Registry Monitor comparison

Discussion in 'other anti-malware software' started by hojtsy, May 19, 2004.

Thread Status:
Not open for further replies.
  1. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Ellison, it looks as if BOClean does not like any other programs in the registry while it is booting up. Try moving the Registry Watcher startup from the Startup folder to, say, one of the startup registry keys (hkey_local_machine\software\microsoft\windows\currentversion\run
    for example), or vice versa, if you've got it that way already. If that doesn't work, we could look at command line switches for MJRW that delay starting for a few seconds.

    Graphic
     
  2. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Hi,
    MJ RegWatcher 1.2.1.5 seems buggy. I created a subkey in hkey_local_machine\software\microsoft\windows\currentversion\run, it popped up a notification window with an "OK" button only. After that it repeatedly reports every value as changed in hkey_local_machine\software\microsoft\windows\currentversion\run, every five seconds. I have to fall back to 1.1.4.1.
    -hojtsy-
     
  3. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    So if I change hkey_local_machine\system\currentcontrolset\services\SomeExisting\ImagePath
    it will not alert? :eek: I tried it: it does not alert. Not good!
    -hojtsy-
     
  4. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Bug corrected and new version uploaded (it is still version 1.2.1.5 though!)

    Let me try to clarify that MJRW *DOES NOT* recurse subkeys - it only checks for the creation of new subkeys, or the deletion of old subkeys, neither of which it can do anything about. It would be unwise to offer to delete a newly-created subkey, since there may be a whole tree of registry information underneath it. It would be difficult to store the possible tree of information for any subkey, so if it is deleted, all I can do is report it. That is why for all subkey additions and deletions, you only get the OK button. MJRW is designed to make sure the values for a key are not changed, and monitoring subkey additions and deletions was more of an afterthought on observing how trojans work their payload into the registry. Still, it draws your attention to the subkey change, which can be further investigated with RegEdit. Any changes to values will prompt you to accept or reject them. I trust that is now clear.

    In your example
    hkey_local_machine\system\currentcontrolset\services\SomeExisting\ImagePath
    if you are monitoring hkey_local_machine\system\currentcontrolset\services, then unless the trojan creates a new subkey called SomeExisting, any change to the ImagePath value will go unnoticed. You have to put both
    hkey_local_machine\system\currentcontrolset\services
    and
    hkey_local_machine\system\currentcontrolset\services\SomeExisting
    into your key list to trap specific subkey value changes.

    Graphic
     
  5. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    That was fast. It is working now.
    OK, I understand. Could you modify the change notification window in a way that the contents could be copy-pasted, for further analysis, or posting?
    The problem is that trojans can change the registry for any of your existing services, so that Windows executes the trojan instead of the original service. RegWatcher should monitor the ImagePath value in all of the existing services to avoid this. Although it would be possible for me to manually add each and every one of my existing services to the monitored list, it would be very error-prone and inconvenient. If RegWatcher supported something like:
    "hkey_local_machine\system\currentcontrolset\services\*\ImagePath" that would solve this problem. (The asterisk here indicates any subkey, without recursion.) Additionally it would solve the all users vs. HKCU problem too, because then you could write entries like: "hkey_users\*\software\microsoft\windows\currentversion\run"
    -hojtsy-
     
  6. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    I have just corrected some bugs in MJRW v1.2.1.5 and released it as v1.2.1.6

    These are the changes :-

    Changes 1.2.1.5 to 1.2.1.6
    1) Fixed bug with subkey change detection messing up subsequent value checking.
    2) Fixed bug where detection of value change would prompt with Yes/No and then another with OK.
    3) Suffixed each value listed with the type of data it holds in brackets.
    4) Added key hkey_local_machine\software\policies\microsoft\windows\safer\codeidentifiers.

    Graphic (cough!)
     
  7. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    MJRW has had a rough day. Version 1.2.1.5 was a bit of a disaster. However, 1.2.1.6 has been tested thoroughly and seems fine in all the situations I've tested for.

    Hojtsy, I see you stopped the RW update thread - is this because the version number did not change when I corrected the bug you reported earlier? If so, that has now been resolved and there will be no more updates without version number changes (I'm new to this). Your idea of denoting wildkeys with an asterisk in the key name is a good one. The key name could not start with *, or end with one, but as long as it contains \*\ somewhere in it, I guess this could be achieved. However, that would somewhat impact resource usage, since a lot of registry recursion would have to occur every 5 seconds, to locate the matching keys.

    Graphic
     
  8. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    I do not have the administrator rights to lock (stop) any threads. That thread was locked by an administrator. I am sure that this has no connection with the silent update. It should rather be an enforcement of the local policy in that sub-forum to avoid starting discussions in the update notification threads. Feel free to start a new thread there for each and every update of your software. Old, obsolete update notifications will be deleted, when a new notification is posted.

    How could hkey_local_machine\software\policies\microsoft\windows\safer\codeidentifiers be attacked? Is it used by some malware?

    More new keys:
    1 2 3 4 5 6 7 8 9
    S R P R T S G W M
    M P G R T S R P J
    - - - - - - - - + ¦ HKLM\SW\MS\Windows NT\CV\IniFileMapping
    - - - + - - - - - ¦ HKLM\SW\MS\Windows NT\CV\IniFileMapping\win.ini\load
    - - - + - - - - - ¦ HKLM\SW\MS\Windows NT\CV\IniFileMapping\win.ini\run
    - - - + - - - - - ¦ HKLM\SW\MS\Windows NT\CV\IniFileMapping\system.ini\boot\shell
    - - - - - - - - - ¦ HKCU\SW\MS\Windows NT\CV\IniFileMapping
    - - - - - - - - - ¦ HKCU\SW\MS\Windows NT\CV\IniFileMapping\win.ini\load
    - - - - - - - - - ¦ HKCU\SW\MS\Windows NT\CV\IniFileMapping\win.ini\run
    - - - - - - - - - ¦ HKCU\SW\MS\Windows NT\CV\IniFileMapping\system.ini\boot\shell


    -hojtsy-
     
    Last edited: Nov 12, 2004
  9. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    RW shows this about the key on my office PC :-
    5 Values for hkey_local_machine\software\policies\microsoft\windows\safer\codeidentifiers :-
    ExecutableTypes (M) ADE ADP BAS BAT CHM CMD COM CPL CRT EXE HLP HTA INF INS ISP LNK MDB MDE MSC MSI MSP MST OCX PCD PIF REG SCR SHS URL VB WSC
    TransparentEnabled (N) 1
    DefaultLevel (N) 262144
    AuthenticodeEnabled (N) 0
    PolicyScope (N) 0

    Notice the executable types list (Jeez!). If a trojan added another extension to this list, they could get machines to execute files that do not look like executables, and don't look very harmful as a result, but which will execute when double-clicked, as executable code!! At least, that's the theory.

    A new version (1.2.1.7) of MJRW will be coming out in the next couple of days, which allows easy subkey additions to the key list, better alert prompts, and it monitors *ALL* registry value types, including binary, multi-strings and even quadwords! Regards,

    Graphic
     
  10. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Graphic,
    I keep getting warnings about changes of the irrelevant
    Registry Key hkey_current_user\software\microsoft\internet explorer\main\Window_Placement key. I am afraid you have to list only the important values from this key, because some unimportant ones are always changing. I will collect the value list to monitor.
    -hojtsy-
     
  11. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Question for Hojtsy :-

    In your table of keys, you quite often have values instead of keys. Could you denote which are keys (where all values must be monitored) and which are values? For example,

    HKLM\SW\MS\Windows NT\CV\IniFileMapping\system.ini\boot\shell

    is a value, and *NOT* a key, whereas,

    HKLM\SW\MS\Windows NT\CV\IniFileMapping\win.ini

    is a key.

    P.S. I do not have keys or values called LOAD or RUN under the keys you cited in your list, on my XP system. Are they Win9x-specific? TIA,

    Graphic
     
  12. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    MJ Registry Watcher version 1.2.1.7 has been released at http://www.jacobsm.com/index.htm#sft . It is mega, and really covers most of the trojan registry hooks. It can drill down into the registry, adding subkeys to your list, and you can balance sheer number of keys against performance requirements of the PC yourself. Remember, all values for any given key are checked (even multi-strings and quadwords!), so WinLogon is covered. Enjoy.

    Graphic :)
     
  13. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
  14. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Graphic,
    I suggest continuing the RegWatcher-specific conversation (such as features, update notes, etc.) in the thread MJ RegWatcher and limiting the topic of the current thread to issues which are interesting for the users of any registry monitor application. For example the relevance of some new keys, application differences, new tools, etc.
    -hojtsy-
     
  15. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
  16. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    I put some more new keys in post #1. Some of them are using wildcards:

    1 2 3 4 5 6 7 8 9
    S R P R T S G W M
    M P G R T S R P J
    - - - + - + - - - (M) HKLM\System\CCS\Services\*\Image Path
    - - - - - - - - - (M) HKLM\SW\MS\Windows NT\CV\Accessibility\Utility manager\*\Application path
    - - - - - - - - - (K) HKCU\SW\MS\Windows\CV\Explorer\fileexts\*\OpenWithList
    - - - - - - - - - (M) HKCU\SW\MS\Windows\CV\Explorer\fileexts\*\Application
    - - - - - - - - - (K) HKU\*\SW\MS\Windows\CV\Run(Once)
    - - - - - - - - - (K) HKU\*\SW\MS\Windows\CV\RunServices(Once)

    In these keys the asterisk is indicating a single level of recursion, meaning that, for example, the ImagePath value should be monitored in the key for every service.
    It may be problematic to add these keys to the monitored list of configurable applications because of their wildcard nature. Either the software provides built-in support for these specific keys, or you enter all possible keys manually, or you wait for software which supports the wildcards (none of them support it yet).

    HKU\*\SW\MS\Windows\CV\Run(Once)
    HKU\*\SW\MS\Windows\CV\RunServices(Once)

    These keys contain some autostart entries of all users, including the current one, and also including the ".default" user, which stores the default settings of newly created users. HKCU is just a shortcut to one of the subkeys of HKU.
    Since most malware only hijacks settings in HKLM or HKCU, it may be not needed, complex, or too resource-consuming to monitor the autostart locations of other users. It should be decided based on your own preferences. My personal opinion is that it would be most beneficial if registry monitors would monitor all autostart locations for all users, but use the high frequency only for HKCU. Monitoring the settings of other users is less important than HKCU, and could happen, say, once a minute. Every entry in the Big List starting with HKCU or HK** could be present in any of the HKU subtrees, and ideally should be monitored. There is really not much sense in listing every one of them. So the keys in bold were just examples. A registry monitor could just take the list of keys, and everything starting with HKCU could also optionally be monitored in HKU\* with much lower frequency. I hope I was clear.

    -hojtsy-
     
  17. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    The wildcard idea is what I'm aiming at with MJRW. But I have so far found that the resource usage to do a recursive scan of subkey branches is immense: try doing a search in Regedit for a key or value that doesn't exist and see how long it takes (18 seconds on my AMD Athlon 1.4GHz for any given value name!); this could not be tolerated every 5 seconds on even modern PCs. However, if the scan were done at startup, and the matching keys and values stored into a "dummy" of MJRW's top window list, and the dummy is scanned, I have found that if the number of resultant keys exceeds 400, the intrusion into my Quake 3 experience becomes noticeable. Can you evaluate how many keys your proposed list would entail on a normal XP registry? That would give me an idea of whether it's worth doing or not. Thanks, and keep up the wonderful work.
     
  18. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    At this point, would it not be better to start hooking the Windows Registry API routines used to make changes so that checks need only be done when a key is changed and on that key only? Alternatively any changes could be intercepted by this method and only made if approved.
     
  19. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    But a full recursive scan is not needed for these keys. You just start from a constant given key, at the asterisk you enumerate the immediate subkeys, and in each of the immediate subkeys you try to walk down the constant given key, indicated after the asterisk. Also I believe that runtime performance could be improved if you only read, store and monitor the required names and values (ImagePath for example), and not the full value lists in the keys.
    The precalculated list would work in most cases. The less elegant thing is that it will not be updated for newly added keys.
    My estimates are:
    50 values are covered by HKLM\System\CCS\Services\*\Image Path
    3 values are covered by HKLM\SW\MS\Windows NT\CV\Accessibility\Utility manager\*\Application path
    50 keys are covered by HKCU\SW\MS\Windows\CV\Explorer\fileexts\*\OpenWithList
    50 values are covered by HKCU\SW\MS\Windows\CV\Explorer\fileexts\*\Application
    3*2=6 values are covered by HKU\*\SW\MS\Windows\CV\Run(Once)
    3*2=6 values are covered by HKU\*\SW\MS\Windows\CV\RunServices(Once)
    Plus extending other HKCU keys to HKU/* would mean an estimated 50 more keys/values. Enumerating HKU/* could happen only once per scan cycle, and then for each immediate subkey, the HKCU keys could be checked/stored.
    -hojtsy-
     
  20. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Yet one more key, currently undetected. See this report about usage.


    1 2 3 4 5 6 7 8 9
    S R P R T S G W M
    M P G R T S R P J
    - - - - - - - - - (K) HKLM\SW\MS\Windows NT\CV\WOW\boot

    -hojtsy-
     
  21. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    When I amend the set of keys in MJRW to cover all of your list, and add in :-

    hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\*\*\dllname
    hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\gpextensions\*\dllname
    hkey_local_machine\system\currentcontrolset\services\winsock2\parameters\*\*\*\librarypath
    hkey_users\*\control panel\desktop\scrnsave.exe
    hkey_users\*\software\microsoft\internet explorer\extensions\cmdmapping
    hkey_users\*\software\microsoft\windows\currentversion\explorer\fileexts\*\openwithlist
    hkey_users\*\software\microsoft\windows\currentversion\explorer\fileexts\*\application
    hkey_users\*\software\microsoft\windows\currentversion\run
    hkey_users\*\software\microsoft\windows\currentversion\runonce

    I have 684 keys and files it's monitoring. On my 1.4GHz Athlon system, when minimised, it pulses at 10% utilisation every 5 seconds - not bad at all. But possibly intrusive unless cut down a bit. This set we have offers ultimate security, in that nearly every dll, sys and exe system file path is covered for all users on the PC. It is exhaustive in 2 ways :-
    1) It covers nearly everything
    2) It exhausts the CPU!
     
  22. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Help Wanted!
    I am seeking help from anyone running Giant Antispyware. I would need the person to execute the free Sysinternals Registry Monitor to get the list of the keys polled by Giant. I can not do it because my Giant demo license is already expired and Giant would not run. Anyone willing to help, please PM me.
    -hojtsy-

    Edit: I did receive generous help in this matter. Thanks.
     
    Last edited: Nov 25, 2004
  23. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    I am having trouble monitoring the key
    hkey_current_user\software\microsoft\windows\currentversion\explorer\fileexts\*\openwithlist

    It is the value MRUList that is causing the problems. Every time a file with the relevant extension is opened, the MRUList is rewritten, which causes MJRW to alert. It is not possible to exempt this value, unless I bring back pathless value name exemptions, which causes problems because someone may create a value MRUList under hkey_lmcu\software\microsoft\windows\currentversion\run which would cause a new auto-start app to go unnoticed by MJRW. So, I decided to monitor these instead :-

    hkey_current_user\software\microsoft\windows\currentversion\explorer\fileexts\*\application
    hkey_current_user\software\microsoft\windows\currentversion\explorer\fileexts\*\openwithlist\a
    hkey_current_user\software\microsoft\windows\currentversion\explorer\fileexts\*\openwithlist\b
    hkey_current_user\software\microsoft\windows\currentversion\explorer\fileexts\*\openwithlist\c
    hkey_current_user\software\microsoft\windows\currentversion\explorer\fileexts\*\openwithlist\d
    hkey_current_user\software\microsoft\windows\currentversion\explorer\fileexts\*\openwithlist\e
    hkey_current_user\software\microsoft\windows\currentversion\explorer\fileexts\*\openwithlist\f
    hkey_current_user\software\microsoft\windows\currentversion\explorer\fileexts\*\openwithlist\g
    hkey_current_user\software\microsoft\windows\currentversion\explorer\fileexts\*\openwithlist\h
    hkey_current_user\software\microsoft\windows\currentversion\explorer\fileexts\*\openwithlist\i
    hkey_current_user\software\microsoft\windows\currentversion\explorer\fileexts\*\openwithlist\j
    hkey_current_user\software\microsoft\windows\currentversion\explorer\fileexts\*\openwithlist\k
    hkey_current_user\software\microsoft\windows\currentversion\explorer\fileexts\*\openwithlist\l
    hkey_current_user\software\microsoft\windows\currentversion\explorer\fileexts\*\openwithlist\m
     
    Last edited: Nov 25, 2004
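The following is an added example, not code from MJ Registry Watcher or any other tool in the thread. It models the two mechanics discussed above: hojtsy's single-level wildcard expansion from post #19 (at each asterisk enumerate the immediate subkeys, then walk the constant tail below each one, re-evaluated on every poll so newly added services are picked up) and the path-scoped exemption Graphic wanted in post #23 (exempt MRUList only under the OpenWithList keys, so a new autostart value that happens to be called MRUList under ...\Run is still reported). The registry, the watch list abbreviations and every change in the demo are constructed so the script runs offline; on Windows the two accessor functions would be backed by winreg.EnumKey and winreg.EnumValue.

```python
"""Model of a polling registry watcher with single-level wildcards and
path-scoped exemptions.  Added example, not MJRW's or any other tool's code.
The registry is a constructed dict so the script runs anywhere; on Windows
enum_subkeys/read_values would wrap winreg.EnumKey/winreg.EnumValue."""
import copy

# Constructed sample registry: key path -> {value name: data}.  Abbreviations
# follow the thread's table (HKLM, CCS, SW, MS, CV).
REGISTRY = {
    r"HKLM\System\CCS\Services\Alerter": {
        "ImagePath": r"%SystemRoot%\system32\svchost.exe -k LocalService", "Start": 3},
    r"HKLM\System\CCS\Services\Browser": {
        "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs", "Start": 2},
    r"HKCU\SW\MS\Windows\CV\Explorer\FileExts\.txt\OpenWithList": {
        "MRUList": "ab", "a": "NOTEPAD.EXE", "b": "WORDPAD.EXE"},
    r"HKCU\SW\MS\Windows\CV\Run": {"ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"},
}

def enum_subkeys(reg, key):
    """Immediate subkeys only: one level, no recursion (winreg.EnumKey equivalent)."""
    prefix = key + "\\"
    return sorted({p[len(prefix):].split("\\")[0] for p in reg if p.startswith(prefix)})

def read_values(reg, key):
    """All values of one key (winreg.EnumValue equivalent); {} if the key is absent."""
    return dict(reg.get(key, {}))

def expand_keys(reg, pattern):
    """Concrete keys matching a pattern whose components may be '*'.  At each
    '*' the immediate subkeys are enumerated and the constant tail is walked
    below each one (hojtsy's scheme in post #19), so no full recursive scan."""
    parts = pattern.split("\\")
    def walk(i, path):
        if i == len(parts):
            if path in reg:          # a subkey lacking the constant tail is skipped
                yield path
            return
        nxt = [path + "\\" + s for s in enum_subkeys(reg, path)] if parts[i] == "*" \
              else [path + "\\" + parts[i] if path else parts[i]]
        for p in nxt:
            yield from walk(i + 1, p)
    return list(walk(0, ""))

def expand_values(reg, pattern):
    """(key, value_name) pairs for a value pattern; the last component is the name."""
    key_pat, _, name = pattern.rpartition("\\")
    return [(k, name) for k in expand_keys(reg, key_pat) if name in read_values(reg, k)]

def snapshot(reg, watchlist, exempt=()):
    """watchlist: (kind, pattern) with 'K' = every value of the key (the thread's
    (K) rows) and 'V' = one named value ((V)/(M) rows).  exempt holds full value
    patterns: a bare-name exemption such as 'MRUList' would also hide a new
    autostart value called MRUList under ...\\Run (Graphic's objection, post #23)."""
    skip = {kv for pat in exempt for kv in expand_values(reg, pat)}
    snap = {}
    for kind, pattern in watchlist:
        if kind == "K":
            for key in expand_keys(reg, pattern):
                for name, data in read_values(reg, key).items():
                    snap[(key, name)] = data
        else:
            for key, name in expand_values(reg, pattern):
                snap[(key, name)] = read_values(reg, key)[name]
    return {kv: d for kv, d in snap.items() if kv not in skip}

def diff(old, new):
    """Changes between two snapshots: (what, key, value_name, old_data, new_data)."""
    out = []
    for kv in sorted(set(old) | set(new)):
        if kv not in old:
            out.append(("added", *kv, None, new[kv]))
        elif kv not in new:
            out.append(("deleted", *kv, old[kv], None))
        elif old[kv] != new[kv]:
            out.append(("changed", *kv, old[kv], new[kv]))
    return out

WATCHLIST = [
    ("V", r"HKLM\System\CCS\Services\*\ImagePath"),
    ("K", r"HKCU\SW\MS\Windows\CV\Explorer\FileExts\*\OpenWithList"),
    ("K", r"HKCU\SW\MS\Windows\CV\Run"),
]
EXEMPT = [r"HKCU\SW\MS\Windows\CV\Explorer\FileExts\*\OpenWithList\MRUList"]

def demo():
    """One poll cycle against constructed changes: a service hijack, MRU noise,
    an autostart value deliberately named MRUList, and a brand-new service."""
    reg = copy.deepcopy(REGISTRY)
    base = snapshot(reg, WATCHLIST, EXEMPT)
    reg[r"HKLM\System\CCS\Services\Browser"]["ImagePath"] = r"C:\WINDOWS\svch0st.exe"
    reg[r"HKCU\SW\MS\Windows\CV\Explorer\FileExts\.txt\OpenWithList"]["MRUList"] = "ba"
    reg[r"HKCU\SW\MS\Windows\CV\Run"]["MRUList"] = r"C:\WINDOWS\evil.exe"
    reg[r"HKLM\System\CCS\Services\NewSvc"] = {"ImagePath": r"C:\WINDOWS\evil.sys"}
    return diff(base, snapshot(reg, WATCHLIST, EXEMPT))

if __name__ == "__main__":
    for change in demo():
        print(*change, sep="  ")
```

Running it reports three changes: the hijacked Browser ImagePath, the new Run\MRUList autostart value (the exemption only covers MRUList under the OpenWithList keys) and the ImagePath of the freshly created NewSvc service, while the rewritten MRU list under .txt\OpenWithList stays silent. Because the wildcard is re-expanded on every cycle, the cost is one subkey enumeration per asterisk rather than a full registry walk, which is the point hojtsy makes about not needing the Regedit-style recursive search.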
  24. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Hi,
    Grr Registry Rearguard (GR) will be removed from the table, because it has very small coverage, and there are no improvements over time. It will be replaced with Giant Antispyware (GA), which has very interesting features.

    Some new keys were discovered:

    1 2 3 4 5 6 7 8 9
    S R P R T S G W M
    M P G R T S A P J
    - - - - - - + - - (K) HK**\SW\MS\Internet Explorer\AboutURLs
    - - - - - - + - - (K) HK**\SW\MS\Internet Explorer\extensions
    - - - - - - - - - (K) HKLM\SW\MS\Windows\CV\URL\Prefixes
    - - - - - - - - - (V) HKLM\SW\MS\Windows\CV\URL\DefaultPrefix
    - - - - - - + - - (K) HKLM\SW\MS\Windows\CV\Internet Settings\SafeSites
    - - - - - - + - - (K) HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
    - - - - - - - - + (K) HK**\SW\MS\Windows\CV\RunServicesOnceEx


    The key "HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers" does have an asterisk in the name: it is not a wildcard. I will switch to a different wildcarding scheme in post #1.

    -hojtsy-
     
  25. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Jeez - it goes on! I found some more vulnerabilities in the registry, but from the theoretical viewpoint of a hacker. It appears that certain dlls are loaded when you connect a USB device, for example.

    hkey_local_machine\system\currentcontrolset\control\{36FC9E60-C465-11CF-8056-444553540000}

    and its subkeys and values handle all the USB access to the PC. There are several DLLs at an assortment of differing levels of tree recursion under this key, which load dlls. What should we do about this? Wait until a hacker uses this "hole" and then patch it, or pre-empt everything a hacker could possibly get up to?!?

    P.S.Thanks for the new keys - keep them coming!
     