MJ Registry Watcher

Discussion in 'other anti-malware software' started by Graphic Equaliser, Nov 13, 2004.

Thread Status:
Not open for further replies.
  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    But why not make this app work like RegDefend, or is this very difficult to develop? :rolleyes:
     
  2. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    I run MJRW in Auto-Accept mode, so my log is a blow-by-blow account of what is happening in key areas of my PC, but I don't get bothered by alerts. My scan interval is set at 8 seconds (the spinner in the toolbar at the top). You can set this as high as 600 (10 minutes between each scan).

    I can make 2 changes.
    1) Allow you to set the spinner up as high as 9999 seconds (nearly 3 hours).
    2) If in Accept mode, force a complete scan before closing.

    I'll look into this; option 2 is dangerous. However, it is not of urgent priority, since a ten minute scan should suffice.
     
  3. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    You must bear in mind that the freeware MJRW never started out to be anything but a cruder, but more expansible replacement for Mike Lin's Startup Monitor. (See http://www.mlin.net/ )

    I don't know how RD works. I have looked into other methods but they all use too much cpu and/or resources. MJRW has a minimal drain on the system; about as much cpu as csrss.exe and uses a few meg of ram. If you're happy with RD, I'm not going to re-invent the wheel. Personally, MJRW+Snoopfree is adequate for my security needs. I don't tend to browse in the wild, so to speak!
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Well, even the Regprot app from DiamondCS is not a poller; this is from the help file:

    By monitoring important locations and keys in the Windows system registry, RegistryProt will alert whenever a key is added or changed, and then give the option of accepting the key change, reverting back to the original key setting, or deleting the key.

    Many Registry monitors work by actively polling specific registry locations (you can confirm this with a tool such as SysInternals Registry Monitor). This is a task that must be executed every few seconds and demands resources from the system. RegistryProt v2.0 is unique in that it hooks into the registry, allowing it to sit and wait for changes/additions, using virtually no resources in doing so.
     
  5. Fernando Villegas

    Fernando Villegas Registered Member

    Joined:
    Dec 3, 2005
    Posts:
    55
    Location:
    Santiago de Chile
    Thank you graphic equaliser for your wonderful free software.

    I hate it when people look a gift horse in the mouth.

    Please don't be ungrateful and ask for more than an author of a freeware product is willing to give. He has already given his answer to your request.

    If you want something free that does registry hooking, either pay for it, or write it yourself. If you can't, then stop badgering other people.

    Actually there's one free software that 'hooks the registry'.......
     
  6. Hey Ya

    Hey Ya Guest

    Yes, but MJRW is configurable; Regprot is not and only covers a limited number of registry keys. Regprot was developed from the same research that led to ProcessGuard and therefore, I suppose, was coded by the same exceptionally gifted programmer responsible for RegDefend. These apps are not open-source and it is difficult to emulate such feats. Let's be grateful to Mark for a superb free app.
     
  7. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA


    VERY Well stated - Both of you. :)
     
  8. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Thanks for defending MJRW people. It saved my bacon again the other day, when something within IE tried to alter my TCP/IP stack protocols! I simply undid what the MJRW log file had recorded had been done, since I run MJRW in Accept mode. It turned out that it was an esoteric animation add-on for IE and not a virus or an important piece of software.

    Rasheed,
    Hooking registry keys implies you know where they all are to begin with. Directories, files and registry entries can be hooked, but you try porting that to Linux! A poller keeps the design simple. Here is the help section on hooking Registry keys. It is just as complicated for keeping an "eye" on directories and files. Note that, to track key deletions, we have to go back to the poller approach! Enjoy!

    The RegNotifyChangeKeyValue function notifies the caller about changes to the attributes or contents of a specified registry key. Note that the function does not notify the caller if the specified key is deleted.

    LONG RegNotifyChangeKeyValue(

    HKEY hKey, // handle of key to watch
    BOOL bWatchSubtree, // flag for subkey notification
    DWORD dwNotifyFilter, // changes to be reported
    HANDLE hEvent, // handle of signaled event
    BOOL fAsynchronous // flag for asynchronous reporting
    );


    Parameters

    hKey

    Identifies a currently open key or any of the following predefined reserved handle values:

    HKEY_CLASSES_ROOT
    HKEY_CURRENT_USER
    HKEY_LOCAL_MACHINE
    HKEY_USERS

    bWatchSubtree

    Specifies a flag that indicates whether to report changes in the specified key and all of its subkeys or only in the specified key. If this parameter is TRUE, the function reports changes in the key and its subkeys. If the parameter is FALSE, the function reports changes only in the key.

    dwNotifyFilter

    Specifies a set of flags that control which changes should be reported. This parameter can be a combination of the following values:

    Value                         Meaning
    REG_NOTIFY_CHANGE_NAME        Notify the caller if a subkey is added or deleted.
    REG_NOTIFY_CHANGE_ATTRIBUTES  Notify the caller of changes to the attributes of the key, such as the security descriptor information.
    REG_NOTIFY_CHANGE_LAST_SET    Notify the caller of changes to a value of the key. This can include adding or deleting a value, or changing an existing value.
    REG_NOTIFY_CHANGE_SECURITY    Notify the caller of changes to the security descriptor of the key.

    hEvent

    Identifies an event. If the fAsynchronous parameter is TRUE, the function returns immediately and changes are reported by signaling this event. If fAsynchronous is FALSE, hEvent is ignored.

    fAsynchronous

    Specifies a flag that indicates how the function reports changes. If this parameter is TRUE, the function returns immediately and reports changes by signaling the specified event. When this parameter is FALSE, the function does not return until a change has occurred.
    If hEvent does not specify a valid event, the fAsynchronous parameter cannot be TRUE.

    Return Values

    If the function succeeds, the return value is ERROR_SUCCESS.
    If the function fails, the return value is a nonzero error code defined in WINERROR.H. You can use the FormatMessage function with the FORMAT_MESSAGE_FROM_SYSTEM flag to get a generic description of the error.

    Remarks

    If the key identified by the hKey parameter is closed, the event is signaled. This means that an application should not depend on the key being open after returning from a wait operation on the event.
    RegNotifyChangeKeyValue does not work with remote handles. If RegNotifyChangeKeyValue is called with an hKey value that is a remote handle, it returns ERROR_INVALID_HANDLE.

    See Also

    RegDeleteKey, RegEnumKey, RegEnumKeyEx, RegEnumValue, RegQueryInfoKey, RegQueryValue, RegQueryValueEx
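    The post above explains why MJRW polls instead of hooking: RegNotifyChangeKeyValue does not report deletion of the watched key, so a poller compares one scan of a key against the previous one. The following is an added example, not MJRW's own code, of that snapshot-diff step in C; the two scans of a Run key are constructed sample data, and entries are assumed to be sorted by name in strcmp order.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One registry value as a poller snapshots it: value name and its data
   rendered as a string. Constructed type for this example. */
typedef struct {
    const char *name;
    const char *data;
} RegValue;

/* Tally of what changed between two scans of one key. */
typedef struct {
    int added;
    int deleted;
    int changed;
} DiffCounts;

/* Callback used to log or prompt on each difference ("accept/reject"). */
typedef void (*ReportFn)(const char *kind, const RegValue *v);

/* Compare two snapshots of a key. Both arrays must be sorted by name in
   strcmp order; the function walks them in lock-step, so a deleted value
   (present before, absent now) is detected even though no notification
   would ever have fired for it. Cost is linear in the snapshot size. */
DiffCounts diff_snapshots(const RegValue *before, size_t nb,
                          const RegValue *after, size_t na,
                          ReportFn report)
{
    DiffCounts c = {0, 0, 0};
    size_t i = 0, j = 0;
    while (i < nb || j < na) {
        int cmp;
        if (i >= nb)      cmp = 1;   /* only "after" entries left: additions */
        else if (j >= na) cmp = -1;  /* only "before" entries left: deletions */
        else              cmp = strcmp(before[i].name, after[j].name);

        if (cmp < 0) {               /* in the old scan, gone from the new one */
            c.deleted++;
            if (report) report("deleted", &before[i]);
            i++;
        } else if (cmp > 0) {        /* new name that was not there before */
            c.added++;
            if (report) report("added", &after[j]);
            j++;
        } else {                     /* same name: compare the data */
            if (strcmp(before[i].data, after[j].data) != 0) {
                c.changed++;
                if (report) report("changed", &after[j]);
            }
            i++;
            j++;
        }
    }
    return c;
}

static void print_report(const char *kind, const RegValue *v)
{
    printf("%-8s %s = %s\n", kind, v->name, v->data);
}

/* Constructed sample: two scans of a Run key, one scan interval apart.
   Between them ctfmon was removed, snoopfree's command line was altered
   and an "updater" entry pointing into a temp directory appeared. */
static const RegValue scan1[] = {
    {"ctfmon",    "C:\\WINDOWS\\system32\\ctfmon.exe"},
    {"mjrw",      "C:\\Program Files\\MJRegWatcher\\RegWatcher.exe"},
    {"snoopfree", "C:\\Program Files\\SnoopFree\\SnoopFree.exe"},
};
static const RegValue scan2[] = {
    {"mjrw",      "C:\\Program Files\\MJRegWatcher\\RegWatcher.exe"},
    {"snoopfree", "C:\\Program Files\\SnoopFree\\SnoopFree.exe /quiet"},
    {"updater",   "C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\upd.exe"},
};

DiffCounts run_sample(void)
{
    return diff_snapshots(scan1, sizeof scan1 / sizeof *scan1,
                          scan2, sizeof scan2 / sizeof *scan2, print_report);
}

int main(void)
{
    DiffCounts c = run_sample();
    printf("added=%d deleted=%d changed=%d\n", c.added, c.deleted, c.changed);
    return 0;
}
```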
     
  9. Ryan1F

    Ryan1F Registered Member

    Joined:
    Dec 3, 2005
    Posts:
    13
    Man, your program's good..!!!:D It helps me a lot...
    Now I can see what's happening and where exactly it happened (in my comp's registry).:D

    Works together with procexp from Sysinternals, and it's near perfect...
    Keep up the good work....;)

    Many many thanks....:D
     
  10. Ryan1F

    Ryan1F Registered Member

    Joined:
    Dec 3, 2005
    Posts:
    13
    For this kind of software o_O
    Hook up the registry o_O
    Stop it or let it o_O??
    .....others will ask for payment (some money):rolleyes:
    Man, this piece of software is awesome....;)

    I have tested it, it works well...!:D
    (winxp_home-xp_pro-winme-bi366cg-df5wks):ninja:
    (P4-ram256-p4v_asus_Mothbrd-hd40gb):ninja:
    Slight changes needed, but it's all right...
    Nothing's perfect.:)

    Man, thank you very much....
     
  11. Trpm

    Trpm Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    2
    Hey there Graphic Equaliser,

    Paul at CCSP said you sent him an e-mail about adding MJ Registry Watcher to the downloads section, so I decided to try it out.
    Nice program, but it's got a problem deleting files in the root drive. I noticed that it had been reported by several other people and you dismissed it. You might want to take a look at this filemon log from my Win98se system; it clearly shows MJ Registry Watcher trying to delete several files and successfully deleting my autoexec.bat file.

    28 11:00:02 PM Regwatch:FFF6B13B Close C:\WINDOWS\MEDIA\UTOPIA QUESTION.WAV SUCCESS CLOSE_FINAL
    29 11:00:05 PM Regwatch:FFF6B13B FindOpen C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\MJREGWATCHER.CFG SUCCESS MJRegWatcher.cfg
    30 11:00:05 PM Regwatch:FFF6B13B FindClose C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\MJREGWATCHER.CFG SUCCESS
    31 11:00:05 PM Regwatch:FFF6B13B Open C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\MJREGWATCHER.CFG SUCCESS CREATENEW REPLACEEXISTING WRITEONLY DENYNONE
    32 11:00:05 PM Regwatch:FFF6B13B Write C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\MJREGWATCHER.CFG SUCCESS Offset: 0 Length: 50
    33 11:00:05 PM Regwatch:FFF6B13B Close C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\MJREGWATCHER.CFG SUCCESS CLOSE_FINAL
    34 11:00:05 PM Regwatch:FFF6B13B FindOpen C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\USRBAK\JUNK\*.* SUCCESS .
    35 11:00:05 PM Regwatch:FFF6B13B FindNext C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\USRBAK\JUNK\*.* SUCCESS ..
    36 11:00:05 PM Regwatch:FFF6B13B FindNext C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\USRBAK\JUNK\*.* NOMORE
    37 11:00:05 PM Regwatch:FFF6B13B FindClose C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\USRBAK\JUNK\*.* SUCCESS
    38 11:00:05 PM Regwatch:FFF6B13B FindOpen C:\JUNK\*.* NOTFOUND
    39 11:00:05 PM Regwatch:FFF6B13B FindOpen C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\USRBAK\*.* SUCCESS .
    40 11:00:05 PM Regwatch:FFF6B13B FindNext C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\USRBAK\*.* SUCCESS ..
    41 11:00:05 PM Regwatch:FFF6B13B FindNext C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\USRBAK\*.* SUCCESS c-program files-filemap by bb v404-bootalert.LNK
    42 11:00:05 PM Regwatch:FFF6B13B FindOpen C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\USRBAK\C-PROGRAM FILES-FILEMAP BY BB V404-BOOTALERT.LNK SUCCESS c-program files-filemap by bb v404-bootalert.LNK
    43 11:00:05 PM Regwatch:FFF6B13B FindClose C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\USRBAK\C-PROGRAM FILES-FILEMAP BY BB V404-BOOTALERT.LNK SUCCESS
    44 11:00:05 PM Regwatch:FFF6B13B FindOpen C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\USRBAK\C-PROGRAM FILES-FILEMAP BY BB V404-BOOTALERT.LNK SUCCESS c-program files-filemap by bb v404-bootalert.LNK
    45 11:00:05 PM Regwatch:FFF6B13B FindClose C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\USRBAK\C-PROGRAM FILES-FILEMAP BY BB V404-BOOTALERT.LNK SUCCESS
    46 11:00:05 PM Regwatch:FFF6B13B Delete C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\USRBAK\C-PROGRAM FILES-FILEMAP BY BB V404-BOOTALERT.LNK SUCCESS
    47 11:00:05 PM Regwatch:FFF6B13B FindNext C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\USRBAK\*.* NOMORE
    48 11:00:05 PM Regwatch:FFF6B13B FindClose C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\USRBAK\*.* SUCCESS
    49 11:00:05 PM Regwatch:FFF6B13B FindOpen C:\*.* SUCCESS IO.SYS
    50 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS MSDOS.SYS
    51 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS BOOTLOG.TXT
    52 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS USR
    53 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS WINDOWS
    54 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS imouse
    55 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS Program Files
    56 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS My Documents
    57 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS SBPCI
    58 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS DIRECTX
    59 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS tweak ui
    60 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS CENTURY
    61 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS dosboot
    62 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS icu
    63 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS cdrom
    64 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS Windows Update Setup Files
    65 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS mame32
    66 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS Intel chipset inst utilty
    67 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS CpuFsb
    68 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS spmario
    69 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS Qbasic
    70 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS Downloads
    71 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS My Music
    72 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS NU_RESCUE1
    73 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS WUTemp
    74 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS RECYCLED
    75 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS KPCMS
    76 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS psfonts
    77 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS sj512slp
    78 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS BOOTLOG.PRV
    79 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS WIN386.SWP
    80 11:00:05 PM Regwatch:FFF6B13B FindOpen C:\WIN386.SWP SUCCESS WIN386.SWP
    81 11:00:05 PM Regwatch:FFF6B13B FindClose C:\WIN386.SWP SUCCESS
    82 11:00:05 PM Regwatch:FFF6B13B FindOpen C:\WIN386.SWP SUCCESS WIN386.SWP
    83 11:00:05 PM Regwatch:FFF6B13B FindClose C:\WIN386.SWP SUCCESS
    84 11:00:05 PM Regwatch:FFF6B13B Delete C:\WIN386.SWP ACCDENIED
    85 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS adaptec
    86 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS Converted Music
    87 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS Software
    88 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS RegProt
    89 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS Config.Msi
    90 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS Boomerang
    91 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS occc
    92 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS Nortonsd
    93 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS getservice
    94 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS FileMap-by-BB
    95 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS InterMute
    96 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS FileMap Quarantine
    97 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS spell
    98 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS ie-spyad2
    99 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS Recovered_10_3_05
    100 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS Driver Collector
    101 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS autoexec.bat
    102 11:00:05 PM Regwatch:FFF6B13B FindOpen C:\AUTOEXEC.BAT SUCCESS autoexec.bat
    103 11:00:05 PM Regwatch:FFF6B13B FindClose C:\AUTOEXEC.BAT SUCCESS
    104 11:00:05 PM Regwatch:FFF6B13B FindOpen C:\AUTOEXEC.BAT SUCCESS autoexec.bat
    105 11:00:05 PM Regwatch:FFF6B13B FindClose C:\AUTOEXEC.BAT SUCCESS
    106 11:00:05 PM Regwatch:FFF6B13B Delete C:\AUTOEXEC.BAT SUCCESS
    107 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS Recovered_12_14_05
    108 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS DETLOG.TXT
    109 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS SD.INI
    110 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS VIDEOROM.BIN
    111 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS Bejeweled Installer.EXE
    112 11:00:05 PM Regwatch:FFF6B13B FindOpen C:\BEJEWELED INSTALLER.EXE SUCCESS Bejeweled Installer.EXE
    113 11:00:05 PM Regwatch:FFF6B13B FindClose C:\BEJEWELED INSTALLER.EXE SUCCESS
    114 11:00:05 PM Regwatch:FFF6B13B FindOpen C:\BEJEWELED INSTALLER.EXE SUCCESS Bejeweled Installer.EXE
    115 11:00:05 PM Regwatch:FFF6B13B FindClose C:\BEJEWELED INSTALLER.EXE SUCCESS
    116 11:00:05 PM Regwatch:FFF6B13B Delete C:\BEJEWELED INSTALLER.EXE ACCDENIED
    117 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS sleep.com
    118 11:00:05 PM Regwatch:FFF6B13B FindOpen C:\SLEEP.COM SUCCESS sleep.com
    119 11:00:05 PM Regwatch:FFF6B13B FindClose C:\SLEEP.COM SUCCESS
    120 11:00:05 PM Regwatch:FFF6B13B FindOpen C:\SLEEP.COM SUCCESS sleep.com
    121 11:00:05 PM Regwatch:FFF6B13B FindClose C:\SLEEP.COM SUCCESS
    122 11:00:05 PM Regwatch:FFF6B13B Delete C:\SLEEP.COM ACCDENIED
    123 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS IPH.PH
    124 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS DETLOG.OLD
    125 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS IMAGE.IDX
    126 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS IMAGE.DAT
    127 11:00:05 PM Regwatch:FFF6B13B FindOpen C:\IMAGE.DAT SUCCESS IMAGE.DAT
    128 11:00:05 PM Regwatch:FFF6B13B FindClose C:\IMAGE.DAT SUCCESS
    129 11:00:05 PM Regwatch:FFF6B13B FindOpen C:\IMAGE.DAT SUCCESS IMAGE.DAT
    130 11:00:05 PM Regwatch:FFF6B13B FindClose C:\IMAGE.DAT SUCCESS
    131 11:00:05 PM Regwatch:FFF6B13B Delete C:\IMAGE.DAT ACCDENIED
    132 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* SUCCESS IMAGE.BAK
    133 11:00:05 PM Regwatch:FFF6B13B FindOpen C:\IMAGE.BAK SUCCESS IMAGE.BAK
    134 11:00:05 PM Regwatch:FFF6B13B FindClose C:\IMAGE.BAK SUCCESS
    135 11:00:05 PM Regwatch:FFF6B13B FindOpen C:\IMAGE.BAK SUCCESS IMAGE.BAK
    136 11:00:05 PM Regwatch:FFF6B13B FindClose C:\IMAGE.BAK SUCCESS
    137 11:00:05 PM Regwatch:FFF6B13B Delete C:\IMAGE.BAK ACCDENIED
    138 11:00:05 PM Regwatch:FFF6B13B FindNext C:\*.* NOMORE
    139 11:00:05 PM Regwatch:FFF6B13B Read C:\WINDOWS\SYSTEM\OLEAUT32.DLL SUCCESS Offset: 516096 Length: 4096
    140 11:00:05 PM Regwatch:FFF6B13B Read C:\WINDOWS\SYSTEM\OLE32.DLL SUCCESS Offset: 239104 Length: 4096
    141 11:00:05 PM Regwatch:FFF6B13B Read C:\WINDOWS\SYSTEM\OLE32.DLL SUCCESS Offset: 58880 Length: 4096
    142 11:00:05 PM KERNEL32:FF0FFD7F Close C:\WINDOWS\DESKTOP\REGWAT~1\MJREGW~1\REGWAT~1.EXE SUCCESS CLOSE_FINAL
    143 11:00:05 PM KERNEL32:FF0FFD7F FindClose C:\WINDOWS\TASKS\*.* SUCCESS
    144 11:00:05 PM KERNEL32:FF0FFD7F FindClose C:\WINDOWS\START MENU\PROGRAMS\STARTUP\*.* SUCCESS
    145 11:00:05 PM KERNEL32:FF0FFD7F FindClose C:\WINDOWS\TASKS\*.* SUCCESS
    146 11:00:05 PM KERNEL32:FF0FFD7F FindClose C:\WINDOWS\START MENU\PROGRAMS\STARTUP\*.* SUCCESS
    147 11:00:05 PM KERNEL32:FF0FFD7F FindClose C:\WINDOWS\START MENU\PROGRAMS\STARTUP\*.* SUCCESS
    148 11:00:05 PM KERNEL32:FF0FFD7F FindClose C:\WINDOWS\TASKS\*.* SUCCESS
    149 11:00:05 PM KERNEL32:FF0FFD7F FindClose C:\*.* SUCCESS
    150 11:00:07 PM Explorer:FFF1467F FindOpen C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\*.* SUCCESS .
    151 11:00:07 PM Explorer:FFF1467F FindNext C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\*.* SUCCESS ..
    152 11:00:07 PM Explorer:FFF1467F FindNext C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\*.* SUCCESS MJRegWatcher.cfg
    153 11:00:07 PM Explorer:FFF1467F FindNext C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\*.* SUCCESS MJRegWatchHelp.txt
    154 11:00:07 PM Explorer:FFF1467F FindNext C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\*.* SUCCESS RegWatcher.exe
    155 11:00:07 PM Explorer:FFF1467F FindNext C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\*.* SUCCESS MJRegWatchKeys.log
    156 11:00:07 PM Explorer:FFF1467F FindNext C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\*.* SUCCESS MJRegWatchKeys.1
    157 11:00:07 PM Explorer:FFF1467F FindNext C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\*.* SUCCESS MJRegWatchKeys.2
    158 11:00:07 PM Explorer:FFF1467F FindNext C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\*.* SUCCESS MJRegWatchKeys.3
    159 11:00:07 PM Explorer:FFF1467F FindNext C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\*.* SUCCESS MJRegWatchKeys.def
    160 11:00:07 PM Explorer:FFF1467F FindNext C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\*.* SUCCESS MJRegWatchKeys.4
    161 11:00:07 PM Explorer:FFF1467F FindNext C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\*.* SUCCESS MJRegWatchKeys.txt
    162 11:00:07 PM Explorer:FFF1467F FindNext C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\*.* SUCCESS MJRegWatchKeys.old
    163 11:00:07 PM Explorer:FFF1467F FindNext C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\*.* SUCCESS MJRegWatcher.xcp
    164 11:00:07 PM Explorer:FFF1467F FindNext C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\*.* SUCCESS MJRegWatcher.xck
    165 11:00:07 PM Explorer:FFF1467F FindNext C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\*.* SUCCESS orgalert.wav
    166 11:00:07 PM Explorer:FFF1467F FindNext C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\*.* SUCCESS mjrwalert.wav
    167 11:00:07 PM Explorer:FFF1467F FindNext C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\*.* SUCCESS MJQuarantine
    168 11:00:07 PM Explorer:FFF1467F FindNext C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\*.* SUCCESS MJRegBackup
    169 11:00:07 PM Explorer:FFF1467F FindNext C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\*.* NOMORE
    170 11:00:07 PM Explorer:FFF1467F FindClose C:\WINDOWS\DESKTOP\REG WATCHER\MJREGWATCHER\*.* SUCCESS

    Thought you might like to see it happening in real time.

    Rex A.K.A. Trpm
     
  12. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    To put it frankly, having looked at your log, I'm flabbergasted! I need to know a couple of things before I can fully investigate what is going on here. First, what mode are you running MJRW in? If it's not already, please run it in Accept mode for a couple of days, and see if that still deletes autoexec.bat. Secondly, I need to see the MJRW log entries for the date and time of that file activity output. Thanks for your patience.
     
  13. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    On further investigation, it appears that Win9x systems do not have a "Common Startup Directory" although they do have a "User Startup Directory". MJRW has a problem when this is the case, and there is a fair chance Win9x users will have files removed from their root directory. I am working on a correction, which will be published at some time today. Thank you everyone, for your feedback and patience. And thank you Trpm for the filemon output, which really clinched this bug for me. I will post again when the corrected new version is available for download. Regards,
     
  14. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    MJ Registry Watcher version 1.2.4.4 has been released. It has one change :-

    Changes 1.2.4.3 to 1.2.4.4
    1) Corrected bug which, on Win9x systems, would attempt to clear the root directory on exit.

    You can download it from http://www.jacobsm.com/mjsoft.htm#rgwtchr

    My browser is being stubborn and refusing to display the new mjsoft.htm page I beamed up there a moment ago. It keeps displaying the old page with version 1.2.4.3 on it instead. You may have to clear the "IE History" to get it to display correctly. However, the download is definitely version 1.2.4.4 despite what the web page may say.

    It's a good job we've got an old Windows 95 PC in the office! I have tested this version on it, and the problem of disappearing root directory files on Win9x systems is definitely cured now. Regards,
     
  15. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Graphic,
    What would happen if filesystem permissions either in the path or for the named directory denied MJRW from accessing the directory? Is that a similar case to it not being there?

    Just wondering...
     
  16. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Yes, it would not find the file or path when it issued a "stat" function call. That file or path would stay invisible to MJRW until its permissions changed.
     
  17. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    OK, I think you have answered my question. I was wondering if the problem you just fixed could be encountered in a different way.

    Not that it really matters now that it has been fixed, but how did the Win95/98 problem manage to delete files from / when the "Common Startup" directory wasn't there if you are doing a stat check prior to changing/listing the directory ?
     
  18. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    It's complicated, because I seem to program in such a modular fashion. The routine that handles moving of link or pif files from the startup directories to a backup location, is called in no less than 10 different places in the code. One of its arguments was the backup directory from which the backup link and pif files were being deleted, as part of its "cleanup" routine at program close. Unfortunately, on Win9x systems, this could turn out to be blank, and inclusion of the backslash meant that the non-readonly files in the root of whatever drive MJRW was running on, would be deleted. :eek:

    Now, I have guaranteed the routine won't be called if either, or both, of the startup directories do not exist. I tested it on the office Win95 PC like this :-

    1. Backed up all root directory files :cool:
    2. Launched MJRW 1.2.4.3 and left it for a few scans
    3. Shut down MJRW
    4. Beheld the disaster that was loads of files missing from the root directory
    5. Restored files to root
    6. Launched MJRW 1.2.4.4 and left it for a few scans
    7. Shut down MJRW
    8. Beheld the wonderful intact root drive

    If you're running Win9x and had dumped MJRW because of this bug, please accept my sincere apologies :oops: , and feel free to download the updated version at http://www.jacobsm.com/mjsoft.htm#rgwtchr

    Best regards
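    The root-directory bug described above comes down to a cleanup routine joining a possibly blank backup directory with a backslash and "*.*", which on Win9x resolved to the root of the drive. As an added example, not the MJRW source, the C below shows the naive join beside a hardened one that refuses empty, root, relative and ".."-containing directories, plus a guard mirroring the 1.2.4.4 fix of skipping cleanup unless both startup directories exist. The dir_exists callback and fake_dir_exists are stand-ins for the "stat" call the author mentions, so the code runs without Windows.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Naive join as the 1.2.4.3 failure is described: an empty backup_dir
   yields "\*.*", which the OS resolves against the root of the current
   drive. Kept only to show the failure mode; never use it for deletion. */
int join_naive(char *out, size_t cap, const char *backup_dir)
{
    int n = snprintf(out, cap, "%s\\*.*", backup_dir);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Hardened join: backup_dir must be an absolute drive-letter path strictly
   below the root with no ".." component. Returns 0 and fills out on
   success, -1 when the directory is rejected (caller must then not clean). */
int join_cleanup_pattern(char *out, size_t cap, const char *backup_dir)
{
    if (backup_dir == NULL) return -1;
    size_t len = strlen(backup_dir);
    /* must start with "X:\" */
    if (len < 3 || !isalpha((unsigned char)backup_dir[0]) ||
        backup_dir[1] != ':' || backup_dir[2] != '\\')
        return -1;
    /* drop trailing backslashes so "C:\Foo\" and "C:\Foo" are treated alike */
    while (len > 3 && backup_dir[len - 1] == '\\') len--;
    if (len == 3) return -1;            /* "C:\" is the root: never clean it */
    /* refuse any "\.." component, whether followed by "\" or at the end */
    for (size_t i = 3; i + 1 < len; i++) {
        if (backup_dir[i - 1] == '\\' && backup_dir[i] == '.' &&
            backup_dir[i + 1] == '.' &&
            (i + 2 == len || backup_dir[i + 2] == '\\'))
            return -1;
    }
    int n = snprintf(out, cap, "%.*s\\*.*", (int)len, backup_dir);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Guard equivalent to the 1.2.4.4 fix: the cleanup routine is only called
   when both startup directories are non-blank and actually exist. */
bool should_run_cleanup(const char *user_startup, const char *common_startup,
                        bool (*dir_exists)(const char *))
{
    if (user_startup == NULL || common_startup == NULL) return false;
    if (*user_startup == '\0' || *common_startup == '\0') return false;
    return dir_exists(user_startup) && dir_exists(common_startup);
}

/* Constructed stand-in for a directory check: only the user startup
   directory "exists", as on the Win9x machine in the thread. */
bool fake_dir_exists(const char *path)
{
    return strcmp(path, "C:\\WINDOWS\\Start Menu\\Programs\\StartUp") == 0;
}

int main(void)
{
    char buf[260];
    const char *user = "C:\\WINDOWS\\Start Menu\\Programs\\StartUp";

    join_naive(buf, sizeof buf, "");
    printf("naive join of blank dir : %s  (root of the drive!)\n", buf);
    printf("hardened join of blank  : %s\n",
           join_cleanup_pattern(buf, sizeof buf, "") ? "rejected" : buf);
    printf("cleanup allowed on Win9x: %s\n",
           should_run_cleanup(user, "", fake_dir_exists) ? "yes" : "no");
    return 0;
}
```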
     
  19. Trpm

    Trpm Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    2
    Hey there Graphic Equaliser,

    I wanted to wait until I had tested the New and Improved MJ Registry Watcher 8 or 10 times before I responded, since you had already fixed it, before I got a chance to answer any of your questions.
    Great job!!! Works like a charm now, thanks for the fast response! ;)

    Rex
     
  20. Gedeon

    Gedeon Guest

    Hi Graphic,

    I use MJRW 1.2.4.2 on W98SE, ALWAYS in Accept Mode: could you tell me please if some files have been deleted in my root directory on MJRW exit? If yes, could you give me the names of these files?

    Now, I'm going to download the latest version. Thanks for your great job!

    Gedeon
     
  21. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    It is possible that autoexec.bat and config.sys have been removed. Both Microsoft and the end user tend not to put important files in the root directory, unless they protect them first by making their attributes "Read Only" or "System" or "Hidden" or any combination of these. So, for the most part, this bug really only affects autoexec.bat and config.sys files, and these can contain some important setup info for your PC, if you are tailoring it to some environment. The PC functions fine if neither of these files exists, but you may run out of file handles when running an old DOS application. Config.sys can contain device drivers and such drivers are loaded at startup. If you were using a device one of these drivers supported, then that device may now fail without the driver being present. I assume you have not seen this happen, and hence it doesn't sound as if you have lost anything important at all. It sounds like you don't have too much to worry about, since your PC is still working fine. HTH,
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Well, I was just asking for a new feature; if the author doesn't want to implement it (or can't), it's up to him. I don't know why everyone is getting so emotional. And I've tried the app, and I didn't like it: way too many popups, I didn't like the polling, and the GUI isn't that nice either. It's just my opinion, nobody has to become mad. ;)
     
  23. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Rasheed,

    I can't speak for everyone else, but it wasn't your dislike of the app that concerned me, but your attitude in general. The fact that you had the opportunity to try it should make you grateful. You weren't charged a cent, after all.

    Sorry you didn't like it. If you find something that's better, feel free to discuss it here at Wilders, just not this thread.

    Take care. ;)
     
  24. Matt Barnes

    Matt Barnes Registered Member

    Joined:
    Dec 18, 2005
    Posts:
    3
    Location:
    Waynesboro,VA
    Is there a way to automatically allow/deny registry changes for certain users? I want to deny all changes made when other members of my family are on the computer.
     
  25. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    You would have to have an MJRW directory for you and a separate one for the family. Go to your MJRW directory, then uninstall MJRW as it is currently, and install it just for you (current user only). Login as a family member, go to the family MJRW directory, and install that for the "current user only". Set it to Reject mode. Log back in as you, and set yours to whatever mode you prefer. That's all you'd have to do. HTH,
     