MJ Registry Watcher

Discussion in 'other anti-malware software' started by Graphic Equaliser, Nov 13, 2004.

Thread Status:
Not open for further replies.
  1. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    I just started to test this software and I have a couple of questions.

    This version is free. How about the next one and all after that? The price is very low, so if I donate some amount now, can I use possible non-free versions too? Earlier, people who donated got a registered version (or key). That's why I'd like to know.

    What does Quarantine file(s)/Directory actually mean? How does it affect the added file(s) and folders?

    The MJ Registry Watcher home page reads Latest Features: Folder and File Hooking and so on. Where can I add folders and files? Does that mean that the program monitors all changes and modifications in the chosen place? The same way as the very old program FileChangeAlarm.
     
  2. shek

    shek Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    342
    Location:
    SE CHINA/NYC USA
    You could choose Accept mode; then all the changes would be accepted and logged.
     
  3. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Hammerman, you can right-click the tray icon and put MJRW into Accept mode from there, just prior to installing something. Remember to set it back to the mode you were in afterwards.

    MikeNAS, all subsequent versions of MJRW will be free, and I will rely on donations being made from time to time to drive forward improvements to the application. Donations are entirely voluntary and do not affect the functionality of any of my free software. There will be no further need for licence files. Quarantining of keys, files and directories allows suspicious entries to be put aside for further investigation. They are renamed to become harmless (no accidental launch with an Explorer double-click). Manual quarantining allows you to, for example, move the index.dat file that stores your history of websites visited, at the next reboot. While Windows is running, this file is usually locked tight so that nothing can be done to it. The quarantine directory is called MJQuarantine and resides off of the MJRW installation directory. For folder and file hooking, you simply add the paths to your list of keys in the top window. First, you have to "Enable Keys List Editing" from the Options menu. Then type in the paths you want to monitor in an appropriate place in the top window. Try to use the generic directory names when specifying a path, like %system% or %windir%. Then save the list (using the Save button) and start the monitor sweeps again. Any folder specified is monitored for changes to it, but not its subdirectories. If the path contains wildcards, all matching paths are monitored. This is very much like FileChangeAlarm.

    HTH,
     
  4. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    So, because it doesn't monitor subdirectories, can I add the whole c, d, e and so on drives in an easy way? I would also like to add the whole registry, but maybe that is too slow to do?!

    I'm using Shadow Defender on all drives, so I want to monitor changes and be sure that everything goes back at reboot. BTW, where does MJ Registry Watcher store its current settings? I'm going to start shadow mode first and then configure MJ RW, and I need to commit the settings to the drive.
     
  5. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    For more thorough protection of the registry, you can try using the highest security set (under Options, Settings). The filespec protection is not easily extended to protect all subdirectories without specifying exactly which paths you want to monitor. Certainly, I could trigger a sweep when a subdirectory changes, but finding exactly which subdirectory/file changed on a drive with, say, 50,000 directories and half a million files (common on networked NTFS drives) would take so much digging, and storage of before/after events, it would be unfeasible with MJRW as it currently stands. Sorry, but you would have to specify each directory and subdirectory you need to protect. Remember, you can use a filespec like e:\o_O to monitor changes to the modification date and time of any of the directories coming off of the root of e, for example.

    If you want to see all activity on a drive (with optional filtering on filenames) then use the freeby Process Monitor from http://technet.microsoft.com/en-gb/sysinternals/bb896645.aspx or a related application.

    All key sets and configuration settings are stored in the same directory that you installed MJRW in. The key set filenames are detailed at the top of the help file. For example, MJRegWatchKeys.1 is the highest security set, and MJRegWatchKeys.txt is the custom one (used when no other is specified).
     
    Last edited: Mar 10, 2008
  6. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    Thanks a lot! I didn't realize that c:\? ? ? and so on actually monitors what I need (date and time). It's enough for me because I use Md5Checker to check all files at reboot. Of course I can add some extra important places in Quarantine directories, and I will do that. I didn't realize that the help file is so good... my mistake :D Yes, I'm using the Highest Security Set, but I'll probably build my own soon, which mostly covers startup places only.
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Awesome GE, (Greets) and let me just say that you are right there with the other developers here, all of whom are equally generous and so attentive to users' concerns, issues, etc., and bring forward an excellent security product.

    For me anyway the registry has always been such a sore point of contention, because a single changed line in but one of the many places in those branches can have an immediate impact on these Windows systems, and I might add that for some of us it can be quite complicated due to the mere number of entries it uses to tether to files and file activities on a computer.

    Hats off and thumbs up, because the registry is a very sensitive area and XP ($M) has left it so wide open for manipulation that it doesn't take much for malware to tamper with system control and/or disable a normally functional computer once affected.

    Protecting the registry is Vital! and I am glad you made it your own special field in which to create and introduce users to MJ Registry Watcher.

    EASTER
     
  8. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Thanks for the update! :D
     
  9. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    I have updated MJRW to version 1.2.6.2 available at http://www.jacobsm.com/mjsoft.htm#rgwtchr

    Changes 1.2.6.1 to 1.2.6.2
    1) Corrected bug when file/directory hooking failed (like under Win9x sometimes), so that it quietly returns to polling for changes to these, rather than going haywire.
    2) Made the top window row remain selected after an exempted change occurs on another row.
     
  10. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    The update is much appreciated! :D
     
  11. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    What does the "Checking Lines ### to ### of ###" message mean? If it's the sweeping, then it seems to be happening too often. I set sweeping for 60 secs, but the checking lines message appears more often than that.
     
  12. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    A sweep is triggered either by the polling time limit being reached, or by a hook firing. The sweep can therefore occur more often than just at the timer interval you set. If more than one hook fires within 20 seconds, only the first one triggers a sweep. The 20 is set by the "hook release time" (set under the engine parameters section).

    Other software can cause the registry to be in a state of constant update (for example, Opera when it is downloading something). Under such conditions, with a hook release time of 20 seconds, the sweeps will occur every 20 seconds. Some software may be updating certain files and directories constantly, and if they are protected by MJRW, they will also cause sweeps every 20 seconds.

    You can turn off registry hooking by setting the hook throttle to zero milliseconds.

    HTH,
     
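As an added illustration (not MJRW's own code, and not from Graphic Equaliser), the sweep-trigger rules described in the post above modelled in Python: a sweep runs when the polling timer expires or when a hook fires, hook firings inside the hook release window of the last hook-triggered sweep are coalesced, and a hook throttle of zero disables hooking. Assumed: times are in seconds, the monitor counts as having swept at start-up, and any sweep resets the polling countdown.

```python
"""Model of when MJ Registry Watcher runs a sweep (added illustration, not
MJRW's own code). Rules taken from the post: a sweep is triggered by the
polling timer or by a registry/filespec hook firing; hooks firing within the
hook release window of the last hook-triggered sweep are coalesced; a hook
throttle of 0 ms turns hooking off. Assumed: times are in seconds and any
sweep (timer or hook) resets the polling countdown."""
from dataclasses import dataclass, field


@dataclass
class SweepScheduler:
    poll_interval: float = 60.0      # user-set polling time (seconds)
    hook_release: float = 20.0       # "hook release time" window (seconds)
    hook_throttle_ms: int = 100      # 0 disables registry/filespec hooking
    last_sweep: float = 0.0          # last sweep of any cause (monitor start)
    last_hook_sweep: float = -1e9    # last hook-triggered sweep (none yet)
    log: list = field(default_factory=list)

    def hook_fired(self, now):
        """A registry/filespec change notification arrived at time `now`."""
        if self.hook_throttle_ms == 0:
            return False              # hooking disabled: polling only
        if now - self.last_hook_sweep < self.hook_release:
            return False              # inside release window: coalesced
        self.last_hook_sweep = now
        self._sweep(now, "hook")
        return True

    def tick(self, now):
        """Clock advanced to `now`; sweep if the polling timer has expired."""
        if now - self.last_sweep >= self.poll_interval:
            self._sweep(now, "timer")
            return True
        return False

    def _sweep(self, now, cause):
        self.last_sweep = now         # assumption: every sweep resets the timer
        self.log.append((now, cause))


def replay(events, **cfg):
    """Replay (time, kind) events, kind 'hook' or 'tick'; return the sweep log."""
    sched = SweepScheduler(**cfg)
    for t, kind in sorted(events):
        (sched.hook_fired if kind == "hook" else sched.tick)(t)
    return sched.log


if __name__ == "__main__":
    # Constructed scenario from the post: an application (e.g. a downloader)
    # keeps the registry in constant update, so a hook fires every second.
    noisy = [(t, "hook") for t in range(61)] + [(t, "tick") for t in range(61)]
    print(replay(noisy))                      # sweeps at 0, 20, 40, 60 (hook)
    print(replay(noisy, hook_throttle_ms=0))  # only the 60 s timer sweep
```

The replay shows why a 60 s polling setting still produces a sweep every 20 s under a constantly changing registry, and how setting the hook throttle to zero falls back to pure polling.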
  13. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    Ok thanks for that explanation.
     
  14. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    I've just released MJRW version 1.2.6.3 with the following changes :-

    Changes 1.2.6.2 to 1.2.6.3
    1) Added filespec mnemonics %mydocs% (My Documents), %alldocs% (Shared Documents) and %userwin% (Under XP = c:\windows\ but different under Vista 64!).
    2) Improved log and help search facilities.
    3) Other cosmetic and efficiency improvements.

    Not a lot of stuff, but it makes a difference to Vista 64-bit installs, plus there's more variety of mnemonics to protect your own filespecs now. Regards,
     
  15. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    561
    Thanks Graphic! This really is a nifty little application. Off to get it now.

    soccerfan
     
  16. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Just happened to check your website and saw the new update date. As always, thanks! :)
     
  17. doctormac

    doctormac Registered Member

    Joined:
    Nov 17, 2004
    Posts:
    30
    Newbie Questions Please

    Greetings folks

    I have only recently joined your Wilders forum and have only just become aware of the MJ Registry Watcher. As all of you are giving it such a very high rating, I downloaded it last night.

    Now, I'd really appreciate a little help with these questions please :

    1. When I first launched MJRW the rule settings were on "Custom" - I changed that to "Default" - is that correct?

    2. I'm running Windows 98se. I'm sure a lot of the rules are designed for XP - for example in the rules there is reference to the folder "documents and settings" which does not exist on Win 9x. So, is a Win98 box covered by using the "Default" rules?

    3. In the bottom panel is the line (in red) :

    WaitForMultipleObjects : The handle is invalid.
    : Filespec Hook Turned Off

    I have no idea what that means. Any suggestions? Do I need to turn it on? How does one do that?

    4. After the program was setup, over the next two hours I got about five pop-ups telling me that a new registry value had been added at HKLM \etc. etc.\Explorer ... called BitBucket. I have no idea what that is or where it comes from. Any feedback on this?

    Thanks folks - I do appreciate your help.

    Best wishes,

    Dr. Mac
     
  18. dw2108

    dw2108 Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    480
    @Dr. Mac

    Here's what I did. I got the freeware registry backup/restore app ERUNT from snapfiles.com, and then I experimented with the various settings of this app. Give yourself time as do we to learn about any software. But you're OK with default. MJ is a good code writer.

    Dave

    Forgot! RegWatcher can also backup the registry.
     
  19. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Welcome to Wilders! The developer of RegWatcher (RW) has user name "Graphic Equaliser" -- he posts here from time to time. Hopefully he will answer your questions with regard to Win98.

    Fact is, RW covers a very broad spectrum of sensitive registry hives. When it reports changes, only a very experienced user will know which changes are okay & which are not. Basically, UNLESS you just installed, uninstalled, or made some other *significant* change to your computer set-up, any registry changes reported by RW should be regarded as suspicious.

    Instead of an application like RW, perhaps you might be better off to base your computer's security on something broader in perspective and "friendlier" to use than RW. As a Win98 user, your choices are somewhat limited. However, the good news is that most malware nowadays targets later versions of Windows than Win98.

    One good HIPS-type app that works well with Win98 is WinPatrol. It "patrols" many of the key registry hives, as well as other sensitive areas in your computer's set-up. I recommend the Plus (non-free) version for adequate coverage. WinPat offers Plus users a detailed look-up capability for checking out any alerts it gives you, so it's a good app for new users as well as those with more experience.
     
  20. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    I agree 100%, and plus you get to know your system more, and know and get control of your computer. This is a must-have tool.
     
  21. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,234
    Location:
    Mass., USA
    Not to get OT here, but WinPatrol was discussed briefly here: https://www.wilderssecurity.com/showthread.php?t=218050&highlight=winpatrol
     
  22. doctormac

    doctormac Registered Member

    Joined:
    Nov 17, 2004
    Posts:
    30
    Greetings folks

    Thanks for your replies.

    Yes, I do hope the inventor of MJRegWatch will be able to answer my questions, especially regarding the pop-up saying that BitBucket is trying to create a new registry value. This is still happening frequently throughout today as well.

    I shall take another look at WinPatrol - thanks for the reminder.

    Regarding ERUNT - I agree this is a brilliant registry backup and restore tool. It was based on the really good registry and system file backup provided by Microsoft way back with Win 95 called ERU (Emergency Recovery Utility) and it worked extremely well. Unfortunately, it appears that ERUNT is only for Win XP. However, for years I've been using the superb backup program ERS 9x.

    Thanks again for your replies folks ... and in the meanwhile, if anybody DOES know anything about that BitBucket thing, I'd appreciate your feedback.

    Take care and go well ...

    Dr. Mac
     
  23. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    1. You can choose to run any Security Set you want. They can be viewed by looking at them in Notepad (they are just text files) or by loading them up one at a time in RegWatcher and looking at them there. The higher the Set, the longer it takes to scan but the overall range of protection is higher (because it looks deeper into your PC.)

    2. It's my understanding that if something in a Security Set does not apply, RegWatcher skips it and moves on. So using Win 98 with it should not have any issues.

    3. Not sure here. My guess is that it is related to Win 98 and is not a supported function. I didn't have this message with my 98 machine but I used RegWatcher on it before GE added registry and file hooking.

    4. BitBucket reference... Does the entry look like this "HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ BitBucket" ? If so, it is likely an entry that auto deletes anything sent to the Recycle Bin. Why it keeps getting reset, I don't know.

    I understand where Bellgamin is coming from (I like WinPatrol a lot!) but my feeling is that RegWatcher still has a place for newbies. Just initially set it to Accept all changes. This way, nothing gets blocked when it shouldn't, but it will still alert for system changes that it is monitoring.

    For my own use of RegWatcher... I use 2 accounts on my PC. My Admin account is set to run in RegWatcher in Accept mode and my Limited User account runs RegWatcher in Prompt mode. Running them differently allows me to safely update Windows and other programs needing admin privileges, yet still keep track of what is going on. On the other hand, since I do nearly all of my surfing in the Limited account, RegWatcher gives me the option to block things/events that I don't want to happen. I have been running RegWatcher like this for quite a while and so far, it's working out great...
     
  24. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
  25. doctormac

    doctormac Registered Member

    Joined:
    Nov 17, 2004
    Posts:
    30
    Greetings HAN

    Thanks for your very detailed and helpful replies.

    You are correct ...

    That BitBucket thing is appearing at HKLM\ etc. etc\Explorer

    However, it is not automatically deleting the Recycle Bin. Very strange! Every so often I pop into the registry and delete it ... but when I look again a little later it's back there! Strange!

    There must be something in my box that is creating that value continually. Anyway, as long as it's not harmful I guess I can learn to live with it.

    Again, many thanks for your long and helpful answers.

    Best wishes,

    Dr. Mac
     