MJ Registry Watcher

Discussion in 'other anti-malware software' started by Graphic Equaliser, Nov 13, 2004.

Thread Status:
Not open for further replies.
  1. Alan Baxter

    Alan Baxter Registered Member

    Joined:
    Mar 14, 2007
    Posts:
    35
    Thanks.

    This is even better than installing a separate program. As far as I can tell, it doesn't conflict with any of my application hotkeys.
     
  2. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    You are right about the sound files not working as documented ("out of the box", orgalert.wav should be the same as mjrwalert.wav but it isn't). Re-extracting the wav from the zip file is the only way to get it back. I will correct this in the next release (1.2.6.5 out in a few days time). However, it is worth downloading the extra sounds zip file (720K). From the MJRW help file under the section OTHER OPTIONS :-

    You can change the alert audio settings. You can switch off the alert sound, or set it to any .WAV file you like. When you select a new .WAV file for the alerts, the file you picked is copied over the file mjrwalert.wav in the installation directory. To restore the original alert sound, use Explorer (or whatever) to copy the file orgalert.wav over the file mjrwalert.wav in the installation directory. I have provided a free alert sound add-on pack with 33 different alert sounds to choose from. It is available at http://www.jacobsm.com/rgwsndz.zip (720K).

    To get other alert sounds, use the zip file at the link cited. You will find klaxon.wav in that zip is the same as mjrwalert.wav. I may bundle the extra WAVs into the MJRW distribution zip and just have a larger 1.3MB download for the next release. Any objections?

    I Googled for the key combo Ctrl+Alt+F6 and it only came up with Linux distros and the occasional esoteric app nobody has ever heard of! I'll stick with that if nobody here shouts out.
     
  3. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    It all "sounds" fine to me! :D
     
  4. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
  5. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    561
    OK Graphic, in that case...
    How about having the config file MJRegwatcher.cfg display names and values
    (instead of just numbers), so it can also be hand-edited (more readily); something like:
    Code:
    Throttle Timing = ...
    Lines per Throttle = ...
    Enable Logging = ..
    
    etc :D
     
  6. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Not a good idea,

    1) Because I don't see any advantage to making the configuration file legible. It already has a user-friendly interface through the Options menu currently.
    2) Because changing it to something legible would not be backwardly compatible with existing config files without a lot of coding, which I'm loath to do because of 1)

    P.S. Hope to have a 1.2.6.5 release ready later tonight (very late!).
     
  7. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    561
    I just thought you needed to be burdened with more work ;):p
    It won't be late where I am when this is released. Many thanks.
     
  8. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    I've just released version 1.2.6.5 at http://www.jacobsm.com/mjsoft.htm#rgwtchr - it has the following changes :-

    Changes 1.2.6.4 to 1.2.6.5
    1) Corrected bug with trailing space being left in registry key to autostart MJRW at logon.
    2) Added a new section of additional keys and filespecs to tighten up all entry points to the PC. Also changed every instance of "open\command" to "*\command" to protect all possible actions. If you have tailored keyspecs, please make sure they are backed up before overwriting the files
    with these new ones. Then simply add in the new section, entitled ## Additional Security, to your tailored keyspecs, and globally change "open\command" to "*\command" if you want.
    3) Added extra output information when running in debug mode (right-click up/down arrows on timer) like the line it is checking when a trigger is noted.
    4) Augmented the exemption keys and filespecs file. If you have altered your own, again, please make a backup copy before overwriting with this new one.
    5) Added hkey_local_machine\system\*\services\tcpip\parameters to all sets.
    6) Made polling interval indicator editable, and made it take any value between 0 and 9999 seconds.
    7) Set a system hotkey so that pressing Ctrl+Alt+F6 will restore the MJRW window if it is currently minimised to the tray.
    8) Bundled extra WAV alert sounds into the distribution zip, rather than as a separate download.

    Phew! I need a rest!

    Enjoy!
     
  9. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Thank you very much! Your efforts are much appreciated! :D
     
  10. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    561
    Excellent. A no-bloat program that does just what it says!
    And you do deserve a rest :). Thanks GE :thumb:
     
  11. Alan Baxter

    Alan Baxter Registered Member

    Joined:
    Mar 14, 2007
    Posts:
    35
    It seems to still work OK. :) Thank you, Mark. I think I may publicize MJRW over in the Avast forums. I haven't heard it mentioned there.
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    @Graphic Equaliser

    Since it's been some time since this new release, are there, to your knowledge, any other security programs that in your opinion might be suggested for removal to better accommodate this nice app, that you know of at this point?

    For example, HIPS, AVs w/spyware guards, MBAM w/resident protections, so that nothing interferes unexpectedly with any others.

    And congratulations again on a continued development in this product and making it freely available for all at this time.

    EASTER
     
  13. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Cool, I think this tool will stop trojans and spyware dead in their tracks :thumb: It protects the registry; running this tool with Avira will cover antivirus and spyware protection too :)
     
  14. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    As mentioned on the website, I have tried to collate 3 different exhaustive tables of attack vectors on a typical Windows PC :-

    1) Hojtsy's list at https://www.wilderssecurity.com/showthread.php?t=32823&page=1&pp=25

    2) Gladiator AV's list at http://gladiator-antivirus.com/forum/index.php?showtopic=24610

    3) Silent Runners' list at http://www.silentrunners.org/sr_launchpoints.html

    Personally, I have a hardware firewall, Windows firewall, hardware DEP on every application, and MJRW. I do not use anything else. From my own experience, I would say that KAV is good at spotting advanced stealth techniques like TCP/IP traffic pollution, DLL injection, hooking, memory space injection and others, in real time, but with the cost of a slowed PC. There are free on-demand scanners that do the same job, like Injected DLL from http://www.nirsoft.net/utils/injected_dll.html and others that will list system hooks, like Sanity Check at http://www.resplendence.com/sanity . Memory space injection is handled by hardware DEP (supported by only the latest generation of processors, 45nm usually). TCP/IP traffic pollution is much harder to spot, but I tend to avoid heavily pornographic sites and P2P downloads!

    Easter, in answer to your question, I don't run anything else so I cannot comment on other products' stability alongside each other, including MJRW. Sorry! However, if you have problems with MJRW and other security products at startup, you can set MJRW to have an Initial Sweep delay to stall MJRW's first sweep until the system has settled. It's under Options, Settings, Set First Sweep Delay.
     
    Last edited: Mar 14, 2009
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I revel, GE, in experimentation, so I will simply run your really well thought out application along with what's in place right now, which includes MAMUTU, EQS, and basically those two are the only 2 real resident apps I depend on besides a firewall and occasionally ProcessGuard 3.5. So I don't foresee at this point any real clash with them at all, and thanks for your response GE, and boy, you have been a Methuselah in all the years that you've stayed glued to your project.

    AVIRA (FREE) runs resident on other units. About all else is simply On-Demand here.

    Thanks: EASTER
     
    Last edited: Mar 14, 2009
  16. Alan Baxter

    Alan Baxter Registered Member

    Joined:
    Mar 14, 2007
    Posts:
    35
    Donated. Thanks again for MJRW. :D
     
  17. Alan Baxter

    Alan Baxter Registered Member

    Joined:
    Mar 14, 2007
    Posts:
    35
    Windows Automatic Updates and Prompt Mode

    I see it's recommended to temporarily switch MJRW to Accept Mode while doing a Windows Update. But what happens during a Windows Automatic Update if it takes place while the user is away from the computer? Auto Update's default and recommended configuration is Automatic, i.e. it "automatically downloads recommended updates for my computer and installs them." This is incompatible with Prompt Mode, isn't it?

    I imagine the work around is "don't do that", i.e. if Automatic Updates are desired, then MJRW should be running in Accept Mode. Personally, the question is academic. I have Automatic Updates set to "Notify me but don't automatically download or install them.", and I run MJRW in Accept Mode. I'm introducing MJRW to the Avast forums, and I'd like to be prepared if someone asks about this.

    TIA, and pardon me if I overlooked this in the Help/FAQ.
     
  18. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    No problem. MJRW ought to be in Accept mode for Windows auto-updates to occur automatically. If you are away from the PC but still want to be informed if MJRW detects stuff (including changes to the system made by Windows auto-updates), then put it in Accept mode, set up the alert email parameters, and have it send you any alerts by email.

    If you are in Prompt mode and are installing something, and MJRW prompts you, but you want to switch it to Accept mode, then right-click the system tray icon and put it into Accept mode from there. Then accept the alert that is showing. Subsequent alerts will Auto-accept.

    I hope that's clear. P.S. Thanks for the mention in the Avast forum.
     
  19. Alan Baxter

    Alan Baxter Registered Member

    Joined:
    Mar 14, 2007
    Posts:
    35
    Crystal clear. Thanks.
     
  20. Alan Baxter

    Alan Baxter Registered Member

    Joined:
    Mar 14, 2007
    Posts:
    35
    No prompt while adding a subkey

    A user in the Avast forum was trying out MJRW and brought this issue to my attention. Tried it myself and verified. Apparently Malwarebytes' Anti-Malware (MBAM) adds a subkey during its scan. MJRW is in Prompt Mode using the default security set.
    The MJRW alert window that came up displayed only the OK button. I expected it to show "Quarantine Added SubKeys" and maybe something like "Exempt Certain SubKeys", as well as an Accept button. From the help file:
    Yeah, I know it doesn't mention an "Exempt Certain SubKeys" option, but wouldn't that be nice? Is there something wrong, or am I misunderstanding when the "Quarantine Added SubKeys" will be displayed?

    BTW, the subkey is deleted at the end of the scan. The MJRW alert box has just an OK button in this alert, as expected.
     
  21. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    1) Quarantine added subkeys should appear as an option. I will look into this as I have just experienced the same problem myself.
    2) "Exempt Added Subkeys" seems a good idea. In the past I have done this manually, as can be gleaned from the list of exempted keys and filespecs, for example, all possible versions of CPUZ with :-
    hkey_local_machine\system\*\services\cpuz*
    3) I discovered appinit_dlls is duplicated in all sets - not a big problem, but something I need to correct.

    I'll post to this thread as discoveries and developments take place. Thanks for your help, Alan.
     
  22. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    I've just released version 1.2.6.6 at http://www.jacobsm.com/mjsoft.htm#rgwtchr - it has the following changes :-

    Changes 1.2.6.5 to 1.2.6.6
    1) Corrected bug with it not prompting to Quarantine added subkeys.
    2) Added an alert option to put added subkeys into the Exempt Keys and Filespecs list.
    3) When adding keys or values to the exemptions lists during an alert, it now puts them in with any wildcard that was specified in the original keys list.
    4) Increased the width of the buttons on an alert so the texts are more legible.
    5) Removed duplicate definition of appinit_dlls from all keys lists.
     
  23. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Thanks once again! :D
     
  24. Steven Avery

    Steven Avery Registered Member

    Joined:
    Nov 13, 2007
    Posts:
    112
    MJ Registry Watcher - exclusion list

    Hi,

    Could you give an elementary lesson in using the exclusion list?
    If I get one right, I should be able to get many.

    In Prompt mode, Windows XP SP2.
    The Alert I want to eliminate is the change of the removeany.log file:

    Important Executables and Driver Files
    File Details Changed from
    c:\windows\system32\drivers\RemoveAny.log - Size=872,829 Date=Mon Mar 30 16:52:34 2009 Attributes=---A-
    to
    c:\windows\system32\drivers\RemoveAny.log - Size=873,004 Date=Mon Mar 30 16:53:06 2009 Attributes=---A-

    So I go into :

    Options-->
    Edit exempt keys and Filespec List and add both methods.

    %system%drivers\removeany.log
    c:\windows\system32\drivers\removeany.log

    And hit save.
    (I don't think we are case-sensitive?)

    Yet the prompt foghorn continues. (And I have to switch that to something a bit more pleasant until I have this trained.)

    What am I missing? Excellent program, however I need a bit more gestalt, and it would be nice to be able to add an exclusion directly from the warning.

    Shalom,
    Steven Avery
     
  25. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    You are indeed correct. There should be an option to exempt certain files. I will incorporate this into the next release. The current options are :-

    "Accept" "Quarantine Added Files" "Prefix the Key/FileSpec"

    I'll add "Exempt Certain Files" to the choices. I did test out the "Exempt Keys and Filespecs" List and added %system%drivers\removeany.log to the list. It worked fine and didn't alert me or make a noise. Did you accidentally add your filespec to the wrong list (Exempt Values List)? Perhaps there are trailing spaces (or other invisible characters) after the end of your filespec. I don't know what else to suggest. As for case-sensitivity, it always saves as lower case, so it's never case-sensitive.
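The matching rules discussed across this thread (a wildcard segment in a key spec so that one entry covers every ControlSet, every shell action or every CPUZ version in post 8 and post 21; %system% expansion, lower-case normalisation and the trailing-space pitfall in exempt filespecs in posts 24 and 25) can be modelled in a few lines. The following Python is an added example and not MJRW's own code: the value of %system%, the exact wildcard semantics, the hkey_classes_root\exefile key used as a sample, and the tcpip.sys snapshot entry are all assumptions constructed for the demonstration.

```python
"""Key-spec and exemption matching modelled on the behaviour described in the
MJRW thread.  Added example, not MJRW's own code: the %system% value, the '*'
wildcard semantics and the sample keys are assumptions."""
import re
from dataclasses import dataclass

# Constructed value for the %system% variable seen in the thread's filespecs;
# MJRW's real variable table is not on the page.
VARIABLES = {"%system%": "c:\\windows\\system32\\"}


def normalise(spec: str) -> str:
    """Canonical form of a key path or filespec: surrounding whitespace
    stripped (the 'invisible trailing characters' pitfall), lower-cased
    (matching is never case-sensitive), %variables% expanded."""
    spec = spec.strip().lower()
    for name, value in VARIABLES.items():
        spec = spec.replace(name, value)
    return spec


def spec_matches(spec: str, target: str) -> bool:
    """True if target is covered by spec.  '*' matches any run of characters,
    backslashes included, so system\\*\\services covers every ControlSet and
    shell\\*\\command covers open, print, edit and any other action."""
    pattern = ".*".join(re.escape(part) for part in normalise(spec).split("*"))
    return re.fullmatch(pattern, normalise(target)) is not None


def covering_specs(target: str, specs) -> list:
    """All entries of a watch list or exemption list that cover target."""
    return [s for s in specs if spec_matches(s, target)]


@dataclass(frozen=True)
class FileDetails:
    size: int
    date: str
    attributes: str


def describe(path: str, d: FileDetails) -> str:
    # Same layout as the alert quoted in the thread.
    return f"{path} - Size={d.size:,} Date={d.date} Attributes={d.attributes}"


def file_alerts(before: dict, after: dict, exemptions) -> list:
    """Compare two snapshots (path -> FileDetails) and return one alert per
    watched file whose details changed, unless an exemption covers the path."""
    alerts = []
    for path, old in before.items():
        new = after.get(path)
        if new is None or new == old or covering_specs(path, exemptions):
            continue
        alerts.append(
            "File Details Changed from\n"
            f"{describe(path, old)}\nto\n{describe(path, new)}"
        )
    return alerts


# Constructed snapshots.  The RemoveAny.log details are the ones quoted in the
# thread; the tcpip.sys entry is invented for the example.
BEFORE = {
    r"c:\windows\system32\drivers\RemoveAny.log":
        FileDetails(872829, "Mon Mar 30 16:52:34 2009", "---A-"),
    r"c:\windows\system32\drivers\tcpip.sys":
        FileDetails(361600, "Tue Apr 14 12:00:00 2009", "---A-"),
}
AFTER = {
    r"c:\windows\system32\drivers\RemoveAny.log":
        FileDetails(873004, "Mon Mar 30 16:53:06 2009", "---A-"),
    r"c:\windows\system32\drivers\tcpip.sys":
        FileDetails(361600, "Tue Apr 14 12:05:00 2009", "---A-"),
}

# Exemption list as a user might have typed it: note the trailing spaces,
# which normalise() removes so the entry still matches.
EXEMPTIONS = [r"%system%drivers\removeany.log   "]

# Key specs in the style of the thread's lists (hkey_classes_root\exefile is an
# assumed sample key, not taken from MJRW's files).
KEYSPECS = [
    r"hkey_local_machine\system\*\services\tcpip\parameters",
    r"hkey_classes_root\exefile\shell\*\command",
]

if __name__ == "__main__":
    for key in (r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters",
                r"hkey_classes_root\exefile\shell\print\command"):
        print(key, "->", covering_specs(key, KEYSPECS))
    for alert in file_alerts(BEFORE, AFTER, EXEMPTIONS):
        print(alert)
```

Run as a script it lists which keyspec covers each sample key and prints the one alert that survives the exemption list (tcpip.sys); drop the strip() from normalise() and the trailing-space exemption stops matching, which is the symptom post 25 speculates about.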
     