MJ Registry Watcher

Discussion in 'other anti-malware software' started by Graphic Equaliser, Nov 13, 2004.

Thread Status:
Not open for further replies.
  1. Dude

    Dude Guest

    *What does the ? ? ? do (Triple ?)
     
  2. Dude

    Dude Guest

    Sorry about the flood, but got some more suggestions.

    When a new folder is created in the registry, can it have the option of being deleted or quarantined?
    What about auto cleanup of quarantined items?
    What about an option to check more than 1 layer deep?
     
  3. Dude

    Dude Guest

    I apologize again :)

    Clear the log window? (The red)
    Change the arrangement. (Vertical instead of horizontal, log on top row, etc.)

    Every time I look at it, I get another idea :)

    Maybe give an option to change the font (not to insult your tastes) type and size.
     
  4. Dude

    Dude Guest

    New day, new ideas :)
    Can you make it possible to undo changes to the monitored files?
    Like on the 1st sweep, create a snapshot of all of the files. On the X sweep, take a new snapshot, and compare it to the old one and report the changes/allow undo. If there are no changes, make the 1st snapshot the template again; if there are changes, make the snapshot taken on the X sweep the template (after any accept/rejects of course).
    Next, why is the default lines per thing set to 3 and throttle 35? To make it more simple, just make it so that the lines will always be 1 and only the throttle be adjustable.
    A 1 line to 1 ms (or 3:3) makes a 25% jump in CPU usage.
    A 1 line to 15 ms (or 3:45) makes a 5%-8% change. So I will stick to this one.
     
  5. Dude

    Dude Guest

    Check for update button. If something is found, advise to go to your site. Ability to auto check/not.
     
  6. Dude

    Dude Guest

    Display alert without bringing up the main window to highlight them.
    Undo deleted folders from the registry.
     
  7. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    423
    Location:
    London England UK
    Well, Dude, you have had a lot of thoughts. I am still mulling some of these over, but, for now, here are some clarifications :-

    "First Question, how can you make MJ run during windows startup in a minimized mode."
    Answer : There is an option on the Options menu, under Settings, called Automatic Startup Options. Use this to set up how MJRW auto-starts.

    "Second, is MJ capable of handling a registry blast. I would consider a blast to be 10+ keys changed at once. Would MJ catch all of them in a row or let some slip through?"
    Answer : It would not let any slip through. However, it would present them one at a time. If I ever get time, I may do a "Zone Alarm" type of thing where it collates the alerts and presents them in a scrollable manner. But not yet.

    "Also, I don't quite understand the format of the keys such as:
    hkey_lmus- Is this both LOCAL_MACHINE and CURRENT_USER?
    What does the ??? do in certain keys?"
    Answer : From the help file :-
    Keys can use the shortcut hkey_lmcu to mean both keys hkey_local_machine and hkey_current_user,
    and hkey_lmus to mean both keys hkey_local_machine and hkey_users\??? (any user rather than
    current user). You can make branches of the key wild by putting ??? in the key where the path
    should be matched against any registry subkey on the same branch. The rule is that you cannot
    begin or end a key with ???, but you can have as many as you like in the key specification.

    "Also, where is a link to MJRW on your homepage?"
    Answer : The item is documented at http://www.jacobsm.com/mjsoft.htm#rgwtchr and available directly from http://www.jacobsm.com/RegWatcher.zip

    "When a new folder is created in the registry, can it have the option of being deleted or quarantined?
    What about auto cleanup of quarantined items?
    What about an option to check more than 1 layer deep?"
    Answer : There is a quarantine feature, that will offer to move new directories and/or files to it, when a filespec alert occurs. Since the quarantine directory is easy to navigate to (it is directly off the installation directory, and is called MJQuarantine) you could "Explore" it and clean it up manually. Auto-cleanup is beyond the scope of completely free software (IMO). Checking more than 1 layer deep is not necessary, since you can specify multiple ???'s, as in hkey_local_machine\system\???\services\winsock2\parameters\???\???\???\librarypath to check arbitrarily deep! For each level, just add a \??? to the key's path.

    "Can you make it possible to undo changes to the monitored files?"
    Answer : Let's just say that with sizeable files, checking for differences across entire files each sweep, is going to be too time-consuming and CPU-intensive. I have one file that is 3.2GBytes large and I would like to protect it, but it is simply unfeasible to do so. At least MJRW will tell me if its date and time stamp, attributes, size or existence status has changed. If you have files you want not to change, then make them read-only using Explorer. Similarly, registry entries stored in subkeys may well be too numerous to store and check even at one level deep, so restoration of deleted subkeys proves too tricky. You cannot tell how big the tree is, coming off of any particular registry key, so it is unfeasible to attempt to recurse and store it at MJRW startup.

    "Why is the default lines per thing set to 3 and throttle 35?"
    Answer : These were arrived at after a lot of experimentation with lots of different PCs, both modern and old. Since they are stored in the configuration file, and remembered between sessions, you only ever have to tweak these once, and they are then set, until the next tweak.

    "Check for update button"
    Answer : A really good idea. I am now considering this one. It will be a simple methodology. It will check mjsoft.htm for MJRW's current version number and check against the one you're running currently. If they are different, you will be taken to the download page, or to the download zip file itself (which is better? let me know ;-)

    "Display alert without bringing up the main window to highlight them."
    Answer : If you put MJRW into "Accept" or "Reject" mode, then it will not spring up when there is an alert, but just turn the tray icon's colour red, so you can see there have been alerts. Alerts will be automatically "Accepted" or "Rejected" in these modes.

    "Clear the log window?(The red)
    Change the arrangement.(Vertical instead of horizontal, log on top row, etc.)"
    Answer : Nice to have, but not essential, especially in a simple, free edition.

    I hope that answers some of your questions, and thanks for some of your suggestions. Good luck,
     
  8. Dude

    Dude Guest

    -I like the idea for updating.
    -What if I want to set MJ into prompt mode but still don't want the main window to appear with every change. It is very irritating to have to minimize it over and over. Maybe there could be an auto minimize time. When a reg. change occurs, bring up the main window. Wait 5 seconds then minimize it again.

    These, in my opinion, are serious problems:
    -All the files (not folders) (Autoexec.bat, etc.) in my main C:\ drive keep getting wiped out for some reason. I copy them back over, and they are gone upon next reboot. I know it is not a virus because when I turn MJ off, it doesn't happen.
    -How do you prevent a specific error for a specific file? I keep getting a message that says 1 file goes from atrib-->attrib A and want to stop it without commenting out the whole file.
    -When I was reading the help file, and a message appeared, the help disappeared. Was this intended?
     
  9. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    Is this a program that someone without a lot of knowledge could use?
    As I look at the various posts I don't understand much, and wonder if it would overwhelm me or cause me to make some errors in its application?

    Thanks,
    Jerry
     
  10. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Hello, JerryM. :)

    Depends on what you mean by "without a lot". I sure don't have a lot, but I find it very useful.

    IMO, the worst kind of error you could make would be to allow a change to the registry that would not be recommended. But that would happen anyway if you didn't run MJRW. ;)
     
  11. Morpheus

    Morpheus Registered Member

    Joined:
    Aug 13, 2003
    Posts:
    45
    I agree about this. MJRW is by far a more thorough program than S&D TeaTimer, but this got on my nerves so much, as it posted prompts which you can't do anything about but OK them, that I have actually reverted and will see what's in the next version.

    Ideally I would like to see it have an option to only prompt on items that you have a choice for i.e. accept or reject and for the main window to be automatically minimised after dealing with a prompt or even not popped up. For changes that you can't affect I would like to see an option for these to either be prompted (with just an OK) or either logged or an unobtrusive balloon alert in the system tray that closes itself after n seconds.

    Morpheus
     
  12. Dude

    Dude Guest

    I am concerned by the lack of response about my C:\ drive repeatedly being erased. I really don't want to have to uninstall it because I like the throttle idea.

    What about preventing a specific error for a specific file?
    What if multiple changes happen to one file before the first is acknowledged?
     
  13. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    MJRW AutoStart

    How does one tell MJRW that I don't want it to start automatically every time I start Windows? Do I have to manually delete a registry key??

    When installing software, I would like to disable MJRW from starting automatically after I restart my PC. I don't see how to disable this auto-start feature. Or am I just overlooking it? o_O
     
  14. karate

    karate Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    3
    there is a startup file that isn't in the list

    userinit.exe
    can be modified to launch exe at startup
     
    Last edited by a moderator: Aug 7, 2005
  15. karate

    karate Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    3
  16. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    423
    Location:
    London England UK
    Sorry for delays in replying - I've been to the Philippines for the last 5 weeks. I am positively refreshed, so here we go with some replies.

    Dude wrote :-
    "What if I want to set MJ into prompt mode but still don't want the main windows to appear with every change. It is very irritating to have to minimize it over and over."

    If you right-click the tray icon, you can change all sorts of stuff without making the main window appear. Have a look.

    Dude wrote :-
    "I am concerned by the lack of response about my C:\ drive repeatedly being erased."

    MJRW will not delete files, although it can quarantine them, but that's only if it's in Reject mode, or you manually approve it doing so. You can prefix the files concerned with # to stop them being checked for changes, or, more safely, with = to automatically accept changes, while still reporting them in the log. But you've got to ask yourself the question, "Why are these files being changed so often?". MJRW doesn't usually list stuff that gets changed frequently by normal computer usage.

    You can monitor userinit.exe by adding
    %system%userinit.exe
    to your list of keys. Under Options, Settings, Enable Keys List Editing, and then add the line to your preferred set.

    You can uninstall MJRW by using it to locate the startup key for it (F4 Search for watcher), and the Regedit button to delete the key manually.

    As for balloon alerts, the tray icon goes red if you are in accept or reject mode, and there is an alert. If it's red, click it to bring up the main window and then click the "Log" button to see the problems.

    HTH
     
    Last edited: Aug 25, 2005
  17. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Would it be possible to automate this in a future release? :doubt:
     
  18. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    423
    Location:
    London England UK
    I will probably add an Uninstall option to the "Automatic Startup Options" list. This and the addition of userinit.exe to all lists will be the only changes for version 1.2.4.3 unless you can think of any more. I may put an auto-update checker in, because Longhorn(y) will probably use different registry keys (Jeez), so the lists will change. However, I suspect the software is probably near its final incarnation. Remember, it is supposed to be a crude and free reg/file checker - not some elaborate Spybot S&D or PG clone!
     
  19. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    That would be great. Thanks GE! :)

    If you did absolutely nothing else to MJRW, it would still be the best Registry Monitor on the market, bar none! Thanks for all your efforts. ;)
     
  20. dog1

    dog1 Registered Member

    Joined:
    Sep 18, 2005
    Posts:
    8
    I have just started using MJ Registry Watcher v 1.2.4.2. So far very pleased. I have some queries which perhaps some more experienced users can answer.

    Is the "custom" list of keys just a text file of the "default" security set?

    Where does the "default" set of keys sit in the hierarchy of security sets - 4(lowest) to 1 (highest)? If "custom" is different from "default" what is the position of custom?

    What is the difference between "save" button on the control panel and "backup current key" under options?

    What are the files "MJRegWatcher.xck" and "MJRegWatcher.xcp"? What is their purpose(s)?

    What is the physical change to the scanning methodology with (i) changing the Throttle timing and (ii) changing the lines per throttle? What is "throttle"?
     
  21. dog1

    dog1 Registered Member

    Joined:
    Sep 18, 2005
    Posts:
    8
    If "backup current key" under options is simply backing up the highlighted key, where does the backup get stored??
     
  22. dog1

    dog1 Registered Member

    Joined:
    Sep 18, 2005
    Posts:
    8
    In the help file it uses the term "sweep" and "scan". Is a "sweep" a check through the whole list of keys, while a "scan" is the check done on a file? Thus if one of the keys refers to a file, then the file is only checked once every 50 (default setting) sweeps? Or is it something else?
     
  23. dog1

    dog1 Registered Member

    Joined:
    Sep 18, 2005
    Posts:
    8
    For (i) checking hidden keys and (ii) scanning files, there seems to be just one attribute that applies to both; is this correct?
     
  24. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    423
    Location:
    London England UK
    In answer to some of dog1's queries :-
    ==================================================
    Is the "custom" list of keys just a text file of the "default" security set? How do I get a text version of the other key sets?
    ==================================================
    Yes. The others are also text files, but with different extensions. The extension to the MJRegWatchKeys file name can be :-

    txt custom list of keys (default startup set)
    1 highest security set
    2 high security set
    3 medium security set
    4 light security set
    def default security set
    ==================================================
    Where does the "default" set of keys sit in the hierarchy of security sets - 4(lowest) to 1 (highest)? If "custom" is different from "default" what is the position of custom?
    ==================================================
    Order is :-

    1 highest security set
    2 high security set
    3 medium security set
    txt custom list of keys (default startup set)
    def default security set
    4 light security set
    ==================================================
    What is the difference between the "save" button on the control panel and saving the keyset when exiting MJ RegWatcher? Are both methods achieving the same outcome?
    ==================================================
    Yes. They are the same.
    ==================================================
    What are the files "MJRegWatcher.xck" and "MJRegWatcher.xcp"? What is their purpose(s)?
    ==================================================
    These are text files containing the exempt values/filespecs (.xck) and exempt keys (.xcp).
    ==================================================
    What is the physical change to the scanning methodology with (i) changing the Throttle timing and (ii) changing the lines per throttle? What is "throttle"?
    ==================================================
    Each line in the top window is checked. The lines per throttle means how many lines from the top window are checked before it pauses. The throttle timing is the pause in ms between each successive set of lines being checked.
    ==================================================
    If "backup current key" under options is simply backing up the highlighted key, where does the backup get stored??
    ==================================================
    The Registry Backup option makes a .reg format backup of the registry in the directory MJRegBackup off of the installation directory. It is named using the characters in the key you are backing up.
    ==================================================
    In the help file it uses the term "sweep" and "scan". Is a "sweep" a check through the whole list of keys, while a "scan" is the check done on a file? Thus if one of the keys refers to a file, then the file is only checked once every 50 (default setting) sweeps? Or is it something else?
    ==================================================
    Sweep and scan are interchangeable. The "once every 50" option is triggered by prefixing a key or filespec with the & sign.

    & - if this prefixes a key, it is additionally checked for hidden keys every 50 sweeps (adjustable).
    If this prefixes a filespec, this filespec is only checked every 50 sweeps (adjustable)
    ==================================================
    For (i) checking hidden keys and (ii) scanning files, there seems to be just one attribute that applies to both; is this correct?
    ==================================================
    & - if this prefixes a key, it is additionally checked for hidden keys every 50 sweeps (adjustable).
    If this prefixes a filespec, this filespec is only checked every 50 sweeps (adjustable)
    ==========================================
    I presume that the Custom set is your norm - a balance between security and consumption of resources?
    ==========================================
    Yes, that's right.
    ==========================================
    You call the "txt custom list of keys" the default startup set; this is in the sense that this is the start up set used by the program. You also have a "def default security set". Is this a confusion of the use of default in that the default security set is just another named security set; it is not the default set for start up purposes? (Can't see why you called one set "default" rather than 1 to 5 (rather than 1 to 4) + custom set?)
    ==========================================
    You're right again - I should have had 5 levels of security and the custom set. I can see how the .def set could cause confusion. Once you know, though...
    ==========================================
    Why do you need a pause between each successive set of lines being checked?
    ==========================================
    If you let the checking phase whizz through the key set, you get spikes in CPU utilisation, and this can impose somewhat on other applications running with a small drop in their performance. I had to throttle the CPU usage somehow, and, after lots of experimentation, this turned out to be the best way.
    ==========================================
    As a much more general query, can you recommend a good source to find out more about the Registry - how it is constructed and the use/definition of the various keys?
    ==========================================
    http://www.winguides.com/registry/
    http://www.jsifaq.com/reghack.htm
    http://www.mantex.co.uk/news/news-54.htm <-- Beware, may contain spyware, try it on someone else's PC first!
    http://www.holbornbooks.co.uk/details.aspx?sn=33440
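A worked matcher for the key-list conventions explained in this thread (the hkey_lmcu / hkey_lmus shortcuts and ??? wildcards from post 7, and the #, = and & prefixes from posts 16 and 24), written here as an added example; it is not MJRW's own code. Function names, the handling of stacked prefixes, the rule that a &-prefixed line is due when the sweep counter is a multiple of the period, and the sample paths are all assumptions.

```python
# Added example (not MJRW's code): parse key-list lines as described in the
# thread and match them against registry paths.  Conventions from the thread:
#   #  prefix  -> line is not checked at all
#   =  prefix  -> changes auto-accepted but still logged
#   &  prefix  -> key also checked for hidden keys / filespec only checked
#                 every N sweeps (default 50)
#   hkey_lmcu  -> hkey_local_machine and hkey_current_user
#   hkey_lmus  -> hkey_local_machine and hkey_users\???
#   ???        -> matches any one subkey at that level, never first or last
# Function names, stacked-prefix handling and "sweep % period == 0" are assumptions.

SHORTCUTS = {
    "hkey_lmcu": ["hkey_local_machine", "hkey_current_user"],
    "hkey_lmus": ["hkey_local_machine", r"hkey_users\???"],
}

def parse_line(line):
    """Strip the prefix characters and report what they mean."""
    flags = {"disabled": False, "auto_accept": False, "periodic": False}
    spec = line.strip()
    while spec and spec[0] in "#=&":
        if spec[0] == "#":
            flags["disabled"] = True
        elif spec[0] == "=":
            flags["auto_accept"] = True
        else:
            flags["periodic"] = True
        spec = spec[1:]
    return flags, spec.lower()

def expand(spec):
    """Turn an hkey_lmcu / hkey_lmus spec into its concrete root keys."""
    root, sep, rest = spec.partition("\\")
    return [r + sep + rest for r in SHORTCUTS.get(root, [root])]

def is_valid(spec):
    """The wildcard may not begin or end a key specification."""
    parts = spec.split("\\")
    return parts[0] != "???" and parts[-1] != "???"

def spec_matches(spec, path):
    """Element-by-element match; each ??? consumes exactly one subkey."""
    sp, pp = spec.lower().split("\\"), path.lower().split("\\")
    return len(sp) == len(pp) and all(s in ("???", p) for s, p in zip(sp, pp))

def line_matches(line, path):
    """Does this key-list line cover the given registry path?"""
    flags, spec = parse_line(line)
    if flags["disabled"] or not is_valid(spec):
        return False
    return any(spec_matches(s, path) for s in expand(spec))

def checked_this_sweep(line, sweep, period=50):
    """Is a line due on this sweep?  &-prefixed lines only every `period` sweeps."""
    flags, _ = parse_line(line)
    if flags["disabled"]:
        return False
    return not flags["periodic"] or sweep % period == 0

if __name__ == "__main__":
    # Constructed samples: the arbitrarily deep winsock2 key from post 7, and
    # the hkey_users SID path quoted later in the thread (subkey names made up).
    deep = r"hkey_local_machine\system\???\services\winsock2\parameters\???\???\???\librarypath"
    print(line_matches(deep, r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\LibraryPath"))
    print(line_matches(r"hkey_lmus\software\microsoft\windows\currentversion\explorer",
                       r"hkey_users\S-1-5-21-2403287975-2540816829-1998901835-1007\software\microsoft\windows\currentversion\explorer"))
```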
     
  25. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Another question for you please, GE. :)

    I'm still struggling with understanding how to exempt registry keys. Here is one I've been trying to exempt without success:

    Registry Key hkey_users\S-1-5-21-2403287975-2540816829-1998901835-1007\software\microsoft\windows\currentversion\explorer
    Subkey RecentDocs has been added

    I tried adding it as follows to both EDIT EXEMPT VALUES and EDIT EXEMPT KEYS AND FILESPECS.

    hkey_users\???\software\microsoft\windows\currentversion\explorer RecentDocs

    What am I doing wrong? :doubt:
     