MJ Registry Watcher

Discussion in 'other anti-malware software' started by Graphic Equaliser, Nov 13, 2004.

Thread Status:
Not open for further replies.
  1. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Version 1.2.3.9 of MJ Registry Watcher is available at http://www.jacobsm.com/index.htm#sft

    It has these changes :-

    1) Made file viewer, help and log windows searchable, using the Ctrl+F and F3 key combinations to mean Search and Search Again, respectively.
    2) Added &%system%drivers to the custom list.
    3) Spruced up help file.
    4) Some minor code improvements.
    5) Changed tray icon hint to show number of sweeps.
     
  2. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Version 1.2.4.1 of MJ Registry Watcher is available at http://www.jacobsm.com/index.htm#sft

    It has these changes :-

    Changes 1.2.3.9 to 1.2.4.1
    1) Corrected bug with prefixing keys (would do nothing with subkeys).
    2) Added DSO threat detection to all sets with key
    hkey_lmus\software\microsoft\windows\currentversion\internet settings\zones\0
    3) Changed default frequency for & scans to 50, since 20 used too much CPU with &%system%drivers
     
  3. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    Hi Graphic, thanks for the updates... many fine features and fixes. I especially like the &%system%\drivers trick (I hadn't realized the reduced frequency could be applied to anything other than hidden registry keys). The drivers directory seems like a very good place to employ it.

    Polishing the help file is a great idea too. Windows' registry is intimidating to say the least, but countless folks could benefit from an affordable option like MJRW if you can just make it easy enough to get started.

    Once again, Graphic, really commendable work.
     
  4. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
  5. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    I'm sure that Graphic will get back to you here, but as he mentioned on the other thread, it sounds like you may have two competing registry monitors. That can cause problems not unlike two competing firewalls or two anti-virus monitors. What other security software is running on your system?

    I don't know what would cause this, but as a wild guess I'd wonder if you were doing any remote login or remote administration. Any clues you have might be helpful.
     
  6. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    I have no idea why it wants to change to network.
     
  7. KarenJ

    KarenJ Guest

    I don't understand most of this.

    But can I just use MJRW and not any of the other registry guards and be comfortable?
     
  8. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Personally I only use Mozilla Firefox browser, my own e-mail client, MJ News Reader (just underneath MJRW on my website at http://www.jacobsm.com/index.htm#sft ), MJRW and Zone Alarm, and I regard myself as impregnable! I like raw, not auto-decoded, so I tend to survive *all* e-mail and newsgroup hacks, and the browser prevents any other ways in. MJRW tells me when something odd has happened to the registry. I can then gauge what to do in response to the MJRW alert.

    Even the very best security set-up will have a hole in it somewhere, even if it is the MBR or BIOS, or some clever black hat manages to hook into the NTFS filing system and inject trojans that way.

    Of late, I don't get any trojan alerts from MJRW, just weird things like LsaPid trying to change all the while, or some report when Windows does some house-keeping. I use the on-line scan engines (which only work under IE) from Panda and TrendMicro, and they detect nothing on my system.

    The worst security hole you can have is the default installations of IE and OE - they are just disasters waiting to happen, IMO.
     
  9. Trout

    Trout Registered Member

    Joined:
    Feb 23, 2005
    Posts:
    27
  10. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    Hi KarenJ,
    I think MJRegWatcher may ask you a few more questions than, for instance, WinPatrol or Teatimer. That's mainly because it tries to protect against more potential problems. Each system is a bit unique in terms of registry values that may have valid reason to change on a regular basis.

    The most important thing to remember is that you'd want to switch MJRW to Accept-mode (or shut it down) before installing or updating software that you've decided to trust. Another potential issue that hasn't been discussed (Graphic?) is whether allowing Windows to perform "Automatic Updates" would be a bad idea. Other than that, most registry changes that MJRW has prompted me about have been related to the few times I run Internet Explorer. I, too, would highly recommend Firefox, and I'm very fond of Thunderbird (also from www.mozilla.org) as my email client.

    If you're already using another registry monitor (or want to compare MJRW with another one) you could run both, but keep MJRW in Accept-Mode. This would let you look at MJRW's log screen to see whether or not it will have too many questions. Choosing the lowest security setting (still much more secure than most registry monitors) may help reduce the number of alerts.

    @Graphic, Perhaps a somewhat further reduced security level (set and forget) would be helpful.

    Regards to all...
     
  11. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    A super-slim, yet well-targeted set could be on the way. With my computer in the shape it's in at the moment (AliMagik mobo cannot handle throughput from the new 250 GB UDMA133 drive in DMA mode, and is forced into PIO mode for stable operation), I keep getting weird alerts like this :-

    ** Monday 28/02/2005 21:05:08 **
    Registry Key hkey_local_machine\system\ControlSet001\control\lsa
    Value LsaPid (N) wants to change from
    468
    to
    480
    =======================================================
    ** Monday 28/02/2005 21:05:08 **
    Change Auto-Accepted
    =======================================================
    ** Monday 28/02/2005 21:12:06 **
    Registry Key hkey_local_machine\system\ControlSet001\control\lsa
    Value LsaPid (N) wants to change from
    480
    to
    472
    =======================================================
    ** Monday 28/02/2005 21:12:07 **
    Change Auto-Accepted

    As you can see, I've got mine in auto-accept mode, but I have also prefixed the lsa key with an equals sign (=) to stop it prompting me when I'm in the normal Prompt mode :-

    =hkey_local_machine\system\o_O\control\lsa

    This key certainly won't be part of the "slimmed down set"!

    The mysteries of the Windows registry forest are dark and deep...

    Meanwhile, I'm looking for a good mobo/cpu combination to upgrade my creaking AliMagik.
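The log excerpt above has a regular layout, so it can be triaged automatically. The following is an added example, not code from the post or from MJRW itself: it parses records in the quoted layout, pairs each "wants to change" record with the "Change ..." decision record that follows it, and flags values that change repeatedly and are always auto-accepted, which is the situation the "=" prefix was applied to here. The record grammar (timestamp line, "Registry Key", "Value ... wants to change from", old, "to", new, separator, then a "Change ..." record) is inferred from the excerpt alone, and the sample log is that excerpt.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two LsaPid alerts quoted in the post above, in the log layout shown there.
SAMPLE_LOG = r"""
** Monday 28/02/2005 21:05:08 **
Registry Key hkey_local_machine\system\ControlSet001\control\lsa
Value LsaPid (N) wants to change from
468
to
480
=======================================================
** Monday 28/02/2005 21:05:08 **
Change Auto-Accepted
=======================================================
** Monday 28/02/2005 21:12:06 **
Registry Key hkey_local_machine\system\ControlSet001\control\lsa
Value LsaPid (N) wants to change from
480
to
472
=======================================================
** Monday 28/02/2005 21:12:07 **
Change Auto-Accepted
"""

TIMESTAMP_RE = re.compile(r"^\*\* \w+ (\d{2}/\d{2}/\d{4}) (\d{2}:\d{2}:\d{2}) \*\*$")
VALUE_RE = re.compile(r"^Value (?P<name>.+?) \((?P<type>[^)]+)\) wants to change from$")


@dataclass
class ChangeEvent:
    timestamp: str
    key: str
    value_name: str
    value_type: str                  # the tag in parentheses, "N" in the sample
    old: str
    new: str
    decision: Optional[str] = None   # text after "Change " in the following record


def split_records(text: str) -> List[List[str]]:
    """Cut the log into records at the '=====' separator lines, dropping blank lines."""
    records, current = [], []
    for line in text.splitlines():
        if line.startswith("==="):
            if current:
                records.append(current)
            current = []
        elif line.strip():
            current.append(line.rstrip())
    if current:
        records.append(current)
    return records


def parse_log(text: str) -> List[ChangeEvent]:
    """Turn alert records into ChangeEvents and attach each decision record to its alert."""
    events: List[ChangeEvent] = []
    for rec in split_records(text):
        m = TIMESTAMP_RE.match(rec[0])
        if not m or len(rec) < 2:
            continue                          # not a layout we understand; do not guess
        timestamp, body = f"{m.group(1)} {m.group(2)}", rec[1:]
        if body[0].startswith("Registry Key "):
            vm = VALUE_RE.match(body[1]) if len(body) >= 5 else None
            if vm is None or body[3] != "to":
                raise ValueError(f"unrecognised alert layout at {timestamp}")
            events.append(ChangeEvent(timestamp, body[0][len("Registry Key "):],
                                      vm["name"], vm["type"], body[2], body[4]))
        elif body[0].startswith("Change ") and events and events[-1].decision is None:
            events[-1].decision = body[0][len("Change "):]
    return events


Summary = Dict[Tuple[str, str], dict]


def summarise(events: List[ChangeEvent]) -> Summary:
    """Group alerts by (key, value name) and record how each one was decided."""
    out: Summary = {}
    for e in events:
        slot = out.setdefault((e.key.lower(), e.value_name),
                              {"count": 0, "decisions": [], "transitions": []})
        slot["count"] += 1
        slot["decisions"].append(e.decision)
        slot["transitions"].append((e.old, e.new))
    for slot in out.values():
        slot["all_auto_accepted"] = all(d == "Auto-Accepted" for d in slot["decisions"])
    return out


def noisy_keys(summary: Summary, min_count: int = 2) -> List[Tuple[str, str]]:
    """Values that changed repeatedly and were always auto-accepted: review candidates,
    either for an exception (the '=' prefix used in the post) or, if the key is sensitive,
    for a closer look at why it keeps changing."""
    return sorted(k for k, s in summary.items()
                  if s["count"] >= min_count and s["all_auto_accepted"])


if __name__ == "__main__":
    for (key, name), s in summarise(parse_log(SAMPLE_LOG)).items():
        chain = [s["transitions"][0][0]] + [new for _, new in s["transitions"]]
        print(f"{key} / {name}: {s['count']} change(s), {s['decisions']}, " + " -> ".join(chain))
```

The LsaPid value stores the process ID of the LSA process (lsass.exe), which is assigned afresh at every boot, so a machine that restarts often will produce exactly this pattern; a summary like the one above separates that kind of expected churn from a one-off change in a key that should never move.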
     
  12. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Viruses, trojans, and worms -- Oh MY!
     
  13. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    I have just posted some updates to the keys included with MJ Registry Watcher at its new location http://www.jacobsm.com/mjsoft.htm

    These keys have new entries for SP2-related hot-spots and the light set is now really light ;) but still retains a good range of cover.

    Keys added :-
    hkey_classes_root\ftp\shell\open\command
    hkey_lmus\software\microsoft\internet explorer\main\featurecontrol
    hkey_lmus\software\microsoft\internet explorer\main\featurecontrol\feature_localmachine_lockdown
    hkey_lmus\software\microsoft\internet explorer\urlsearchhooks
    hkey_lmus\software\microsoft\windows\currentversion\internet settings\zonemap\domains
    hkey_local_machine\software\microsoft\security center
    hkey_local_machine\software\microsoft\windows\currentversion\windowsupdate
    hkey_local_machine\software\policies\microsoft\windows\windowsupdate

    There were no changes to the software itself (which still stands at v.1.2.4.1) or the help file. The exceptions file had hkey_local_machine\system\o_O\control\systemstartoptions added to it, so crashed restarts didn't alert you.

    The CPU/Mobo combo I've ordered is an Abit 3rd Eye Skt 754 with AMD Athlon 64 3400+ : I haven't received it yet, but I hope the GBP 212 I spent on it will be a good investment. My 4-year old PC crashes regularly when playing 3D action games, and I'm still getting MJRW alerts from the LSAPid key! Cheers everyone,
     
  14. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Thanks again for the superb MJRegWatcher. As to your AMD Athlon 64 3400+ ---- I've heard that cpu runs really hot (temperature-wise, I mean). True?

    Live long & prosper... bellgamin
     
  15. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    i tried MJRegWatcher a few days ago and it's so much better than i thought it would be. i think i misunderstood the significance of all the updates, i thought it meant it was buggy, rather it is being fine-tuned, sorry :oops: well, it's brilliant :cool: thanks, G.E.

    i tried putting the exe in startups -
    C:\Documents and Settings\iceni\Start Menu\Programs\Startup
    but it wouldn't launch correctly, it opened up an empty folder, so i put it in - HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    and it launched perfectly. are there any problems with that? thanks :)
     
  16. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Thanks for all your comments.

    iceni60, there is no problem where you put the autostart entry for MJRW. However, I have always found it easiest to put a shortcut to MJRW on the desktop, and then drag that shortcut carefully to the Start, All Programs, Startup folder, rather than try to identify where your user startup folder exists on the hard drive! Then, it will start for just that user, and not others who may use the PC. But, it will work if you put it in the "run" keys, and, in fact, is just as easy to remove if you use MJRW to Regedit the location! I have found that over time, MJRW shows a lot of how your PC works internally.
     
  17. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    bellgamin, the AMD Athlon 1.4GHz I currently run has an average operational temperature of 80 degrees centigrade! I have seen it go as high as 98C, and have had many cups of tea out of it (just joking!). If the 3400+ ran any hotter than this, I'm gonna need some Space Shuttle heat shielding for the case!

    Best regards,
     
  18. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    Hi iceni60,
    If you choose to start MJRW via the registry, I think you'll want HKCU\Software\Microsoft\Windows\CurrentVersion\Run instead of HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce. The "RunOnce" key is intended for one time programs (like updates) and the entry is removed from the registry when the program is run. Entries under the "Run" key are left in place for programs that should continue to start every time you log in.
     
  19. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    hi, G.E. i think i put the shortcut in the same place as you described, when i got to C:\Documents and Settings i went iceni and not all users but, i must have done something wrong because it didn't work. it is working fine now though and i am very happy with your program :cool:

    earth1, i don't know why i wrote runonce, i just checked and it is in the correct place - run, i don't even have the key runonce, there's one called run- where eraser is. anyway, thanks for noticing my mistake and letting me know :)
     
  20. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,068
    Location:
    Texas
    As requested, thread was split and put in Privacy General under the title Backdoors?

    Backdoors
     
    Last edited: Apr 7, 2005
  21. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Has anyone had a chance to assess the new reduced light key set yet? I pruned it in such a way as to retain coverage, while dropping rarer and fuller keys. Is cpu usage on older PCs reduced compared with the old set?
     
  22. shek

    shek Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    342
    Location:
    SE CHINA/NYC USA
  23. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    I just tested this using the Default set, and it prevented all hacks except the second one, as you said, so it's not the level of security used by MJRW that affects this.

    It seems to alert for the second test, and you can prevent the registry change, but there seems to be another setting that is being done (to a file or the registry) that is not currently covered. Hojtsy, any ideas?
     
  24. skbaltimore

    skbaltimore Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    306
    Hi, G.E. First, thanks much for an awesome program. Reading through this thread for the first time tonight/today was really interesting, helpful, and educational. I like how responsive/interactive you've been with the input/feedback generated here. I also like the fact that running MJRW in "prompt" mode enables me to learn a lot about what's going on "behind the desktop". (Something, from your own posts, that you seem to enjoy as well.)

    Second, I am trying to figure out how to get MJRW to save my options settings. UPDATE: I re-read the thread and discovered that MJRW always re-starts with the "Custom" setting and the workaround is to decide whichever level setting is desired (Light, Medium, High, Highest), go into the MJRW directory, open up either MJRegWatcher Key.1, .2, .3, or .4 (I had to open them manually with notepad because notepad didn't automatically recognize the extensions), then save as MJRegWatchKeys.txt, effectively overwriting that file, and creating a new "custom/default" setting. (NOTE: 1 is the HIGHEST level of security, and 4 the lightest.)

    As far as MJRW's inability to save the setting for the "Enable Sound" option, (for me it would be disable the sound) even though there is now the option to choose from between 2 wav files, there is no "nosound" wav file. It was a simple matter for me to take one of the provided files, load it into Sound Forge, mute it, and then save as "nosound.wav". Then, I selected that file as the default, and MJRW did save it/use it after a reboot. (I'm just stating what I did here specifically in case that might not have been obvious as a workaround for some other folks.)

    One suggestion: I would like to see something addressed at the beginning of the help text regarding installation methods for this program, either using: 1. Your desktop icon to start menu/startup folder way or 2. The "more traditional" (for W2K) start/settings/taskbar & Start Menu.../Advanced/Add, etc. Since I use RegCleaner, and it offers a nifty option of automating the adding of startup items (as well as the option to delete startup items), I opted for using that program to add a HKLM/Run reg entry for MJRW. I personally avoid adding desktop icons whenever I can, so that's one reason I chose to not use your recommended installation method. But even at that, I did have to dig through this thread to find the references on to how to install MJRW. I really think that should be at the head of your help text, before you get into all the cool stuff MJRW can do. Or, offer an option that seems pretty standard now in most Windoze programs: to "Load MJRW upon startup". :cool:

    sk
     
    Last edited: Apr 18, 2005
  25. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    1) You can use the command line to load the relevant set. It is documented in the help file :-

    When launched with no command line parameters, MJRW will use the "Custom" key set. If you wish to use an alternative set, then just specify the extension to the MJRegWatchKeys file name. This can be :-

    txt custom list of keys (default)
    1 highest security set
    2 high security set
    3 medium security set
    4 light security set
    def default security set

    2) The next version (1.2.4.2) will store the sound option. This will be better documented too, since I have told nobody that when you choose a sound to replace the default Chinese karate expert exclamation, it overwrites the mjrwalert.wav file in the installation directory with your new sound. The file is still called mjrwalert.wav, but it now contains the sound you chose (from anywhere on your hard disk). The original sound is always available in the file orgalert.wav, and you can simply choose this to "reset" the sound back to the original.

    3) Load at Startup with a prompt as to which set you want to load with, seems like a very good idea to me. Again, this will be part of version 1.2.4.2, but I need to know which is the registry location/folder that is the favourite here to install it in. Should it be for current user or all users? Should these be options? Whaddyafink?

    4) View File when you're on a directory, should present the files in a list so you can choose one to view, as it does with registry keys and regedit. This will also be in the next version.

    Any other ideas to go in before the next release, are all welcome. Many thanks again for all of your input. Regards,
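To make the key-set conventions discussed in this thread concrete, here is an added Python model; it is not MJRW's code and not a specification of its file format. It parses a small key-set list with the "=" prefix (auto-accept, post 11) and the "&" prefix (reduced-frequency sweeps, posts 1 and 2), expands "%system%" and the "hkey_lmus" shorthand (both are my reading of the examples in the thread and are labelled as assumptions in the code), maps the command-line set argument from the help text above to a file name, and runs one comparison sweep over constructed before/after snapshots. The output shows which changes would prompt, which would be auto-accepted, which wait for the next "&" sweep, and which fall outside the set entirely (the "not currently covered" case from post 23). Watched paths cover their subkeys, the behaviour the 1.2.4.1 prefix fix restored. All paths, value data and hashes in the snapshots are made up for the demo.

```python
"""Toy model of a prefix-driven watch list in the style of MJRW's key-set files.
Conventions below are read off the thread, not taken from a specification:
  '='        changes under the entry are auto-accepted instead of prompting
  '&'        the entry is only checked every N-th sweep (reduced frequency, default 50)
  %system%   assumed to expand to the Windows system32 directory
  hkey_lmus  assumed shorthand for both hkey_local_machine and hkey_current_user
A watched path also covers everything beneath it (subkeys or subdirectories)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

KEYSET_EXTENSIONS = {"txt", "1", "2", "3", "4", "def"}   # from the help text quoted above
SYSTEM_DIR = "c:\\windows\\system32\\"                   # assumed expansion of %system%


def keyset_filename(arg: Optional[str] = None) -> str:
    """Command-line argument -> key-set file to load (no argument means the custom set)."""
    ext = "txt" if arg is None else arg.lower()
    if ext not in KEYSET_EXTENSIONS:
        raise ValueError(f"unknown key set {arg!r}; expected one of {sorted(KEYSET_EXTENSIONS)}")
    return f"MJRegWatchKeys.{ext}"


@dataclass(frozen=True)
class WatchEntry:
    path: str          # lower-case, no trailing separator
    auto_accept: bool  # '=' prefix
    reduced: bool      # '&' prefix


def parse_watch_list(lines: List[str]) -> List[WatchEntry]:
    entries = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        auto_accept = reduced = False
        while line and line[0] in "=&":           # prefixes in either order (assumption)
            auto_accept |= line[0] == "="
            reduced |= line[0] == "&"
            line = line[1:]
        line = line.lower().replace("%system%", SYSTEM_DIR)
        while "\\\\" in line:                     # tolerate the '%system%\drivers' spelling
            line = line.replace("\\\\", "\\")
        paths = [line]
        if line.startswith("hkey_lmus\\"):        # expand to both hives
            rest = line[len("hkey_lmus\\"):]
            paths = ["hkey_local_machine\\" + rest, "hkey_current_user\\" + rest]
        entries.extend(WatchEntry(p.rstrip("\\"), auto_accept, reduced) for p in paths)
    return entries


def covering_entry(path: str, entries: List[WatchEntry]) -> Optional[WatchEntry]:
    """Most specific entry equal to `path` or an ancestor of it (subkeys inherit prefixes)."""
    best = None
    for e in entries:
        if path == e.path or path.startswith(e.path + "\\"):
            if best is None or len(e.path) > len(best.path):
                best = e
    return best


@dataclass
class Alert:
    path: str
    name: str            # value name, or file name for a directory entry
    old: Optional[str]
    new: Optional[str]
    decision: str        # "Prompt" or "Auto-Accepted"


Snapshot = Dict[str, Dict[str, str]]   # path -> {value or file name -> data or hash}


def sweep(baseline: Snapshot, current: Snapshot, entries: List[WatchEntry],
          sweep_no: int, reduced_every: int = 50) -> List[Alert]:
    """Compare two snapshots and return one Alert per changed value under a watched path."""
    before_all = {p.lower().rstrip("\\"): v for p, v in baseline.items()}
    after_all = {p.lower().rstrip("\\"): v for p, v in current.items()}
    alerts = []
    for path in sorted(set(before_all) | set(after_all)):
        entry = covering_entry(path, entries)
        if entry is None:
            continue                                    # not covered by the set at all
        if entry.reduced and sweep_no % reduced_every != 0:
            continue                                    # '&' entries rest between their sweeps
        before, after = before_all.get(path, {}), after_all.get(path, {})
        for name in sorted(set(before) | set(after)):
            if before.get(name) != after.get(name):
                alerts.append(Alert(path, name, before.get(name), after.get(name),
                                    "Auto-Accepted" if entry.auto_accept else "Prompt"))
    return alerts


# Constructed sample set and snapshots (paths, data and hashes are made up for the demo).
WATCH_LIST = r"""
hkey_lmus\software\microsoft\windows\currentversion\run
=hkey_local_machine\system\currentcontrolset\control\lsa
&%system%drivers
""".splitlines()
BASELINE = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run": {"MJRW": r"c:\mjrw\mjregwatcher.exe"},
    r"hkey_current_user\software\microsoft\windows\currentversion\run": {},
    r"hkey_local_machine\system\currentcontrolset\control\lsa": {"LsaPid": "468"},
    r"hkey_local_machine\system\currentcontrolset\control\lsa\sample_subkey": {"sample_value": "1"},
    r"c:\windows\system32\drivers": {"tcpip.sys": "hash-aaaa"},
    r"hkey_local_machine\software\microsoft\internet explorer\main": {"Start Page": "about:blank"},
}
CURRENT = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run": {"MJRW": r"c:\mjrw\mjregwatcher.exe"},
    r"hkey_current_user\software\microsoft\windows\currentversion\run": {"updater": r"c:\temp\updater.exe"},
    r"hkey_local_machine\system\currentcontrolset\control\lsa": {"LsaPid": "480"},
    r"hkey_local_machine\system\currentcontrolset\control\lsa\sample_subkey": {"sample_value": "2"},
    r"c:\windows\system32\drivers": {"tcpip.sys": "hash-aaaa", "newdrv.sys": "hash-bbbb"},
    r"hkey_local_machine\software\microsoft\internet explorer\main": {"Start Page": "http://example.invalid/"},
}

if __name__ == "__main__":
    entries = parse_watch_list(WATCH_LIST)
    for n in (1, 50):
        print(f"sweep {n}:")
        for a in sweep(BASELINE, CURRENT, entries, n):
            print(f"  {a.decision:13} {a.path}  {a.name}: {a.old!r} -> {a.new!r}")
```

On sweep 1 the new HKCU Run value prompts, the LsaPid change and the change under the lsa subkey are auto-accepted because of the "=" prefix, and the drivers directory is not examined; on sweep 50 the new driver file is reported as well. The changed Internet Explorer start page never appears, because no entry in this small set covers that key, which is the kind of gap a fuller set is meant to close.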
     