MJ Registry Watcher

In answer to everything so far, I have put version 1.2.3.3 of MJRW at http://www.jacobsm.com/index.htm#sft

Here are the changes :-

Changes 1.2.3.2 to 1.2.3.3
1) Fixed bug with changing the timer's repeat rate. The loop engine now responds to changes immediately.
2) Fixed bug with blank lines causing errors, and subsequent malfunction of the program.
3) Made top window read-only when MJRW is started, and added an option to toggle the read-only setting.
4) Added function key F6 functionality to minimise MJRW back to the tray.
5) Added value hkey_local_machine\system\currentcontrolset\control\session manager\environment\path
to all lists.

 

I'm very happy with the read-only key-list window, and am already using <F6> without having to think abou it. Thank you, Graphic, for all your work on these features and fixes.

I'm glad you've added "hklm\...\environment\path" as a monitored value, but what felt even better was that I was able to add it (on my own) to the last version (thanks gottadoit). On that same theme, I think that "hklm\currentcontrolset\control\session manager\environment\shell" is yet another way that someone might sucessfully get malware to execute on my machine. Then again, it's on my list now, so I guess they won't be able to do that after all.

 

Oops, I guess I meant the environment variable COMSPEC instead of SHELL (although some programs do use SHELL for similar purposes). I will probably watch both, but I'm not sure if it's important to a large percentage of people.

 

I still experience the same problem.
Using 1.2.3.3, Highest set:

After boot: constant 0% utilization by RegWatcher
Immediately after starting iexplorer: 8% utilization spikes in RegWatcher infinitely repeating
After exiting iexplorer: 8% spikes remain!
After exiting RegWatcher and restarting RegWatcher: 8% spikes again!
After reboot, and starting of RegWatcher: constant 0% utilization again!

Using patched up win2000sp3. If I do not start iexplorer, RegWatcher remains at constant zero utilization. This is not a problem to be solved by throthling: there is some more complicated thing happening here. It could be a bug. I also suspect Norton antivirus may interfere/slow down. On this office computer I am unable to disable NAV to test withouth it. Commenting out every file checking changes nothing. Removing all excemptions changes nothing. Would it be possible to release (or send me) a debug version which would log where is that lots of time spent? My hardware is strong enough to maintain a constant zero utilization, because it does exactly that before I strart iexplorer.
-hojtsy-

 

Hi hojtsy, your problem sounds truly mystifying. Since it persists even after stopping both IE and MJRW, the problem would seem to involve something other than those two programs.

I'm using win2000 SP4, and I don't see any of the same symptoms. On my system, MJRW stays at 0% before and after using IE. I'm wondering if there is a reason that you've avoided SP4? The MJRW problem might not be solved, but there may also be a few security holes that only get plugged by applying SP4.

Do the spikes start only if IE has accessed the internet, or do you start IE at a blank page? If you see the spikes without being connected to the internet, you could try exiting your security programs before starting IE to see if the absence of any other program makes a difference. I suppose it could also be some interaction with a third-party driver or even a BIOS issue (or a dozen other things). Do you get the same interaction in SAFE mode? I'd be interested to know if you isolate any more factors.

 

I have just put up version 1.2.3.4 of MJ Registry Watcher at http://www.jacobsm.com/index.htm#sft (just in time for Christmas )

It has these enhancements :-

Changes 1.2.3.3 to 1.2.3.4
1) Now makes a noise when a non-exempted alert occurs, even in quiet modes. Can anyone guess where I got the sound from?
2) Added hkey_local_machine\system\currentcontrolset\control\session manager\environment\comspec to all lists.
3) Now displays how long it has been running for (up time). Consecutive differences between up times on each loop, less the sweep delay time, can be used to time the sweep run.
4) Now displays what mode it is running in, on the tray hint. Saves having to Restore/Minimise to see.

Hojtsy, could you let me know what throttle settings you have, and the CPU spec that it is running on? TIA,

 

Mele Kalikimaka from Hawaii to all fans of MJRegWatch, & especially to Graphic Equaliser, with my fervent thanks for a truly splendid program.

Haku sama YO!!!

 

Hi Graphic,
Merry Christmas to you too, and thanks for your wonderful presents (and presence). I'm sorry I didn't get you anything. But if I did have something for you, you might rather wait until after the holidays anyway.

