Registry Monitor comparison

Discussion in 'other anti-malware software' started by hojtsy, May 19, 2004.

Thread Status:
Not open for further replies.
  1. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Currently the only reason for that is that I do not have or want every one of these tested programs to be installed on my machine. About the ease of Reg Mon: you do not need to believe me, just try it yourself.
    The weakness of Reg Mon is that it only lists the registry keys which are repeatedly read by the software; it does not tell what it does with the read values. So to be sure that the software correctly reports removals of startup entries you need to check it by removing entries and waiting for an alert. Ideally this should be repeated for each startup location which is monitored. I have a real life, and I don't have that much time for this, so I rather asked for this specific information to be obtained by somebody else.
    Yes, if I would have or want Adwatch installed on my computer. But if any of you have or want Adwatch I would be grateful if he could send in the list of monitored keys, obtained from Sysinternals Registry Monitor. About other, yet unlisted software: I will include it of course if it is worthy of mention here.
    -hojtsy-
     
  2. BillPStudios

    BillPStudios Security Expert

    Joined:
    Sep 15, 2004
    Posts:
    23
    Location:
    Scotia, NY
    I can confirm that WinPatrol will not alert users when a typical startup entry is removed. It's not something we've addressed but it's not a bad idea since historically some virus programs have been known to remove popular anti-virus programs. It would be one symptom of an infiltration but I suspect other obvious conditions would cause Scotty to alert our users.

    The list of reg entries found here is great and I'm grateful to hojtsy for getting the discussion going. It's given me a lot to think about but I'd rather not get into a competition over reg entries as the holy grail for evaluating a product's value.

    I'm a big fan of the free products that have been mentioned in this thread. I consider them as colleagues in our efforts to fight mysteryware. Our competition are the b%^#*%ards who use scare tactics on unsuspecting users. They claim to be free, then warn users they have 100 serious infections (usually tracking cookies) followed by an offer to help only if they are paid $49.

    I may not be right but it's the way my brain works.

    Thanks again,
    Bill
     
    Last edited: Sep 17, 2004
  3. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
    Does anyone know what keys are watched by Ad-Watch, Spy Sweeper and PrevX?

    Thank you,
    Atomas31
     
  4. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Note: there is a new and even better Sysinternals Autoruns 5.01. If you are using an older version check it out! A new key to chew on:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
    Will add this key soon to the big table, no software monitors it yet.
    __________________________________
    I agree that the list of reg entries should not be the only measurement of a product's value. You should also consider stability, resource usage, ease-of-use, support, other features, costs, compatibility, etc. I believe that the perceived importance of these factors, and thus the perceived value of specific products, will differ from person to person. I did not intend to compare the value of specific products. That each of you should do yourself, based on your preferences. My goals with the thread are:
    - I intend to help the product comparison with some not-so-well-known information.
    - I was interested myself in the key lists, which could help me to select a software. I am always looking for an even better one.
    - I hoped to pressure any of the authors to improve the monitored key list: up to now this was a failure, as none of them made a change for a long time.

    -hojtsy-
     
  5. erikguy

    erikguy Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    236
    Location:
    Salem, OR
    I believe the final release (1.0) of Prevx watches this. Don't quote me on that. :p I'm not too sure.
     
  6. BillPStudios

    BillPStudios Security Expert

    Joined:
    Sep 15, 2004
    Posts:
    23
    Location:
    Scotia, NY
    Authors are funny about stuff but you did accomplish a great discussion on what keys need to be monitored and why. You've also pressured me to look more closely at our keys and which ones should be included in future versions. WinPatrol 8.0 didn't add a lot of new keys with the exception of the file type association list.

    Our biggest problem this year hasn't been in detecting threats but in making it easy for users to remove them. So much mysteryware comes in multiples that it's a real challenge. In the past, I've referred people to CWShredder when all else fails but I read we won't be seeing updates in the near future.

    You can bet WinPatrol 9.0 will include more registry keys and it will be thanks to your thread here.

    Thanks!
    Bill
     
  7. Rita

    Rita Infrequent Poster

    Joined:
    Jun 28, 2004
    Posts:
    6,863
    Location:
    wilds of wv
    Hi Bill
    I love WinPatrol-a great program
    Rita
     
  8. Hi,

    Good news!
    RegRun 4 Gold automatically traces all keys in the list.
    Please download the latest version trial version and see what you think:
    http://www.greatis.com/regrung400b2.exe
    Home page:
    http://www.regrun.com

    After reading this thread I decided to take some of your suggestions and I have added all items that are important for startup.
    Here some changes and other info on entries that were discussed here as well as other I added that were not mentioned.

    1. HKLM\SW\MS\Windows\CV\RunOnce\Setup
    "Setup" key contains information for Microsoft setup.
    It is not used for start programs.

    2. HKCU\SW\MS\Windows\CV\Explorer\Shell Folders.
    I added only Startup value for tracing.
    Note!
    Some of the values "Cache", "Cookies" are changed during Windows session to LocalService account. After finishing Internet connection they are switched back.

    3. HKLM\SW\MS\Active Setup\Installed Components
    Active Setup is traced by RegRun internally.
    Active Setup option in Control Center, Options, Registry Tracer.
    Also you can trace any file extension using RegTracer.
    The Add/Remove commands are in the same place.

    4. HKLM\System\CCS\Control\Session Manager\FileRenameOperations
    This was already included and is called Anti Replacement in RegRun.

    5. HKLM\SYSTEM\CurrentControlSet\Services
    Services are monitored internally.
    This key is added to trace list under Windows 98/Me.

    6. HKLM\SW\MS\Windows NT\CV\IniFileMapping
    Added traces for win.ini and to system.ini.
    Other .ini files are not important.

    7. Winlogon values:
    Run, Load, Shell are controlled by RegRun Start Control internally.

    8. HKLM\SW\MS\Windows NT\CV\Winlogon\WmApplet
    Typo!
    It must be
    HKLM\SW\MS\Windows NT\CV\Winlogon\VmApplet
    Virtual Memory manager for Winlogon.
    Used only if no page file on boot volume and the user needs to set it up.

    9. HKLM\SW\MS\Windows NT\CV\Winlogon\System
    Looks like it's not used for startup.

    Here are some other items that were not discussed here that I have added:
    HKLM\SW\MS\Windows NT\CV\Winlogon\Taskman
    This value is used to launch Task Manager.
    Anyone can specify any program to run instead of Taskman.exe which could be dangerous.
    By default this value does not exist.
    Format is REG_SZ.
    I added "Procman.exe".
    It is successfully executed during startup.
    Note!
    This is Winlogon Taskman.
    After finishing startup Windows uses standard task manager.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2
    This key is very important.
    Spyware often uses this key to install its own components.

    Comments, suggestions are appreciated:
    http://www.greatis.com/regrun3support.htm

    Best regards,
    Dmitry Sokolov
    RegRun's developer
     
  9. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    Thanks Dmitry, RegRun is a great program that is a part of my everyday security.

    Thanks,

    Chris
     
  10. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    RegRun looks like a serious bit of kit. How regularly does it monitor these keys though? I mean Tea Timer is pretty quick to warn of a change while WinPatrol can take a minute or two to get round to looking?
     
  11. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    Watchdog, which is the monitor, can be customized to however many minutes you want. It is set by default to check every 10 minutes.

    It is a nice suite of utilities. Hopefully you will d/l the NIVA 4 beta and give it a test.

    Thanks,

    Chris
     
  12. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Thanks Dmitry,
    FINALLY an Author catches up with The List! Now we got one step before the spyware writers by already monitoring several less obvious keys which were not yet widely used for attacks.
    I will query to update post #1 soon, but you know it's much more hassle now that direct editing of old posts is disabled.
    -hojtsy-
     
  13. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Why not just start a new thread - link to it from your last post here (also include a link to this thread in it for review purposes) and send a PM to one of the mods asking them to stick the new and de-stick the old.
     
  14. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    I have just found this thread as recently I have been giving serious consideration to this type of software as I realise that not every monitor is watching the same keys. I am very interested in this whole discussion especially the 'new to me' Regrun. I have some back reading to do but I have certainly found a lot of information to digest and try to work out which one is the next to add to my security.

    It would be great to have a new thread with the information gathered from this one to have a comparison list to help others who are trying to source the best tool. I don't mind paying for a program if it does the task it is meant to just need to study how to use it first :oops: I value all the opinions already posted in this thread.
     
  15. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    hi,
    If I would start a new thread every time The List needs to be updated the information you found in this thread would be scattered between 20 threads, and I would definitely be unable to follow them.
    Regrun will be updated in post #1 in a few hours, based on my understanding of post by Dmitry. Dimitry could you please check post #1, if I understood your post correctly.

    I would like to broaden the topic now: if somebody discovers a spyware in one of the more exotic registry autostart locations (that means NOT HK*\SW\MS\Windows\CV\Run*), could you please post the location and the spyware name. Such experiences would justify the monitoring of those keys even for those cozy guys who tend to believe in statements like "this exploit is not yet used so it is not dangerous". :D

    best regards
    -hojtsy-
     
  16. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    Thanks guys. Remarkable thread. I don't understand a lot of what you are referring to but know that this sort of collaboration when taken up by vendors such as greatis can only help. As greatis/Dimitri seem to be the only vendors actively participating and acknowledging so, and as I am on the search for this type of software, I will almost certainly be heading off their way. Thanks again.
     
  17. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi everyone,

    I downloaded a trial of RegRun Gold, but I have to admit I am pretty confused about the primary benefits of the product. Are there any specific areas of the program that I should be looking at? For protection at this point I use: KAV 4.5.104, ZoneAlarm Pro, Ewido, Giant Anti-Spy, Ad-aware, Spybot, SpywareGuard, SpywareBlaster, and I use CCleaner for registry cleaning. I am waiting for ProcessGuard 3.0 to try it out. Do I need RegRun for anything? I think RegRun needs a specific highlights paper to point potential buyers to the key features. But it looks like a very interesting product.

    Thanks,
    Rich
     
  18. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi richrf,

    The primary benefit of Regrun is protecting your registry. Websites (using exploits) are able to alter your registry even with all your other security.
    If regrun detects something changing your registry, it can alert you and let you restore it immediately. There are other benefits, but that is the main one.
     
  19. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Devinco,

    As always, thanks for your quick response.

    I currently have RegProt, TeaTimer, and Adaware Watch. I've turned off RegProt and TeaTimer because they appear to overlap with Adaware Watch, and all of the alerts were getting a bit annoying. Please correct me if I am wrong.

    Insofar as RegRun is concerned, it appears that it amplifies the protection that the other programs that I have mentioned provide. Am I correct? If so, how do I turn on this protection in my trial version so that I can verify? There are so many features in this program, it is like finding a needle in a haystack.

    Any further information or advice is appreciated.

    Rich
     
  20. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi richrf,

    You can enable Watch Dog (the registry monitor component) under Options in the RegRun Control Center.

    Nick
     
  21. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Rich,

    You should only need/use one registry monitor. AdWatch is not listed here and I don't know if it can monitor user configured registry keys. That is the important thing so you can add all the keys that hojtsy listed to monitor. If adwatch can add custom keys, then add the list of keys in post 1. If not, then I would go for regrun.
     
    Last edited: Oct 21, 2004
  22. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Thanks Nick and Devinco for your help. I will check out the configurability of Adware Watch.

    Cya,
    Rich
     
  23. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I have been running Registry Watcher for several days now. I got it from HERE.

    RegWatcher is configurable. That is, you can add or delete registry items that you want this program to monitor. It maintains this list on a simple, easily edited text file.

    RegWatcher uses only 2 threads occupying 671.1K of memory. It is a polling scanner. Scans every 10 seconds. When it scans it uses just 1.5% of my 233 MHz CPU's cycles. Each scan is done in the blink of an eye. Between scans, RegWatcher's CPU usage is below measurable levels.

    To uninstall simply delete the file folder where you put RegWatcher. It adds no files other than those in its own folder.

    I really like RegWatch, & I am very grateful to this thread for having put me onto it, & for giving me the registry items that it should monitor.

    Mahalo...... bellgamin
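    The posts above describe two designs from opposite directions: Dmitry's list of startup keys worth tracing (Run/RunOnce, ShellExecuteHooks, the Winlogon values such as Shell and Taskman, the WinSock2 service key), and bellgamin's description of RegWatcher as a polling scanner driven by a plain text list of keys. Bill's and hojtsy's earlier point, that a monitor which only looks for new entries never notices a startup entry being deleted, is the detail most easily lost in such a design. The following is an added example written for this thread, not code from RegRun, RegWatcher, WinPatrol or any other product mentioned here. It snapshots every value under each listed key and, on each poll, reports added, modified and removed values alike. The watch list is constructed from the keys named in the thread with the HKLM\SW\MS\...\CV abbreviations expanded; the file name on the command line, the poll interval and any paths that appear in the comments are assumptions. Reading the real registry needs the Windows-only winreg module; the diffing logic is platform-independent and can be exercised with constructed snapshots.

```python
"""Polling registry-snapshot monitor (added example; not code from RegRun,
RegWatcher, WinPatrol or any product in the thread).  Reads a watch list
from plain text, snapshots every value under each listed key, and on each
poll reports values that were added, modified or removed.  Reading the
real registry needs the Windows-only winreg module; the diff logic does not."""
import sys
import time

# Constructed watch list built from keys named in the thread, with the
# HKLM\SW\MS\...\CV abbreviations expanded to full paths.
DEFAULT_WATCHLIST = r"""
# one key per line; '#' starts a comment
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
# Shell, Taskman and VmApplet are values under this key
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2
"""


def parse_watchlist(text):
    """Return the key paths in watch-list text, ignoring comments and blanks."""
    keys = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            keys.append(line)
    return keys


def read_key_winreg(key_path):
    """Read the values directly under key_path as {name: (type, data)}.
    Returns {} when the key does not exist.  Windows only."""
    import winreg  # imported here so the diff logic stays importable elsewhere
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    hive, _, subkey = key_path.partition("\\")
    values = {}
    try:
        with winreg.OpenKey(hives[hive], subkey) as handle:
            index = 0
            while True:
                try:
                    name, data, vtype = winreg.EnumValue(handle, index)
                except OSError:          # no more values under this key
                    break
                values[name] = (vtype, data)
                index += 1
    except FileNotFoundError:
        pass
    return values


def snapshot(keys, reader=read_key_winreg):
    """{key_path: {value_name: (type, data)}} for every watched key."""
    return {key: dict(reader(key)) for key in keys}


def diff_snapshots(before, after):
    """Return (event, key, value_name, old, new) tuples.  'removed' is
    reported on purpose: a monitor that only looks for new entries misses
    a startup entry (for example an anti-virus loader) being deleted."""
    events = []
    for key in sorted(set(before) | set(after)):
        old_vals, new_vals = before.get(key, {}), after.get(key, {})
        for name in sorted(set(old_vals) | set(new_vals)):
            if name not in old_vals:
                events.append(("added", key, name, None, new_vals[name]))
            elif name not in new_vals:
                events.append(("removed", key, name, old_vals[name], None))
            elif old_vals[name] != new_vals[name]:
                events.append(("modified", key, name, old_vals[name], new_vals[name]))
    return events


def poll(keys, interval_seconds=10, reader=read_key_winreg, cycles=None):
    """Take a baseline, then re-snapshot every interval_seconds and print
    each change once.  Returns the per-cycle event lists."""
    baseline = snapshot(keys, reader)
    history, done = [], 0
    while cycles is None or done < cycles:
        time.sleep(interval_seconds)
        current = snapshot(keys, reader)
        events = diff_snapshots(baseline, current)
        for kind, key, name, old, new in events:
            print(f"[{kind.upper()}] {key} :: {name!r}  {old!r} -> {new!r}")
        history.append(events)
        baseline = current           # alert once per change, not on every poll
        done += 1
    return history


if __name__ == "__main__":
    # usage: python regwatch.py [watchlist.txt]  (script and file names are assumed)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else DEFAULT_WATCHLIST
    poll(parse_watchlist(text))
```

    Two properties of this design are worth keeping in mind when comparing products like those in the thread. First, a poller only sees the state at each tick, so a value that is written and reverted between two polls is never reported; TopperID's question about how often RegRun checks is exactly this trade-off, and the 10-second cadence bellgamin measured for RegWatcher versus Watchdog's 10-minute default changes the window considerably. Second, because the baseline is replaced after each report, a change is alerted once rather than on every subsequent poll, which is why the removal of a value is a first-class event here and not an absence that silently ages out.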
     
  24. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Hmmm! Another contender!

    I've been running WinPatrol for the last few weeks and I must say I really like it. It not only keeps you informed about changes to your autostarts, BHOs, IE helpers and running processes etc, it also gives you the opportunity to do something about it by terminating malware processes simultaneously.

    Thus if you get hit by several 'alien' processes that work in tandem with each other (thus preventing you from terminating each of them on an individual basis) you can select all of them together (by using the control key in the usual way) and then kill them all at once. You can also get WinPatrol to simultaneously delete them at reboot if all else fails.

    I'm not sure if the other contenders have this multiple kill ability.
     
    Last edited: Oct 22, 2004
  25. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi all,

    I downloaded WinPatrol and Registry Watcher. Both seem very simple and to the point. Just a quick - and very simple-minded question.

    It looks like with Registry Watcher I can just plop in the keys that I want to monitor and that's it. Is there any reason to use RegProt, Ad-Watcher, Tea Timer, or any of these other programs if Registry Watcher is doing the same thing and more? Am I missing something?

    Thanks.
    Rich
     