I further suggest to comment out every entry from my "Entries of questionable relevance" in the default protection list.
    Would it be possible to put a Regedit button onto the exemptions list dialog, which I can use to jump to the exempted reg entry? Also it would be better to replace the exception list shortcut from the "right click on Log" to an entry in the options pulldown menu. Would be less cryptic for beginners.
    The new key creation popup still lacks a regedit button, which you told to be planned. Would it be possible to put it there?

    May I ask you to list any new keys not coming from my list, when you put them into RegWatcher? It becomes too long to compare the two lists.
    -hojtsy-

    Edit: two more ideas for performance improvement:
    1) would it be possible to keep all keys open, and only query the values repeatedly?
    2) I strongly believe that performance can be improved by replacing the full registry tree traversal for each entry by partial traversals. Example:
    You can get a handle to "hkcu\software\microsoft\windows\currentversion" with one RegOpenKeyEx, and then further use this handle to dive into subkeys of this key, by further calls to RegOpenKeyEx, passing the first handle. It should be faster than starting from hkcu all the time. Of course this would need a tricky algorithm which can find the common roots in the key list. This tricky algorithm would run only once per startup. Hmm, quite interesting problem: I may try to construct the algorithm myself.
     
    Last edited: Nov 29, 2004
  19. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    There is a new version 1.2.2.3 up on the site now - here are the changes :-

    Changes 1.2.2.2 to 1.2.2.3
    1) When the key set is changed, any subsequent changes are saved to the new key set, rather than
    always saving it to the Custom Set.
    2) Better Options menu positioning.
    3) Keys now protect from Trojan.Riler and such-like attacks on the Winsock2 binary data values.
    4) Maximum individual value data length increased from 25K to 65K (arpcache was too big on some PCs!).
    5) Introduced a light security key set, for less powerful PCs to run without using up too many resources.
    6) Moved Exempt Values editor from right-click on Log button to Options menu.
    7) Command Line Parameters - Instead of the key list filename (which no longer works now), MJRW takes
    an extension to the MJRegWatchKeys file name (defaulting to "txt" if not specified). This can be :-
    a) txt custom list of keys
    b) 1 highest security set
    c) 2 high security set
    d) 3 medium security set
    e) 4 light security set
    f) def default security set

    Hojtsy :-

    hkey_current_user\software\microsoft\windows\currentversion\explorer\fileexts\? ? ?\application is not duplicated - it does exist along with the corresponding hkey_users key. When a new user logs on, all the relevant keys from hkey_users are copied into hkey_current_user. So, you have to monitor both if you want to avoid problems in either. Also, the new light security set does not include either of these keys.

    hkcu\software\microsoft\windows\currentversion\run is not in any of the current key set files.

    Also, I am not happy about exposing a Regedit button, when the loop is halfway through checking the list, since the changes done during regedit could cause more alerts, which would cause more regedits, etcetera. Of course, it is up to the user whether they are going to **** it up, but MJRW already highlights the key causing the last alert, so how much effort is it to Accept/Decline/OK the alert, and then click the proper Regedit button?
     
  20. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    OK, I will try to be clearer.
    To my best knowledge, HKCU is just a shortcut, (alias, symlink, or whatever you want to call it) into one of the subtrees of HKU. Any changes in the HKU/userId is immediately visible in HKCU and vice versa. They are just two names for the same location. So covering both HKU/? ? ? and HKCU for the same subkey is redundant. Go on and change a monitored value in hkey_current_user\software\microsoft\windows\currentversion\explorer\fileexts\? ? ?\application, and you will see two alerts indicating duplicated, redundant coverage.
    Yes. This string does not appear in the files. But the key is covered by hkey_lmcu\software\microsoft\windows\currentversion\run PLUS it is covered by
    hku\? ? ?\software\microsoft\windows\currentversion\run. Go and change a value in hkcu\software\microsoft\windows\currentversion\run, and you will get two (2) alerts, one for the hkey_lmcu entry, the other one for the hku\? ? ? entry. It already happened for me. This is confusing and not desirable.

    thanks,
    -hojtsy-
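To make the double-coverage point concrete, here is an added Python example (not MJRW's code; the key-list notation is my own, with "*" as a one-level wildcard standing for the per-user SID placeholder) that resolves HKCU entries onto their HKU\<sid> form and reports every location that two list entries monitor. The assumption that an "hkey_lmcu" prefix means the same subkey under both HKLM and HKCU is taken from this thread.

```python
from collections import defaultdict

# Constructed sample key list (my own notation, not the MJRegWatchKeys file
# format): one monitored path per line, "#" starts a comment, "*" is a
# one-level wildcard used where a user SID would appear under HKEY_USERS.
SAMPLE_KEY_LIST = """
# startup locations
hkey_lmcu\\software\\microsoft\\windows\\currentversion\\run
hkey_users\\*\\software\\microsoft\\windows\\currentversion\\run
hkey_current_user\\software\\microsoft\\windows\\currentversion\\explorer\\fileexts\\*\\application
hkey_users\\*\\software\\microsoft\\windows\\currentversion\\explorer\\fileexts\\*\\application
hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\winlogon
"""

HIVE_ALIASES = {
    "hkcu": "hkey_current_user",
    "hklm": "hkey_local_machine",
    "hku": "hkey_users",
}


def expand_hives(entry):
    """Return the real hive-rooted paths one list entry stands for.

    Assumption (from the thread): an 'hkey_lmcu' prefix means the same
    subkey under both HKLM and HKCU.  Short hive names are spelled out.
    """
    hive, _, rest = entry.lower().partition("\\")
    if hive == "hkey_lmcu":
        return ["hkey_local_machine\\" + rest, "hkey_current_user\\" + rest]
    return [HIVE_ALIASES.get(hive, hive) + "\\" + rest]


def canonical(path, sid="*"):
    """Map an HKCU path onto HKU\\<sid> form.

    HKCU is only a link to the logged-on user's subtree of HKU, so both
    spellings name one location; pass the real SID when it is known.
    """
    hive, _, rest = path.partition("\\")
    if hive == "hkey_current_user":
        return "hkey_users\\" + sid + "\\" + rest
    return path


def find_double_coverage(text, sid="*"):
    """Return {canonical_path: [entries]} for every location that more than
    one list entry resolves to; an empty dict means no redundant coverage."""
    covered = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for real in expand_hives(line):
            covered[canonical(real, sid)].append(line)
    return {k: v for k, v in covered.items() if len(v) > 1}
```

Each reported location is one that would raise two alerts for a single change, which is exactly the symptom described above; dropping one of the listed entries removes the duplicate.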
     
  21. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Hojtsy, I'm with you. I see what you mean. Feel free to change entries in all 6 key lists, so that this duplication is side-stepped. And it happened to me today, and I could not believe how the setting seemed to hit both registry branches simultaneously.

    I was under the impression that a sensible design would have been to copy the relevant HKEY_USERS branch to the HKEY_CURRENT_USER branch at logon, and store the changes at logoff/reboot/power off. This is obviously not the case. I will post up revised key lists later on this evening.

    Surely, this means that the HKEY_CURRENT_USER keys are just not worth monitoring at all, if they have counterparts in the HKEY_USERS branch. What are the duplicates I should clear from all lists? Which ones do I have to be careful of? What's your advice for some quick tweaks to these 6 files? TIA,
     
  22. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    1) It would be "unfriendly" to other apps to keep all keys open. What if a valid write needed to occur? I have also looked at "hooking" the registry key change notification, but Windows can only handle one of these at a time, so no go.

    2) RegOpenKeyEx has to specify the exact branch within the base key you want to open. There is then a RegistryGetValues to list the names of all the values for that key. To get any value, you have to query that value name, and that takes a fraction of a second on the open key. There is also RegistryGetSubkeys (names changed to protect the innocent!) to get the names of all the subkeys. I am pretty sure now that I am using the fastest, accurate, possible method on any Windows system. It is blazingly fast on most PCs, and we can work on the light set to see what balance we can achieve in terms of coverage.

    I have also noticed that MJRW detects changes in the type of any value.
     
  23. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Thanks for thinking of me, Graphic. :D
     
  24. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Daisey, I've done better than that. I hope you don't mind, but I researched the performance and utilisation problems, and have come up with version (yes, you guessed!) 1.2.2.4 at http://www.jacobsm.com/index.htm#sft

    It is head and shoulders above anything before it, because even you could probably run the highest security set, with little or no impact on your resources.

    Anyway, here are the most recent changes from the help file :-

    Changes 1.2.2.2 to 1.2.2.3
    1) When the key set is changed, any subsequent changes are saved to the new key set, rather than
    always saving it to the Custom Set.
    2) Better Options menu positioning.
    3) Keys now protect from Trojan.Riler and such-like attacks on the Winsock2 binary data values.
    4) Maximum individual value data length increased from 25K to 65K (arpcache was too big on some PCs!).
    5) Introduced a light security key set, for less powerful PCs to run without using up too many resources.
    6) Moved Exempt Values editor from right-click on Log button to Options menu.
    7) Command Line Parameters - Instead of the key list filename (which no longer works now), MJRW takes
    an extension to the MJRegWatchKeys file name (defaulting to "txt" if not specified). This can be :-
    a) txt custom list of keys
    b) 1 highest security set
    c) 2 high security set
    d) 3 medium security set
    e) 4 light security set
    f) def default security set
    So, you could always start RegWatcher up in high security mode by using the command line :-
    c:\mjregwatcher\regwatcher.exe 2

    Changes 1.2.2.3 to 1.2.2.4
    1) Improved performance by only opening the keys once instead of twice per key, and by making
    the monitoring loop less severe on the CPU - you can now load the highest security key list and
    it only takes 3% every 5 seconds.
    2) Corrected the arpcache key in all lists to use windows and not windows nt (which doesn't exist).

    This is really uncanny - I am running the highest security set at the moment, and I have not noticed anything at all - the 5 second periodic utilisation blip is at 2%, occasionally breaking into 3% !!! :cool:
     
  25. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Wow! :eek: That's great, Graphic. I'll give it a try. Do you ever take a rest?? :D
     