Registry Monitor comparison

Discussion in 'other anti-malware software' started by hojtsy, May 19, 2004.

Thread Status:
Not open for further replies.
  1. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    I am collecting and comparing the list of monitored keys and other capabilities of current registry monitor apps, mostly the free ones. The list of monitored keys may or may not be the most important feature of an application, but this thread mainly discusses this aspect.

    '+' means: Key (group) is monitored by the app
    'L' means: Key is monitored by the app only in the HKLM subtree
    'U' means: Key is monitored by the app only in the HKCU subtree
    'HK**' means: The same key is monitored in both HKLM and HKCU
    *** means: Recurse into all immediate subkeys here, 1 level depth

    List entry types:
    (K) is a key, contained values/subkeys are watched
    (v) is a single value watched for changes
    (M) multiple values in different keys
    (?) entry type unknown. Please provide information

    1 SM: Mike Lin's Startup Monitor (free)
    2 RP: DiamondCS Registry Prot 2.0 (free)
    3 RD: RegDefend 1.0 (shareware) [Wilders forum]
    4 RR: Regrun 4 Gold Pro (shareware) [see also]
    5 TT: Spybot Search and Destroy Teatimer (free)
    6 SS: System Safety Monitor (free)
    7 GA: Microsoft Antispyware = Giant Antispyware (free)
    8 WP: Winpatrol
    9 MJ: MJ Registry Watcher 1.2.3.8 (free) [Wilders thread]

    Links are provided to reports about malware using the specific key. Isn't that cool!

    Autostarts
    1 2 3 4 5 6 7 8 9
    S R R R T S G W M
    M P D R T S A P J
    + + + + + + + + + (K) HK**\SW\MS\Windows\CV\Run(Once) link
    - + - + - - - - + (K) HKLM\SW\MS\Windows\CV\RunEx
    - + - - - - - - + (K) HKLM\SW\MS\Windows\CV\RunOnce\Setup link
    - + + + - + + + + (K) HKLM\SW\MS\Windows\CV\RunOnceEx link
    - - - + + + L + + (K) HK**\SW\MS\Windows\CV\RunServices(Once) link
    - - + + - - + - + (v) HKCU\SW\MS\Windows\CV\Explorer\Shell Folders\Startup link
    - - - + - - + - + (K) HKCU\SW\MS\Windows\CV\Explorer\User Shell Folders
    - - - - - - + - + (K) HKLM\SW\MS\Windows\CV\Explorer\ShellExecuteHooks link
    - - - + - - - - + (K) HKLM\SW\MS\Windows\CV\Explorer\SharedTaskScheduler link
    - - - + - - - - + (K) HKLM\SW\MS\Windows\CV\ShellServiceObjectDelayLoad link
    - - - - - - - - + (?) HKLM\SW\MS\Windows\CV\app management\arpcache\ link
    - - - + - - - - + (K) HKLM\SW\MS\Active Setup\Installed Components link
    - - - ? - - - - + (M) HKLM\SW\MS\Active Setup\Installed Components\***\StubPath link
    - + - + + + + - + (K) HKLM\Software\CLASSES\#file\shell\open\command (#=exe,com,pif,bat) link
    - - - + - + + - + (K) HK**\SW\MS\Windows\CV\policies\Explorer\Run link
    - - + + - - - - + (v) HKLM\System\CCS\Control\Session Manager\BootExecute link
    - - - + - - - - + (K) HKLM\System\CCS\Control\Session Manager\FileRenameOperations link
    - - - - - - - - + (K) HKLM\System\CCS\Control\Session Manager\KnownDLLs link
    - - + - - - - - + (v) HKLM\System\CCS\Control\Session Manager\PendingFileRenameOperations link
    - - + - - - - - + (v) HKLM\System\CCS\Control\Session Manager\environment\path
    - - - - - - + - + (K) HKLM\System\CCS\Control\lsa link
    - - + + - + - - + (K) HKLM\System\CCS\Services link
    - - - + - + - - + (M) HKLM\System\CCS\Services\***\Image Path
    - - - - - - - - + (K) HKLM\System\CCS\Services\vxd link
    - - - + - - + - + (K) HKLM\System\CCS\Services\WinSock2 link
    - - - - + - + - + (K) HKLM\SW\MS\Code Store Database\Distribution Units\ link
    - - - + - + - - + (?) HKLM\SW\Policies\Microsoft\Windows\System\Scripts\Shutdown
    - - - + - + - - + (?) HKLM\SW\Policies\Microsoft\Windows\System\Scripts\Startup link
    - - - + - U - - + (?) HK**\SW\Policies\Microsoft\Windows\System\Scripts\Logon
    - - - + - U - - + (?) HK**\SW\Policies\Microsoft\Windows\System\Scripts\Logoff
    - - - + - - - - + (v) HKCU\Control Panel\Desktop\scrnsave.exe link
    - - - - - - - - - (K) HK**\SW\MS\Windows NT\CV\Extensions
    - - - L - - ? - ? (?) HK**\SW\MS\Windows NT\CV\IniFileMapping\win.ini\load
    - - - L - - ? - ? (?) HK**\SW\MS\Windows NT\CV\IniFileMapping\win.ini\run
    - - - L - - L - + (v) HK**\SW\MS\Windows NT\CV\IniFileMapping\win.ini\Winlogon
    - - - L - - L - + (v) HK**\SW\MS\Windows NT\CV\IniFileMapping\system.ini\boot\shell
    - - + + - - - + + (v) HKCU\SW\MS\Windows NT\CV\Windows\Run link
    - - + + - - - + + (v) HKCU\SW\MS\Windows NT\CV\Windows\Load link
    - - L + - - - - + (K) HK**\SW\MS\Windows NT\CV\Winlogon link
    - - L + - - L - + (v) HK**\SW\MS\Windows NT\CV\Winlogon\UserInit link
    - - + + - + + - + (v) HKLM\SW\MS\Windows NT\CV\Winlogon\Shell link
    - - + - - - - - + (v) HKLM\SW\MS\Windows NT\CV\Winlogon\Taskman
    - - - + - - - - + (K) HKLM\SW\MS\Windows NT\CV\Winlogon\Notify link
    - - - + - - - - + (K) HKLM\SW\MS\Windows NT\CV\Svchost link
    - - + + - + - - + (v) HKLM\SW\MS\Windows NT\CV\Windows\APPINIT_DLLs link
    - - - - - - - - + (M) HKLM\SW\MS\Windows NT\CV\Accessibility\Utility manager\***\Application path
    - - - - - - - - + (K) HKLM\SW\MS\Windows NT\CV\WOW\boot link
    - - - - - - - - + (K) HKLM\SW\MS\Windows NT\CV\Shell Extensions\Approved link
    - - - - - - - - + (K) HKEY_CLASSES_ROOT\Protocols\Filter link
    - - - - - - - - + (K) HKLM\SW\Classes\Protocols\Filter link
    - - - - - - - - + (K) HK**\SW\classes\mailto\shell\open\command link
    - - - - - - - - + (v) HKCU\SW\MS\Command Processor\AutoRun link
    - - - - - - - - + (K) HK**\SW\MS\ole link
    - - - - - - + - - (v) HKCR\ftp\shell\open\command\(Default)
    - - - - - - + - - (v) HKCU\ftp\shell\open\command\(Default)
    - - - - - - - - + (K) HKLM\System\CCS\Control\MPRServices link
    1 2 3 4 5 6 7 8 9
    S R R R T S G W M
    M P D R T S A P J

    Security settings
    1 2 3 4 5 6 7 8 9
    S R R R T S G W M
    M P D R T S A P J
    - - - - - - - - + (K) HKLM\SW\MS\Windows\CV\Explorer\Advanced link
    - - - - - - - - - (K) HKLM\SW\MS\Windows\CV\WindowsUpdate link
    - - - - - - - - + (K) HK**\SW\MS\Windows\CV\policies\Explorer link
    - - - - - - + - - (K) HKLM\SW\MS\Windows\CV\policies\Explorer\RestrictRun link
    - - - - - - - - + (K) HK**\SW\MS\Windows\CV\policies\System link
    - - - - - - - - + (K) HK**\SW\MS\Windows\CV\policies\Network link
    - - - - - - - - - (K) HKLM\SW\MS\Security Center link
    - - - - - - - - - (K) HKLM\SW\Policies\Microsoft\Windows\WindowsUpdate link
    - - - - - - + - + (v) HKLM\SW\MS\Windows NT\CV\Winlogon\DefaultPassword

    Internet Explorer hijacks and parasites
    1 2 3 4 5 6 7 8 9
    S R R R T S G W M
    M P D R T S A P J
    - - + + + - + - + (K) HKCU\SW\MS\Windows\CV\Explorer\Browser Helper Objects link
    - - - - - - L - + (K) HK**\SW\MS\Internet Explorer\Toolbar link
    - - - - U - U - + (K) HK**\SW\MS\Internet Explorer\Toolbar\WebBrowser link
    - - - - - - U - + (K) HK**\SW\MS\Internet Explorer\Toolbar\ShellBrowser
    - - - - U - + - + (K) HK**\SW\MS\Internet Explorer\Explorer Bars\ link
    - - - - U - - - + (K) HK**\SW\MS\Internet Explorer\MenuExt\ link
    - - - - U - + - + (v) HK**\SW\MS\Internet Explorer\Main\Local Page link
    - - - - U - + - + (v) HK**\SW\MS\Internet Explorer\Main\Search Page link
    - - - - U - + - + (v) HK**\SW\MS\Internet Explorer\Main\Search Bar link
    - - - - U - + - + (v) HK**\SW\MS\Internet Explorer\Main\Start Page link
    - - - - U - L - + (K) HK**\SW\MS\Internet Explorer\Search\ link
    - - - - U - - - + (K) HK**\SW\MS\Internet Explorer\SearchUrl\ link
    - - - - - - - - + (K) HK**\SW\MS\Internet Explorer\Styles link
    - - - - - - L - + (K) HKLM\SW\MS\Internet Explorer\AboutURLs link
    - - - - - - + - + (K) HK**\SW\MS\Internet Explorer\extensions
    - - - - - - - - + (K) HKCU\SW\MS\Internet Explorer\extensions\cmdmapping link
    - - - - - - + - - (K) HKCU\SW\MS\Internet Explorer\URLSearchHooks link
    - - - - - - - - - (K) HK**\SW\MS\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN link
    - - - - - - + - + (K) HKLM\SW\MS\Windows\CV\Internet Settings\SafeSites link
    - - - - - - + - - (M) HKCU\SW\MS\Windows\CV\Internet Settings\Zones\***\CurrentLevel
    - - - - - - + - - (K) HKCU\SW\MS\Windows\CV\Internet Settings\ZoneMap\Domains
    - - - - - - - - + (K) HKU\.default\SW\MS\Internet Explorer\extensions\cmdmapping
    - - - - - - + - + (K) HKLM\SW\MS\Windows\CV\URL\DefaultPrefix link
    - - - - - - + - + (K) HKLM\SW\MS\Windows\CV\URL\Prefixes link


    Keys of questionable relevance:
    1 2 3 4 5 6 7 8 9
    S R R R T S G W M
    M P D R T S A P J
    - + - - - - + + + (K) HKCU\SW\MS\Windows\CV\RunOnceEx
    - - - - - - - - + (K) HKCU\SW\Policies\Microsoft\Windows\safer\codeidentifiers
    - - - - - - - - + (K) HK**\SW\MS\Windows NT\CV\IniFileMapping
    - - - - ? - - - + (K) HK**\SW\MS\Internet Explorer\
    - - - - ? - - - + (K) HK**\SW\MS\Internet Explorer\Main\
    - - - - - - - - + (K) HKLM\System\CCS\Services\WinSock2\Parameters
    - - - - - - - - + (K) HKCU\SW\MS\Windows\CV\Explorer\fileexts
    - - - - - - - - + (K) HKU\***\SW\MS\Windows\CV\Explorer\fileexts\***\OpenWithList
    - - - - - - - - + (M) HKU\***\SW\MS\Windows\CV\Explorer\fileexts\***\Application
    - - - - - - - - + (K) HKU\***\SW\MS\Windows\CV\Run(Once)
    - - - - - - - - + (K) HKU\***\SW\MS\Windows\CV\RunServices(Once)
    - - - - - - - - + (K) HKCR\Protocols\Filter\Class Install Handler


    Some features:
    1 2 3 4 5 6 7 8 9
    S R R R T S G W M
    M P D R T S A P J
    - - + + - + - - + ¦ *** Monitors any user configured reg. keys ***
    - - - - - - - - + ¦ Monitors user configured keys based on wildcards
    - - + + - + - + + ¦ Monitors any user configured file associations
    + + - - + + - - + ¦ Is free
    - - + - - + - - + ¦ Displays complete list of monitored keys
    - - - + - - - + + ¦ Displays the content of autostart entries
    + + - + + + + + + ¦ Works by polling the registry content every x seconds
    - - + - - - - - - ¦ Works by intercepting registry change attempts
    - - ? + + + - - + ¦ Also monitors deletions from registry
    - - - - - + + - + ¦ Auto-undos the change before displaying popup dialog
    - - + - - + ? - - ¦ Is also a kind of sandbox
    + + ? + + - + + + ¦ Monitors some files for changes
    - - ? ? - + - - - ¦ Survives certain termination attempts


    Most of these are auto-start locations. The others are some keys you do not want to be changed by malware.

    If you find errors or have some app or key to add (such as Ad-Watch) please post.
    Please avoid holy wars in this thread, I would like it to remain focused.

    You may also be interested in listing the autostarting applications on-demand. For this I suggest the free Sysinternals Autoruns. Warning: this is not a registry monitor.

    See also these places for more regkey lists, and explanations:
    http://forums.subratam.org/index.php?showtopic=1063
    http://www.diamondcs.com.au/index.php?page=autostarts
    http://www.giantcompany.com/antispyware/research/doc_howto_spywaremanifests.aspx
    http://research.pestpatrol.com/Whitepapers/AutoStartingPests.asp
    http://www.cpcug.org/user/clemenzi/technical/Parasites/BrowserHijackers.html
    The NT booting process

    Note that this post #1 keeps growing with new keys, and information added from time to time.
    -hojtsy-
     
    Last edited by a moderator: Feb 19, 2005
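    As an added illustration of the "works by polling the registry content every x seconds" row in the features table (this is example code written for this page, not code from any of the apps compared above): a small PowerShell monitor that snapshots a subset of the autostart keys listed in the table and reports added, changed and removed values between polls. The chosen subset, the 10-second interval and the expansion of the table's SW\MS\CV shorthand to full paths are assumptions made here.

```powershell
# Added example (not from the thread): polling-style registry autostart monitor.
# Snapshots a subset of the autostart locations from the comparison table and
# reports additions, changes and deletions between polls, so removals are
# caught as well (the table's "Also monitors deletions from registry" row).

# Assumed subset of the table's keys, with the SW\MS\CV shorthand expanded.
$WatchedKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',   # Shell, UserInit
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',    # AppInit_DLLs
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',    # Run, Load
    'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager',        # BootExecute
    'HKCU:\Control Panel\Desktop'                                    # scrnsave.exe
)

function Get-AutostartSnapshot {
    # Returns a hashtable mapping "key|valueName" to the value data as a string.
    # Whole keys are watched, so the single-value (v) entries of the table are
    # covered along with everything else stored beside them.
    $snap = @{}
    foreach ($key in $WatchedKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }   # key absent on this box
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            # Do not expand %VAR% references: a change in the raw string is what matters.
            $data = $item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            $snap["$key|$name"] = ($data -join ',')   # REG_MULTI_SZ becomes one string
        }
    }
    return $snap
}

function Compare-AutostartSnapshot {
    param([hashtable]$Before, [hashtable]$After)
    $changes = @()
    foreach ($k in $After.Keys) {
        if (-not $Before.ContainsKey($k)) {
            $changes += [pscustomobject]@{ Change = 'ADDED';   Entry = $k; Old = $null;       New = $After[$k] }
        } elseif ($Before[$k] -ne $After[$k]) {
            $changes += [pscustomobject]@{ Change = 'CHANGED'; Entry = $k; Old = $Before[$k]; New = $After[$k] }
        }
    }
    foreach ($k in $Before.Keys) {
        if (-not $After.ContainsKey($k)) {
            $changes += [pscustomobject]@{ Change = 'REMOVED'; Entry = $k; Old = $Before[$k]; New = $null }
        }
    }
    return $changes
}

# Poll loop: every $IntervalSeconds (assumed value) compare against the previous snapshot.
$IntervalSeconds = 10
$previous = Get-AutostartSnapshot
Write-Host "Baseline: $($previous.Count) autostart values across $($WatchedKeys.Count) keys."
while ($true) {
    Start-Sleep -Seconds $IntervalSeconds
    $current = Get-AutostartSnapshot
    foreach ($c in (Compare-AutostartSnapshot -Before $previous -After $current)) {
        "{0:u} {1,-7} {2}  old=[{3}] new=[{4}]" -f (Get-Date), $c.Change, $c.Entry, $c.Old, $c.New | Write-Warning
    }
    $previous = $current
}
```

    Because it polls, a value that is written and reverted within one interval is never seen; that window is what separates the "polling" row of the table from the "intercepting registry change attempts" row.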
  2. FanJ

    FanJ Guest

    Last edited by a moderator: May 19, 2004
  3. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    FanJ,
    I added Regrun, but the list entries are just assumptions. Could you please check that it is correct? I suggest posting the list of monitored keys when suggesting apps.
    -hojtsy-
     
  4. Sumire

    Sumire Registered Member

    Joined:
    Sep 26, 2002
    Posts:
    43
    Location:
    Japan
  5. FanJ

    FanJ Guest

    First of all:
    I do applaud Hojtsy for trying to get such a list !!! :D

    Also thanks to Sumire for those links !
    At the moment I haven't read them all, but I was very pleased at a first look to see NISFileCheck mentioned.
    It ain't no secret that I'm a BIG fan of NISFileCheck.

    Maybe it is a good idea to point to the difference of:
    - file-integrity-checkers, like NISFileCheck, FileChecker from Javacool, etc.;
    - registry-integrity-checkers like RegRun.

    With respect to auto-start places on your system, some of those utilities have some "overlap", but it can't hurt to have more than one program to watch them.
     
  6. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Wow Sumire, there are mighty lots of infos in those threads.

    I updated the table with explicit locations and more keys. Unfortunately there are lots of assumptions in the table. I don't have time to test all this out: please help!

    -hojtsy-
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi hojtsy, you have picked a difficult task. Well done! Though I do not think that Process Guard should be classed as a registry checker, as it only checks the one entry you have shown. :)

    Of the commercial programmes, AdWatch from Lavasoft also monitors Reg run changes as does TDS3.
     
  8. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    TDS does not actively monitor, so it does not classify here. I would love to include AdWatch, if somebody could please list the keys it watches.
    -hojtsy-
     
  9. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    By using the Sysinternals registry monitoring utility (Regmon), I monitored TeaTimer.exe through a few cycles and compiled the results below. This is by no means official and is solely based on an observation by an interested user of Spybot.

    Code:
    HKCU\Test-Dummy\Test-Resident\ ....Cycle starts

    HKCR\batfile\shell\open\command
    HKCR\comfile\shell\open\command
    HKCR\exefile\shell\open\command
    HKCR\piffile\shell\open\command
    HKCR\scrfile\shell\open\command
    HKCR\regfile\shell\open\command

    HKCU\batfile\shell\open\command
    HKCU\comfile\shell\open\command
    HKCU\exefile\shell\open\command
    HKCU\piffile\shell\open\command
    HKCU\scrfile\shell\open\command
    HKCU\regfile\shell\open\command

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\
    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
    HKCU\Software\Microsoft\Internet Explorer\MenuExt\
    HKCU\Software\Microsoft\Internet Explorer\
    HKCU\Software\Microsoft\Internet Explorer\Main\
    HKCU\Software\Microsoft\Internet Explorer\Search\
    HKCU\Software\Microsoft\Internet Explorer\SearchUrl\

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
    HKLM\SOFTWARE\Microsoft\Internet Explorer\MenuExt\
    HKLM\Software\Microsoft\Internet Explorer\
    HKLM\Software\Microsoft\Internet Explorer\Main\
    HKLM\Software\Microsoft\Internet Explorer\Search\
    HKLM\Software\Microsoft\Internet Explorer\SearchUrl\

    HKCU\Test-Dummy\Test-Resident\ ....Cycle starts again

     
  10. Sumire

    Sumire Registered Member

    Joined:
    Sep 26, 2002
    Posts:
    43
    Location:
    Japan
    Hi, hojtsy

    I also respect your efforts.
    With SSM's normal setting, it seems that SSM can monitor the following entries.

    SSM
    + HKLM\SW\MS\Windows\CurrentVersion\Run
    - HKLM\SW\MS\Windows\CurrentVersion\RunEx
    + HKLM\SW\MS\Windows\CurrentVersion\RunOnce
    - HKLM\SW\MS\Windows\CurrentVersion\RunOnce\Setup
    + HKLM\SW\MS\Windows\CurrentVersion\RunOnceEx
    + HKLM\SW\MS\Windows\CurrentVersion\RunServices
    + HKLM\SW\MS\Windows\CurrentVersion\RunServicesOnce
    + HKCU\SW\MS\Windows\CurrentVersion\Run
    + HKCU\SW\MS\Windows\CurrentVersion\RunOnce
    - HKCU\SW\MS\Windows\CurrentVersion\RunOnceEx
    + HKLM\SW\MS\Windows NT\CurrentVersion\Winlogon\Shell
    - HKCU\SW\MS\Windows\CurrentVersion\Explorer\Shell Folders
    + HKCU\SW\MS\Windows\CurrentVersion\Explorer\User Shell Folders
    - HKCU\SW\MS\Internet Explorer\Main\...
    - HKLM\SW\MS\Active Setup\Installed Components\KeyName
    - HKU\...\SW\MS\Windows\CurrentVersion\Run...
    + HKLM\Software\CLASSES\exefile\shell\open\command
    - ...\SW\MS\Windows NT\CurrentVersion\Winlogon\UserInit
    + HKLM\SW\MS\Windows NT\CurrentVersion\Windows\APPINIT_DLLs
    - ...\SW\MS\Windows\CurrentVersion\policies\Explorer\Run
    - HKLM\SW\MS\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    - HKLM\SW\MS\Windows NT\CurrentVersion\IniFileMapping
    - HKLM\System\CCS\Control\Session Manager\BootExecute
    - HKLM\System\CCS\Control\Session Manager\FileRenameOperations
    - SharedTaskScheduler
    + Common_Startup_Folder
    + User___Startup_Folder
    - Other_User_Startup_Folder
    - screensaver
    - NT_logon_script
    + NT_wininit_ini
    - User_stylesheet
    - User configured reg. keys


    In addition to this, I added the following registry entries to the SSM's monitor.

    HKCR\exefile\shell\open\command\
    HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components

    I think preventing ITW threats is the most important thing, so I added the above entries. Please look at the screen shot below. It is the screen shot of the backdoor MiniMo's auto-start editor.

    And the backdoors Beast and Subseven use ActiveX startup as a start-up method, so I added ActiveX startup.
    http://www.nsclean.com/psc-bst.html

    Any suggestions and recommendations are really appreciated. :)

    Best Regards.
     

  11. --?--

    --?-- Guest

    This is a very good thread! Thanks everybody.
     
  12. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Sumire and Bubba: thanks very much. I updated the table.
    Bubba, could you be so kind as to do the same registry monitoring of DiamondCS RegProt with Regmon? I am unable to get any official info about it, so the table contains only assumptions; some confirmation would be fine.
    In the meantime I will start a thread discussing specific keys and apps.
    -hojtsy-
     
  13. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    Sumire, can SSM's monitor be used without SSM to watch the registry? You see, I have Process Guard and don't feel the need for the execution protection, as that is built into PG. Thank you.
     
  14. lonewolf3367

    lonewolf3367 Guest

    SSM can be used without its additional registry monitoring capabilities. As a matter of fact, that's the way I use it and have been for quite some time now, and I think it's great.
     
  15. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    Lonewolf, I think I confused you on SSM. I would like to have the reg. protection without the Execution Protection.
     
  16. Sumire

    Sumire Registered Member

    Joined:
    Sep 26, 2002
    Posts:
    43
    Location:
    Japan
    Hi, WilliamP

    First of all, I haven't used Process Guard, so I can't say anything about Process Guard.

    As for the SSM, SSM can turn the Execution Protection off, so you can use only SSM's registry protection.

    Best Regards.
     

    Attached: SSM1.jpg
  17. Sumire

    Sumire Registered Member

    Joined:
    Sep 26, 2002
    Posts:
    43
    Location:
    Japan
    Hi, hojtsy

    I was using RP (Registry Prot) on my old Win98 box; if my memory is correct, I think RP can't monitor (Common_Startup_Folder) and (User___Startup_Folder).

    May I ask you a question? What is "screensaver" start-up method on your table? Would you please let me know more details?

    I've found this vulnerability, so I tested it on my WinXP box, but it doesn't work correctly on my WinXP box, so Microsoft has already fixed it. Is this the "screensaver" start-up method?

    I've found another ITW start-up method which SSM can't monitor perfectly. The screen shot below is the backdoor CIA's start-up editor.

    Windows NT Run
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load

    Explorer Run(edit.SSM can monitor this entry)
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\

    I think there are many start-up methods which I don't know of. :(

    Best Regards
     

    Last edited: May 24, 2004
  18. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Hi Sumire,
    The danger of any screensaver is that it is started without user intervention.
    One of them is the logon screensaver in: HKU\.DEFAULT\Control Panel\Desktop\scrnsave.exe
    The other one is the user-specific screensaver in HKCU\Control Panel\Desktop\scrnsave.exe
    Any changes to these entries should be confirmed by the user. The vulnerability you mentioned instructs to replace the file logon.scr. But did you also try changing the registry to point to your app instead? It will work, of course.

    I will also add the keys you mentioned.
    See also https://www.wilderssecurity.com/showthread.php?t=33418
    -hojtsy-
     
    Last edited: May 24, 2004
  19. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    I added some more startup entries. I am still unable to find an app which monitors more than half of these startup entries by default, so the clear winners are the apps which enable the user to add custom registry keys to monitor.
    -hojtsy-
     
  20. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Hojtsy - Fantastic thread. :eek: Can you note which apps allow the user to add custom registry entries?
     
  21. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    That is the last line in the table. Of these apps, only RegRun and SSM are customizable.
    -hojtsy-
     
  22. strongarm

    strongarm Guest

    Now this is a good thread!
     
  23. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Thanks. I see it now. :)
     
  24. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    An interesting discussion this! I would suggest adding HKLM\SYSTEM\CurrentControlSet\Services - this is monitored by SSM even though it is not listed in the Plugins/Registry/Configuration key list (anyone know why?). This contains the startup details of all Services and would be a target for rootkits and other kernel-mode trojans.

    Also should it be worth including the monitoring of files that allow startup programs? (e.g. system.ini, win.ini)

    Edit: Answered my own question :eek: SSM monitors this under Plugins/Services which is a separate plugin. Still worth noting IMHO.
     
  25. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    I understand that SSM allows the addition of additional registry keys for monitoring. Please excuse my lack of knowledge here, but why would the developer not include many more (if not all) registry keys by default? Is there a downside to adding additional keys?
     