MJ Registry Watcher

Discussion in 'other anti-malware software' started by Graphic Equaliser, Nov 13, 2004.

Thread Status:
Not open for further replies.
  1. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    Graphic, I think I'm still getting version 1.2.2.5 from http://www.jacobsm.com/index.htm#sft
    The title bar says v1.2.2.5 and the md5 matches the zip file I downloaded Tuesday. I'm anxious to see 1.2.2.6 though. :)
     
  2. gustav21

    gustav21 Guest

    I have some simple (and newbie) questions :

    I'm on 98SE, may I comment out all keys mentioning "windows nt" or should I leave it as is?
    Is there some list concerning only those old OS in MJRW, or do I have to manually tweak it? Or do nothing? If so, does it change anything on my PC's performance?
    Finally, how do I remove a key from monitoring when I receive an alert and don't want the same key monitored again?
    Thanks
     
  3. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Try reloading/refreshing the page. I have checked that the current version is up, and the zip is correct. When I revisit the page with Mozilla Firefox, it comes up with the old version until I click Refresh, when it always gives the current version I just uploaded. However, in IE, sometimes this doesn't work, and you have to exit, clear the cache and history, and go back in, to get it to work.
     
  4. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Don't worry about the NT keys - they are ignored if they cannot be found.

    The lists are based on Hojtsy's work at
    https://www.wilderssecurity.com/showthread.php?t=32823&page=1&pp=25
    and should handle the Windows 9x family fine. As for performance, I need to hear from you, if you have issues. The "ignored" nt keys are skipped, so it should improve performance compared with XP or 2000.

    When an alert occurs, if it concerns a value, you can use the "Comment Out Key" button to ignore it in future. However, if it concerns a file or a subkey addition or deletion, then you can only OK the change, and investigate it subsequently. The display should be on the line that caused the subkey alert, and if you put a # sign at the beginning of the line, and save it, that key should no longer cause alerts. If the line displayed is not the key you wish to comment out, you can search for the key using the F2 function key. This searches for any text you enter, to see if it is in the top window, so you could type part of the key name to find it.
     
  5. gustav21

    gustav21 Guest

    Thanks for your answer Graphic Equaliser

    But if the added or deleted subkey is only a part of the line displayed and I only want to comment out that subkey and NOT the entire key, do I have to add the whole key (subkey included) as another entry in the top panel?
    I'm thinking of the key hkey_users\.DEFAULT\software\microsoft\windows\currentversion\explorer
    "Subkey RunMRU has been deleted" as an example. I don't want to comment out all the rest of the key. How do I do it?

    Using TaskInfo2002, with Customkeys and MJRW 1225, 98SE Pentium2-350Mhz 196Mb Ram, I peak at 7.00% of CPU usage for RegWatcher.exe only.
    If you wish me to try all possible settings with 1226 and give you some feedback about my %CPU, just tell me, it will be my pleasure!
    Thanks again
     
  6. gustav21

    gustav21 Guest

    Here are the results with MJRW 1.2.2.6
    On my ooooooooold computer

    Highest %CPU usage for RegWatcher.exe (monitoring every 7 seconds)
    Custom : 10%
    Light : 6%
    Default : 10%
    Medium : 9%
    High : 9%
    Highest : 17%

    But mostly around 4-8 % when monitoring
    So, what should I use ? High ?
    Thanks again
     
  7. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Wow. You cannot exempt certain subkeys, but you can exempt values. It looks as if Win 9x creates and deletes the MRU subkey. Let me think about this one! In the meantime, you can put the cursor on the line with the key hkey_users\.DEFAULT\software\microsoft\windows\currentversion\explorer and press the Subkeys button. Then go up to the keys it has put in that you don't want (including hkey_users\.DEFAULT\software\microsoft\windows\currentversion\explorer\RunMRU), and delete them. Then save the key set. But that will probably overload your PC - I just tried it, and don't advise it - my figures were :-

    Loaded 1,335 Values (204K) and 1,227 Subkeys (18K) and 19 File Stats

    As for your performance figures, 7% should not be a problem. If it gets in the way, you can pause monitoring by pressing the Stop button. Thanks for your report - it makes interesting reading.
     
  8. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    I also get this one on Win2K:

    ** Thursday 12/2/2004 4:36:21 PM **
    Registry Key hkey_users\S-1-5-21-XXXXXXXXX-XXXXXXXXX-XXXXXXXXX-500\software\microsoft\windows\currentversion\explorer
    Subkey RunMRU has been deleted

    It occurs intermittently, but usually shortly after bootup. I've also seen it being added. I haven't yet noticed a pattern, but neither have I tracked it closely. It seems there have been one or two other trivial sounding subkeys that behave similarly from time to time. Sometimes, I see the MJRW window start to display just as the system is shutting down, but I'm not sure whether or not it was going to alert me to something. I'll try to keep better tabs on what really happens if that will help.

    In this particular case, perhaps any key that ends with "MRU" can safely be ignored.

    PS: Refresh did the trick for the download, thanks. :)
     
    Last edited: Dec 6, 2004
  9. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    When MJRW is shut down, it restores itself from the system tray to the screen in order to store the coords and size of the display window, before exiting. It is *NOT* an alert! ;)
     
  10. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    Hi Graphic, I'm glad to hear that is normal.

    Another subkey that my system (W2K) seems to add/delete fairly often is this:
    -- hkey_users\S-1-5-21-XXXXXXXXX-XXXXXXXXX-XXXXXXXXX-500\software\microsoft\internet explorer\TypedURLs
    Those may be the only two subkeys that add/delete repeatedly. No anxiety for me here, just letting you know.

    BTW, I can't believe how much faster MJRW is now. My P3-800 is handling twice as many keys with less strain. My Athlon XP 1700 sits on zero and only occasionally spikes all the way up to 1 or 2%. Well done! :)
     
    Last edited: Dec 6, 2004
  11. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    I have just put version 1.2.2.7 up on my site at http://www.jacobsm.com/index.htm#sft

    It has the following minor updates :-

    Changes 1.2.2.6 to 1.2.2.7
    1) Added option to maintain a list of exempt subkeys from alerting you.
    2) Added LSA and OLE keys to default lists.

    The exempt subkey list already has a value in it. This hkey_local_machine\system\currentcontrolset\services\nrkctl32 subkey is added and removed when WCPUID is started and ended.

    Some of the latest trojans are writing to these LSA and OLE keys.
     
  12. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Re: Registry Monitor comparison

    I'm suddenly getting error messages caused by MJRW when opening IE. I thought it was a Browser Hijack; it's not. Prevx is picking up the change, as seen in the following screenshot.

    Cheers :D
     
  13. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    Hi Graphic,

    I really like the design for exempted subkeys, and it seems to work very well for HKLM keys. Oddly enough, I think I'm having a problem with HKU-based subkeys. I've exempted the same subkeys repeatedly, but I keep getting alerts. I've used cut and paste to transfer the keys into the exempted list, and can visually confirm that I'm re-adding the same exact name, but it doesn't do anything.

    I tried everything I could think of using my registry editor and experimenting with both the watch and exempt list. My testing seems to confirm that HKU-keys are not successfully exempted, but I couldn't gain any further insights.

    Perhaps I've specified them improperly. I've added: (actual GUID digits X'ed out):
    hkey_users\S-1-5-21-XXXXXXXXX-XXXXXXXXX-XXXXXXXXX-500\software\microsoft\windows\currentversion\explorer\runmru
    hkey_users\S-1-5-21-XXXXXXXXX-XXXXXXXXX-XXXXXXXXX-500\software\microsoft\windows\currentversion\explorer\hotkeys
    hkey_users\S-1-5-21-XXXXXXXXX-XXXXXXXXX-XXXXXXXXX-500\software\microsoft\internet explorer\typedurls

    A separate (very trivial) oddity I noticed is that after unzipping and running MJRW 1.2.2.7 for the first time, the number of seconds between sweeps will display as 5, but seems to be, effectively, zero. The status line is almost constantly "Checking..." and the Start/Options buttons rarely respond. Clicking the time control either up or down fixes the problem.

    I've noticed one more thing as well, but I'll experiment a bit more and write it up for you ASAP.

    Mike
     
  14. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    I'm trying the MJ Registry Watcher, but only the "Log" and "Help" buttons work...

    I also notice that it takes about 5%-20% of my CPU :(
     
  15. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    Have you tried adjusting the time/frequency control? Click the spin control just to the left of the "Regedit" button, (either up or down) and see if that doesn't free up everything else. The post above (#113) describes what I think you're seeing (2nd to last paragraph).

    HTH, Mike
     
    Last edited: Dec 6, 2004
  16. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Thanks earth1 :)

    I think that I will stay with WinPatrol because it is easier and doesn't require such user intervention...

    But it's a very nice program...
     
  17. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,362
    Location:
    Hawaii
    Easy, yes. Holey, too. :D
     
  18. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    I too came across the timer issue today, and adjusting the seconds up then down cures it. I am looking at both the problems Earth1 mentioned, plus a super-slim set of keys for at least some good coverage.
     
  19. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    I know, but I don't want a window popping up all the time... :p
     
  20. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    You can choose from auto-reject or auto-accept, and you will not see any popups. Use the radiobuttons on the left of the buttons.
     
  21. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    Hi again,

    Not trying to bury you today, but I think I've got one more reproducible error now. Open MJRW's main window, press Options and select Edit Exempt Keys. Leave that window open, and start regedit from somewhere else. Change something in the registry that will trigger a popup window. Soon, you should see a MessageBox that says, "Cannot make a visible window modal". I can click OK on that box, but when it disappears, MJRW appears to be locked up.

    I don't want to be too presumptuous, but I'm guessing there's been a time or two in the past where you debated splitting the program into multiple threads. I'm also guessing that trying to leave it single threaded is part of the complication around the scenario above. In case this is an ongoing debate, I've noticed one more thing that you may want to consider if you haven't already.

    When a popup window waits for me to decide to accept or reject a change, the scanning for further changes is halted. If a malicious program can make one change it can make several. One or two innocuous looking changes will keep me busy without realizing I'm under attack. There would be more than enough time for my attacker to make a series of hostile changes to the registry, then shut me down.

    I know there are ways to help avoid being in that position and that you can't ever hope to solve every conceivable attack. I just bring this up now because if the main goal is to ensure "rollback safety", I think MJRW may require at least two threads.

    I certainly don't want to diminish what a valuable program I think MJRW is in its current, single-threaded glory. Just wondering if this is a glimpse at a significant decision.

    Best Regards,
    Mike
     
  22. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Graphic Equaliser, I posted in the wrong thread, it has now been merged into this one at post number 112, can you please take a look at an oddball problem that has appeared.

    Cheers :D
     
  23. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    Hello again, again Graphic,

    Oops, now I'm seeing two threads. Well, obviously, you should probably ignore the crazy parts of my post. Hope some of it actually made sense.

    Mike
     
  24. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    I have just finished version 1.2.2.8 of MJ RegWatcher at http://www.jacobsm.com/index.htm#sft

    It has these changes :-

    Changes 1.2.2.7 to 1.2.2.8
    1) Made application dual-threaded so that UI could function during a checking loop.
    2) Slowed down loop so CPU utilisation is low.
    3) Fixed bug with hkey_user subkey exemption.

    Earth1, this one where you RegEdit and change something to cause a popup to try to appear, when MJRW is already showing something modally (asking for Save or Cancel), is just a shortcoming of the design. Try not to get caught!

    And as for checking while a popup alert is showing, that is an idea that is ticking away in a backroom somewhere at the moment. I sidestep the problem because I always run mine on Reject mode, unless I'm installing something.
     
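Editor's note: the mechanics discussed across this thread (a watch list where a leading # comments a key out and missing "windows nt" keys are skipped, posts 2 and 4; alerts on value changes and subkey add/delete with an exempt-subkey list, posts 7, 11 and 13; the case-insensitive HKU matching that the 1.2.2.8 fix implies, post 24; and the point in post 21 that a single sweep-to-sweep comparison must report every change made in between) are modelled below in one added example. It is not MJRW's code and does not touch a real registry: the "registry" is an in-memory dict so it runs on any OS, the key paths, the placeholder SID S-1-5-21-XXXX-500 and the values are constructed sample data, and the function names (norm, parse_list, snapshot, diff, reject, demo) are the example's own.

```python
"""Snapshot-and-compare registry watching, modelled on the thread's description.
Added example, not MJRW's code.  The registry is an in-memory dict; all key
paths and values below are constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any

RUN_KEY = "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\run"
EXPLORER_KEY = ("hkey_users\\s-1-5-21-xxxx-500\\software\\microsoft"
                "\\windows\\currentversion\\explorer")

# Watch list in MJRW's style: one key per line, a leading '#' comments it out.
# The 'windows nt' key is deliberately absent from the sample registry below.
WATCH_LIST = f"""\
{RUN_KEY}
hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\winlogon
# hkey_local_machine\\software\\microsoft\\windows\\currentversion\\runonce
HKEY_USERS\\S-1-5-21-XXXX-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer
"""

# Exempt-subkey list, pasted in lower case as the HKU entries in the thread were.
EXEMPT_SUBKEYS = f"{EXPLORER_KEY}\\runmru\n"


def norm(path: str) -> str:
    """Registry paths are case-insensitive: compare lower-cased, without
    surrounding whitespace or trailing backslashes."""
    return path.strip().strip("\\").lower()


def parse_list(text: str) -> list[str]:
    """Return the active (uncommented, non-blank) entries of a list."""
    return [norm(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def snapshot(reg: dict, watch: list[str]) -> dict[str, tuple[dict, frozenset]]:
    """Capture values and subkey names of each watched key that exists.
    Keys that cannot be found (e.g. NT-only keys on Win9x) are skipped."""
    snap = {}
    for key in watch:
        node = reg.get(key)
        if node is not None:
            values = {n.lower(): v for n, v in node["values"].items()}
            snap[key] = (values, frozenset(s.lower() for s in node["subkeys"]))
    return snap


@dataclass(frozen=True)
class Alert:
    kind: str   # value_added/value_changed/value_deleted/subkey_added/subkey_deleted
    key: str
    name: str
    old: Any = None
    new: Any = None


def diff(before: dict, after: dict, exempt: set[str]) -> list[Alert]:
    """Report every difference between two sweeps at once, so several changes
    made between sweeps are all seen, not just the first."""
    alerts: list[Alert] = []
    for key in sorted(before.keys() | after.keys()):
        old_vals, old_subs = before.get(key, ({}, frozenset()))
        new_vals, new_subs = after.get(key, ({}, frozenset()))
        for name in sorted(old_vals.keys() | new_vals.keys()):
            if name not in new_vals:
                alerts.append(Alert("value_deleted", key, name, old=old_vals[name]))
            elif name not in old_vals:
                alerts.append(Alert("value_added", key, name, new=new_vals[name]))
            elif old_vals[name] != new_vals[name]:
                alerts.append(Alert("value_changed", key, name, old_vals[name], new_vals[name]))
        for sub in sorted(old_subs ^ new_subs):
            if norm(f"{key}\\{sub}") in exempt:
                continue  # legitimate churn, e.g. Explorer recreating RunMRU
            alerts.append(Alert("subkey_deleted" if sub in old_subs else "subkey_added", key, sub))
    return alerts


def reject(reg: dict, alerts: list[Alert]) -> None:
    """'Reject' mode for values: restore them as the last accepted sweep had them.
    Subkey contents were never captured, so subkey alerts are report-only."""
    for a in alerts:
        vals = reg[a.key]["values"]
        stored = next((n for n in vals if n.lower() == a.name), a.name)
        if a.kind == "value_added":
            vals.pop(stored, None)
        elif a.kind in ("value_changed", "value_deleted"):
            vals[stored] = a.old


def build_sample_registry() -> dict:
    """Constructed sample data, not a real registry."""
    return {
        RUN_KEY: {"values": {"ctfmon": "ctfmon.exe"}, "subkeys": set()},
        EXPLORER_KEY: {"values": {}, "subkeys": {"RunMRU", "Shell Folders"}},
    }


def demo() -> list[Alert]:
    """Two sweeps with activity in between: Explorer deletes RunMRU (exempt,
    silent) and something adds an autostart value (reported)."""
    watch = parse_list(WATCH_LIST)
    exempt = set(parse_list(EXEMPT_SUBKEYS))
    reg = build_sample_registry()
    base = snapshot(reg, watch)
    reg[EXPLORER_KEY]["subkeys"].discard("RunMRU")
    reg[RUN_KEY]["values"]["updater"] = "c:\\temp\\x.exe"
    return diff(base, snapshot(reg, watch), exempt)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Two design points follow from the thread. Matching on normalised (lower-cased) paths is what makes a pasted lower-case HKU exemption match the mixed-case name the sweep sees; a byte-for-byte comparison is the kind of thing that silently fails for one hive and works for another. And because the comparison is between the last accepted snapshot and the current one, a burst of changes made while the user is looking at one popup still shows up in full at the next sweep; whether the next sweep runs while the popup is open is the threading question raised in post 21, which this model does not address.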
  25. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    The problem remains with 1.2.2.8

    MJRW tries to change IE's home page if going between Firefox and IE.

    Cheers :D
     