MJ Registry Watcher

Discussion in 'other anti-malware software' started by Graphic Equaliser, Nov 13, 2004.

Thread Status:
Not open for further replies.
  1. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    Keeps getting better and better. Nice work :) This program completes my setup.
     
  2. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Because of the discovery of certain apps' registry activities, I have released version 1.2.5.3 of MJRW at http://jacobsm.com/mjsoft.htm#rgwtchr which has the following change :-

    Changes 1.2.5.2 to 1.2.5.3
    1) Now allows the user to set a minimum time period between fast sweeps, so that if Opera is downloading and the registry is constantly triggering MJRW's hook, a fast sweep is only done every 30 seconds (default value, set from the options menu). This means that, under normal conditions, a fast sweep is always ready to trap a change instantly, but has to wait at least
    30 seconds after that, before it can run again to trap another triggered change. It can be set as low as 1 second to duplicate 1.2.5.2's current behaviour. The polling sweep continues to run normally. This significantly reduces CPU usage during Opera browsing sessions, OE checking mail every couple of minutes, and Google Web Accelerator PCs, for example.

    I hope it solves certain people's problems. Regards,
     
  3. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Downloading it now. Thanks again! :)
     
  4. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    First off, thanks GE for giving us more control over the registry hooking/fast sweeping part of the program. :thumb: I do have some thoughts/questions though...

    After running 1.2.5.3 for a bit, I have begun to wonder if a timeout as long as 30 seconds between fast sweeps is where I want to be. If one has a fair amount of ongoing, non-harmful registry changes (which seems to be the case for me), it seems I would have registry hooking/fast scanning for only a handful of seconds out of each minute (maybe as low as 2 seconds out of every 62.)

    While it would not help cut CPU usage as much as I/we might wish, I keep thinking that a timeout of less than 10 seconds (maybe as low as 3 to 5) would be better o_O It would still cut the CPU usage down somewhat while keeping the registry hook in play a good deal more. And allow it to potentially catch something bad in between regular polling sweeps.

    Thoughts?
     
    Last edited: Jan 27, 2007
  5. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    The hooking does not depend on this frequency setting. The setting is for how often MJRW should bother checking out what's changed with a "fast sweep", after the hook has been triggered. If a trigger occurs, either the next fast scan timeout will catch it or the polling loop. But the hook is always on, so a change that is 20 seconds old on a system with polling sweeps every 60 seconds, will still cause a fast sweep, even if that sweep is delayed by the 30 seconds "CPU brake".

    From my trials, 30 seconds seems to work for me. I had it at 60 seconds, but this seemed to leave a tad too long a gap. The polling would catch random changes first, usually. I also tried 20 seconds, but it seemed to use slightly more CPU when Opera was bashing away, although it's difficult to tell.

    With Opera playing youtube near constantly (thanks to my darling kids!), the registry is in constant turmoil, and any generic hooking mechanism would be triggered constantly. You can set MJRW to 3 or 5 seconds yourself (it will remember your setting in the configuration file). Let me know how it seems. I already have some minor cosmetic changes planned for the next version. I will be adding %system%ctfmon.exe to all lists, since it is a common startup file on XP PCs. It needs protecting; the current key sets would detect a change to this file only every 50 sweeps (depending on your settings).

    Regards,
     
  6. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    I thought about this a bit more and I'm still confused... :blink: (Haven't had a chance to test my shorter times yet.)

    I'm thinking that if the hook-triggered sweep is delayed for a period of time longer than a normal sweep, isn't the fast sweep pretty much unneeded at that point? Does it do something that the normal sweep does not do? I guess it seems that if I don't allow the hook to run its fast scan potentially more often than the normal one, I'm not really seeing any additional coverage.

    o_O
     
  7. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    If the registry is in constant turmoil, then triggers will be happening all the time. MJRW will only "fast sweep" investigate them :-
    1) The first trigger immediately
    2) Subsequent ones at least 30 seconds past this first trigger.

    If the registry is not in constant turmoil, most triggers will be investigated immediately they occur, unless they are within 30 seconds of each other.

    It's a bit like a sleep function on a burglar alarm - if you get an alarm, you can investigate it straight away. If you get another alarm (within the 30 seconds setting) while you are still investigating, it sleeps the alarm until the 30 secs is up, and then it investigates again. When you have loads of false positive triggers happening, investigating all of them immediately, puts stress on the CPU. I hope that explains the mechanism for you.
     
  8. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    If you do not have any apps running which constantly rewrite the registry (you are not running Opera or Google web accelerator), then you can set MJRW's fast sweep throttle to 5ms and the frequency to every 1 second. This ensures instant response, and yet the CPU usage is still low. If you are using Opera or Google Web Accelerator, stick with the defaults (10ms and 30 seconds).
     
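    The fast-sweep throttle described in the last few posts, as an added simulation that is not part of the original thread and not MJ Registry Watcher's own code: it models a hook-triggered fast sweep that is allowed at most once per minimum gap (the "CPU brake"), beside a fixed polling sweep, and reports how long a change to a monitored key stays unseen. The 60-second polling interval, the trigger streams and the scheduling rules (an owed sweep is released as soon as the brake expires) are assumptions made for the illustration.

```python
"""Simulation of a rate-limited, hook-triggered "fast sweep" beside a periodic
polling sweep. Constructed illustration only: not MJ Registry Watcher's code.
The 60 s polling interval, the trigger streams and the scheduling rules are
assumptions for the purpose of the example."""
from dataclasses import dataclass, field


@dataclass
class SweepScheduler:
    """Runs a fast sweep when the registry hook fires, but never more often
    than once per min_fast_gap seconds (the "CPU brake")."""
    min_fast_gap: int            # minimum seconds between two fast sweeps
    poll_interval: int           # the regular polling sweep period
    last_fast: float = float("-inf")
    pending: bool = False        # a trigger arrived while braked; a sweep is owed
    fast_sweeps: list = field(default_factory=list)

    def on_trigger(self, t: int) -> None:
        """Hook fired at time t (any registry change, benign or not)."""
        if t - self.last_fast >= self.min_fast_gap:
            self._fast_sweep(t)
        else:
            self.pending = True          # remember it; investigate when allowed

    def tick(self, t: int) -> None:
        """Called once per second: release an owed sweep when the brake expires."""
        if self.pending and t - self.last_fast >= self.min_fast_gap:
            self._fast_sweep(t)

    def _fast_sweep(self, t: int) -> None:
        self.fast_sweeps.append(t)
        self.last_fast = t
        self.pending = False

    def swept_at(self, t: int) -> bool:
        """True if either sweep kind ran at t (polls run at multiples of poll_interval)."""
        return t % self.poll_interval == 0 or (bool(self.fast_sweeps) and self.fast_sweeps[-1] == t)


def simulate(benign_triggers, change_time, min_fast_gap, poll_interval=60, horizon=180):
    """Return (time the monitored change is first seen, list of fast-sweep times).
    benign_triggers: times (s) at which harmless registry churn fires the hook.
    change_time: time (s) of the one change a monitored key actually suffers."""
    sched = SweepScheduler(min_fast_gap, poll_interval)
    triggers = set(benign_triggers) | {change_time}   # the bad change fires the hook too
    detected = None
    for t in range(horizon + 1):
        if t in triggers:
            sched.on_trigger(t)
        sched.tick(t)
        if detected is None and t >= change_time and sched.swept_at(t):
            detected = t
    return detected, sched.fast_sweeps


def detection_latency(benign_triggers, change_time, min_fast_gap, poll_interval=60):
    """Seconds between the monitored change and the first sweep that sees it."""
    detected, _ = simulate(benign_triggers, change_time, min_fast_gap, poll_interval)
    return detected - change_time


if __name__ == "__main__":
    quiet = []                       # nothing else touches the registry
    churn = range(0, 181)            # e.g. a browser rewriting keys every second
    for label, triggers in (("quiet", quiet), ("churn", churn)):
        for gap in (1, 5, 30, 90):
            lat = detection_latency(triggers, change_time=45, min_fast_gap=gap)
            print(f"{label:5s} registry, {gap:2d}s brake, 60s poll: change at 45s seen after {lat:2d}s")
```

    On a quiet registry every brake setting catches the change at once, because the first trigger is always investigated immediately. Under constant churn a 30-second brake and a 90-second brake both see a change made at 45 s only at the 60-second poll, so a brake longer than the polling interval buys no extra coverage, while a 5-second brake sees a change made at 47 s after 3 s.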
  9. Otreus

    Otreus Registered Member

    Joined:
    Sep 22, 2003
    Posts:
    16
    Hi :)
    Can someone tell me where I can find a FAQ for using this program? My English isn't good and it is hard for me to use it.

    I have seen that MRW monitors only a few strings and I want complete monitoring of the registry; what must I do?

    Another question: I have read that MRW can create a .reg file to restore the registry if a program has changed it, but I don't know what I must do to enable this option :(
    It would be best if MRW backed up ONLY the modified keys; is that possible? I want to see which keys the programs I install add.

    If someone wants to help me, please speak simply ;)
     
  10. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    Open up the program and set it to the highest; it will cover most areas.
     
    Attached Files: MJW.png (32.7 KB)
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    HI MJRegistry community,

    First I would like to say that it is a big programming feat to evolve MJRegistryWatcher from a polling to a kernel-based defense program. Secondly, I think it is incredible that Mr. Jacobs still offers this as freeware.

    I have not played with MJ Registry Watcher, although I have done some tailoring of WinPooch, SSM-free and Regdefend (freeware liteware).

    On our PCs at home one has SSM-free (plus Antivir, SensiveGuard and DefenseWall paid) in which I have added 58 key protections in which the default SSM-free settings are blocked, RegrunAnimator and the entries listed in WhereMalwareHide (thanks Lucas1985). The good thing about SSM-free is that it guides you through the reg-key groups/entries and field values to protect. The downside is I do not know how to add wildcards (which limits the entries to protect). So SSM-free helped me to develop a basic understanding of the registry and protection.

    Thanks to YankinNCrankin I have Regdefend (liteware) with ToniKlein's set of entries (about 199 when you use Firefox and not IE), with CyberHawk, Antivir (all free) and GeSWall Pro (paid). A good thing about Regdefend is that you can use the trial period for learning and change the liteware version to block instead of ask for your hardened set of protection. Another good thing about Regdefend is that you can use wildcards AND exceptions on a process basis (so a rule is valid for every program except some whitelisted apps on specified keys).

    Now I know that MJRegistryWatcher has wildcards, but does it also have the program exception capabilities of Regdefend? The good thing about MJRW is that it is truly fully functional freeware.

    Regards K
     
  12. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Registry Watcher is still a poller. GE added the ability to hook the registry for changes. If the registry hook notes a change, it triggers a poll to see if the change is a monitored key/value. To my knowledge, none of the changes made Registry Watcher a kernel-based app. (This is my understanding of how this all works. Not speaking for GE! ;) )

    Registry Watcher does indeed offer the ability to create customized exemptions. The screenie I've attached shows the 2 areas where those settings can be made.
     
    Last edited: Mar 10, 2007
  13. Otreus

    Otreus Registered Member

    Joined:
    Sep 22, 2003
    Posts:
    16

    Thanks, but the control isn't complete :(
    Can you tell me what I must do to create the .reg backup file?

    Bye:)
     
  14. dw2108

    dw2108 Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    480
    I wish only that the author of this app would state a clear warning to the following effect:

    WARNING: THE DEFAULT ALERT WAVE IS NOT SAFE FOR VETS SUFFERING POST-TRAUMATIC STRESS SYNDROME!

    I had my speakers on high when the alert went off, and I dove for my AR 15, AK 47, .45 Colt, YM 16, CZ 23, and a few other toys!

    Dave HAL
     
  15. EASTER.2010

    EASTER.2010 Guest

    Great program that encompasses wide coverage but has but a single drawback for some of us. Polling allows enough time for intrusion, and in today's world that's all it takes to completely wreak havoc.

    Plz correct me if i seem cynical to my observations to this.
     
  16. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    I have thought about this quite a bit. With the knowledge that no anti-malware program is perfect, and based on the few (non-destructive ;) ) tests I've run with Registry Watcher, I am convinced it can make a good defensive stand against the majority of baddies it was designed to alarm on.

    It will alert on, but cannot prevent monitored file deletions (it does not store copies of the monitored files.) So yes, that could be an issue. (Not for me much because I image my setup fairly often, as IMO, we all should. :) )

    As for monitored file additions, it will roll those back. (A startup file addition was one test I ran. In a limited user account, Registry Watcher prevented the addition of a file. Microsoft's Windows Defender did not.)

    As for monitored registry additions or changes, they can be rolled back. My experience with the program is that monitored registry deletions are handled the same as changes. So they too can be rolled back.

    I acknowledge that many of us define our own best-practice security differently. But for several months now, I have been comfortable that Registry Watcher can and does make my PC safer.
     
  17. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    The backup registry options allow you to make a .reg file of the entire registry or just the key and subkeys you are on. Use Options, Backup Registry or Options, Backup Current Key. If the current key is a wildcard key with multiple matches you can choose which matching keys you want to write .reg files for. The help file states :-

    You can backup the registry or the key(s) you are on.
    The Registry Backup option makes a .reg format backup of the registry in the file MJRegBackup\MJRegBackup.reg off of the installation directory. It makes a copy of the old .reg file backup before overwriting MJRegBackup.reg, if one existed, and calls it MJRegBackup.old.
    These reg files are only to be restored as a last resort (ie. before reinstalling OS or reformatting hard drive)!

    Sorry to hear that PTSS sufferers are having a bad time with the klaxon alert! :p

    Han, no really, MJRW installs a kernel hook for the entire registry. Any change anywhere will trigger a "fast" sweep. How fast this sweep is depends on the fast sweep throttle timing. Reduce this to 1ms and you'll get a pretty instant notification of any monitored registry change. I run it at 5ms and this seems plenty fast enough for me. I also set a fast sweep frequency of 1 second so that the fast sweep almost always runs instantly once a hooked change is detected.

    An aside : I note that Intel CPUs report more CPU usage for MJRW than AMD ones. I have MJRW set up with the above parameters, and it used a mere 1m 20s CPU time on an AMD PC that had been up for over 15 hours! For Intel CPUs (no matter how powerful or dual-cored or whatever) they all seem to use about 1 min CPU for each hour up time (at worst), sometimes better. Perhaps Task Manager works differently with Intel CPUs - I dunno.

    Another aside : I heard a lot about Vista's internals, and I'm still in shock. It queries every hardware device's voltages 30 times every second. No wonder you need heavy hardware to run it. Laptop users lessen their battery life by 25% compared with XP SP2! See http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html for more info.
     
  18. EASTER.2010

    EASTER.2010 Guest

    Nice reg program, just keep improving it cause it's well worth the effort for many of us.
     
  19. ElkHair14

    ElkHair14 Registered Member

    Joined:
    Mar 25, 2007
    Posts:
    1
    MJ Registry Watcher - fidbox.dat

    I have searched, without much luck, to find anything about an entry (entries) which are being flagged regularly (actually, nothing but so far... just starting out).

    Anybody have some help with what these are? (Being new, if they are OK, is there a way to 'not sound the alert' just for these?)

    <<
    File Details Changed from
    c:\windows\system32\drivers\fidbox.dat - Size=3,829,536 Date=Sun Mar 25 14:34:13 2007 Attributes=-HSA-
    to
    c:\windows\system32\drivers\fidbox.dat - Size=3,831,328 Date=Sun Mar 25 14:48:48 2007 Attributes=-HSA-
    File Details Changed from
    c:\windows\system32\drivers\fidbox2.dat - Size=59,168 Date=Sun Mar 25 14:26:17 2007 Attributes=-HSA-
    to
    c:\windows\system32\drivers\fidbox2.dat - Size=59,680 Date=Sun Mar 25 14:50:07 2007 Attributes=-HSA-
    ** Sunday 3/25/2007 2:50:14 PM **
    Change Auto-Accepted
    >>


    TIA,
    Bill
     
  20. shek

    shek Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    342
    Location:
    SE CHINA/NYC USA
    Whenever a file property is changed, it triggers an alert. If you don't want the alarm, you could always edit the exempt filespecs list under Options.
     
  21. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Re: MJ Registry Watcher - fidbox.dat


    They are updated Kaspersky files. All you need to do is add them to the Edit Exempt Keys and Filespecs List under Options in the Registry Watcher window. See my screenie... :) (I have them exempted at work for my KAV 6 I run there.)
     
  22. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Han, thanks for explaining that. It may be better to make the spec more generic, as in :-

    %system%drivers\fidbox.dat
    %system%drivers\fidbox2.dat

    Is anyone out there using MJRW under Vista? Have you had problems with it, or does it work perfectly?
     
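    An added example, not part of the original thread and not MJ Registry Watcher's own code: a small matcher that runs the "File Details Changed" lines quoted earlier through an exempt-filespec list written in the generic %system% form suggested just above. The expansion of %system% to c:\windows\system32\ is inferred from the thread's own examples (%system%ctfmon.exe, %system%drivers\fidbox.dat) and is an assumption, as are the '*' wildcard and case-insensitive matching semantics; MJRW's real rules may differ. The hosts-file change in the sample text is constructed to show a change that is not exempt.

```python
"""Constructed example of checking "File Details Changed" alerts against an
exempt-filespec list that uses a %system% macro and '*' wildcards.
Not MJ Registry Watcher's code; its real matching rules may differ.
Assumed: %system% expands to c:\\windows\\system32\\ (inferred from the
thread's %system%ctfmon.exe and %system%drivers\\fidbox.dat examples)."""
import fnmatch
import re

MACROS = {"%system%": "c:\\windows\\system32\\"}   # assumption, see above

# Exemptions in the generic form suggested in the thread.
EXEMPT_FILESPECS = [
    r"%system%drivers\fidbox.dat",
    r"%system%drivers\fidbox2.dat",
]

# Sample alert text: the two fidbox entries quoted in the thread, plus a
# constructed hosts-file change that should NOT be exempt.
SAMPLE_LOG = r"""
File Details Changed from
c:\windows\system32\drivers\fidbox.dat - Size=3,829,536 Date=Sun Mar 25 14:34:13 2007 Attributes=-HSA-
to
c:\windows\system32\drivers\fidbox.dat - Size=3,831,328 Date=Sun Mar 25 14:48:48 2007 Attributes=-HSA-
File Details Changed from
c:\windows\system32\drivers\fidbox2.dat - Size=59,168 Date=Sun Mar 25 14:26:17 2007 Attributes=-HSA-
to
c:\windows\system32\drivers\fidbox2.dat - Size=59,680 Date=Sun Mar 25 14:50:07 2007 Attributes=-HSA-
File Details Changed from
c:\windows\system32\drivers\etc\hosts - Size=734 Date=Sun Mar 25 14:51:00 2007 Attributes=---A-
to
c:\windows\system32\drivers\etc\hosts - Size=812 Date=Sun Mar 25 14:51:02 2007 Attributes=---A-
** Sunday 3/25/2007 2:50:14 PM **
"""

DETAIL_RE = re.compile(
    r"^(?P<path>.+?) - Size=(?P<size>[\d,]+) Date=(?P<date>.+?) Attributes=(?P<attrs>\S+)$")


def parse_changes(log_text):
    """Yield one dict per 'from ... to ...' pair found in the alert text."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    i = 0
    while i < len(lines):
        if lines[i] == "File Details Changed from" and i + 3 < len(lines) and lines[i + 2] == "to":
            old, new = DETAIL_RE.match(lines[i + 1]), DETAIL_RE.match(lines[i + 3])
            if old and new:
                yield {
                    "path": old["path"],
                    "old_size": int(old["size"].replace(",", "")),
                    "new_size": int(new["size"].replace(",", "")),
                    "attrs": new["attrs"],
                }
            i += 4
        else:
            i += 1


def expand_spec(spec, macros=MACROS):
    """Replace %macro% names (case-insensitively) with their assumed paths."""
    for name, value in macros.items():
        spec = re.sub(re.escape(name), lambda _m: value, spec, flags=re.IGNORECASE)
    return spec


def is_exempt(path, specs, macros=MACROS):
    """Case-insensitive '*'/'?' wildcard match of a path against the exempt list."""
    return any(fnmatch.fnmatchcase(path.lower(), expand_spec(s, macros).lower()) for s in specs)


def classify(log_text, specs=EXEMPT_FILESPECS):
    """Return [(path, 'exempt' | 'alert'), ...] for every change in the text."""
    return [(c["path"], "exempt" if is_exempt(c["path"], specs) else "alert")
            for c in parse_changes(log_text)]


if __name__ == "__main__":
    for path, verdict in classify(SAMPLE_LOG):
        print(f"{verdict:6s} {path}")
```

    With the two fidbox specs the two Kaspersky files are exempt and the hosts change still alerts; a single spec of the form %system%drivers\fidbox*.dat covers both fidbox files while leaving everything else in that directory monitored.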
  23. Dennis L

    Dennis L Registered Member

    Joined:
    Jul 7, 2006
    Posts:
    46
    Location:
    Central Wisconsin - USA
    I'm brand new to MJ, dumping years of TeaTimer for Registry patrol. Am very pleased with lower overhead, improved system response. Have a few questions per following ...
    When running the program CCleaner (Cleaner option), how do I have MJ ignore changes that occur in the registry each time I run the routine? Currently I just "accept" each run, but my preference is to have MJ "ignore" any activity CC does to the registry.
    Also the same global question during the notorious 2nd Tuesday of the month / MS update requirement. For this week I just closed MJ while applying MS updates.
    Thanks for a wonderful program.
    Dennis L
     
  24. shek

    shek Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    342
    Location:
    SE CHINA/NYC USA
    Dennis---

    You could just switch MJRW to Accept mode when running CCleaner and MS Update.
     
  25. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    I agree with Shek. :) Because the entries for Win Updates and CCleaner's actions vary so much, it would be very difficult to know which items could always be safely ignored.

    If your preference is to normally run in Prompt Mode, you can quickly move to Accept Mode (and back) by right clicking on the padlock tray icon and choose the mode you want to move to. No need to open the full interface. (FWIW, I always run in Accept Mode when installing new (trusted) software, including Windows Updates. It ensures that everything is setup as it should be.)

    If you are uncomfortable running in Accept Mode while online, all Windows (and Office) updates can be downloaded manually from MS's website for later (offline) installation.
     