Registry Monitor comparison

Discussion in 'other anti-malware software' started by hojtsy, May 19, 2004.

Thread Status:
Not open for further replies.
  1. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Some of the registry keys in the first post of this thread don't apply to certain operating systems. A few of them for instance only apply to Windows 9x and vice versa, which may confuse the "average" person who runs Windows XP. There is no point protecting against those keys in such an operating system.
     
  2. cluessnewbie

    cluessnewbie Guest

    Jason has this nice registry defence tester . http://www.ghostsecurity.com/index.php?page=regtest .

    Based on a recent post by Jason, I played a hunch and tested it against Prevx, and Prevx passed (except for HKLM\system\CURRENTCONTROLSET\CONTROL\SESSION MANAGER\BOOTEXECUTE which it evidently doesn't cover), so it apparently isn't doing polling.
     
  3. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    That is right. And what's more, a few keys only apply to XP SP2, which may also be unneeded for other users. But this whole thing only affects 8-10 of the keys on this list. All other keys affect everybody. Monitoring every key for every OS means a quite insignificant overhead, but a big simplification.
    -hojtsy-
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I haven't read the whole thread but I have a question about registry watchers in general. Will they not constantly alert you that applications are accessing the registry and become annoying? o_O

    And I also believe that StartupMonitor monitors some more keys on Win9x even though it's not that advanced of course. Perhaps RegProt is a better choice for me. ;)
     
    Last edited: Mar 29, 2005
  5. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    I think for the most part you will not get too many alerts except if it is a dangerous area that is likely to be compromised, as shown by the links in hojtsy's posts. Of course, annoying to some may be not that bad to another, so it is a question of individual tolerance.

    EDIT: And in case you weren't aware they don't monitor every location in the registry just as I said above the ones where damage could occur (list keeps getting bigger).

    Hope this helps,

    Chris
     
  6. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    What would those keys be? If you happen to have any actual information to base your claim on, please share it.
    -hojtsy-
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ Chris

    My bad, they of course only monitor the startup areas and that is important of course. Still I would like to get an indication of how many popups an average user will get to see. Even though security is important it must not become irritating like, IMO, a sandbox.

    My only experience that I have is with StartupMonitor and Regprot. StartupMon doesn't watch a lot of keys so I don't get that much notifications. And I removed RegProt because it kept notifying me about SC Keylog 2, a keylogger that I used to use (KAV doesn't like it either :ninja: ).

    @hojsty

    I think StartupMon monitors all the keys in the screenshot on Win9x. Don't know the exact name of the registry keys though, maybe you can figure it out. But they are all different areas I assume, correct me if I'm wrong. :)


    http://i147.exs.cx/img147/5880/screenshot0275fk.png
     
  8. Howard

    Howard Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    313
    Location:
    Wales, UK
    Running MJ Registry Watcher v1.2.4.1 , highest security set, been running for 19h 42m, 2,262 polls, 5 alerts
     
  9. anti-spy

    anti-spy Guest

    Just curious why Prevx isn't on the list? It also has reg protection. Is it because it's not really that good in that area (or doesn't cover as much as others), that it didn't make the list?
     
  10. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    This screenshot is from StartupMonitor from Amazing Software Products. The table entry corresponds to the somewhat more well known StartupMonitor from Mike Lin. To increase the confusion there are yet more products called Startup Monitor. One should be extra careful with it.
    Prevx, Tiny FW, and AdWatch are missing from the table because their list of monitored keys is unknown to me. Any information would be appreciated regarding what keys these software are watching.
    -hojtsy-
     
  11. anti-spy

    anti-spy Guest

    Thanks for your reply Hojtsy. I checked my computer with Regmon as you suggested, to try to determine which keys Prevx monitors, but I didn't see anything for Prevx listed unless it's "system:4"; this is an unknown entry (to me anyway) in Regmon. Could this be Prevx?

    The only other entries in Regmon showing are common Windows functions that are showing every once in a while, like svchost.exe, lsass.exe, msmsgs.exe.

    I don't use Adwatch or Tiny, so I can't help there. It appears that Prevx's registry monitoring doesn't appear in regmon, as far as I can determine anyway. :(
     
  12. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    RegMon can only be used to discover the keys for pollers, which repeatedly read the affected registry areas. The following apps are not pollers, and thus cannot be analyzed with RegMon: PrevX, Tiny Fw, RegDefend.
    I know of no easy way to analyze these applications, so it is either 1) up to the authors to publish the list of keys, or 2) somebody takes the time and attempts to modify each of the keys on the big list, and see what happens.
    The benefit of 1) is that we may discover new keys not yet on the list.
    -hojtsy-
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @Howard

    Thanks for the feedback, with 5 alerts per day I can live. About the "polling", personally I prefer a non polling app, so I think RegDefend, PrevX would be better. Startup Monitor and RegProt are also non polling apps btw. ;)

    @hojsty

    Actually, the screenshot was taken from CodeStuff Starter, but I was wrong, StartupMon doesn't monitor all the keys in the screenshot. With the help of System Safety Monitor and Startup Control Panel (from AK Software) I figured out that the keys monitored (on Win 9X) by Mike Lin's StartupMon are:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
     
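    The two posts above contrast "pollers" (which repeatedly read the watched keys and diff them) with hook-based monitors, and list the four Win9x keys StartupMon watches. As an added example (not code from StartupMon, RegProt or any product in the thread), here is a minimal poller of that kind in Python: the snapshot-diff logic is plain Python and runs anywhere; the actual registry reads use the standard `winreg` module and only run on Windows. The sample snapshots are constructed for illustration.

    ```python
    """Polling-style autorun key watcher (added example, not from any product in the thread)."""
    import sys
    import time

    # The four keys the post above reports for Mike Lin's StartupMon on Win9x: (hive, subkey)
    WATCHED_KEYS = [
        ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
        ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
        ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunServices"),
        ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ]

    # Constructed sample snapshots: a second poll sees one new Run value.
    SAMPLE_BEFORE = {r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {"ctfmon": "ctfmon.exe"}}
    SAMPLE_AFTER = {r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run":
                    {"ctfmon": "ctfmon.exe", "updater": r"C:\example\updater.exe"}}

    def diff_snapshots(old, new):
        """Compare two snapshots ({'HIVE\\subkey': {value_name: data}}) and return
        a list of (key, change, value_name, old_data, new_data) alerts."""
        alerts = []
        for key in sorted(set(old) | set(new)):
            before, after = old.get(key, {}), new.get(key, {})
            for name in sorted(set(before) | set(after)):
                if name not in before:
                    alerts.append((key, "added", name, None, after[name]))
                elif name not in after:
                    alerts.append((key, "removed", name, before[name], None))
                elif before[name] != after[name]:
                    alerts.append((key, "changed", name, before[name], after[name]))
        return alerts

    def read_key_windows(hive, subkey):
        """Read all values of one key; a key absent on this OS (e.g. RunServices
        on NT-family Windows, as the thread notes) yields an empty dict."""
        import winreg  # Windows-only standard library module
        root = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}[hive]
        values = {}
        try:
            with winreg.OpenKey(root, subkey) as k:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:  # no more values
                        break
                    values[name] = data
                    i += 1
        except FileNotFoundError:
            pass
        return values

    def poll(interval=2.0):
        """Poll forever, printing one alert per changed autorun value."""
        prev = {f"{h}\\{s}": read_key_windows(h, s) for h, s in WATCHED_KEYS}
        while True:
            time.sleep(interval)
            cur = {f"{h}\\{s}": read_key_windows(h, s) for h, s in WATCHED_KEYS}
            for key, change, name, old, new in diff_snapshots(prev, cur):
                print(f"ALERT {change}: {key} [{name}] {old!r} -> {new!r}")
            prev = cur

    if __name__ == "__main__":
        if sys.platform == "win32":
            poll()
        else:
            print(diff_snapshots(SAMPLE_BEFORE, SAMPLE_AFTER))
    ```

    Because it only reads the keys on a timer, a change made and reverted between two polls is missed, which is the limitation the thread's non-polling tools address by hooking the write instead.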
  14. BillR

    BillR Guest

    hojtsy,

    Please consider making the following minor changes to the very informative first post in this thread.

    1a. Please add the version(s) to the product name where version is missing so a reader has some idea of whether the information is reasonably current. An approximate release date would also be helpful.

    1b. For MJ Registry Watcher, please identify the security set level. (I assume either default or highest although that feature may have been introduce only recently).

    1c. For WinPatrol, please add the license type. Also consider using more descriptive labels such as "donation" for Spybot S&D and SSM.

    2. I find the columns a bit confusing to scan in some cases. I eventually just printed that page and highlighted two columns using a ruler.

    Please add a (single) row of product column numbers every ~10 lines for the sections that are longer than ~15 lines. Or try adding a blank column between columns #5 and #6. Either of these will improve readability by providing a visual reference.

    3. The row that identifies "free" tools could be clearer. As far as I know, WinPatrol (free) tracks the same keys as WinPatrol Plus. Thus I expected WinPatrol to be considered either a free application or to have an annotated value. Similarly, my understanding is that MS AntiSpyware will be free for home use (although that is obviously speculative).

    One possibility would be to have three values with the key placed next to the row label (e.g., "Free (P = Personal use only)" or "Free (* = for some users)"). Or you might add an additional row labeled something like "Additional features in purchased version". Finally, perhaps this entire row should be eliminated and replaced with a slightly more informative description for each product (see comment #1c.)

    Thanks to the OP for maintaining this valuable summary and to all those who contributed details.

    BillR
     
  15. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Incorrect. Mike Lin's Startup Monitor and DiamondCS RegProt are pollers. You may have fallen for the misleading marketing and GUI messages.

    BillR,
    I will work on your suggestions. Unfortunately the forum markup language is highly uncomfortable for tables. For example it is quite impossible to display two spaces next to each other, to make a row gap bigger. And if a line gets too long it gets broken instead of horizontal scrolling - quite bad for tables. I am afraid that the covered keys for WinPatrol and RegDefend are obsolete and changed, so they should be reanalyzed. Also there are a small number of new keys I know of, but not yet listed. I will look into these matters.

    -hojtsy-
     
  16. BillR

    BillR Guest

    Thanks for your considered reply and diligent work, hojtsy. I look forward to seeing the revisions.

    I hope you will be able to find a way to add a visual gutter to group the long columns. From my perspective a pair of periods would serve as well as -- or even better than -- a pair of spaces to define a gutter. Since horizontal space is at a premium (especially since I hope other products will eventually be added), perhaps a single character such as a slash (virgule), a vertical slash (pipe), or the even more minimal colon would work without forcing more than one current line to overflow.

    This technique also might allow you to reserve a few columns for additional products as information for those becomes available without forcing additional reformatting each time.

    Again, my thanks to you and other contributors to this excellent thread.

    BillR
     
  17. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Hello again, P2K. :)

    I was just re-reading this thread and wondering if what you describe above is already being done on my machine by my firewall (Zone Alarm Pro v6). This product has apparently gone way beyond what a typical firewall is supposed to do. When I run new programs, it (just like PG) prompts me to allow / disallow the prog. It appears that it also warns me when one program tries to communicate with another process. Not sure what "DLL Injection" means, but is this ZA activity basically what SSM does (as you're describing in your thread)?
     
  18. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    772
    Location:
    Toronto
    Hi Daisey, different thread, same 'me'.
    I just learned a bit about dll injection from beta testing Online Armor.
    OA inserts a dll into the target application's thread that then intercepts certain API calls by the target, for example a call to the Registry, and then audits it and may block it or pop up a warning, and with the beta, also writes an entry in a log file, to see what registry key was being accessed.
    So, a 'bad' application will also try to 'inject' its dll into an application thread to intercept a perfectly valid API call, but then instead of 'logging', it does something.... wait for it ...... 'bad'.

    Now that's about all I know, I have no idea how to do this injection stuff, dll or insulin or drugs for that matter. And no idea how to stop it, the dll anyway. That's up to the security guys, I hope they know what they're 'doin.

    Cheers

    Jim
     
  19. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Good to hear from you again, JW. :)

    Thanks for the info., JW. I guess that I was wondering if I already have this threat covered using both PG and ZA Pro.
     
  20. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    772
    Location:
    Toronto
    Hi again, well, PG has a checkbox to prevent this globally, but I doubt that ZA would.
    But then timing is important, because, when booting up, something that starts sooner seems to be able to inject dlls very easily, if there's not something else already running to stop it.
    For example, I've been testing OnLine Armor and when I looked at the running processes, I saw a number of OA dlls in most threads which all started after OA.
    A few processes that probably started about the same time as OA and all that started before OA did not contain the OA dlls. OA could only inject into new processes.
    The bad guys try to start as early as possible and inject their poison pill in as many processes as possible. I.e., before PG or OA have started.
    The open question then is, is there anything available to detect these early injection dlls. And I don't know.
    But if PG, OA and any others can stop something bad from setting up shop in the first place, then we need worry a little less about this.

    Hope this helped,

    Jim
     
  21. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    DLLs (Dynamic Link Libraries) are collections of code for doing various tasks that are then used by programs (e.g. a word processor may call a DLL for spell checking or drawing graphs). Having such features in a separate file means that they only need to be loaded into memory when used.

    DLLs can also be used to change program behaviour by altering key functions and this is used legitimately by software like mouse and touchpad drivers and some Windows desktop utility software. This can however also be used by malware to hijack legitimate programs in various ways (e.g. using web browser to send data through a firewall, monitoring keyboard input to pick up passwords, etc).

    PG/SSM and ZA both can control program execution and DLL injection so it would make sense to only have one program handle these. However PG/SSM can also block code injection (altering programs directly in memory), driver/service installation and direct memory access (as demonstrated by the SDTRestore exploit). Unless ZA can handle these also, I would suggest not dispensing with PG/SSM completely. Also, does ZA allow you to customize protection settings for other programs in the same way that PG/SSM do?
     
  22. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    772
    Location:
    Toronto
    Hi Paranoid2000
    Maybe you can make a comment about what I've just seen, as follows:

    PG didn't stop OnLine Armor from injecting 6 dlls in many processes.

    Here's the process list on my machine:
    smss
    csrss
    winlogon
    services
    lsass
    Ati2evxx
    svchost
    spoolsv
    cisvc
    dcuserprot PG
    svchost
    ISRservice
    PcCtlCom Trend PC-cillin
    regsvc
    MSTask
    OnlineArmor
    Tmntsrv Trend
    tmproxy Trend
    vsmon Zone Alarm
    WinMgmt
    svchost
    PDSched Trend
    minilog Zone Alarm
    ---------------------------------------
    All The following have OA dlls injected
    Ati2evxx
    ......
    including even some of PGs programs.
    pgaccount PG
    procguard PG
    and more, to the end of the list.

    If dcuserprot is PGs means to stop dlls from loading (by other than the
    main program), then it should have stopped OA.
    Unless it couldn't because it hadn't completely established itself by
    the time OA started.

    Or unless OA has a way of avoiding PGs protection, which would mean that
    a 'baddie' could also (assuming it had been allowed to establish itself).

    I don't know how these get sequenced for starting and I don't know if a
    process can delay other processes from starting until it has completely
    loaded and is ready to 'protect' me. But that would be a good thing, either PG or OA batting first.

    Jim
     
  23. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Is OA listed in your PG protection list? If so, was it authorised to modify protected applications? (BTW this is seriously OT for this thread, so please consider opening a new one to continue discussion of problems with specific programs).
     
  24. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Thanks for responding, P2K. :) I wasn't suggesting that I would drop PG/SSM, but whether or not I need to add SSM to what I have already (ZA/PG).

    Not sure what SSM can do, but ZA doesn't allow much program configuration. See pic.
     
    Attached file: za.gif
  25. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    There doesn't seem to be too much information about what exact behaviour ZA Trust levels cover (this forum post seems the best available) so the only way to be sure on this would be to run tests using the likes of SDTRestore, APM, registry editors and other testing tools.

    As to whether SSM is worth adding, that really comes down to whether you wish to have finer control over programs (e.g. allow X to be run by Y but not Z) - this can provide benefit with some vulnerable software (e.g. allowing Outlook Express to start Internet Explorer when you click an email link but blocking anything else from running IE). SSM also offers registry and .ini file monitoring but I believe you have those covered with other utilities do you not?
     