Wait, wait, I know I know that sound from somewhere... I think... is it... no... NO... NOOOO, Graphic, please, say it ain't so! Pleeeasse tell me you did not kidnap Scotty the Windows Watch Dog. It's just so wrong! ...I'll admit, though, it seems Scottie's watchful eye is taking in more than ever before.

A warm Season's Greetings to all.

 

I am using MJ 1.2.3.4, Highest set, default timing settings.
Home system: win2000sp4, IE6sp1, TeaTimer, 100k values, 10k keys
Office system: win2000sp3, IE6sp1, 100k values, 10k keys

On both systems MJ CPU usage starting with 0%, and jumps up to 5-6% pulses after opening any page in IE which contain FLASH animation.

Only after a page with macromedia flash is displayed.

On the office machine the only other security program is Symantec AV, but I am not allowed to exit from that one. Note that I also has Symantec AV at home, but disabling it does not seem to affect.

The two computer hardwares I tested are quite different, and this happens on both.

I had some progress now in uncovering this mistery. Firstly the MJ CPU usage jumps up only after I open a page containig FLASH animation! For example http://www.stanthonyparish.org/tools/flashtest.htm. To restore 0% utilization by MJ, usually it is enough to close the single IE window which displays the flash. But on my office machine, where I am using Xdesk software, this software need to be closed TOO, to restore the normal low CPU usage. Quite strange.

Could others please test this thing too.

-hojtsy-

 

Hi Graphic,
see The List for more locations not yet covered.
By the way I find the popup sound effect annoying. Could you please make an option to disable/replace it?
-hojtsy-

 

Hi Graphic, I agree with hojtsy about needing an option to disable the audio alert. I may want it on most of the time, but if I'm recording a radio program, for instance, I'd like to avoid recording alerts as well. I'd be happy with an on/off option or a separate .wav file that plays if present. That would allow users to choose a different sound (or no sound).

Also, when I recently created a new link in my startup directory, MJRW didn't react. After some testing, I realized it was because I was logged into my restricted account, and MJRW was "runas" Admin. In this case, MJRW is not watching "my" startup directory, it watches it's own (Admin). After thinking this through, I'm wondering whether you may want to watch for changes in every directory that matches:
--- %bootdrv%\Documents and Settings\*\Start Menu\Programs\Startup
I don't know what the performance impact would be, but should a program get copied into any account's startup directory, it could certainly create a problem the next time that account is accessed.

As always, just my two cents about the future of a highly valued program.

 

I'm glad that you seem to be zeroing in on the problem. For myself, I've always left Flash in the category of programs from which I expect more grief than gratification. I'm not familiar with Xdesk, but the complication it adds sounds like a bizarre twist..

I'm planning to start a fresh system install in a few days, so if no one confirms your findings, I'll try installing Flash at a point where I can restore a "before" image. Hopefully someone who uses IE and Flash can try right away. Meantime, perhaps the output from RegMon/FileMon/APImon etc. could shed some light on the nature of the conflict. It's also very possible that they will generate a huge pile of unhelpful data to sift.

Good luck.

 

Hi Graphic,

I must agree with the others about needing an option to disable and/or customise the audio alert. I hope you add this option into a release soon.

I also have another request: Could you offer a way of specifying certain keys to always have changes be rejected? Pherhaps in addition to the # key 'commenting out' (ignore) certain keys, an exclamation mark (!) would always have mjrw reject any changes to that key.

This way the program could still run in prompt mode for all but specified (ignored or always-no) keys.

thanks for a great program. hope to hear from you soon.
Scott

 

My current creative drift is focused elsewhere for the moment. I will return to MJ Registry Watcher once my free time pool replenishes itself. I've just installed a new hard disk because the old one keeps giving me a warning about SMART detecting pending failure. The new one being 250GB and my having an Asus AliMagik mobo caused a lot of problems. I've had to install special drivers and an updated BIOS to get it to work properly! "It's been emotional".

