Help needed from *registry weenies*

Discussion in 'other anti-malware software' started by bellgamin, Nov 13, 2005.

Thread Status:
Not open for further replies.
  1. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I am running RegRun's Watchdog on my WinME partition. Using RegRun's Registry Tracer, I have set Watchdog to alert me to registry changes based on hojtsy's list on THIS Wilder's thread.

    One of the monitored registry entries is...
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

    PROBLEM: Every time I boot up, Watchdog pops-up an alert that RegRun has added a certain entry to the above named registry item. On RegRun's forum, I asked how to stop that useless alert. Until I get a solution (if there is one) it's annoying to have that pop-up alert delay me every time I boot or restart.

    INTERIM SOLUTION?? I right-clicked on the above named registry entry & there was an option. I have attached the option's window below. I clicked on "Trace Values Only" & that caused the pop-up alerts to cease.

    QUESTIONS: What the heck does "trace values only" mean? By clicking in that box, have I killed the usefulness of having Watchdog monitor this registry entry to ensure that a nasty won't get into startup?

    I ask this question here at Wilders because... Wilders is where I think I have the best chance of getting a timely answer (if you get my drift).

    Any help or comments will be appreciated.

    aloha... bellgamin
     

    Attached Files:

  2. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    If I am not mistaken this means that it does not trace keys but only values.

    Actually I do not get your drift. I missed a question of yours back in June when I was working 70-90 hours a week and for this I apologized and sent you a pm one day after you reminded me. You should have an answer to your question http://greatissoftware.com/forums/index.php?board=5;action=display;threadid=122 very soon. Hopefully in the am. Again I apologize for the delay but most questions have been answered fairly promptly since my hours have decreased due to switching jobs.

    Thanks,

    Chris
     
  3. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Actually, Chris, what I don't know about the Windows registry would fill a book. What little I do know I learned right here at Wilders from reading posts by hojtsy, Bubba, Graphic Equaliser, et alia. That's the main reason I asked my *technical* question here.

    The question I asked at RegRun's forum deals specifically with configuring RegRun to eliminate the pop-ups. The question I am asking here at Wilders has to do with registry-in-general.

    Sorry if I offended you, Chris. The "catch-my-drift" comment was unfair. I apologize.

    Question: For HKCU\SW\MS\Win\CV\RunOnce -- will monitoring values only (as opposed to monitoring values AND keys) catch an attempt to insert a nasty into this registry item?
     
  4. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    I don't use RegRun, but it seems obvious that to insert a nasty into THIS key would need one value: so the answer is YES (new items/software in this key are values).

    Cheers,
    nicM
     
  5. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    No problem at all. This is a great place to learn and I myself am always trying to learn more.

    No need to explain. You seem to have done what you think is best and no doubts from me at all.

    Accepted. I also am sorry for not seeing your post sooner. This was my mistake and I take full responsibility for it. I hope that in the future I will be more on the ball and not miss these things. I mean users shouldn't suffer because of my offline time.

    nicM seems to be correct with his answer.

    Thanks,

    Chris
     
  6. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    There are actually a few different points to consider here. RegRun already handles this key by default, without needing to add it to the registry tracer list. It's handled by WatchDog, so it wouldn't be in the registry tracer list. Next is that anything adding itself to that registry key will be adding itself as a value.. so typically using the setting to only monitor values, although unnecessary, should work.. it does not appear that adding a new sub-key to hkcu\..\RunOnce will run anything, so you're not in any danger. You can see from the screenshot, however, what it's detecting. I'm not sure exactly what that key is for, but my guess is that it's what RegRun uses for its own additions to that key without bothering you with WatchDog alerts. (I added notepad.exe in there to check that it alerts with the default settings, and it does.)
     

    Attached Files:
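
The value-versus-subkey distinction discussed in the posts above, as an added example that is not part of the thread and is not RegRun's code: it snapshots the values and subkeys under HKCU RunOnce and reports what changed, with a `values_only` switch modelling the thread's reading of "Trace Values Only". The function names, the `SelfEntry` and `SubKeyA` names, and the sample paths are assumptions constructed for illustration.

```python
import sys

RUNONCE = r"Software\Microsoft\Windows\CurrentVersion\RunOnce"


def snapshot(path=RUNONCE):
    """Read value names/data and immediate subkey names from HKCU (Windows only)."""
    import winreg  # standard library, available only on Windows builds of Python
    try:
        key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, path)
    except FileNotFoundError:  # key absent: treat as an empty snapshot
        return {"values": {}, "subkeys": set()}
    with key:
        n_subkeys, n_values, _ = winreg.QueryInfoKey(key)
        values = {n: str(d) for n, d, _t in
                  (winreg.EnumValue(key, i) for i in range(n_values))}
        subkeys = {winreg.EnumKey(key, i) for i in range(n_subkeys)}
    return {"values": values, "subkeys": subkeys}


def diff(baseline, current, values_only=False, allow=frozenset()):
    """Return (kind, name, data) events; `allow` holds expected (name, data) pairs."""
    events = []
    old, new = baseline["values"], current["values"]
    for name in sorted(new):
        if (name, new[name]) in allow:
            continue  # expected entry: name AND data must both match
        if name not in old:
            events.append(("value-added", name, new[name]))
        elif old[name] != new[name]:
            events.append(("value-changed", name, new[name]))
    for name in sorted(set(old) - set(new)):
        events.append(("value-removed", name, old[name]))
    if not values_only:  # subkey changes are reported only when keys are traced too
        for name in sorted(current["subkeys"] - baseline["subkeys"]):
            events.append(("subkey-added", name, ""))
    return events


# Constructed sample data: an empty baseline, then a boot where a tool adds its own
# entry (hypothetical name SelfEntry), a test value is added, and a subkey appears.
BASELINE = {"values": {}, "subkeys": set()}
AFTER = {"values": {"SelfEntry": r"C:\Tools\helper.exe",
                    "test": r"C:\WINDOWS\notepad.exe"},
         "subkeys": {"SubKeyA"}}
ALLOW = frozenset({("SelfEntry", r"C:\Tools\helper.exe")})

if __name__ == "__main__":
    current = snapshot() if sys.platform == "win32" else AFTER
    for event in diff(BASELINE, current, values_only=True, allow=ALLOW):
        print(event)
```

Matching the allowlist on name and data together means a known entry whose command line has been altered still raises an alert.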

  7. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
  8. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I just now *got back* from reading Dimitry's reply over at RegRun forum. As noted by Chris, he answered my question. I am greatly encouraged that my choice to use Watchdog to guard the registry is indeed a good one.

    I also appreciate Chris's forgiving heart. Me & my biiig mouth -- when will I ever cease to periodically munch on my own foot?:blink:

    See! I DID learn a lot from this exchange. As a consummate paranoid, I very very much appreciate Notok's test with notepad.exe. Proof of the pudding, doncha know.:D
     
  9. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    I'm glad you are pleased with RegRun as it is a good product with many useful tools. Also please check your post about a shortcut at greatis forum the next day or so I should have an answer soon.

    Thank you for your words as usual. You will cease to munch on your foot when you are not hungry anymore :)

    Yes thanks Notok you are appreciated ;)

    Thanks,

    Chris
     
  10. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Hehe, well you just happened to stumble upon the realm of some of the projects I'm working on :) I've been doing a lot with the registry lately.

    Beta testing RR has given me a much greater appreciation for the product, and I can't wait to see the final (except that then the beta will be over :() It really is an awesome tool, and only getting better. It's become indispensable to me in many ways, and I don't see that ever changing.
     