MJ Registry Watcher

Discussion in 'other anti-malware software' started by Graphic Equaliser, Nov 13, 2004.

Thread Status:
Not open for further replies.
  1. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    423
    Location:
    London England UK
    I can't believe it, but I'm testing something right now, which seems to work, without changing any of the polling loops, but has the added advantage of instantaneous notification for most registry key changes!! What I do is set up the hooks, and when they are triggered, do an unthrottled sweep immediately. This then alerts the user instantaneously when a change occurs. Compared to 1.2.4.7, there is a very slight increase in CPU usage, but nothing like what I was expecting. I have also increased the sweep delay from 5 to 10 seconds between loops since we get instant notification for most changes now. Anyway, I'm still playing, but it is looking good for a release tonight. I'll post more findings and an update later. Watch this space!
     
    Last edited: Jan 3, 2007
  2. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    423
    Location:
    London England UK
    I've tested the new version on 3 pcs for a few hours and it is excellent! Instant notification with all the MJRW features you're used to.

    Version 1.2.4.8 is available from http://jacobsm.com/mjsoft.htm#rgwtchr as usual. The changes are as follows :-

    Changes 1.2.4.7 to 1.2.4.8
    1) Added registry hooking techniques to allow almost instantaneous reporting of registry key changes. The polling technique (sweeps) still runs as before.
    2) When in prompt mode and an alert happens, the MJRW window is restored. It is now minimised to the tray, once the alert has been dealt with. If MJRW was already visible before the alert occurred, it is not minimised after the alert has been dealt with.

    Enjoy!
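The design described in the two posts above (hooks that trigger an immediate unthrottled sweep, with the periodic sweep kept as a safety net), as an added Python illustration. This is not MJRW's code: the monitored registry is stood in for by a plain dict, `ManualClock` replaces `time.monotonic()` so the throttle can be exercised without sleeping, and the key names are constructed.

```python
import time

# Constructed stand-in for the monitored run-key locations (not real key data).
RUN = "hkey_lmus\\software\\microsoft\\windows\\currentversion\\run\\"


class ManualClock:
    """Replaces time.monotonic() so the sweep throttle can be tested without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class KeyWatcher:
    """Snapshot-and-diff watcher: a sweep compares the monitored keys with the
    last snapshot and reports added, deleted and changed entries."""

    def __init__(self, store, keys, sweep_delay=10.0, clock=time.monotonic):
        self.store = store            # simulated registry: {key: value}
        self.keys = list(keys)        # the key list being protected
        self.sweep_delay = sweep_delay
        self.clock = clock
        self.snapshot = self._read()
        self.last_sweep = clock()
        self.alerts = []              # (reason, message) for every difference found

    def _read(self):
        return {k: self.store.get(k) for k in self.keys}

    def sweep(self, reason):
        """Unthrottled sweep: diff now, update the snapshot, return the alerts."""
        current = self._read()
        found = []
        for k in self.keys:
            old, new = self.snapshot[k], current[k]
            if old == new:
                continue
            if old is None:
                found.append(f"Added: {k} = {new!r}")
            elif new is None:
                found.append(f"Deleted: {k} (was {old!r})")
            else:
                found.append(f"Changed: {k} from {old!r} to {new!r}")
        self.snapshot = current
        self.last_sweep = self.clock()
        self.alerts.extend((reason, msg) for msg in found)
        return found

    def on_hook(self, key):
        """Change notification fired for `key`: sweep immediately, ignoring the delay.
        The hook only says 'something changed'; the sweep works out what."""
        return self.sweep("hook")

    def tick(self):
        """Called from the polling loop; sweeps only once the delay has elapsed,
        so anything the hooks miss is still picked up, just later."""
        if self.clock() - self.last_sweep < self.sweep_delay:
            return None
        return self.sweep("poll")


def demo():
    """One hook-driven alert, one throttled tick, one poll-driven alert."""
    clock = ManualClock()
    store = {RUN + "foo": "c:\\foo.exe"}
    watcher = KeyWatcher(store, [RUN + "foo", RUN + "bar"], sweep_delay=10, clock=clock)

    store[RUN + "bar"] = "c:\\bar.exe"          # a new run entry appears
    hook_alerts = watcher.on_hook(RUN + "bar")  # hook fires: reported at once

    clock.now += 1
    throttled = watcher.tick()                   # too soon for a polled sweep: None

    store[RUN + "foo"] = "c:\\evil.exe"         # a change the hook is assumed to miss
    clock.now += 10
    poll_alerts = watcher.tick()                 # delay elapsed: the poll catches it
    return hook_alerts, throttled, poll_alerts


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The point of routing the hook through the same `sweep()` as the poller is that there is only one diff engine and one snapshot: a hook-triggered sweep consumes a change so the next polled sweep does not report it a second time, and raising the poll interval costs nothing for changes the hooks do see.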
     
  3. shek

    shek Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    342
    Location:
    SE CHINA/NYC USA
    GE---

    Thank you for this brilliant product. the new version rocks.

    Btw, I don't think the main window restoration is necessary, if it's not there before the alert is triggered. The alert window has provided enough info already. If the user wants to see the main one, he/she could click on the tray icon himself/herself. Just my 2 cents.

    Regards,

    shek
     
    Last edited: Jan 3, 2007
  4. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    423
    Location:
    London England UK
    There is a reason to have both windows come up. The main window highlights the key that has an alert and gives a context for the alert. But the real reason is that it's much harder to program that way! :D :cool: :p ;) ;)
     
  5. EASTER.2010

    EASTER.2010 Guest

    WoW! GE :D
    You're not one for wasting a single moment of time when it comes to effort. Already like the new configuration that you discovered and then some. As mentioned already, this program does ROCK!

    I got some running to do with it awhile so will have 'ta pass along my review after taking it for a good long spin, but already like what's new as always.

    Back at 'cha, KEEP UP THE GREAT WORK. :thumb:
     
  6. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    Very Cool program, light, stable, ran it alongside GSS very nice !
     
  7. MultiSync

    MultiSync Registered Member

    Joined:
    Jun 23, 2006
    Posts:
    4
    Hi GE

    I would like to submit you something that I noticed a long time ago but was too lazy to post (I also lost my password :D )

    On my windows98SE box, when I tried to add a *.bat file (for testing purposes) in the Windows folder, MJRW prompted me that something had been added, then I clicked on "quarantine", but it said that it couldn't be quarantined. Here is the message :

    "MJRW Couldn't Quarantine File c:\windows\Autfttyfy.bat
    Cette fonction n'est valide qu'en mode Win32.
    ** Thursday 04-01-07 16:32:34 **
    Important Executables and Driver Files
    Files Added :-
    c:\windows\Autfttyfy.bat - Size=133 Date=Fri Jun 23 01:33:22 2006 Attributes=---A-"

    The second line is in French, it means : This function is only valid in Win32 mode.

    Since you seem to be present on Wilders actually, I stopped being lazy and log in for the first time with my new password just to know what you think about that message.

    BTW I really like this software, thanks a lot for your efforts

    MultiSync
     
  8. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    423
    Location:
    London England UK
    Welcome to Wilders and this thread, MultiSync. It does sound like trojan activity when a file unexpectedly turns up in your Windows directory that cannot be found by Google. Take any system file and search for it under Google. If it doesn't exist, I'd get suspicious.

    Anyway, as regards your problem: I use a Windows function called MoveFileEx to quarantine the file or directory. I searched Google for your problem and it turned up this :-

    http://mail.python.org/pipermail/spambayes/2003-March/003894.html

    So it seems that despite official Microsoft documentation accompanying Borland C++ Builder 5 stating this works even in Win95, it is not supported under Win9x when used with the "copy across volumes" (MOVEFILE_COPY_ALLOWED) flag specified! Gawd lubbuz. Unfortunately, the alternatives mean a lot of coding, so I don't know what to advise at the moment.

    How many other Win9x MJRW users out there get the same error when trying to quarantine a file?
     
    Last edited: Jan 5, 2007
  9. MultiSync

    MultiSync Registered Member

    Joined:
    Jun 23, 2006
    Posts:
    4
    Thanks a lot GE

    The *.bat file was just my autoexec.bat renamed.

    One last thing : I also tried to put that file in my C: (root) and it didn't alert me at all. Maybe I'm wrong, but C: could be a dangerous place for risky files (at least for Win9x) and I didn't see anywhere in MJRW where C: is monitored, for ANY .bat, .exe, .pif, .scr... like in Windows folders.

    Let's see if I'm the only one with that little problem of quarantine ...
     
    Last edited: Jan 4, 2007
  10. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    423
    Location:
    London England UK
    Believe it or not, you have highlighted an area that could be improved. Currently, the MJRW quarantine assumes that the new trojan file or directory can be moved there and then, and just complains if it doesn't work. With MoveFileEx, you can tell it to do the move at the next reboot with another flag (doesn't work under Win 9x - sorry :( ) and this would be a major improvement to the quarantine. If the move fails, it could still show the error message, but offer to quarantine it at next reboot. If running under Win9x, MJRW should use a different technique to try to move it there and then (similar to the way it handles the Startup directories). I could even undo any ReadOnly flags applied to the possible trojan, and then move it. And there is a technique to do the move at reboot under Win9x, for really stubborn b***ards (buzzards, I said buzzards!). Anyway, this does point at a new version already! And I think it will be worth it, such an improvement to the quarantine mechanism for all Windows flavours. Also, I could add %bootdrv% to the key lists. Mmmmmmmm...... ;)
     
    Last edited: Jan 4, 2007
  11. MultiSync

    MultiSync Registered Member

    Joined:
    Jun 23, 2006
    Posts:
    4
    I'm glad to help GE :D

    BTW, I edited my previous post and added some other things, about monitoring the C: folder in Win98.

    Thanks again

    MultiSync
     
  12. shek

    shek Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    342
    Location:
    SE CHINA/NYC USA
    Hi, GE---

    Under the current quarantine mechanism, the file just moves to the corresponding directory without changing its extension. I think it would be dangerous if the moved file is an active malware and the user runs it by mistake when he/she tries to double check. So why not, for example, change aaa.exe to aaa.exe.rgw, when quarantining a file.

    btw, I also like the idea of adding %bootdrv% to the key lists.

    Regards,

    shek
     
    Last edited: Jan 4, 2007
  13. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    423
    Location:
    London England UK
    Good idea, Shek. And, Multisync, I did see your root key wish list! That's why I mentioned %bootdrv% keys at the end of my last post. Anyway, I currently protect these root files/dirs :-

    %bootdrv%boot.ini
    %bootdrv%documents and settings\*\start menu\programs\startup
    %bootdrv%autoexec.bat
    %bootdrv%config.sys
    %bootdrv%explorer.exe
    %bootdrv%ntdetect.com
    %bootdrv%ntldr

    I'll change them to :-

    %bootdrv%documents and settings\*\start menu\programs\startup
    %bootdrv%ntldr
    %bootdrv%*.bat
    %bootdrv%*.com
    %bootdrv%*.dll
    %bootdrv%*.exe
    %bootdrv%*.ini
    %bootdrv%*.lib
    %bootdrv%*.pif
    %bootdrv%*.scr
    %bootdrv%*.sys
    %bootdrv%*.vxd

    The new quarantine mechanism will rename any file in the following manner :-

    i_am_a_trojan.exe will be renamed to i_am_a_trojan_exe.mjq
    i_am_a_trojan.jpg will be renamed to i_am_a_trojan_jpg.mjq

    Right, I think that's everything. I'll make a start shortly. Thanks for the suggestions, folks!
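The quarantine behaviour discussed in the last few posts (the `name.ext` to `name_ext.mjq` rename, clearing a read-only flag and retrying, and falling back to a move at next reboot when the file cannot be moved immediately), as an added Python example. This is not MJRW's code and does not call the Win32 API: the reboot-time move, which on NT would be `MoveFileEx` with `MOVEFILE_DELAY_UNTIL_REBOOT` and on Win9x a `[Rename]` entry in wininit.ini, is stood in for by appending a `destination=source` line to a constructed wininit-style file (without the 8.3 short names real Win9x needs). The counter suffix for two quarantined files of the same name, the `mover` parameter and the simulated failures in `demo()` are my own choices.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path


def quarantine_name(path):
    """name.ext -> name_ext.mjq, as described in the post; no extension -> name.mjq."""
    p = Path(path)
    return f"{p.stem}_{p.suffix[1:]}.mjq" if p.suffix else f"{p.name}.mjq"


def unique_target(qdir, base):
    """Add a counter when a file of the same quarantine name is already there
    (e.g. the same dropped file name in two folders). My convention, not MJRW's."""
    target = qdir / base
    n = 1
    while target.exists():
        n += 1
        target = qdir / f"{Path(base).stem}.{n}.mjq"
    return target


def record_pending_move(pending_file, source, target):
    """Stand-in for 'quarantine at next reboot': append a destination=source
    line under [Rename]. Real wininit.ini entries need 8.3 short names."""
    pending_file = Path(pending_file)
    header = "" if pending_file.exists() else "[Rename]\n"
    with open(pending_file, "a", encoding="ascii") as f:
        f.write(f"{header}{target}={source}\n")


def quarantine(path, qdir, pending_file, mover=shutil.move):
    """Try the move now; on failure clear read-only and retry; else defer."""
    src, qdir = Path(path), Path(qdir)
    qdir.mkdir(parents=True, exist_ok=True)
    target = unique_target(qdir, quarantine_name(src))
    try:
        mover(str(src), str(target))
        return {"status": "moved", "to": str(target)}
    except OSError as first_error:
        error = first_error
    try:
        # Drop the read-only attribute and try once more before giving up.
        os.chmod(src, os.stat(src).st_mode | stat.S_IWUSR)
        mover(str(src), str(target))
        return {"status": "moved_after_unlock", "to": str(target)}
    except OSError:
        pass
    record_pending_move(pending_file, src, target)
    return {"status": "deferred", "to": str(target), "error": str(error)}


def demo():
    """Four constructed cases: plain move, duplicate name, read-only, locked."""
    root = Path(tempfile.mkdtemp())
    qdir, pending = root / "quarantine", root / "wininit.ini"
    a = root / "drop1" / "i_am_a_trojan.exe"
    b = root / "drop2" / "i_am_a_trojan.exe"
    ro = root / "readonly.scr"
    locked = root / "locked.dll"
    for f in (a, b, ro, locked):
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(b"MZ constructed sample")
    ro.chmod(0o444)

    def mover(s, d):
        # Simulated failures: a file that is always in use, and a read-only
        # file that refuses to move until the attribute is cleared.
        if Path(s).name == "locked.dll":
            raise PermissionError("sharing violation (simulated)")
        if not os.stat(s).st_mode & stat.S_IWUSR:
            raise PermissionError("read-only (simulated)")
        return shutil.move(s, d)

    results = [quarantine(p, qdir, pending, mover) for p in (a, b, ro, locked)]
    return results, pending.read_text(encoding="ascii")


if __name__ == "__main__":
    for r in demo()[0]:
        print(r)
```

Deferring rather than failing is what keeps the alert actionable: the user still sees the error, but the program has already recorded what to do at the next boot instead of leaving the file in place.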
     
    Last edited: Jan 5, 2007
  14. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Thanks for the update! The change to the registry monitoring is great! :D
     
  15. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    423
    Location:
    London England UK
    I need the community's help. I have implemented a tentative version 1.2.4.9 and I need someone with a genuine Windows 9x system to test the new quarantine mechanisms. MultiSync, are you out there?

    I have uploaded the new version at http://jacobsm.com/RegWatcher1249.zip (This link is now defunct - see below for latest version)

    If it works, I can officially release it for the benefit of all. Otherwise, please let me know ASAP if it still goes wrong (especially that error message MultiSync got last time).

    Here are the new features in 1.2.4.9 :-
    Changes 1.2.4.8 to 1.2.4.9
    1) Thoroughly improved the quarantine system, which now offers to quarantine at reboot if the possible trojan cannot be moved away immediately. Also, corrected a bug (hopefully) with Win9x systems and the use of the MoveFileEx function during the quarantine process.
    2) Changed the boot drive file lists to cover more possibilities. They are now :-
    %bootdrv%documents and settings\*\start menu\programs\startup
    %bootdrv%ntldr
    %bootdrv%*.bat
    %bootdrv%*.com
    %bootdrv%*.dll
    %bootdrv%*.exe
    %bootdrv%*.ini
    %bootdrv%*.lib
    %bootdrv%*.pif
    %bootdrv%*.scr
    %bootdrv%*.sys
    %bootdrv%*.vxd
    3) Added right-click options on the Help and Log buttons so that these files can be more easily edited.
    4) Corrected small bug on "Explore" button, which wouldn't highlight the relevant file under Explorer under certain circumstances. Now it does.

    Please help! :doubt: TIA,
     
    Last edited: Jan 9, 2007
  16. shek

    shek Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    342
    Location:
    SE CHINA/NYC USA
    Hi, GE

    Thank you for this wonderful program. Now it's one of my favorite freebies.

    In terms of the new version, I have a question. You have added the %bootdrv%*.ini to the list. But I don't see similar rules such as %windir%*.ini and %system%*.ini. I'm not sure whether it's necessary to add those two in. What do you think about it?

    Regards,

    Shek
     
  17. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    423
    Location:
    London England UK
    I already protect these :-

    %windir%system.ini
    %windir%win.ini
    %windir%wininit.ini

    and :-

    hkey_lmus\software\microsoft\windows nt\currentversion\inifilemapping
    hkey_lmus\software\microsoft\windows nt\currentversion\inifilemapping\system.ini
    hkey_lmus\software\microsoft\windows nt\currentversion\inifilemapping\system.ini\boot
    hkey_lmus\software\microsoft\windows nt\currentversion\inifilemapping\system.ini\boot\shell
    hkey_lmus\software\microsoft\windows nt\currentversion\inifilemapping\win.ini
    hkey_lmus\software\microsoft\windows nt\currentversion\inifilemapping\win.ini\load
    hkey_lmus\software\microsoft\windows nt\currentversion\inifilemapping\win.ini\run

    XP is not as "ini-bound" as Win9x is. I am not sure how much of a security risk .ini files are. Does anyone out there know? FYI, I have 27 .ini files in c:\windows and 15 .ini files in c:\windows\system32, so there would not be any resource issues to protect these. If nobody says anything else on this matter 1.2.4.9 will protect these 2 areas too (%windir%*.ini and %system%*.ini).

    P.S. I am rewriting the Win9x quarantine system as it still doesn't work (using Microsoft Virtual PC 2004). There will probably be a release tonight.
     
  18. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    GE: After buying a new XP laptop, I have relegated my trusty 98 SE laptop to the back of the closet. (I may try a Linux distro on it though!) So I'm not in a position to try out the new builds on it. :(

    As for .ini files, I agree that in general, they are probably not much of a security risk. I suppose if malware were to completely overwrite or replace them, then it could be an issue. But there still would have to be other changes, like new or changed .bat, .exe, .dll (or whatever) files that the questionable .ini files would refer to. And those kinds of files RegWatcher is already looking for...

    FWIW, I did a search of my XP Pro PC at work for .ini files and it found 44 in C:\Windows and C:\Windows\System32. (If you let it go to C:\Windows and all subfolders the total jumps up to 220.)
     
    Last edited: Jan 9, 2007
  19. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    423
    Location:
    London England UK
    Official Release of MJRW v1.2.4.9
    OK. I have decided not to include any extra .ini file specs (you can do this yourself, if you really want to protect these). I have also managed to test out the quarantine mechanism under Win 9x to my satisfaction. Therefore, I am releasing version 1.2.4.9 of MJRW, as usual at http://www.jacobsm.com/mjsoft.htm#rgwtchr

    It has the following changes :-

    Changes 1.2.4.8 to 1.2.4.9
    1) Thoroughly improved the quarantine system, which now offers to quarantine at reboot if the possible trojan cannot be moved away immediately. Also, corrected a bug with Win9x systems and the use of the MoveFileEx function during the quarantine process.
    2) Changed the boot drive file lists to cover more possibilities. They are now :-
    %bootdrv%documents and settings\*\start menu\programs\startup
    %bootdrv%ntldr
    %bootdrv%*.bat
    %bootdrv%*.com
    %bootdrv%*.dll
    %bootdrv%*.exe
    %bootdrv%*.ini
    %bootdrv%*.lib
    %bootdrv%*.pif
    %bootdrv%*.scr
    %bootdrv%*.sys
    %bootdrv%*.vxd
    3) Added right-click options on the Help and Log buttons so that these files can be more easily edited.
    4) Corrected small bug on "Explore" button, which wouldn't highlight the relevant file under Explorer under certain circumstances. Now it does.

    Let's blast them trojans to hell!
     
    Last edited: Jan 9, 2007
  20. shek

    shek Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    342
    Location:
    SE CHINA/NYC USA
    GE---

    the new version I downloaded is 502k, but on your website, it says 514k. I think it might be a typo which could lead to some confusion. Please fix it.

    Regards,

    shek
     
  21. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    423
    Location:
    London England UK
    That's because my "K" are 1,000 bytes instead of 1,024 :rolleyes: o_O :ouch:

    I will have to change the sizes on the whole page. I'll sort it out as soon as I can! :doubt:
     
  22. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Thanks for the new version! :D

    Installed and running. Great as always! :thumb:
     
  23. MultiSync

    MultiSync Registered Member

    Joined:
    Jun 23, 2006
    Posts:
    4
    Hello GE

    I'm back, and I tested the new version (1.2.4.9).
    It didn't work correctly. Here is what happened :

    1-I put the same file (same name : Autfttyfy.bat) in C: and in C:\Windows
    2-Seconds later (23 seconds as set by me as polling interval), I got a prompt about it, quarantined them, all was OK.
    3-I decided to change the attribute of those files to R.H.A. just to try to play harder :) , got another prompt : Click on OK (only choice available)
    4-Then I restarted my computer
    5-I got this message (translated from French) :
    "Windows could not update one of your system file before starting. Windows can't start correctly. If Windows is unable to start, run the installation program again. Press "anything" to continue."

    So it booted up normally.

    This is the last line of my Wininit.bak :
    =c:\Windows\autftt~1.bat

    I changed the attributes (from nothing to RHA) AFTER the prompts just to see if MJRW could deal with it.
    I used the same file name twice to see how MJRW could quarantine them and renamed them correctly (create two renamed files of the same one put in two different folders). Maybe I shouldn't do this for your testing purpose, let me know.

    ---------------------------------------------

    I just did this :
    1-Delete Autfttyfy.bat in my C:

    MJRW log :
    Run Keys and Startup Files
    Files Added :-
    c:\*.bat - No Files Found

    Files Deleted :-
    c:\Autfttyfy.bat - Size=133 Date=Fri Jun 23 01:33:22 2006 Attributes=-----

    in Wininit.ini :
    [Rename]
    =

    2-Add Autfttyfy.bat in C:

    MJRW log :
    Run Keys and Startup Files
    Files Added :-
    c:\Autfttyfy.bat - Size=133 Date=Fri Jun 23 01:33:22 2006 Attributes=RH-A-

    in Wininit.ini :
    [Rename]
    =c:\AUTFTT~1.BAT

    Finally this is the complete log from MJRW :

    =======================================================
    ** Tuesday 09-01-07 15:26:17 **
    Run Keys and Startup Files
    File Details Changed from
    c:\windows\wininit.ini - Size=28 Date=Tue Jan 09 15:18:34 2007 Attributes=---A-
    to
    c:\windows\wininit.ini - Size=2 Date=Tue Jan 09 15:26:14 2007 Attributes=---A-
    =======================================================
    ** Tuesday 09-01-07 15:27:25 **
    Run Keys and Startup Files
    Files Added :-
    c:\*.bat - No Files Found

    Files Deleted :-
    c:\Autfttyfy.bat - Size=133 Date=Fri Jun 23 01:33:22 2006 Attributes=-----
    =======================================================
    ** Tuesday 09-01-07 15:27:41 **
    Couldn't Change Attributes for c:\*.bat - No Files Found
    Reason :-Le fichier spécifié est introuvable.
    =======================================================
    ** Tuesday 09-01-07 15:27:41 **
    MJRW Couldn't Quarantine File c:\*.bat - No Files Found
    Cette fonction n'est valide qu'en mode Win32.
    =======================================================
    ** Tuesday 09-01-07 15:27:42 **
    MJRW will try to Quarantine File c:\*.bat - No Files Found at Next Reboot
    =======================================================
    ** Tuesday 09-01-07 15:28:41 **
    Run Keys and Startup Files
    File Details Changed from
    c:\windows\wininit.ini - Size=2 Date=Tue Jan 09 15:26:14 2007 Attributes=---A-
    to
    c:\windows\wininit.ini - Size=15 Date=Tue Jan 09 15:28:40 2007 Attributes=---A-
    =======================================================
    ** Tuesday 09-01-07 15:30:42 **
    Run Keys and Startup Files
    Files Added :-
    c:\Autfttyfy.bat - Size=133 Date=Fri Jun 23 01:33:22 2006 Attributes=RH-A-

    Files Deleted :-
    c:\*.bat - No Files Found
    =======================================================
    ** Tuesday 09-01-07 15:30:54 **
    MJRW Couldn't Quarantine File c:\Autfttyfy.bat
    Cette fonction n'est valide qu'en mode Win32.
    =======================================================
    ** Tuesday 09-01-07 15:30:55 **
    MJRW will try to Quarantine File c:\Autfttyfy.bat at Next Reboot
    =======================================================
    ** Tuesday 09-01-07 15:31:37 **
    Run Keys and Startup Files
    File Details Changed from
    c:\windows\wininit.ini - Size=15 Date=Tue Jan 09 15:28:40 2007 Attributes=---A-
    to
    c:\windows\wininit.ini - Size=30 Date=Tue Jan 09 15:31:36 2007 Attributes=---A-

    ------------------------------------------------------

    Hope this helped you

    I'm sorry for my bad English... :(

    Don't hesitate if you have any questions or if you want me to try something.

    Thanks again

    MultiSync
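A check for the kind of wininit.ini `[Rename]` entries that appear in the report above, as an added Python example (not MJRW's code). The `[Rename]` section holds `destination=source` lines that Win9x applies at boot, with `NUL` as the destination meaning delete and both sides expected as 8.3 short paths. The sample file below is constructed: it embeds the two problem lines visible in the post (a line with an empty destination, and the wildcard spec `c:\*.bat - No Files Found` treated as a file name) beside one well-formed entry and one delete entry; the quarantine path names are made up.

```python
import re

# Constructed wininit.ini. Lines 2 and 4 reproduce the two defects seen in the
# post above; lines 3 and 5 are well-formed (made-up paths).
SAMPLE_WININIT = """[Rename]
=c:\\Windows\\autftt~1.bat
C:\\QUAR\\AUTFTT~1.MJQ=C:\\AUTFTT~1.BAT
C:\\QUAR\\BAT.MJQ=c:\\*.bat - No Files Found
NUL=C:\\WINDOWS\\TEMP\\DROPPER.TMP
[Other]
ignored=1
"""

# One 8.3 path component: up to 8 characters, optional dot and up to 3 more;
# no spaces, separators or wildcards.
SHORT_COMPONENT = re.compile(r"[^\s.\\/*?]{1,8}(\.[^\s.\\/*?]{1,3})?")


def is_short_path(path):
    """True for a drive-rooted path whose every component is an 8.3 short name."""
    parts = path.replace("/", "\\").split("\\")
    if not re.fullmatch(r"[A-Za-z]:", parts[0]):
        return False
    return all(SHORT_COMPONENT.fullmatch(p) for p in parts[1:])


def check_rename_section(text):
    """Return (line_number, problem) for every suspect [Rename] entry.
    Entries in other sections are ignored."""
    findings = []
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "rename":
            continue
        if "=" not in line:
            findings.append((lineno, "not a destination=source pair"))
            continue
        dest, src = (s.strip() for s in line.split("=", 1))
        if not src:
            findings.append((lineno, "empty source"))
        elif any(c in src for c in "*?"):
            findings.append((lineno, "source contains wildcards: a file spec is not a file"))
        elif not is_short_path(src):
            findings.append((lineno, "source is not an 8.3 short path"))
        if not dest:
            findings.append((lineno, "empty destination"))
        elif dest.upper() != "NUL" and not is_short_path(dest):
            findings.append((lineno, "destination is not an 8.3 short path"))
    return findings


if __name__ == "__main__":
    for lineno, problem in check_rename_section(SAMPLE_WININIT):
        print(f"line {lineno}: {problem}")
```

Running such a check before a deferred-quarantine entry is written, rather than discovering the problem at the next boot, is the cheap way to keep a "No Files Found" sentinel or an empty target out of a file that Windows processes before the desktop is up.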
     
  24. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    423
    Location:
    London England UK
    Thanks for your detailed report. This has been corrected in the latest version (the version you were using is an experimental version). I got the same problems with the experimental version under Microsoft Virtual PC running Win 98. Download and reinstall the latest version and this should all work, including your RHS attributes trick (I like it!). Regards,
     
  25. shek

    shek Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    342
    Location:
    SE CHINA/NYC USA
    GE---

    My cpu is amd sempron 2500+ (1.4ghz, no overclock). Before switching to reg hooking, the cpu usage is really light. However, when the new version comes out, it becomes a little bit too high. Given everything on default, using medium key set, the cpu spike is around 25%. If changing to custom key set without modifying anything, the cpu spike is around 15%. Run the program for 30 minutes and the cpu time for regwatcher.exe is almost 3 minutes. Does anyone have similar experience?

    Regards,

    shek
     