MJ Registry Watcher

Discussion in 'other anti-malware software' started by Graphic Equaliser, Nov 13, 2004.

Thread Status:
Not open for further replies.
  1. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    doctormac,
    Sorry it has taken me so long to get back here - you know how it gets sometimes! Anyway, there are a couple of things you can do to stop this "bitbucket" alert getting on your nerves. When the alert comes up, could you please copy the text of the alert and post it up here for me to look at? TIA. BitBucket is a subkey of the main Explorer registry branch. It should not be causing repeated alerts, so this should be interesting!

    As for Win98, yes, there are problems hooking certain objects under Win9x (OS fault - not mine ;) ). So the message "WaitForMultipleObjects : The handle is invalid : Filespec Hook Turned Off" is nothing to worry about. It means that MJRW will now only use polling to trap filespec changes, rather than both polling and hooking - you're still protected. This problem occurs on certain Win9x systems and not others, so I cannot easily pinpoint the problem. According to MS documentation, the hooking should work fine under Win9x, but they said that about certain low-level multimedia system calls (none of which are used in MJRW), and some of them hang under Win9x!

    As for different key sets, the reason MJRW comes up with the "Custom Set" by default (rather than the "Default Set") is so that you can twiddle with the custom set but always have a backup copy of the default set of keys, in case your experiments get out of hand. The other day I wanted MJRW to protect all file associations on the PC, so I added the key spec

    hkey_classes_root\*\shell\open\command

    to the custom list. It worked, but it adds a lot of extra stuff to MJRW's checklist, so I removed it after the experiment was over. The Custom Set is ideal for this type of treatment, whereas the Default Set is the same set as the initial Custom Set supplied with MJRW. Of course, you can experiment with any of the sets supplied with MJRW - you can always go back to the zip file and extract the originals again, if things get messed up.

    I hope that's cleared things up for you!

    P.S. Thanks to Han and Bellgamin for your (as always) helpful comments.
     
    Last edited: Sep 16, 2008
  2. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    A new version of MJ Registry Watcher has just been released (available as usual at http://www.jacobsm.com/mjsoft.htm#rgwtchr ). It has the following improvements :-

    Changes 1.2.6.3 to 1.2.6.4
    1) Enhanced alert email functionality to allow the specification of User ID/Password and the From email address. The format for the configuration of the outgoing email alerts is documented under the section EMAIL ALERT CONFIGURATION in the help file.
    2) Fixed a bug which caused the specification of an "Always Reject" value on a line by itself, to not delete the value if none existed before one was created. This means that specifying
    !hkey_lmus\software\microsoft\windows\currentversion\run\QuickTime
    just before the line
    hkey_lmus\software\microsoft\windows\currentversion\run
    now properly ensures that MJRW will not allow the QuickTime run value to be created, or if one exists, will not allow it to be changed.
    3) Alerts will occasionally be able to report recently launched processes so that finding the cause of an alert is easier.
    4) There is now the ability to log all process launches. This can be switched on or off (default), and the setting is remembered in the configuration file.

    Enjoy!
     
  3. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    561
    Thanks Graphic :) :thumb:
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Exceptional improvement! Many thanks for continuing to fine tune this monitor making it even more useful each update.

    EASTER
     
  5. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Many thanks from me too! :D (I won't run my PCs without it!)
     
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    i think by running this tool we can keep our registry clean from junk, spyware and trojans ;)
     
  7. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    it will be nice if the developer adds protection against termination and password protection against settings alteration :)
     
  8. Alan Baxter

    Alan Baxter Registered Member

    Joined:
    Mar 14, 2007
    Posts:
    35
    [Solved] Automatic Startup not working

    [Solved]
    Edit: I had one more idea. Just noticed the trailing space in the path in the registry key. Edited it out. Automatic Startup is working now. :D

    I can't figure out why MJ Registry Watcher isn't automatically starting up when I boot the computer. I'm a new user and I downloaded version 1.2.6.4 a couple of hours ago from http://www.jacobsm.com/mjsoft.htm#rgwtchr. My OS is Windows XP Pro SP3. I want MJRW for automatically tracking legitimate registry modifications in real-time, especially auto startup mods. My account has Administrator privileges.

    The instructions were easy to follow. I installed it in my system program files directory at D:\Program Files\MJRegWatcher. I verified that it works properly by using Autoruns to temporarily remove the SunJavaUpdateSchedJava(TM) d:\program files\java\jre6\bin\jusched.exe autostart entry and then restore it. MJRW caught both changes immediately. I don't know if it matters, but I changed the polling interval to 600 seconds because the CPU load from polling is non-trivial on my nine year old 600MHz PIII. I also changed the Alerts to Always Accept. The red icon and log pane provide me with sufficient information to track auto startup registry mods.

    I followed the instructions for Automatic Startup, i.e. "use the Options, Settings, Automatic Startup Options screen to install it either just for the current user, or for all users". I chose "all users". I've verified that the following key was installed:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MJ Registry Watcher"="D:\\Program Files\\MJRegWatcher\\RegWatcher.exe "

    All the other entries in [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] still start up automatically, but RegWatcher.exe does not. I've verified that the path in the registry is correct by copy/pasting it into Start > Run. It works just fine, except it won't automatically start up.

    I'm out of ideas. Anybody know what's wrong here?
     
    Last edited: Mar 10, 2009
  9. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Re: Automatic Startup not working

    If the listing is exactly as it is in your post, I wonder if the syntax on the startup is correct.
    There are 2 backslashes between each entry. Normally, there should only be one. Beyond this, I'm not seeing much wrong.


    **EDIT**

    If the above is not helpful, try removing all the quote marks on
     
  10. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Problem sorted - it was the trailing space. A new version is in the works and it will include a fix for this, more detailed debug mode info, and a raft of new keys and filespecs to augment the protection already offered - see http://gladiator-antivirus.com/forum/index.php?showtopic=24610 for reference - I hope to cover all of these locations and more. It will be released in about a week since I need to test how system utilisation changes with the new keys in each of the security sets. If you have any other suggestions to enhance or correct MJRW in the next few days, please email me or post something up here. TIA,
     
  11. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Wow! I didn't notice the space until you pointed it out!

    Tony Klein knows his stuff. Interesting post!

    Best of luck on the upcoming new version! :D
     
  12. Alan Baxter

    Alan Baxter Registered Member

    Joined:
    Mar 14, 2007
    Posts:
    35
    Re: Automatic Startup not working

    Thank you for the suggestion, HAN. The double backslashed value you see is the output when creating a .reg file by exporting that Run key with Regedit. I spotted the trailing space in the exported key, verified that removing it fixed the problem, and emailed a bug report to Mark. You must have missed the Edit I added to the beginning of the post an hour later. I've added [Solved] now to the title to make it more obvious.
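    The trailing-space problem above is easy to miss by eye, and the doubled backslashes in the exported value are just regedit's .reg escaping. The following is an added example (not MJRW's or regedit's code) that parses a .reg export the way regedit writes string values, unescapes them, and flags Run-key commands that end in whitespace or are unquoted paths containing spaces. The sample export embedded in it is constructed to mirror the key in the post, trailing space included.

```python
"""Audit Run-key commands in a regedit (.reg) export.

Added example, not MJRW's or regedit's own code. Regedit writes string
values as "name"="data" with every backslash doubled and embedded quotes
written as a backslash followed by a quote; that is why the value posted
above shows double backslashes. The audit unescapes the data, then flags
the trailing space that stopped RegWatcher.exe from starting, and also
unquoted paths containing spaces, which Windows resolves ambiguously.
"""
import re

# Constructed sample export; the trailing space on the first value is kept on purpose.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MJ Registry Watcher"="D:\\Program Files\\MJRegWatcher\\RegWatcher.exe "
"SunJavaUpdateSched"="\"d:\\program files\\java\\jre6\\bin\\jusched.exe\""
"Example"="C:\\Tools\\ok.exe /quiet"
'''

# "name"=data or @=data (default value); the name may contain escaped quotes.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def unescape_reg_string(s):
    """Undo .reg escaping: a backslash escapes the character after it."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg(text):
    """Return {key path: {value name: string data}}; non-string data is skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            continue
        name = unescape_reg_string(m.group(1)) if m.group(1) is not None else ""
        data = m.group(2)
        # Only quoted string data is audited; dword:/hex: values are not commands.
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            keys[current][name] = unescape_reg_string(data[1:-1])
    return keys


def audit_run_values(values):
    """Return (value name, issue) pairs for commands that may fail to launch."""
    findings = []
    for name, cmd in values.items():
        if cmd != cmd.strip():
            findings.append((name, "trailing or leading whitespace in command"))
        if not cmd.startswith('"'):
            # Up to the first ".exe" is treated as the executable path.
            cut = cmd.lower().find(".exe")
            exe = cmd if cut < 0 else cmd[:cut]
            if " " in exe.strip():
                findings.append((name, "unquoted path containing spaces"))
    return findings


if __name__ == "__main__":
    run_key = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    for name, issue in audit_run_values(parse_reg(SAMPLE_REG)[run_key]):
        print(f"{name!r}: {issue}")
```

    Run it against a real export (regedit, File > Export of the Run key) by replacing SAMPLE_REG with the file's contents; exports are UTF-16 with a BOM, so open the file with that encoding first.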
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Great catch guys!

    And also looking forward to Graphic Equaliser's fix and new release when it becomes available.

    EASTER
     
  14. mike21

    mike21 Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    416
    Hi, very cool little application, that I have missed before.

    What is the keyboard shortcut to launch the program from system tray? If I hit the shortcut again there can be many instances of the program running, is this normal?
     
  15. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    561
    Looking forward to it :)
     
  16. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Mike, you can have multiple instances of MJRW running, and some users actually do run 2 or 3 instances. In their situation, they are running each instance with different custom key sets, and with different modes (Accept, Prompt, Reject). This poses no problems except where overlapping keysets are used and changes are rejected (they would have to be rejected for each instance of MJRW - that's all).

    As for a keyboard shortcut to launch the program, I haven't devised one. The F6 key serves to minimise MJRW back to the tray when it is on screen and in focus. Since MJRW is usually autorun at startup, there has never been a need for a shortcut key to launch it!

    All users, changes to the keysets, rather than being merged into the existing keys, will be an addendum at the end of each list, in a section called ## Additional Security. I have also added Vista's task scheduler directory to the fray, since it is in system32 rather than windows (as in XP). I have also changed every instance of "open\command" to "*\command" so as to protect every action, rather than just the open action. Here is the list so far :-

    ## Additional Security
    %system%ctfmon.exe
    %system%tasks
    hkey_classes_root\.lnk\shellnew
    hkey_classes_root\.bfc\shellnew
    hkey_classes_root\unknown\shell\*\command
    hkey_classes_root\directory\shell\*\command
    hkey_classes_root\folder\shell\*\command
    hkey_classes_root\drive\shell\*\command
    hkey_classes_root\applications\iexplore.exe\shell\*\command
    hkey_classes_root\clsid\{871c5380-42a0-1069-a2ea-08002b30309d}\shell\*\command
    hkey_classes_root\cplfile\shell\*\command
    hkey_classes_root\http\shell\*\command
    hkey_classes_root\inffile\shell\*\command
    hkey_classes_root\internetshortcut\shell\*\command
    hkey_lmus\software\classes\folder\shellex\columnhandlers
    hkey_lmus\software\classes\shellscrap
    hkey_lmus\software\classes\shellscrap\shell\*\command
    hkey_lmus\software\clients\startmenuinternet\iexplore.exe\shell\*\command
    hkey_lmus\software\microsoft\windows nt\currentversion\aedebug
    hkey_lmus\software\microsoft\windows nt\currentversion\drivers32
    hkey_lmus\software\microsoft\windows nt\currentversion\image file execution options
    hkey_lmus\software\microsoft\windows nt\currentversion\image file execution options\*\debugger
    hkey_lmus\software\microsoft\windows nt\currentversion\terminal server\install\software\microsoft\windows\currentversion\run
    hkey_lmus\software\microsoft\windows nt\currentversion\terminal server\install\software\microsoft\windows\currentversion\runonce
    hkey_lmus\software\microsoft\windows nt\currentversion\terminal server\install\software\microsoft\windows\currentversion\runonceex
    hkey_lmus\software\microsoft\windows\currentversion\app paths\*\
    hkey_lmus\software\microsoft\windows\currentversion\explorer\advanced
    hkey_lmus\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden
    hkey_lmus\software\microsoft\windows\currentversion\explorer\advanced\folder\superhidden
    hkey_lmus\software\microsoft\windows\currentversion\explorer\advanced\folder\superhidden\policy\dontshowsuperhidden
    hkey_lmus\software\microsoft\windows\currentversion\explorer\mountpoints\*\shell\*\command
    hkey_lmus\software\microsoft\windows\currentversion\explorer\mountpoints2\*\shell\*\command
    hkey_lmus\software\microsoft\windows\currentversion\explorer\mycomputer\*\
    hkey_lmus\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers
    hkey_local_machine\system\*\control\bootverificationprogram
    hkey_local_machine\system\*\control\class\{4d36e96b-e325-11ce-bfc1-08002be10318}\upperfilters
    hkey_local_machine\system\*\control\print\monitors
    hkey_local_machine\system\*\control\safeboot
    hkey_local_machine\system\*\control\safeboot\minimal
    hkey_local_machine\system\*\control\safeboot\network
    hkey_local_machine\system\*\control\safeboot\option
    hkey_local_machine\system\*\control\securityproviders

    I have also altered the exemptions files so if you have any useful ones, I would be grateful if you told me so I can possibly incorporate them. TIA,
     
    Last edited: Mar 10, 2009
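    To make the key-spec syntax concrete (the "Always Reject" `!` lines from the 1.2.6.4 changelog earlier in the thread, and the wildcard lines in the ## Additional Security list above), here is an added example of a matcher for lists in that style. It is not MJRW's own code, and its semantics are assumptions rather than anything taken from the MJRW help file: `*` matches exactly one path component (some renderings of this thread show the wildcard as the `o_O` smiley), a `!` line is an Always Reject value that wins over a plain monitored key, and the `hkey_lmus` prefix stands for both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER. The spec list and the registry paths it is run against are constructed.

```python
"""Matcher for MJ Registry Watcher-style key-spec lists.

Added example, not MJRW's own code. Assumed semantics (not from the MJRW
help file): '*' matches exactly one path component, a leading '!' marks an
"Always Reject" value, a plain line is a monitored key, and the 'hkey_lmus'
prefix expands to both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER.
Comparison is case-insensitive, as registry paths are.
"""
from dataclasses import dataclass

# Assumed expansion of MJRW's "hkey_lmus" prefix.
HIVE_ALIASES = {"hkey_lmus": ("hkey_local_machine", "hkey_current_user")}

# Constructed spec list: the QuickTime example from the 1.2.6.4 changelog plus
# two wildcard lines in the style of the "## Additional Security" section.
SAMPLE_SPECS = r"""
## Sample Set
!hkey_lmus\software\microsoft\windows\currentversion\run\QuickTime
hkey_lmus\software\microsoft\windows\currentversion\run
hkey_lmus\software\microsoft\windows nt\currentversion\image file execution options\*\debugger
hkey_classes_root\*\shell\*\command
"""


@dataclass(frozen=True)
class Rule:
    parts: tuple  # lower-cased path components; '*' is a wildcard
    reject: bool  # True for '!' lines (Always Reject)


def _components(path):
    return tuple(p for p in path.lower().split("\\") if p)


def parse_specs(text):
    """Parse one spec per line; '#' lines are section headings."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reject = line.startswith("!")
        if reject:
            line = line[1:].strip()
        parts = _components(line)
        if not parts:
            continue
        for hive in HIVE_ALIASES.get(parts[0], (parts[0],)):
            rules.append(Rule((hive,) + parts[1:], reject))
    return rules


def matches(rule, path):
    """A rule matches a path when it is a component-wise prefix of it."""
    parts = _components(path)
    if len(rule.parts) > len(parts):
        return False
    return all(r == "*" or r == p for r, p in zip(rule.parts, parts))


def classify(rules, path):
    """'reject' if an Always Reject rule matches, 'alert' if a monitored key does, else 'ignore'."""
    hits = [r for r in rules if matches(r, path)]
    if any(r.reject for r in hits):
        return "reject"
    return "alert" if hits else "ignore"


if __name__ == "__main__":
    rules = parse_specs(SAMPLE_SPECS)
    for p in (
        r"hkey_local_machine\software\microsoft\windows\currentversion\run\QuickTime",
        r"hkey_current_user\software\microsoft\windows\currentversion\run\Updater",
        r"hkey_classes_root\exefile\shell\runas\command",
        r"hkey_classes_root\exefile\defaulticon",
    ):
        print(f"{classify(rules, p):7} {p}")
```

    Because a reject line is only honoured when it is matched at all, the order of lines does not matter here; MJRW's changelog describes the `!` line being placed just before the key it refines, which this matcher accepts but does not require.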
  17. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    mike21: I have 2 user accounts on my PCs at home and I use Reg Watcher differently on each one.

    For my admin account, I use the default rule set and leave Reg Watcher in "Accept Mode" all the time. This keeps the alerts in place but allows things like program and Windows updates to proceed unimpeded.

    Then for my Limited user account (the one I do most of my web surfing on) I use the Medium rule set and bounce back and forth between "Prompt Mode" and "Accept Mode", depending on what I am doing.

    I like how flexible the program is. It can pretty much monitor whatever you want, how you want.
     
  18. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    is this app similar to what WinPatrol does? or is it different? thanks
     
  19. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    To avoid boring you to tears with lots of details, I'll make this pretty short. The two apps are similar in some respects but in many ways, very different. They both monitor certain file and registry changes but Registry Watcher is highly customizable. You can set it to monitor whatever you want. (GE's sets of rules may be enough for most users (they are for me) but you can also roll your own, so to speak.)

    On the other hand, WinPatrol's options are limited. You can turn off some things but not really add anything new to be monitored.

    This all said, I like and use both. I run paid WinPatrol Plus (on XP both at home and at work) along with Registry Watcher (to which I've also contributed.) I would not like to do without either one...

    **EDIT**
    The free version of WinPatrol is a polling app (as low as one minute between polls) and so is Registry Watcher (it can be set for intervals as low as one second between sweeps (of course there would be an impact on CPU utilization if set that close.)) The paid version of WinPatrol can monitor some items in real time versus the standard polling method.
     
    Last edited: Mar 10, 2009
  20. Alan Baxter

    Alan Baxter Registered Member

    Joined:
    Mar 14, 2007
    Posts:
    35
    Just a minor UI polish issue regarding the control for the polling interval. It appears that the only way to change it is with the up and down arrows. It would be nice if it was editable too. Isn't there a widget attribute or something like that that just needs to be set when it's created?
     
  21. mike21

    mike21 Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    416
    Hi and thx for your reply. I didn't want to quote all your msg to save some space, but as for the above it is not what I am asking for. Suppose that MJRW is already started and lies on system tray. Is there a way to show the main window from sys tray without having to click it?
     
  22. Alan Baxter

    Alan Baxter Registered Member

    Joined:
    Mar 14, 2007
    Posts:
    35
    Hi, Mike. I've never used it, but the description of this program suggests it might support that. Perhaps someone else might know of an even better program. This is just something I found with a quick web search.
    http://4t-tray-minimizer-free.4t-niagara-software.qarchive.org/
     
  23. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Alan, I have incorporated the change into 1.2.6.5 to make the polling interval editable. A few more days of testing it and it will be released.

    Mike, in order to make a shortcut key that activates MJRW while it is in the system tray, I would have to install a system keyboard hook to 'catch' the keystroke, and then restore the MJRW window. This would involve writing a DLL that is loaded when MJRW starts. I have written an event journaller that does this but I would not foist this technique onto MJRW. Keyboard hooks look notoriously like keyloggers - they inject their DLL code into every running process' memory space - that is how they work. This would be overkill for a simple MJRW activation key. Sorry, but Windows does not make that kind of thing easy.

    ** EDIT **
    Mike, I apologise. I just found a Windows API function that does the trick - RegisterHotKey. I can make the hotkey Ctrl+Alt+F6 if you like - it ties in with F6 to minimise it back to the tray. Again, this is set for next release 1.2.6.5

    Keep those ideas rolling in! Regards,
     
    Last edited: Mar 11, 2009
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    And you keep this program on advancing in better coverages. LoL

    Thanks GE for continuing it during this very long stretch where others might have been content to just bail out.

    Regards:EASTER
     
  25. mike21

    mike21 Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    416
    Thanks a lot for trying to implement my suggestion Graphic Equaliser.
     