In the meantime, keep the suggestions coming in. I like Sira's idea of assigning "Auto-Reject" tags to certain keys. I also like the exclamation character (!) . I will supply the WAV file separately, thereby letting you change it to whatever you like, and put an option to run with no noise. I need to address certain key omissions. Earth1's suggested key %bootdrv%\Documents and Settings\\Start Menu\Programs\Startup has led me to consider being able to protect directories generically. I could then get rid of the common and user startup bit, and replace it with directory name entries in the top window which would by default contain startup directories for all users.

As for Hojtsy's Win2K SP3 problem, I think I need more clues, so keep researching please. Cheers everyone and thank you for your patience.

 

Hi hojtsy,

After installing IE's Flash plugin, then loading http://www.stanthonyparish.org/tools/flashtest.htm., I did see MJRW's CPU usage increase substantially. With an animation active (taskmgr.exe on fast update) I saw 4-6% spikes while MJRW's status bar was counting.

I did not, however, have to close the browser window to get the CPU usage back to normal. As soon as I pointed IE at a page with no animation, MJRW's CPU usage would return to zero. Are you sure that your home system kept MJRW's CPU usage high until the browser was closed?

I realize you may not be able to do anything about it, but I wonder if your office system has more problems because SP4 is not installed. Of course Xdesk (or virtually anything ) could be significant too.

While I understand that CPU contention (and API contention) can escalate rapidly, I don't know whether the reason(s) for MJRW's performance loss can be well or easily understood. I struggled to get the combination of MJRW and BOClean to work efficiently with more than one of the AV's that I tested. Maybe Graphic can shed some light in terms of what MJRW is up against, and/or what it doesn't "like".

Hope we find out what's going on.

 

Ahhhhh sounds like you are having fun, hope it all works out for the best...

Great program, thank you.

Cheers

Blackspear

 

Hi Graphic,

I hope your system is happy and stable once again. Nobody likes getting "emotional" with their computer.

I, too, liked Sira's idea of using !HKLM\blah\blah\keyname as an auto-reject mechanism. After considering it, I have a handful of questions. Should it mean no subkeys or values can be added or deleted directly under the key? I assume it means the key itself cannot be deleted. If the key doesn't already exist, does it mean that any attempt to add the key will be rejected? If the set of values under the key cannot change, can the data associated with one of the existing values be changed? I assume that 2nd level subkeys would not be effected (assuming wildcards are not employed). I fear there may be even more possibilities.

A separate, but related question is could you use the same syntax to spell out the full name of an existing value, and have changes to that one particular value be auto-rejected?

The separate .wav file sounds great. With regard to protecting multiple startup directories, I'm guessing that you're considering using WaitForMultipleObjects() on several ChangeNotification handles. If you haven't used them before, I have 'C' source for a very simple command line program that uses WaitForSingleObject() to wait until a change is made in/under the directory it was told to monitor. As soon as Windows detects a change, the program simply exits. I'm guessing you don't need it, but just in case it would help, let me know.

And no more singin' them low-down, dirty, MoBo Blues...

 

You are right. I was not exact in stating my experiences. It is enough to unload the flash page (by loading an different page) to restore the 0% utilization, and it is not required to close the browser window.
Now that somebody else experienced the same strange slowdown, I am convinced that it has nothing to do with my environment. It may be the very same reason why I found old versions of MJRW cpu consuming, because I view all kinds of flash pages.
-hojtsy-

 

Withouth big changes in Regwatcher the following seems feasible:

No *values* can be added or deleted.

No. Regwatcher can not stop that. Currently key undeletion feature is not present, and is considered problematic.

No. Regwatcher can not stop that. Currently key deletion feature is not present, and considered dangerous.

Data of values will be protected from changes.

They would not be.

-hojtsy-

 

Thanks, hojtsy. I do remember reading through some of those issues earlier in the thread, but you've made my mental picture much clearer.

I still hope auto-reject can apply to one specifiic value or to all values under a specified key. It might also be useful to have the opposite ability to "always auto-accept" on a key and/or value. Syntactically, perhaps, '=' or '+' could indicate auto-accept. There might be a simple clarity to using '-' for reject with '+' for accept, but I think '!' for reject with '=' for accept would work well too. (at least for programmers )

 

Sorry if this has been mentioned before but.... is there any plans to make MJ Reg Watcher intercept registry changes instead of finding them after the fact? I feel that this is a much better approach at security.

