Can anyone help me set RegWatcher to catch a culprit?

Discussion in 'other anti-malware software' started by bellgamin, Mar 30, 2005.

Thread Status:
Not open for further replies.
  1. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Almost every day when I use Ace Utilities to clean my registry, it spots a useless entry for HKEY_CURRENT_USER\Software\Developer Express giving as the reason "Obsolete key."

    I then have Ace Utilities delete the entry. But the next day, it's back again. I have verified that Ace DID do the deletion. After 4 such episodes, I became curious as to what keep putting that entry back into my registry.

    To discover the culprit, I decided that I wanted Registry Watcher to alert me as soon as ANY change was made to hkey_current_user\software\. Therefore I added the following item to Registry Watcher's list of registry keys to be monitored:hkey_current_user\software\? ? ?.

    NOTE: For this post, I put spaces between the question marks so that I wouldn't trigger the o_O smiley. When I put the above entry in RegWatcher, I did NOT put any spaces between the question marks.

    This morning, the registry entry for developer express was NOT present. Tonight, that entry is back in the registry again. RegWatcher was running all day, but never made a peep when the registry entry for developer express was added. In other words my entry of hkey_current_user\software\? ? ? did not cause RegWatcher to notice the change.

    I suppose that I used the wrong syntax for setting my little trap... didn't I? If so, how SHOULD I set this trap so that RegWatcher will flash an alert when the developer express entry is again added?
     
  2. Howard

    Howard Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    313
    Location:
    Wales, UK
    I don't know the answer, but I don't think you should end with ? ? ? "The rule is that you cannot begin or end a key with ? ? ?, but you can have as many as you like in the key specification." (spaces added to prevent o_O showing)
     
  3. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Good point, Howard. Thanks. I shall try using hkey_current_user\software\? ? ?\ & see how that works. Unfortunately, it might be a day or so before this revised mousetrap is put to the test. aloha..... bellgamin
     
  4. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    411
    Location:
    London England UK
    The reason I chose not to support key definitions ending in wildcards is because you rarely need them. In this example, it sounds as if the subkey Developer Express is being added to one of the user subkeys and auto-copied into the current user (which is why my key sets do not monitor current user; lmus covers it and more).

    So, try without the wildcards :-

    hkey_lmus\software

    This watches for additions or deletions of any subkeys, and should catch the Developer Express key being created. Could you post back saying what happened, and whether you caught the "culprit"?

    P.S. You can allow o_O to work by checking the "Disable smilies in text" checkbox in the Additional Options panel when posting.

    Regards,
     
    Last edited: Mar 31, 2005
  5. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    I have re-set the trap. Thanks for the advice. Rest assured, I shall report back.

    However, I have noticed that, with respect to this situation, Murphy's law #16-2a (2nd rev.) appears to be fully functional. Namely, While the repairman is present, the gizmo works perfectly. After you pay him for doing nothing, he then departs, & the gizmo again ceases to function. :oops:
     
Loading...
Thread Status:
Not open for further replies.