MJ Registry Watcher

Discussion in 'other anti-malware software' started by Graphic Equaliser, Nov 13, 2004.

Thread Status:
Not open for further replies.
  1. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    I spotted some bugs and an increase in CPU use in version 1.2.3.5, so I have released a new version 1.2.3.6 at http://www.jacobsm.com/index.htm#sft which addresses these issues, and adds some new functionality in light of the %windir%\tasks directory, so that filespecs can be exempted in the exempt subkeys file. It's all in the help file. The changes are :-

    Changes 1.2.3.5 to 1.2.3.6
    1) Fixed bug with Prompt/Accept/Reject setting.
    2) Added exempt files capability using exempt subkeys file. Added %windir%\tasks\sa.dat to the exempt subkeys and filespecs list, by way of example. This is just the Start Assistant (Wizard) for creating new tasks for the scheduler.
    3) Addressed a CPU utilisation issue.
    4) Fixed multiple occurrences of a bug where it would not display the updated key data after an alert which was accepted, until you moved off the key and back on to it.
     
  2. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    I tried the Quarantine feature, and it works like a charm. I am impressed.
    Maybe I could suggest now my old idea about showing status info in the tray icon. There could be a different icon image for Stopped, Reject, Prompt and Accept mode. I noticed that the on-hover tip window displays the Reject, Prompt, Accept mode, but provides no info whether the whole scanning process is running or is Stopped.
    -hojtsy-
     
  3. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Hojtsy, that is a good suggestion. The tray icon hint text is at the limit supported by this component at the moment, so getting rid of some text and using the tray icon could be beneficial.

    There is one bug I am currently aware of in 1.2.3.6 and that is when you press View File on a file in the top window, the title bar of the viewer window does not display the file information any more - I know what I did wrong. A triviality, I'm sure, but will be fixed in 1.2.3.7.

    Any ideas on LSA key and how trojans attack it?

    Regards,
     
  4. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    The screenshot on your homepage no longer shows the alert you had with LSA. Can you post it from your logfile?
    For example W32/Netspree.worm could set the value
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous = 0
    thus weakening the external protection of the computer. After this an external user can remotely log in without a password, and access some limited information on your computer.
    Another thing employed by WORM_RBOT.AGJ is to set the value
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSN Messenge = "winlogin.exe"
    to let itself autostart, but I don't really understand how.
     
  5. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    I am pretty sure it wasn't a virus. Windows itself seemed to want to change these entries after a reboot, to "No Data" entries, and then later, want to change them back again. Shortly afterwards, my PC crashed with a message from lsass.exe saying about an endpoint format being invalid. Eventually, I had to reinstall the OS, and now I have a very dodgy hardware setup, with freezes and lock-ups very common. Could it have been the Sasser worm? Nope, as it turns out, it wasn't a trojan or virus after all. The AliMagik mobo I have in the PC is too slow to handle the UDMA133 HD I installed the other day, and it keeps faulting instead of keeping up!
     
  6. karate

    karate Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    3
    thanks for this wonderful prog
    see you!:)
     
  7. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    Hi Graphic, and thanks for another big improvement. I'm still trying to find time to test all the new features, but it looks good. Verification before closing seems a very good thing.

    I have, however, noticed one oddity in v1.2.3.6. When I start MJRW (highest security set) taskmgr shows Mem-Usage=7800K and VM-Size=4100K. VM-Size remains fairly steady throughout, but Mem-Usage has an odd fluctuation pattern. It does not change much, when I "Show Window" (or get an alert) for the first time, but after I minimize MJRW, Mem-Usage drops way low. From 7800K, I've seen it drop as low as 264K, then starts rising (quickly at first) until it gets to somewhere around 1850/2000K. Mem-Usage stays fairly steady until the next Show-Window which (understandably) increases it by around 300-400K. When MJRW is minimized, the Mem-Usage does the same thing again. It, first, drops low, then starts increasing until it gets back to 1850/2000K. Though I don't know that this is accurate, on my system, it appears that if MJRW was never "displayed and minimized", that six megabytes of (unused?) RAM might never be released.

    The dramatic drop in Mem-Usage (after minimizing) bounces back up so quickly that taskmgr (on high update speed) doesn't always catch the full extent of it. Although I've seen Mem-Usage as low as 264K, it is often already back to 1400K by the first update. Just wanted to share my impression from repeated observations, because dropping so low (even for a split second) seemed quite surprising from a program that I expected would maintain a constant memory requirement (except, of course, for the needs of "Show Window", alerts, options, list changes, etc). Anyway, hope this helps determine whether or not something is amiss.
     
  8. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    I have seen the same behaviour on every installation of MJRW. When minimised it drops its memory usage to about 1.5 mb, but when restored to the screen, the usage goes up to about 7-8mb. I really do not know why it does this, since I wouldn't have thought the smattering of controls on the MJRW screen would cause such a large amount of RAM consumption. I suppose one can never tell what Windows is doing behind the scenes.

    There will be a version 1.2.3.7, since I have discovered a couple more bugs, and I want to implement Hojtsy's idea of changing the colour of the tray icon to reflect different states of running.
     
  9. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Graphic,
    I was wondering if it might be worthwhile to add the IE favourites directory tree into the default file watchlist, this would help catch malware that attempts to rewrite your existing bookmarks to go via a trojan site
    (can you add a directory and tick "and subdirs" to the config file and just enumerate the subdirectories at startup or at some configurable interval?)

    To allow this to be tweaked a little and cause fewer alerts it would be good if we could have the alert go off for file modification & deletion and not for file creation

    Of course everyone that uses a sensible browser will want to add their bookmarks into it as well, so maybe the default locations for firefox, mozilla et al could go in to the "heavy" list

    Thanks

    NB:

    I'm not sure what you were meaning when you said that you were not at liberty to say how mjrw accessed the registry and whether it would be affected by someone creating a key with a NULL value in the name....

    I wasn't particularly bothered "how" you access the registry, it was more of a query about whether the program could be bypassed in this way.

    I didn't particularly want to advertise how to bypass MJRW (and potentially other registry monitors) if you were using the standard Win32 APIs that cannot read keys with NULL values embedded in the name
     
    Last edited: Jan 27, 2005
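Added example, not code from MJ Registry Watcher (whose registry-access method is deliberately not published on this page): the snapshot-and-compare core that any polling registry watcher is built on, run over constructed in-memory snapshots so it works offline. It covers the two points raised above in this thread: hojtsy's LSA changes (RestrictAnonymous flipped to 0 and a new autostart-style value appearing under Lsa) and gottadoit's question about keys whose name embeds a NUL. The `Loader` subkey, the exempt `Bounds` value, the `winlogin.exe` paths and the sample data are all constructed for the demo, and `win32_view` is a model of what NUL-terminated Win32 calls such as `RegEnumKeyEx`/`RegOpenKeyEx` can name, not a call into Windows.

```python
"""Snapshot-and-compare core of a registry watcher (added illustration).

Constructed in-memory snapshots stand in for the live registry, so this runs
on any platform; nothing here is MJ Registry Watcher's own code.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# key path -> {value name: data}.  Names keep their full length, the way the
# Native API's UNICODE_STRING carries them, so an embedded "\x00" is part of
# the name rather than a terminator.
Snapshot = dict[str, dict[str, object]]


def win32_view(snap: Snapshot) -> Snapshot:
    """Model of what a watcher built on NUL-terminated Win32 calls can see.

    A key whose name embeds a NUL cannot be opened by such a watcher: the
    truncated name it gets back from enumeration does not exist, so the key
    (and every change inside it) is invisible to it.
    """
    return {k: dict(v) for k, v in snap.items() if "\x00" not in k}


@dataclass(frozen=True)
class Alert:
    severity: str          # "log", "prompt" or "high"
    key: str
    value: str | None
    message: str


@dataclass
class WatchConfig:
    watched: set[str]                                          # keys compared every sweep
    auto_accept: set[str] = field(default_factory=set)         # watched, but changes are only logged
    exempt: set[tuple[str, str]] = field(default_factory=set)  # (key, value name) never reported


def _n(s: str) -> str:
    """Registry names are case-insensitive; compare them lower-cased."""
    return s.lower()


def compare(before: Snapshot, after: Snapshot, cfg: WatchConfig) -> list[Alert]:
    """Diff two snapshots against the watch list; alerts come back in key order."""
    auto = {_n(k) for k in cfg.auto_accept}
    watched = {_n(k) for k in cfg.watched} | auto
    exempt = {(_n(k), _n(v)) for k, v in cfg.exempt}
    alerts: list[Alert] = []

    for key in sorted(set(before) | set(after), key=_n):
        nk = _n(key)
        # A key name with an embedded NUL has no legitimate use; report a new one
        # wherever it appears, even under a key that is not on the watch list.
        if "\x00" in key and key not in before:
            alerts.append(Alert("high", key, None,
                                "new key with embedded NUL in its name (hidden from Win32 tools)"))
            continue
        if nk not in watched:
            continue
        old, new = before.get(key, {}), after.get(key, {})
        for name in sorted(set(old) | set(new), key=_n):
            if (nk, _n(name)) in exempt:
                continue
            if name not in old:
                change = f"value added: {new[name]!r}"
            elif name not in new:
                change = f"value deleted (was {old[name]!r})"
            elif old[name] != new[name]:
                change = f"value changed: {old[name]!r} -> {new[name]!r}"
            else:
                continue
            sev = "log" if nk in auto else "prompt"
            # Weakening a security setting is flagged at top severity in every mode.
            if nk.endswith(r"\control\lsa") and _n(name) == "restrictanonymous" and new.get(name) == 0:
                sev = "high"
            alerts.append(Alert(sev, key, name, change))
    return alerts


# Constructed sample data: an LSA key, a Run key, and a subkey that only the
# Native API can name (the "Loader\x00" name is invented for the demo).
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HIDDEN = RUN + "\\Loader\x00"

CONFIG = WatchConfig(watched={LSA, RUN}, exempt={(LSA, "Bounds")})  # Bounds: assumed noisy

BEFORE: Snapshot = {
    LSA: {"RestrictAnonymous": 1, "Bounds": b"\x00\x30"},
    RUN: {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
}
AFTER: Snapshot = {
    LSA: {"RestrictAnonymous": 0, "Bounds": b"\x00\x31", "MSN Messenge": "winlogin.exe"},
    RUN: {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    HIDDEN: {"": r"C:\WINDOWS\winlogin.exe"},
}


def sweep_native() -> list[Alert]:
    """Sweep with full-length names: sees the NUL-named key as well."""
    return compare(BEFORE, AFTER, CONFIG)


def sweep_win32() -> list[Alert]:
    """Sweep as a Win32-only watcher would: the NUL-named key never shows up."""
    return compare(win32_view(BEFORE), win32_view(AFTER), CONFIG)


if __name__ == "__main__":
    for label, alerts in (("native", sweep_native()), ("win32", sweep_win32())):
        print(f"--- {label} view: {len(alerts)} alert(s)")
        for a in alerts:
            print(f"[{a.severity}] {a.key!r} :: {a.value!r} :: {a.message}")
```

The native sweep reports three things: the NUL-named subkey, the new `MSN Messenge` value, and RestrictAnonymous going to 0; the Win32 sweep reports only the last two, which is exactly the gap gottadoit is asking about. The defence is the one the code takes: compare names by their counted length, never through a C string, and treat any embedded NUL as an alert in its own right.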
  10. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Version 1.2.3.7 of MJ Registry Watcher is now available at http://www.jacobsm.com/index.htm#sft . These are the changes :-

    Changes 1.2.3.6 to 1.2.3.7
    1) View File now puts up details of file in title bar of viewer.
    2) Auto-Accepted value changes now refresh the middle window correctly.
    3) If the log viewer is open when an alert occurs, details are appended to bottom of the window.
    4) Tray icon colour is grey for prompt mode, green for accept mode, blue for reject mode, and red when running minimised silently and there are alerts.
    5) Window pane dimensions now resize correctly, both when starting up and reading configuration details, and when you manually reset the display using the menu option.


    Native API Registry access is *not* what I use!! This will be covered by the trojans eventually, so there's not much point in using it now. However, I cannot say how I do it, or the "black hats" will have a new string to their bow. So, everyone, stum, and stop asking!

    Gottadoit, the favourites directory for browsers is not a standard entry. I am inclined just to let you add each directory and subdirectory to the top pane, and prefix them with an equals sign. Then any changes to current bookmarks would be allowed and logged for you. When a new bookmark is added, it would be automatically allowed, and logged. You could then look at the log file and find any suspicious changes to these bookmarks manually, or use a text editor to view the log and search for the bookmark directory names in there. Subdirectory recursion is not planned for MJRW yet.
     
  11. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    Hi Graphic,

    Thanks again for the latest update. The color-coded tray icon will be helpful. I wonder if you might want to use a "warning" color when MJRW is "Stopped" (red or orange?). Thinking about this led me to some confusion. Then again, thinking usually does. :)

    Metaphorically, "green for accept" seems to mirror MJRW's role as a traffic cop, allowing changes to go ahead. In terms of results, though, "Accept" seems most similar to leaving MJRW "Stopped". If colors are chosen according to which conditions are most dangerous when forgotten, perhaps both Stop and Accept should be a bright, warning color. No problem either way. I'm sure I'll adapt just fine with or without any color changes.

    You may also want to consider adding %system%drivers/etc/hosts at some security level(s). Not sure that's the right path for Win9x, however.
     
  12. trevor12

    trevor12 Registered Member

    Joined:
    Dec 29, 2003
    Posts:
    15
    Location:
    Czech republic, Prague
    v1.2.3.7 - Realplayer stuff

    Is it possible that version 1.2.3.7 is not monitoring stuff (e.g. TkBell, Real Update etc.) that RealPlayer tries to push into the registry accidentally when I use this player?

    In versions 1.2.3.5 and 1.2.3.6 it was OK (I could reject it) but in the current version it seems that it is not monitoring (maybe it is strange behaviour only on my PC, but before 1.2.3.7 it worked OK)
     
  13. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Trevor12, make sure you have not got it into Auto-Accept mode (check the radiobuttons at the top - it should be Prompt that is checked), and that the key hkey_lmus\software\microsoft\windows\currentversion\run is in the list and not prefixed with any character. I've just checked mine, and any change to this key is definitely flagged in my 1.2.3.7

    Earth1, Auto-Accept mode is *not* the same as "Stopped". Auto-accept logs every change made to the keys and files, but also just accepts them : a bit like a registry activity logger. If it is stopped, I think the next version ought to paint the padlock black. I will probably add the hosts file into all lists too.
     
  14. trevor12

    trevor12 Registered Member

    Joined:
    Dec 29, 2003
    Posts:
    15
    Location:
    Czech republic, Prague
    Hi Graphic, thanks for reply I checked your advice and everything seems to be ok.

    I found this strange behaviour of the current version of MJRW because, besides MJRW, I have the resident shield from Spybot S&D, and with the previous version of MJRW I always had two warning windows (MJRW and Spybot), but with the current version only the Spybot resident shield warning window appears in relation to RealPlayer.

    Maybe something is strange with my PC and the current MJRW version is OK.
     
  15. Hi, I used this excellent program before, and now I am going to use it again, just a question, does it run well with PrevX and Process Guard? No problems with them?
    Thanks, and again, what an excellent program!!!
     
  16. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    It runs really well, I have it amongst the following security.

    Hope this helps...

    Cheers :D
     
  17. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Trevor, it may be due to Spybot S&D resident shield fixing the change before MJRW has a chance to see that it has changed.

    Thanks for your comments, everyone.

    I found my XP Pro SP1 hosts file at C:\WINDOWS\system32\drivers\etc\hosts - does anyone know where it is located under Win2K and Win9x systems? TIA
     
  18. Vietnam Vet

    Vietnam Vet Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    306
    Hi Graphic Equaliser,

    I believe these locations are the default locations.

    Windows 95/98/Me c:\windows\hosts

    Windows NT/2000/XP Pro c:\winnt\system32\drivers\etc\hosts

    Windows XP Home c:\windows\system32\drivers\etc\hosts

    Best wishes,
    VV
     
  19. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    I found this in the readme.txt file of hpguru's hosts.zip:

    Win9x/Me C:\Windows
    WinNT/2K C:\Winnt\System32\Drivers\etc
    WinXP Home/Pro C:\Windows\System32\Drivers\etc
     
  20. Vietnam Vet

    Vietnam Vet Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    306
  21. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    C:\WINDOWS\system32\drivers\etc

    Cheers :D
     
  22. DigitalMan

    DigitalMan Registered Member

    Joined:
    Sep 9, 2004
    Posts:
    90
    Sorry for the NooB post - how do I set up MJ Registry Watcher to start up with my preferred scan frequency and security set? I've been looking through posts but can't find it - or at least not in a form my feeble mind can grasp.

    I am using v1.2.3.7 and would like it to start with a scanning frequency of 1/min and highest security set.
     
  23. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    Hi Digitalman,

    You can select the security set by adding a parameter to the command line that invokes MJRW. It would look like:
    --> c:\some\path\MJRegWatcher\RegWatcher.exe 1
    Where '1' would select the highest security set and '4' would select the lightest security set.

    The scan frequency is controlled by the little numeric "spin control" to the right of the "Reject" button. It indicates the number of seconds MJRW will wait after finishing one scan before starting another. Setting it to 55 will probably get you close to once per minute. Scan speed is varied by the "throttle" settings (Options->settings->)

    Graphic, the parameter info is listed in the change log (1.2.2.3) portion of the Help file, but would probably be more easily found in the main Help section.
     
  24. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
  25. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Just completed version 1.2.3.8 of MJ Registry Watcher at http://www.jacobsm.com/index.htm#sft

    It has these changes :-

    1) If it is stopped, the system tray padlock is coloured black. I also lightened the green on accept mode, because I am red/green colour-blind, and found it difficult to tell whether an alert had happened!
    2) Added hosts file locations to all lists.
    3) Now continues the sweep when a key is prefixed on an alert, rather than stopping completely and waiting for the user to save and restart.
    4) Improved hidden key comparison report to more easily see what has changed.

    P.S. Don't tell anyone that I'm colour-blind : I'm piloting long-haul Boeing 747 flights, and I don't think they'd be very happy if - hang on - is that a green "Go" or a red "Stop"? Whoops, too late...
     