MJ Registry Watcher

Discussion in 'other anti-malware software' started by Graphic Equaliser, Nov 13, 2004.

Thread Status:
Not open for further replies.
  1. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    A followup to my post above...

    I had a "duhhhh" moment and realized that all I need to do is build all of the keys/subkeys except for the one that's causing the issue and leave the original key commented out. It's not perfect (certainly if a new key were added) but it will give me back most of the protection I would normally have.

    Also, began Registry Watcher testing on my PC at home. Again, seems to be doing great.

    My setup here is quite a bit different though. Since I run as Limited when surfing the web but as Admin for all non-web stuff, I set up 2 RegWatcher program locations and run each account differently.

    My Limited user is set at the medium watcher settings and runs in the Prompt mode. The Admin is set at the default watcher setting and is always in Accept mode. This should help to prevent issues like GE noted with his Windows Update boo boo.

    Anyway, I would appreciate it if anyone has any other thoughts that might help me.

    And once more, thanks Mark/GE for the app. It's cooooolllllll! :D
     
    Last edited: May 1, 2006
  2. shek

    shek Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    342
    Location:
    SE CHINA/NYC USA
    Is there any way for regwatcher to keep track of newly created files under the Windows and system directories? Not all types of files, just some of them, such as .exe, .dll, .sys.

    For example, I tried to add lines like %windir% ? ? ?.exe and %windir%*.dll, but it seems that the wildcard doesn't work. If I use %windir%, regwatcher will scan through every file including the subfolders, which is not what I want.

    Any ideas or comments?

    Regards,

    shek
     
  3. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    423
    Location:
    London England UK
    I certainly monitor this key, but it has never alerted me before (my year old log file shows nothing for zonemap), so I can only conclude that something in your startup is reading this key and rewriting it. Is it possible to comment out each startup app and reboot, until the culprit is found? I know it is tedious, but I can't figure out why an app would rewrite this key. TIA,
     
  4. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    423
    Location:
    London England UK
    I have tried this and there is no way with the current version of specifying a filespec for multiple files (just directories AFAICS). This would need a new version, and the first thing we would need to decide is whether to wait for Vista, so as to incorporate new keys and values to protect, or to do it ASAP. What do you suggest? Your %windir% example is pretty compelling, in that this is a useful set of files to protect, and Vista may be way off yet.
     
  5. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    GE: Thanks for the reply. :)

    As I noted above, the key in question is hkey_users\S-1-5-21-1516393544-4148478518-3649461330-1139\software\microsoft\windows\currentversion\internet settings\zonemap\domains

    I haven't had the time to mess around with something like Regmon (from Sysinternals) to really look at what's happening and who the culprit is. I kind of/sort of think it's Windows Defender that is deleting and re-writing the key in question. But I have no solid proof that is the case. If I can find the time, I may try to dig into this a bit deeper. But for now, the minor changes I've made seem to be working fine.
     
  6. shek

    shek Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    342
    Location:
    SE CHINA/NYC USA
    Maybe I didn't make it clear. What I want is for regwatcher to alert the user to newly created files (.exe, .dll, .sys) under c:\windows\ and c:\windows\system32\ (WinXP for example), but not including subfolders, which would increase scanning time, because many trojans/backdoors add files under these two directories. Of course, users could add extra rules to cover other directories or file types. Btw, this idea comes from McAfee VirusScan Enterprise 8.0i Access Protection.
     
    Last edited: May 24, 2006
  7. Get

    Get Guest

    Have been using MJRW for some days now and was very pleased with it until now. Today I had to install some software and then I always disable some programs, among which is SpywareGuard. I unticked the 3 General Protection Options in SWG, saved settings and I ok'ed/accepted the MJRW prompts. SWG was totally disabled. After the installation I enabled it again and again I ok'ed/accepted the prompts, but I saw the SpywareGuard taskbar icon still said "disabled"... The "Real-time Scanning Engine" option was still disabled (the other 2 were enabled). They were all still ticked and I again clicked "Save Settings" and now it was, without a prompt from MJRW, enabled. In this case it wasn't a big deal because you can see the mistake (taskbar icon), but when you don't see it it could be a big deal. Hope it can be fixed, because I really like the program. :)
     
  8. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Get: I'm not totally sure I followed what happened in your situation. Are you saying that you believe Registry Watcher was the cause of SWG not coming back up ok? Or that Registry Watcher didn't set off a warning when you re-enabled the 3rd option?

    FWIW, when I install new software, I always run Registry Watcher in "Accept" mode. (You can make this change instantly by right clicking the tray icon.) It still logs all activity in its scanning parameters and alerts you with the k-chop sound, but it doesn't impede things in any way. This still allows you to review monitored changes manually (in case things end up different than what you thought might happen.)

    A key piece of info that led me to this course of action is a page or so back (in this thread) where GE notes his son's negative experience with Windows Update and still using "Prompt" mode.
     
  9. Get

    Get Guest

    Yes, that's the issue. I didn't know you hear a sound when in accept mode, so maybe I'll do that, but my sound isn't always on and therefore I prefer popups.
     
  10. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    There is also an additional notice of an event when in Accept mode. The tray icon goes from green to red and stays that way until you acknowledge it by left clicking it once (which brings up the program window.) Of course, if it's red and you reboot, it goes back to green. But the event is still in the log...
     
  11. Get

    Get Guest

    Yes, I thought about that also and was thinking about putting it back in. I still prefer prompting, but until that's fixed, if it is a fault of MJRW and therefore fixable that is, I will use it in accept mode. Thinking out loud now, I think maybe accept mode is preferable, because I can't remember the last time I was infected with something. :rolleyes:
     
  12. EASTER.2010

    EASTER.2010 Guest

    Great Topic thread by the way.

    Anyone have a good URL to the very latest version of this and is being updated again soon?

    Thanks, lots of interesting discussions and results with this so far.
     
  13. Get

    Get Guest

  14. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    This is the case for me also.

    I am the sole user of my Win XP PC and I use 2 accounts. One is the Admin and I run RegWatcher in Accept mode for it. (This is the account I install software under and do Windows Update under.) The other account is a Limited user and it's the one I surf under. I run a separate RegWatcher iteration for it in Prompt mode. (A separate and complete Registry Watcher setup is loaded in each user account under Documents and Settings. This allows each account to run with different settings. I do NOT use Fast User Switching. (Makes life sooo much less complicated.))

    EASTER, 2010: I don't know what GE's plans are with Registry Watcher. The current version is 1.2.4.5.

    I can't speak for others but I have found it to be one of the best free programs I've run across. IMO, it does take some knowledge of how the Windows registry works to use it, but that's often the case with any powerful PC tool.

    My feeling is that if anyone is interested in it, but not sure if it's right for them, download and run it but place it in Accept mode. That way, you can learn how Registry Watcher works and also learn a great deal about what's going on in your PC (without the concern of making the wrong accept or reject decision.)
     
  15. Get

    Get Guest

    I only run an admin account, so it will have to stay in accept mode, but I'm already used to it and when prompt mode is safe to use I will also keep it in accept mode. I've got CompuServe for my mail and every time I log in a win.ini prompt comes along. When in prompt mode I deleted win.ini from the set, but now I can keep it in.
     
  16. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    423
    Location:
    London England UK
    Sorry for the delay in my reply. I have been busy with family affairs of late. Anyway, as for the problem Get is experiencing with Prompt mode, I suspect you are running MJRW in prompt mode, and it instantly undoes any change to the registry before it puts up an alert window (in case a nasty Trojan reboots the PC while the alert is showing). When you accept the change, it reinstates the registry change that had been made by program X, and undone by MJRW. This may interfere with other registry products you may have running (but not in a destructive way), so you should take the advice HAN gave, and switch to Accept mode when making changes you know will impact the registry keys protected by MJRW. After the installation, update or whatever is complete, switch MJRW back to Prompt mode.

    In the meantime, work will start in the next few days/weeks ( ;) ) on version 1.2.4.6, which will allow filespecs with wildcarded filenames. There will also be some cosmetic enhancements, like being able to print part of the log (or all of it). I will add filespec keys to cover executables in the windows and system32 directories like this :-

    %windir%o_O.exe
    %windir%o_O.com
    %windir%o_O.bat
    %windir%o_O.dll
    %windir%o_O.lib
    %windir%o_O.sys
    %windir%o_O.vxd

    &%system%o_O.exe
    %system%o_O.com
    %system%o_O.bat
    &%system%o_O.dll
    %system%o_O.lib
    %system%o_O.sys
    %system%o_O.vxd

    Please note the '&' prefixing the system directory's exe and dll files - this is because there are over 1700 on WinXP systems, and several hundred on Win9x systems, so they will be checked every 50 sweeps to lighten the CPU load.

    Any filespecs that are duplicates of these will be removed, unless it is an unprefixed system dll or exe.

    Since the key files will change, all users who have tweaked their key files should keep lists of extra keys they have added in a separate file, whose contents can be injected into each key file after the install (extraction from zip file). Exemptions file additions should also be kept in a separate file, for the same reason. In fact, thinking about this, I think whenever MJRW starts, it should check for a subdirectory called "tweaks" and merge any like-named file in there with the new files installed in the parent (MJRegWatcher) directory, if it finds keys or exemptions it does not already have. Then you could keep your tweaks transparently from one version to the next.

    Feedback is welcomed on all these proposals. Warmest regards,
     
  17. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    423
    Location:
    London England UK
    Having thought about it, the Tweaks directory was a bad idea. Each set may have different tweaks, so it became very difficult to program very quickly. I did everything else, and some UI niceties.

    The new version of MJ Registry Watcher (version 1.2.4.6) is now available at http://www.jacobsm.com/mjsoft.htm#rgwtchr . For some reason, the site seems to be down currently, but I'm hoping it will be back up within the next 12 hours. The ISP technical support phone queue is still at position 30, so I'm not the only one experiencing problems.

    The new MJRW protects all executables in the Windows and System32 directories, so it makes your PC even more secure, since most trojans target these directories to inject executables into your system. Windows is checked every sweep, and System32 .exe and .dll files checked every 50 (configurable) sweeps, to ease CPU usage (filespecs are prefixed with an ampersand '&' in the new key sets).

    Changes 1.2.4.5 to 1.2.4.6
    1) Added wildcard filenames capability for filespecs.
    2) Added WINDOWS and SYSTEM32 executable filespecs to all but the light key sets.
    3) Made mousewheel scrolls affect the window the mouse is over, even if it does not have focus.
    4) Removed duplicate keys caused by new filespecs in (2) from all key sets.
    5) Added Print capability to file viewer window.
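    The polling sweep, the non-recursive wildcard filespecs and the '&' prefix that defers a spec to every 50th sweep, as an added Python model that is not MJRW's own code. The filespec syntax ('%windir%*.exe', '&%system%*.dll'), the variable names and the NEW/DELETED/CHANGED labels are assumptions modelled on the description in the two posts above (the forum has garbled the wildcard in those posts), and demo() builds a constructed directory layout in a temporary folder.

```python
import fnmatch
import os
import tempfile

SLOW_SWEEP_EVERY = 50  # '&'-prefixed filespecs are only checked every 50th sweep

def expand_spec(spec, variables):
    """Split '&%system%*.dll' into (slow?, directory, filename wildcard)."""
    slow, spec = spec.startswith("&"), spec.lstrip("&")
    for name, value in variables.items():  # %windir% and %system% are assumed names
        spec = spec.replace("%" + name + "%", value + os.sep)
    directory, pattern = os.path.split(spec)
    return slow, directory, pattern

def snapshot(directory, pattern):
    """Non-recursive listing of matching files: path -> (size, mtime); no hashing."""
    result = {}
    for entry in os.scandir(directory) if os.path.isdir(directory) else []:
        if entry.is_file() and fnmatch.fnmatch(entry.name.lower(), pattern.lower()):
            result[entry.path] = (entry.stat().st_size, int(entry.stat().st_mtime))
    return result

class PollingWatcher:
    def __init__(self, specs, variables):
        self.specs = [expand_spec(s, variables) for s in specs]
        self.sweep = 0
        self.baseline = [snapshot(d, p) for _, d, p in self.specs]  # state at start

    def sweep_once(self):
        """One polling sweep: diff each filespec against its stored baseline."""
        self.sweep += 1
        alerts = []
        for i, (slow, d, p) in enumerate(self.specs):
            if slow and self.sweep % SLOW_SWEEP_EVERY:
                continue  # '&' spec: skip this sweep to lighten CPU load
            now, old = snapshot(d, p), self.baseline[i]
            alerts += ["NEW " + f for f in sorted(now.keys() - old.keys())]
            alerts += ["DELETED " + f for f in sorted(old.keys() - now.keys())]
            alerts += ["CHANGED " + f for f in sorted(now.keys() & old.keys()) if now[f] != old[f]]
            self.baseline[i] = now
        return alerts

def demo():
    """Constructed layout in a temp dir; returns alerts from sweep 1, sweeps 2-49, sweep 50."""
    win = os.path.join(tempfile.mkdtemp(), "Windows")
    os.makedirs(sys32 := os.path.join(win, "system32"))
    w = PollingWatcher(["%windir%*.exe", "&%system%*.dll"], {"windir": win, "system": sys32})
    open(os.path.join(win, "dropped.exe"), "w").close()    # created after baseline
    open(os.path.join(sys32, "dropped.dll"), "w").close()  # created after baseline
    return w.sweep_once(), [a for _ in range(48) for a in w.sweep_once()], w.sweep_once()
```

    The .exe in Windows is reported on the first sweep, while the .dll in System32 stays silent until sweep 50, which is the trade-off the '&' prefix makes between detection latency and CPU load.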
     
  18. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    423
    Location:
    London England UK
    The site is now back and running.
     
  19. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Thanks for the update GE. Will be loading it later today... :)
     
  20. shek

    shek Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    342
    Location:
    SE CHINA/NYC USA
    Thank you very much, GE. You did a great job.

    shek
     
  21. Get

    Get Guest

    @Graphic Equaliser: I will leave it in accept mode (a sweep every 20 sec). There aren't so many changes in my registry so checking it when it's unexpected isn't hard to do. Thx for a great program btw! It's the missing part in my security I was looking for.
     
    Last edited by a moderator: Jun 17, 2006
  22. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    I have loaded the new 1.2.4.6 version on two PCs (one has two separate setups of RegWatcher on it, one for the Admin acct and one for the Limited acct) and it is running great!

    GE: All I did was overwrite the 12 files from the new version over the existing 1.2.4.5 files and then made any changes I needed for my personal tweaks. Was this the right/best way to go about it?
     
  23. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    423
    Location:
    London England UK
    HAN, yes you did it right. If there are lots of tweaks, you may want to store them in files, so you can copy and paste them back into new versions of the key sets and exemptions files.

    There is a bug in 1.2.4.6 which took me a while to notice. When you are on the &%system%o_O.dll key, and you choose to View a file that is towards the end of the long list, it will put up the wrong file, or nothing at all. (Technical aside : caused by CaretPos overflowing on text greater than 64K in a Memo)

    I have corrected this, but I feel one slight bug is not enough to warrant a release. If anyone has any new ideas, bug fixes or enhancements for MJRW, it may give me cause to release 1.2.4.7 - in the meantime I'm looking for anything else. Perhaps those who know Vista registry key locations could get in touch so we can engineer new sets for it. TIA,
     
  24. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    Well, I've decided to give MJRW a try and I have a few questions (if you don't mind):

    What are the differences between the security sets?

    And am I right in that MJRW uses polling to monitor the registry?
     
  25. shek

    shek Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    342
    Location:
    SE CHINA/NYC USA
    1. The higher security level it is, the more values and keys are monitored.
    2. Yes, MJRW uses polling.
     