MJ Registry Watcher

Discussion in 'other anti-malware software' started by Graphic Equaliser, Nov 13, 2004.

Thread Status:
Not open for further replies.
  1. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    You need to enter the following into the exempt keys and filespecs list (the second item on the options menu) :-

    hkey_users\o_O\software\microsoft\windows\currentversion\explorer\recentdocs

    I already have this in my exemptions file :-

    hkey_users\o_O\software\microsoft\windows\currentversion\explorer\runmru

    and I don't get alerts from it. Good luck,
     
  2. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,355
    Location:
    Location Unknown
    I have just started using MJ and I have to say I like it very much. I like that it uses very little resources. I am even thinking of ditching RegRun Gold for it. My question is: is it possible to have an "ultimate" watch file? RegDefend has its own files of what it protects, and it even has additional files that enable it to protect the files and keys that RegRun protects. Is it possible to make a combination of those files and use it with MJ? If not, can people please share their custom protection files?
     
  3. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Thanks, Graphic. I had almost the same thing, except for the backslash before 'recentdocs'. I'll give it a try.

    What is this one going to do that the top one does not do?
     
  4. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    You can construct sets of keys and filespecs that could span the entire PC's system, and thereby protect it all from anything with MJRW. I've just tried
    %system%
    and it adds 2,013 files and directories to the checking loop. On each scan, it pauses for a second as it checks this one, and the CPU spikes. You could make it
    &%system%
    and that would lessen the strain to one fiftieth of a check every loop.

    You can also construct sets using other app's keys, but you may need to run it through a macro-enabled text editor to get the syntax correct for MJRW. Or you could just add to your custom set any keys you find in other apps, using copy and paste. Anyway, with a powerful enough PC, you could certainly protect the entire PC with MJRW.

    Daisey,
    hkey_users\o_O\software\microsoft\windows\currentversion\explorer\runmru
    is a subkey that kept alerting me every time a new "most recently used" item was added to Explorer. I exempted it to quieten these needless alerts. I never get alerts from RecentDocs, so I didn't need to exempt it.

    On a more general note, I almost always run MJRW in "Accept" mode, especially if I'm installing new software or hardware. I always run the Custom set. I hardly ever get alerts, but when I do, they are usually explainable by some action I'm performing. It is useful for keeping an eye on what the kids get up to on my home PC (software installations and the like), and since MJRW in Accept mode still logs all registry and filespec changes to the log file, you can always undo any damage done by malicious software.
     
  5. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    That's a very good point, GE. I normally run the HIGHEST security set, so installing software of any kind would set off a flurry of bells and whistles if not in Accept mode.

    Regarding the "most recently used" alert you mentioned above, is there no way to add a button to the dialog box that would put that registry key into the Exempt list?
     
  6. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    I am entertaining that idea now. It really likes scones and tea! ;-)
     
  7. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,355
    Location:
    Location Unknown
    Is there a way, or is there ever going to be, a way to minimize to the system tray when closing instead of having RW ask you if you want to leave?

    Also, are there any plans to include a locking feature with it so that entries/rules cannot be deleted?
     
  8. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    No. You just want it to behave like ZoneAlarm, which it isn't.

    The sets are locked by default. You have to turn editing on. From the help file,
    "After a save, a backup of the original set is in the file MJRegWatchKeys.old"
     
  9. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Thanks, GE. I know I've said this before, but I just wanted to thank you again for all your help. This is a great app, as is. I keep it running all the time! :)
     
  10. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    237
    I just deactivated this program because of some really weird behavior. When I shut down MJ Registry Watcher using the icon in the System Tray, it would shut down fine, but it would also delete a whole bunch of files from the root directory (C:\). It took some trial and error to figure out what was causing this, and I am now 99.9+% certain that it's MJ Registry Watcher that is responsible for the deletions.

    Specifics:
    I am using MJ Registry Watcher 1.2.4.2 under Windows 98 SE.


    Phil
     
  11. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    It could be that it has quarantined these root directory files. Certainly, this discussion has been had before in this thread. From that discussion with poster Dude :-

    MJRW will not delete files, although it can quarantine them, but that's only if it's in Reject mode, or you manually approve it doing so. You can prefix the files concerned with # to stop them being checked for changes, or, more safely, with = to automatically accept changes, while still reporting them in the log. But you've got to ask yourself the question, "Why are these files being changed so often?". MJRW doesn't usually list stuff that gets changed frequently by normal computer usage.

    HTH, Phil.

    P.S. version 1.2.4.3 is imminent - the only changes are userinit.exe in all key sets and an uninstall option in the Autostart options menu. Nothing spectacular.

    P.P.S. I got a really fruity alert the other day. I was installing the WinTV PCI card drivers, when MJRW sprang up reporting changes to the Winsock2 TCP/IP protocol stack! That's right - the Hauppauge TV card driver install generated this alert :-

    Registry Key hkey_local_machine\system\CurrentControlSet\services\winsock2\parameters\protocol_catalog9\catalog_entries
    Subkey 000000000014 has been added
    Subkey 000000000015 has been added

    These subkeys contained similar binary data to other entries under this key. Bizarre!
     
  12. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    MJ Registry Watcher version 1.2.4.3 is available for download from http://www.jacobsm.com/mjsoft.htm#rgwtchr . It has the following changes :-

    Changes 1.2.4.2 to 1.2.4.3
    1) Added uninstall facility to the automatic startup options.
    2) Added %system%userinit.exe to all key sets.
     
  13. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Hello again, GE. :D

    I am getting better at adding data to the exempt keys and values lists. However, unless I do it often, I seem to forget some of the basics. Hence my question.

    Is there a way that I can back up the exempt lists so I can restore them if I ever need to? For example, when I upgraded to 1.2.4.3, it appears that my exempt lists are gone. Maybe it's something I did. But in any case, I would rather not have to key this data in again. Thanks! :)
     
  14. mrhawkeye

    mrhawkeye Registered Member

    Joined:
    Nov 11, 2005
    Posts:
    2
    All this won't help against rootkits...

    It's a serious, growing problem.

    Only a full restore of an original image helps.

    Also, RootkitRevealer or F-Secure BlackLight and the MS thing won't help you, because some rootkits intercept all Windows calls, so your antivirus scanner etc. won't see the rootkit..
     
  15. Guessed

    Guessed Guest

    Nil desperandum. The bad guys are winning but they've not won yet. Rootkits, after all, are not magic but software. The "help" (for me) in using MJRegWatcher is educational: I learn more about how my comp works. It's not a 'set and forget' tool and so is quite a challenge for my (lowly) computer skills. Why not give it a try?
     
  16. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Daisey, you can easily back up and restore the exempt lists using Explorer. Go to the MJRegWatcher directory, and make copies of the files mjregwatcher.xcp and mjregwatcher.xck, then, after a new version of MJRW is installed, copy the backups back to these files. Since there may not be too many new versions now, you won't have to do this very often. If new developments occur, and MJRW needs to move on, I may put backups of these files into place automatically.

    MrHawkEye, rootkits are a serious problem, but I have managed to go to http://www.snoopfree.com and use SnoopFree to maintain a clean, unhooked system. It is also free of charge, and it uses next to no resources. It has spotted keyboard hooks and screen hooks from a variety of programs so far, including Windows Messenger! Together with MJRW, it is a formidable combo! HTH,
     
  17. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Thanks, GE. :) I now have Karen's Replicator set to copy these files daily to my backup drive so I can restore if needed in the future. Are there any other files that you recommend I back up that contain program settings?
     
  18. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    You could back up the key sets, just in case you had made any changes to them. They are in the MJRegWatcher directory and are called :-

    MJRegWatchKeys.txt
    MJRegWatchKeys.def
    MJRegWatchKeys.1
    MJRegWatchKeys.2
    MJRegWatchKeys.3
    MJRegWatchKeys.4

    and the configuration file that stores window placements :-

    MJRegWatcher.cfg

    and the alert sound file :-

    mjrwalert.wav

    and the log file :-

    MJRegWatchKeys.log

    As for Karen's Replicator, what a lovely looking freebie. I have already developed a similar system to backup files from one place to another, but it doesn't have all the features Karen's has. It can also optionally zip the files, and it's scheduled by the Windows task scheduler. Optional compression may be something to consider asking Karen to add. I use the freebie ZipForge component at http://www.componentace.com, and since the software is free, there are no business complications.

    Best regards,
     
  19. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Will do. Thanks! :)

    Yes. I really love it, too. And she is also responsive to requests / suggestions. I will mention the one about compression.

    If you have time, I would like to get your thoughts on this one key I have been struggling with. I download music using MSN's service. And it always pops up the following message:

    Registry Key hkey_users\S-1-5-21-2007687975-2540826829-1998901835-1007\software\microsoft\windows\currentversion\runonce
    Value MsnMusicAssistant (S) is going to be deleted - data is
    C:\Progra~1\MsnMusic\4226251\MsnMusic.exe

    To exempt this, I have tried adding the following to both lists, unsuccessfully. What might I be doing wrong? o_O

    hkey_users\o_O\software\microsoft\windows\currentversion\runonce\msnmusicassistant (s)

    Thanks! :D
     
  20. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Instead of putting :-
    hkey_users\o_O\software\microsoft\windows\currentversion\runonce\msnmusicassistant (s)
    into the exempt values file, put :-
    hkey_users\o_O\software\microsoft\windows\currentversion\runonce\msnmusicassistant
    instead.

    The (s) bit refers to the registry data type that this value has. In this case it is a plain string. The following types are classified under MJRW :-

    (S) String, eg. CompanyName (S) Microsoft Corporation
    (E) Environment string, eg. Local Page (E) %SystemRoot%\system32\blank.htm
    (N) A double word number (8 bytes), eg. CompletionChar (N) 64
    (B) A binary value, with variable length data in Hex format, eg. Cache_Percent_of_Disk (B) 0A 00 00 00
    (I) A double word number (8 bytes) in big endian format (hex bytes in reverse order), of which I have no examples!
    (M) A Multi-string, a delimited set of strings, eg. LocalService (M) Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
    (L) A Link, of which I have no examples!
    (Q) A Quad-word, of which I have no examples!
    (R) A Resource list, of which I have no examples!
    (F) A full resource descriptor, of which I have no examples!
    (C) A resource requirements list, of which I have no examples!

    HTH,
     
  21. fgroup

    fgroup Registered Member

    Joined:
    Nov 22, 2005
    Posts:
    2
    Hi!

    I cannot read all 13 pages of discussion :), so if this is a duplicated question - sorry.

    Which database of startup programs are you using in "MJ Registry Watcher"?

    In our software - Absolute StartUp - I am using my own database - it contains 12K+ descriptions of programs from startup and I'd like to exchange my base with other similar.

    Have you?
     
  22. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    fgroup,

    MJRW does not contain a database of startup programs as such. Instead, it contains locations in the registry, directories and files that are known to be places where Windows looks to find startup programs. Because of the open design of Windows, anything can be started at startup, and from a multitude of locations. MJRW attempts to cover all of these places, but without actually specifying which programs they are - just that something in one of these startup locations may have changed. HTH,
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I have not read the whole thread, but I would like to know if this app is just as advanced as RegDefend, or is it polling for changes? o_O
     
  24. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    RegWatcher polls at easily configured intervals -- as fast/frequent or as slow/infrequent as you specify.

    Immediately upon detecting any change to a protected registry item, RegWatcher blocks the change BEFORE asking you about it. If you say "let it happen" RegWatcher will then permit the change to be made.

    RegWatcher is free. RegDefend isn't. When set for frequent scans, RW makes it very, very unlikely that unwanted registry changes will be made. RD makes it fundamentally impossible for unwanted registry changes to be made.
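    A toy version of the poll-and-diff loop bellgamin describes, written for this page (it is not MJRW's own code): two polls of a watched key set are compared, each change is reported in the message style seen in posts 11 and 19 with the type letters from post 20, and the exemption prefixes from post 11 (`#` never checked, `=` accepted but logged) decide whether a change is blocked pending the user's answer or only logged. The key paths and data are constructed sample values; treating a bare exemption entry like `#` is an assumption of the toy, not MJRW's documented rule.

```python
"""Toy poll-and-diff watcher in the style this thread describes for MJRW (constructed
example, not MJRW's code). A poll is a dict {key_path: {value_name: (type, data)}}
using the one-letter type codes from post 20 ("S" string, "N" dword, ...). Exemptions
follow the thread: "#path" is never checked, "=path" is auto-accepted but still logged;
a bare path is treated like "#" here (an assumption of this toy, not MJRW's rule)."""
from dataclasses import dataclass

@dataclass
class Change:
    key: str
    text: str     # report line in MJRW's style
    action: str   # "block": held until the user answers; "accept": allowed, log only

def _norm(p):
    return p.lower().rstrip("\\")

def exemption_for(path, exemptions):
    """Return '#', '=' or None according to the first exemption entry covering path."""
    p = _norm(path)
    for entry in exemptions:
        prefix, target = (entry[0], entry[1:]) if entry[:1] in ("#", "=") else ("#", entry)
        t = _norm(target)
        if p == t or p.startswith(t + "\\"):
            return prefix
    return None

def diff_snapshots(old, new, exemptions, accept_mode=False):
    """Compare two polls of the watched key set and decide what to do with each change."""
    changes = []
    for key in sorted(set(old) | set(new)):
        o, n = old.get(key, {}), new.get(key, {})
        for name in sorted(set(o) | set(n)):
            ex = exemption_for(key + "\\" + name, exemptions)  # a key entry covers its values
            if ex == "#" or o.get(name) == n.get(name):
                continue                                       # not checked, or unchanged
            if name not in n:
                t, d = o[name]
                msg = f"Value {name} ({t}) is going to be deleted - data is {d}"
            else:
                t, d = n[name]
                verb = "has been added" if name not in o else "has changed"
                msg = f"Value {name} ({t}) {verb} - data is {d}"
            action = "accept" if accept_mode or ex == "=" else "block"
            changes.append(Change(key, msg, action))
    return changes

# Constructed sample polls: the RunOnce value from post 19 is consumed by Windows and
# an unknown autostart entry turns up under HKLM\...\Run between two polls.
RUNONCE = (r"hkey_users\S-1-5-21-2007687975-2540826829-1998901835-1007"
           r"\software\microsoft\windows\currentversion\runonce")
RUN = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
POLL_1 = {RUNONCE: {"MsnMusicAssistant": ("S", r"C:\Progra~1\MsnMusic\4226251\MsnMusic.exe")},
          RUN: {}}
POLL_2 = {RUNONCE: {}, RUN: {"Updater": ("S", r"C:\Temp\updater.exe")}}
```

    Running `diff_snapshots(POLL_1, POLL_2, [RUNONCE + r"\msnmusicassistant"])` reproduces GE's advice in post 20: the RunOnce deletion is silenced by the bare entry while the new Run value is still blocked for the user to decide on.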
     
  25. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Graphic,
    Would you consider allowing the polling period to be a lot more infrequent?

    What I would like to do is have the program in auto-accept mode so that it will not attempt to roll back any changes, and have its log as a broad-brush history record for persistent changes in the keys being monitored.

    To do this I would want to poll all of its keys once on startup and then infrequently afterwards (half-hourly, hourly or maybe every few hours). And then have it do its best to do a poll when it receives a shutdown message from Windows (or when it is asked to exit normally) so that it has a reasonable chance of capturing fairly up-to-date key state prior to reboot.

    What do you think? I think it would be a useful enhancement to capture and log changes to the steady state of the PC without trying to get all the blow-by-blow details with very frequent polling.

    Thanks
     