MJ Registry Watcher

did anybody tested this app againts malware attack?is there any test reviews?thanks

 

Not sure what you're after here. MJ Registry Watcher doesn't execute user-generated data, so there's no way to attack it. What kind of tests did you have in mind?

 

how in a test if there is one can this tool protect you againts malware attacks?not talking about protecting this app but your system thanks

 

Hi,

After awhile my change "took". Maybe it needed a reboot or restart ? That would be unusual, I could retest. As to the proposed enhancement .. some foghorn notifications have the three choices, some do not (simply "OK"). I am not familiar enough now as to which is why, but I thought the removeany message was one with only "OK". If so your good referenced change would not apply in that type of case. I can test if you like, and you can explain which types of messages go one way, which the other.

The only other reg program I have used was the now-dormant RegDefend. (Seemed to be quite good for its time.) I really do like the idea of this type of visibility, you really get a sense of what is going on. Of course ease-of-use and a training period (for you and the program) is critical.

Shalom,
Steven Avery

 

thanks for the explanation

 

I have just released version 1.2.6.7 of MJ Registry Watcher at http://www.jacobsm.com/mjsoft.htm#rgwtchr and it has the following changes :-

Changes 1.2.6.6 to 1.2.6.7
1) Added the ability to add filespecs to the exemptions list.
2) Corrected bug with exemption additions from alerts putting the prefix in the list in addition to the key or filespec, if there was a prefix.
3) Most alerts which cannot be undone and used to offer only an OK button, will now also have an extra option to exempt certain values/subkeys/filespecs.
4) After exempt subkeys or filespecs are added from an alert, the end of the sweep will reload the list so that the exemptions are set. This also happens if you prefix keys during an alert.
5) When hooking fails completely, it now fails gracefully and correctly falls back to polling only.
6) Fixed bug with exemptions starting with hkey_lmcu and hkey_lmus being ignored.
7) When an exempted value or subkey was changed on the PC (which don't cause an alert), the middle window did not reflect the change. Now it does.
8 ) Reduced execution priority to below normal to ease CPU utilisation.

 

Thanks yet again

 

Thank you, Mark. I usually run the default config in Accept Mode. I'll let you know how 1.2.6.7 goes.

I've made some minor changes to MJRegWatchKeys.txt and MJRegWatcher.xck using the MJ Registry Watcher UI. Extracting the new files over the old ones will overwrite my changes, so I created two files with just my changes in them, i.e. MJRegWatchKeys.txt.mychanges and MJRegWatcher.xck.mychanges. After I extracted MJ Registry Watcher Version 1.2.6.7 over the 1.2.6.6 files, I manually applied my changes to the two modified files. This should ensure I get any changes you've made to the security sets, while preserving any changes I've made. Did I miss anything?

 

Alan, that sounds fine. One thing that comes to mind is that your procedure should be done when MJRW isn't running. Also, check that the files you are adding to, have actually been rewritten by the extraction, before appending your additions, or they might be duplicated.

To do the same while MJRW is running, you can copy your additions to the clipboard and paste them in under the relevant "Edit Exemptions" option, or keys list, after checking that they aren't already in. Hope that's clear, and thanks for supporting MJRW.

 

Thanks once again GE!!!

 

Problem after Spybot-S&D Immunization

MJ Registry Watcher consumed 100% of the CPU on my second processor, and MJRW's UI was unresponsive for a long time: a couple of minutes I think. This was after the 2009-04-08 Spybot-S&D immunization added 133 subkeys to hkey_users\.DEFAULT\software\microsoft\windows\currentversion\internet settings\zonemap\domains and deleted one subkey. It was reported in the log after MJRW became responsive again.

I saw this happen once before in a previous version of MJRW, commented out hkey_lmus\software\microsoft\windows\currentversion\internet settings\zonemap\domains, and subsequently forgot about it. Since then I've switched from that modified Default Security Set to the Light Security Set, which doesn't have that line commented out. As reported, the problem happened again the night before last.

I'm running two 600MHz PIII processors on Windows XP SP3. Since I have a dual processor system and/or MJRW runs at Below Normal priority, it did not adversely affect the rest of my system. I've now commented out the problematic line in the Light Security Set too. Was this long unresponsive interval while MJRW was processing the 134 subkey changes due to a problem in MJRW? Or should I just leave that line commented out and forget about it?

BTW, I noticed from the log that the S&D immunization had removed searchalot.com the list of restricted sites. I've just asked over in the S&D forums why it was removed.

 

Re: Problem after Spybot-S&D Immunization

Alan: It's been my experience that larger changes to the registry key you are referring to does make RegWatcher work harder. And as you noted, how much of the CPU it uses can vary, depending on the abilities and speed of the CPU. I haven't used Spybot for quite a while (IMO, it's past it's prime) but when I did, and I used the Immunize feature, it would take RegWatcher a while to scan and report the changes. Same for Spyware Blaster changes too.

