MJ Registry Watcher

Discussion in 'other anti-malware software' started by Graphic Equaliser, Nov 13, 2004.

Thread Status:
Not open for further replies.
  1. Matt Barnes

    Matt Barnes Registered Member

    Joined:
    Dec 18, 2005
    Posts:
    3
    Location:
    Waynesboro,VA
    Thank ya.
     
  2. Dude1

    Dude1 Guest

    Hey what about me? On page 12 I reported this root deletion thing, but you all thought that the white boy had gone crazy ;) (Just kidding) I just made all the files read-only, but nice work on fixing it noooow. (still just kidding)
     
  3. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    423
    Location:
    London England UK
    Am I the only one to keep getting these strange MJRW alerts from AMD Athlon-based systems, immediately after booting?

    Registry Key hkey_local_machine\system\ControlSet002\control\lsa
    Value LsaPid (N) wants to change from
    836
    to
    780

    I asked this before ( https://www.wilderssecurity.com/showpost.php?p=387261&postcount=236 ), but nobody else seems to get them, and Google says very little about them. All I could find was a small mention from http://www.windowskb.com/Uwe/Forum....2-Pro-cannot-map-or-see-drives-on-XP-SP2-Home

    From this, it seems as if I should add it to the exempt values list, as in :-

    hkey_local_machine\system\? ? ?\control\lsa\LsaPid

    For it to come up on two entirely separate systems (my old and my new), makes me wonder if it's something I'm doing wrong :doubt:

    Perhaps it is something that is meant to change, because, in my trawl of LsaPid info on the web, I found many consecutive Hijack This logs, with identical lsa keys except for the LsaPid value, which is always different. Perhaps there's nothing to worry about.

    I'll take this opportunity to thank everyone for your valuable input, and have a wonderful Christmas, and a successful New Year. Cheers! :D
     
  4. Gedeon

    Gedeon Guest

    Thanks Graphic and have a happy new year too !

    G.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    @ Dazed_and_Confused

    I agree that one of my posts (the one about Regprot) may look like it's a bit rude, but just to clear things up, I didn't mean it like that. I just wanted to point out that RegProt, which covers a lot less (and is a very small app) seems to be more advanced. But I understand now that it's probably hard to figure out how to make it work like Regprot and RegDefend. ;)
     
  6. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi Graphic Equaliser,

    Although I am not using your app, that is lsass.exe merely recording its current session PID. You can see the value being set in a Regmon boot log:

    75773: lsass.exe:852 SetValue HKLM\System\CurrentControlSet\Control\Lsa\LsaPid SUCCESS 0x354

    On my systems, both Athlon64- and Pentium4-based, I see that lsass.exe has the same PID over 80% of system starts. Occasionally, though, the PID will be different, and the registry will reflect that change. My guess is that what you are seeing is normal.

    Nick
     
  7. Dude1

    Dude1 Guest

    O.K. the dude is back with more suggestions and ideas.
    First: Disable logging?

    Second: What about the malware that change everything then reboot. While installing legit progs, I found that registry keys were created, but the restart was already started? MJ closed and computer rebooted with an accept/reject screen open. Do I get to see what was changed? Or even deny them?

    Third: I sometimes get bogged down with prompts. So much so that I can't switch to accept all because another prompt has appeared before I can click. Is it possible to make it so that even with an accept/reject prompt open, I could change modes from prompt to accept?

    Just personally, I tried Bitdefender 9 Standard for a new antivirus - heard that my current Pc-Cillin detects a lot but doesn't scan everything so time to change. BD has 100% VB lab certification and loads of others. Updates produced HOURLY. 30 min support response time via e-mail (also have live, but didn't work on my comp). On my 350 MHz, I hardly felt any 'drag' that was common with others like Panda, and my RAM stayed roughly the same. PC-Cillin was good on no lag and low RAM too. Panda used 450 MB just starting :O (out of 384 MB (I have an auto RAM recover prog)). It also locked up when scanning. Just some interesting stuff. And for the love of god, ditch Norton and McAfee.
     
  8. Dude1

    Dude1 Guest

    Here is some info:

    lsass - lsass.exe - Process Information

    Process File: lsass or lsass.exe
    Process Name: Local Security Authority Service

    Description:
    lsass.exe is a system process of the Microsoft Windows security mechanisms. It specifically deals with local security and login policies. This program is important for the stable and secure running of your computer and should not be terminated.

    Note: lsass.exe also relates to the Windang.worm, W32.Spybot.ABDO, irc.ratsou.b, Webus.B, MyDoom.L, Randex.AR, Nimos.worm which spread via floppy disk drives, mass-mailing and peer-to-peer sharing. Please review file path for clarification of this.

    Here is where I got it from: http://www.liutilities.com/products/wintaskspro/processlibrary/lsass/

    It sounds ok to me. Just add to ignore list.

    Merry Christmas.
     
  9. Brinn

    Brinn Registered Member

    Joined:
    Aug 5, 2004
    Posts:
    181
    Location:
    Canada
    I don't know if this works but how about right-clicking on the icon in the tray? It might still be accessible that way when there's a prompt waiting.
     
  10. Brinn

    Brinn Registered Member

    Joined:
    Aug 5, 2004
    Posts:
    181
    Location:
    Canada
    And I don't know if anyone else has suggested this but it would be nice that when I hit the "x" on the window, it would minimize to the tray rather than ask if I want to shut the prog down.
     
  11. Dude1

    Dude1 Guest

    Yeah it works :), but just clicking to switch to accept would be more convenient :p
     
  12. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    423
    Location:
    London England UK
    Thanks for that confirmation. I have put hkey_local_machine\system\? ? ?\control\lsa\lsapid into the Exempt Values list.
     
  13. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    423
    Location:
    London England UK
    As for Enable Logging suggestion, yes it's ready. The extremely good suggestion of not allowing a reboot if an Accept/Reject message is pending, is something I'm thinking about currently, and hope to have a solution soon. I'm glad the right-click tray menu solved the "switch mode" problem. It's not easy responding to user clicks outside of a modal window!
     
  14. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    423
    Location:
    London England UK
    All problems were easy to solve. MJ Registry Watcher version 1.2.4.5 is available for download at http://www.jacobsm.com/mjsoft.htm#rgwtchr with the following changes :-

    Changes 1.2.4.4 to 1.2.4.5
    1) Ability to disable all logging.
    2) Cannot shut down MJRW if an alert is showing.
    3) Added hkey_local_machine\system\? ? ?\control\lsa\lsapid to the Exempt Values list.
     
  15. POS

    POS Guest

    Do you recommend using RegDefend + MJ Registry Watcher?
     
  16. Dude1

    Dude1 Guest

    Dang, that was a fast turn around rate :). As for the question about 'synergizing' programs, I don't think that that is a really good idea.
     
  17. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    423
    Location:
    London England UK
    RegDefend and MJRW overlap on quite a lot of keys they protect. I think having alerts from both every time, would be nerve-wracking, to say the least!
     
  18. RipVanTinkle

    RipVanTinkle Registered Member

    Joined:
    Oct 20, 2005
    Posts:
    102
    Cheers for the Update :)
    I've started using it again - stopped using it after a system update
    It got lost somewhere along the way ;)

    Great wee program
     
  19. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    423
    Location:
    London England UK
    WARNING !! DO NOT CANCEL ALERTS ISSUED BY MJRW IN PROMPT MODE DURING A WINDOWS AUTOMATIC UPDATE. PLEASE PRESS THE ACCEPT BUTTON EACH TIME, OR STOP THE MONITORING, OR SWITCH TO ACCEPT MODE.

    I suppose it had to happen eventually. My 9 year old son, Chris, was running MJRW in "Prompt" mode, when he clicked on the "Automatic Updates" shield in the system tray, and started the updates procedure. MJRW popped up with an alert, and Chris "cancelled" it by clicking the cross in the top right of the alert window. The default behaviour is to reject the change, so that's what MJRW did. When the system was restarted, the dreaded "lsass.exe endpoint not found" message loomed up on the screen. This means that XP cannot find certain registry entries vital for the startup of the PC. OKing this restarted the system for the message to come back again (and again and again ...). This happened even in Safe Mode! :doubt:

    I have now reinstalled XP (the repair options do not fix this horror :blink: ), and I was very pleasantly surprised by my son's very intelligent suggestion of seeing if the alerts are caused by "Automatic Updates" which is the text of the window as it does them. He said MJRW should ignore alerts if this window is present. I think it's a great suggestion. What do you think? I invite your erudite feedback. :isay:
     
    Last edited: Jan 9, 2006
  20. EASTER.2010

    EASTER.2010 Guest

    Cheerio for this great new program............... :thumb:

    Been carefully & patiently reviewing many of the posts on this topic as well as the others concerning reg monitors albeit somewhat late.

    Graphic Equaliser, thanks for all the ambition that you are pouring into works like this one. The contributions that others are adding to efforts like this are nothing short of amazing too!

    I certainly will keep focused on the progress of RegWatcher right now myself.

    I would like to add my own feedback from experience with these various programs and will do so soon.

    In the meantime I should first be about getting on my forum profile gear and all that in this upcoming week.

    Excellent Topic discussions on these Reg Monitors. Also should mention am a recent SSM devotee too. I really admire how far along the progress in the development of these type apps are coming along now.

    Been a long time coming IMHO. Again Thanks and many more.......
     
  21. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Welcome to Wilders, Easter. :) It really is a fine program. Sometimes I struggle with adding keys to the exempt lists, but that's rather insignificant considering all of the positives. ;)

    -------------------------------------

    Graphic - I have been struggling with adding the following warning to the ignore list. It usually appears whenever I restart Windows. Any suggestions?

    ** Sunday 2/12/2006 9:35:44 AM **
    Registry Key hkey_local_machine\system\ControlSet003\control\lsa
    Value LsaPid (N) wants to change from
    852
    to
    832



    Thanks in Advance! :D

    Edit: By the way, I am using 1.2.4.5 on highest setting.
     
  22. EASTER.2010

    EASTER.2010 Guest

    Thanks for the Welcome sentiments Dazed_and_Confused

    Glad to be here. Even more glad I was to have happened on some of your posts regarding RegWatcher. I reviewed those discussions in the Topics with great interest and am very grateful for all the feedback everyone offered as well as the contributions & suggestions to the new additions Graphic Equaliser is adding to his program. Very EFFECTIVE!!! and extremely configurable from my early experience with it so far.

    Also appreciate the attention the developers have given to these exchanges. It makes for a great deal of confidence to find everyone in concert on the best possible approaches to shore up the Windows OS systems this way against all that foistware lurking plus others yet being developed.

    Again thanks for the welcome, I hope to share along with everyone else in the upcoming weeks over here.
     
  23. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    423
    Location:
    London England UK
    Some very good points, Easter. When everyone co-operates on a project, you get much better results. Perhaps that is why M$ Windoze is so ... (I'll shut up!)

    Daisy, the LSAPID key (my (least) favourite!) has been exempted by the current key set that came with 1.2.4.5 - perhaps you retain your customised exempt values set when a new version is released and put it back after installation, which is why you missed this one. Simply add this line to your exempt values list :-

    hkey_local_machine\system\???\control\lsa\lsapid

    The current (version 1.2.4.5) default exempt values list is as follows :-

    hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\dcacheupdate
    hkey_local_machine\system\???\control\lsa\lsapid
    hkey_local_machine\system\???\control\session manager\pendingfilerenameoperations
    hkey_local_machine\system\???\control\systemstartoptions
    hkey_users\???\control panel\desktop\convertedwallpaper
    hkey_users\???\control panel\desktop\convertedwallpaper last writetime
    hkey_users\???\control panel\desktop\fontsmoothing
    hkey_users\???\control panel\desktop\fontsmoothingtype
    hkey_users\???\control panel\desktop\originalwallpaper
    hkey_users\???\control panel\desktop\wallpaper
    hkey_users\???\software\microsoft\internet explorer\main\download directory
    hkey_users\???\software\microsoft\internet explorer\main\save directory
    hkey_users\???\software\microsoft\internet explorer\main\window_placement
    hkey_users\???\software\microsoft\internet explorer\toolbar\shellbrowser\itbarlayout
    hkey_users\???\software\microsoft\internet explorer\toolbar\webbrowser\itbarlayout
    hkey_users\???\software\microsoft\internet explorer\toolbar\webbrowser\{0e5cbf21-d15f-11d0-8301-00aa005b4383}
    hkey_users\???\software\microsoft\windows\currentversion\explorer\directorycolsx
    hkey_users\???\software\microsoft\windows\currentversion\explorer\shell folders\cache
    hkey_users\???\software\microsoft\windows\currentversion\explorer\shell folders\cookies
    hkey_users\???\software\microsoft\windows\currentversion\explorer\shell folders\history
    hkey_users\???\software\microsoft\windows\currentversion\explorer\shell folders\recent

    HTH,
     
    Last edited: Feb 13, 2006
  24. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Thanks, GE. I think that is exactly what happened. Though I don't remember specifically requesting to keep the old one. I probably should put a comment line in the file to help me identify and distinguish lines that I have added, and lines that were there by default. In that way for future releases I can take the new exempt list, and know which lines that I need to paste to the end.
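    The exempt-list check from the two posts above, as an added Python example that is not MJRW's own code: it parses an alert block in the layout quoted in this thread, tests the key and value against an exempt list, and lists which lines a retained user list adds over the shipped default (the bookkeeping Dazed_and_Confused describes). It assumes that `???` in an exempt line stands for exactly one path segment (ControlSetNNN, a user SID), that matching is case-insensitive, and that a line starting with `#` is a comment; none of those is confirmed by the thread.

```python
import re
from typing import Optional

# Constructed sample: an alert block in the layout MJRW prints (the ControlSet003
# report from this thread) and a trimmed copy of the 1.2.4.5 default exempt list.
# Assumption: "???" stands for exactly one path segment (ControlSetNNN, a user SID).
ALERT = """** Sunday 2/12/2006 9:35:44 AM **
Registry Key hkey_local_machine\\system\\ControlSet003\\control\\lsa
Value LsaPid (N) wants to change from
852
to
832"""

EXEMPT_LIST = """hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\winlogon\\dcacheupdate
hkey_local_machine\\system\\???\\control\\lsa\\lsapid
hkey_local_machine\\system\\???\\control\\session manager\\pendingfilerenameoperations
hkey_users\\???\\control panel\\desktop\\wallpaper
"""

def parse_alert(text: str) -> tuple[str, str, str, str]:
    """Split an alert block into (key, value name, old data, new data)."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    key = next(ln for ln in lines if ln.startswith("Registry Key "))[len("Registry Key "):]
    val_line = next(ln for ln in lines if ln.startswith("Value "))
    value = re.match(r"Value (.+?) \(\w\) wants to change", val_line).group(1)
    i = lines.index("to")  # old data is the line before "to", new data the line after
    return key, value, lines[i - 1], lines[i + 1]

def pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile an exempt-list line; a whole-segment '???' matches one segment, nothing more."""
    parts = [r"[^\\]+" if seg == "???" else re.escape(seg) for seg in pattern.split("\\")]
    return re.compile("^" + r"\\".join(parts) + "$", re.IGNORECASE)

def is_exempt(key: str, value: str, exempt_text: str) -> Optional[str]:
    """Return the exempt line covering key\\value, or None if the alert should be shown."""
    full = f"{key}\\{value}"
    for line in exempt_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # '#' as a comment marker is an assumption here
            continue
        if pattern_to_regex(line).match(full):
            return line
    return None

def custom_additions(user_list: str, default_list: str) -> list[str]:
    """Lines a user's retained exempt list adds over the shipped default (case-insensitive)."""
    defaults = {ln.strip().lower() for ln in default_list.splitlines() if ln.strip()}
    extra = []
    for ln in user_list.splitlines():
        ln = ln.strip()
        if ln and not ln.startswith("#") and ln.lower() not in defaults:
            extra.append(ln)
    return extra
```

    Because `???` is bound to a single segment, a pattern under hkey_users covers any SID but will not silently swallow an extra subkey level, so a key one level deeper still raises its alert.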
     
  25. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Testing Registry Watcher out again. I tried it quite a while back before the CPU optimization was in place. My original test machine was a very sloooow Win 98SE PC. So I didn't have the best of luck at that time.

    Working quite well now. :) I must say that as I read through this thread, GE's dedication to making the app a success is remarkable. :thumb:

    I do have one minor issue that I can't seem to figure out. When RegWatcher looks at the hkey_lmus\software\microsoft\windows\currentversion\internet settings\zonemap\domains key (I'm using the Default record set), something keeps deleting and then adding the domains that are in my IE Trusted Zone. The typical scenario is that the entries are deleted soon after bootup and then added back a few minutes later. I know this isn't a malware issue (this PC is scanned 12 ways to Sunday) and the only records involved are all of the correct "trusted" ones.

    I have tinkered with the Exempt entries to no avail. The only thing I have found that is working is to "Comment" the reg key out. But I know it covers more than just the key that is my trouble spot. (And specifically, that spot is hkey_users\S-1-5-21-1516393544-4148478518-3649461330-1139\software\microsoft\windows\currentversion\internet settings\zonemap\domains )

    Any ideas???
     