 

Well yes, but it seems to be much more complex to implement.
In the meantime the following applications offer registry change intercepting features:
Tiny Personal Firewall (unknown key list),
PrevX (unknown key list),
DiamondCS Process Guard (only a few keys)

-hojtsy-

 

I have no plans to make MJRW intercept changes. The number of monitoring threads would be ridiculous, given the coverage, and I have no idea what the cpu consumption would be.

I have posted a new set of "Custom" keys at http://www.jacobsm.com/MJRegWatchKeys.txt and it is quite something. Every control set is now protected, rather than just currentcontrolset, and I have corrected and added all the keys in Hojtsy's list at https://www.wilderssecurity.com/showthread.php?t=32823&page=1&pp=25 , and the ones at http://forums.subratam.org/index.php?showtopic=1063

It gives very good coverage to both known and unknown trojans. However, the payload is that you may have to adjust the throttle timing down to 10 ms and have the number of lines per trigger at 3 to get frequent enough sweeps. The new forthcoming sets (and the new custom set above) are more demanding than previous versions, yet I have not noticed much impact on performance, but we are talking 1GHz cpus and upwards. On my office 2.8GHz P4 HT it amasses a total of 2 or 3 seconds cpu time in 8 hours of computer use.

As for auto-reject keys, I am beginning to think this was a bad idea after all. A better way would be to say, if running in "Prompt" mode (and only in this mode), keys prefixed with an exclamation auto-reject, and keys prefixed with an equals sign auto-accept.

Earth1, I have also run into a problem with directory protection. If you decide to protect *all* of the Windows directory, for example, I will have to copy the contents somewhere on startup. Yikes! No way, Jose. But there is a "what you gain on the swings, you lose on the roundabouts" solution to this. Directory entries in the top window just list the contents of the directory, as a list of file details (like the details we currently see for files). Then, I wouldn't have to copy anything anywhere. I would keep the current Common and User startup protection and rollback capabilities, but you would be able to do a no-rollback alert for other user's startup directories.

If all that sounds OK to you, I'll crack on with it. Secretly, I was hoping that 1.2.3.4 would be the last version (is there such a thing?!?), but it seems there are still a few little irritations in the user interface, like pressing escape on the help or log screens does not close the window. These will all be addressed in the up and coming next version.

 

Thank you, Graphic, for the updated key list. I'm running it now with the suggested throttle settings. It does take a bit more CPU, but seems reasonable.

Agreed, that's a much better way to say it. It's great that you want to do it..

I'm not sure I understand what you mean. I tried adding a directory name to my key list (c:\test). After adding a trailing backslash, MJRW accepted the input. Highlighting that entry in the top pane, however, yielded this result in the centre pane (even though c:\test did contain two files):
==================================================
c:\test\ - File does not Exist
==================================================
Were you were proposing a new behaviour for the upcoming release, or did I miss your meaning completely?

I heartily agree that you don't want to monitor all of "Documents and Settings" just to protect the startup directories. A viable alternative might be to leave the default as it is now, but add a syntax element that allows directories to be specified. If one or more directories are specified, then monitor those, else monitor the defaults. I guess this could extend to directories other than startups. On the downside, rollback from a changeable list of directories would involve more new code. Perhaps the user should create the rollback directory and specify it by name. Maybe something like these paired entries:
(@directory)C:\Documents and Settings\myUsername\Start Menu\Programs\Startup\
(@rollback)C:\regwatcher\rollbackData\myUsername

Since you are considering winding this down, I don't want to get too carried away. Maybe you'll want to do what's expedient for the moment, and see how you feel about it later. No matter what you decide for the future, RegWatcher, as it stands now, is a magnificent contrbution.

With yet another well deserved thanks-ly yours,
Mike

 

Earth1, the directory protection is a proposal. But you missed my point. I was saying that it would be unfeasible to protect huge directories like Windows because the time it would take to do a rollback snapshot of its contents at startup would be too long. So, what I am proposing is that I simply store lists of file info for each directory entry in the top window. If any file in the directory changes, it would no longer match this list, and cause an alert. But roll back would be impossible. It would be an alert like the subkey addition/deletion one, with a simple OK button. I hope that's clear. eg.

C:\Documents and Settings\\Start Menu\Programs\Startup