Is it a bug? Only GE can tell us that. IMO, it's not. It takes horsepower to do things like that. Certainly, the bigger the job is, the more horsepower it takes.

FWIW, I no longer make use of any program (IE-SpyAd, Spybot, Spyware Blaster, etc.) that uses that registry key. Especially when IE 8 came out and MS said that large numbers of entries in the Restricted Sites section can cause speed issues. Besides, for the most part, these apps don't provide much help for Firefox or Opera. (Anymore, I use one of the managed HOSTS files, hpHosts for web site blocking, along with WOT.)

 

Thanks, Han, for sharing so much good information coming from your own experience. I rarely use IE anymore, and when I do, I run it in Sandboxie. Maybe I don't need the passive protections provided by Spybot S&D and SpywareBlaster any longer.

 

this tool is very amazing this registry protection tool is compare to the one built in winpatrol plus thanks for making it

 

Alan, if a trojan decides to add its own zones to that key, Spybot S&D isn't going to help, unless it somehow protects that key, in which case commenting it out in MJRW is fine. The UI thread runs at "Below Normal" priority, and the sweeps run in a separate thread at "Idle" priority. It may appear as if MJRW is "jammed" in these type of situations, but it is deleting all those added values and then writing back all the original ones to undo the change and then prompt you. MJRW is written in C++ which is about as near to the hardware metal as you can get, so it can peak out a processor sometimes, but it should only be for a few seconds, not minutes as you stated before. Mind you, a 600 MHz P3 is old hat nowadays! The only thing I can think of is that a battle between MJRW and S&D ensued, where MJRW was undoing the change that S&D had made, and S&D was instantly redoing them. Perhaps that's what happened. If that happens a lot, prefix the relevant MJRW key with '=' (equals sign meaning always accept changes to this key) and it will log the changes but not try to instantly undo them. Another example I know of is ZoneAlarm and its entry in the run keys when it installs. The simple solution to ZA's installation is to exempt the value it is trying to write. HTH.

J Monge - thanks for your kind comments!

 

@Graphic Equaliser :MJ Registry Watcher is part of my arsenal weapons i love this type of security aproach,to protect the registry is very importan cause i know that's where malware targets

 

Thank you for the feedback, Mark. I'm already running in Accept Mode. I'll just leave the line commented out.

 

For The Graphic Equaliser,

OK, some classic 600 MHz P3 PCs won't handle various registry protection apps. BUT! There is still WinCleaner Free AntiSpyware, which offers a configurable registry protector and file protector. Which keys would you add as additional registry shields. I recall one version of The Arovax Shield long ago -- possibly archived at filehippo or oldversion -- which had the option to add extra protection for a given registry key. RegWatcher is a neat app, and some of the files included in RegWatcher really help, when edited, in configuring it for older PCs running 9x/ME. But I'm curious as to how you would set up WinCleaner FREE AS.

Thanks,
Dave

 

Dave, WinCleaner AS is no longer a supported product, and judging by their forums, there is little or no support for problems with the product. It seems the only way to add all of my coverage into their program would be to manually enter each one through their UI.

 

I have just released version 1.2.6.8 of MJ Registry Watcher at http://www.jacobsm.com/mjsoft.htm#rgwtchr and it has the following changes :-

Changes 1.2.6.7 to 1.2.6.8
1) Changed the use of the word "Registry" to "Reg" because of the Brontok virus rebooting the PC when it detects a window with "Registry" in the title.
2) Added the ability for MJRW to erase chosen values from any key without having to go into RegEdit. Again, this is because Brontok reboots if you launch RegEdit.
3) Removed %alldocs% from the mnemonics because it didn't work. Replaced it with %allappdata% which points to the common repository for application data. Under XP, this is usually c:\documents and settings\all users\application data\
4) Corrected over-long widths of 3rd and 4th buttons on the viewer window after an alert.
5) Added option to take you to the MJ software website.
6) Added option to check for updates, which will list the newest changes and optionally take you to the website.

 

Updated. Thank you for MJ RegWatcher.

 

As always GE, thanks a lot!!

 

GE: I have a question. I use IE8 from time to time (best IE in a long, long time) and I keep seeing this change

I have tried various ways to exclude this from being monitored but I can't seem to find the way. I know I must be missing something obvious but I don't know what/where. Any help you could give would be much appreciated!

 

Add
hkey_users\\software\microsoft\internet explorer\toolbar\webbrowser\ITBar7Height
to the Exempt Values list. That should do the trick. With v1.2.6.8 , you can switch to Prompt mode, launch IE8, and when the alert occurs, use the button "Exempt Certain Values" to exempt the ITBar7Height value. HTH,

 

Thanks for the help. I totally forgot about the ability to add Exempt Values while in Prompt Mode. That did the trick!