Registry Monitor comparison

Discussion in 'other anti-malware software' started by hojtsy, May 19, 2004.

Thread Status:
Not open for further replies.
  1. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi hojtsy,

    Thanks a lot for the additional information. I believe that if you had downloaded a fairly current version, even if the trial had expired, you would have the most recent software so your results should be accurate.

    Rich
     
  2. jon_fl

    jon_fl Registered Member

    Joined:
    Sep 4, 2004
    Posts:
    242
    Would PG3.0 Free offer the same protection as SSM?
     
  3. jon_fl

    jon_fl Registered Member

    Joined:
    Sep 4, 2004
    Posts:
    242
     
  4. BillPStudios

    BillPStudios Security Expert

    Joined:
    Sep 15, 2004
    Posts:
    23
    Location:
    Scotia, NY
    Hi hojtsy,

    This discussion has really taken off! Have you compiled any kind of document that includes all the suggestions posted here? It could take me all day to read through everyone's comments but I probably will anyway. :)

    If you or anyone else has a list of registry entries I'll do my best to include all the important ones in our future plans.

    Thanks,
    Bill Pytlovany
     
  5. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    If you are worried about leak tests then the best coverage you can get will be a combination of Zone Alarm Pro and ProcessGuard!

    If you look here http://www.firewallleaktester.com/tests.htm you will see the results for ZAP and since PG 3 (full version) also covers all the AWF, Thermite and Copycat tests you will see that they complement each other nicely.

    Coincidently, I am using ZAP and PG!

    I also use WinPatrol for the very good reason that there is a fatal flaw in PG, SSM etc. - namely the human element! If you tend to click anything that moves, just to get rid of the pop-up, you could easily let a nasty through! Particularly if it is masquerading as something plausible. So I still like to have my Registry monitored and I still appreciate the multiple kill/delete on reboot facility of WinPatrol (not to mention all the other features like cookie control etc.).
     
    Last edited: Nov 4, 2004
  6. I have just added 20 more default keys to Registry Watcher, making the total 50 keys that are scanned for changes. It also writes a log of any suspect activity to a .log file on exit.

    It saved my bacon yesterday. I had "picked up" some Microsoft updates about a month ago, and despite avoiding SP2, some of these had SP2 in their name in the Add/Remove list. After putting them on, my PC booted in 2-3 minutes instead of the normal 30 seconds I was used to. Also, everything would grind to a halt when you loaded anything that wasn't in cache, and it seemed that any disc access temporarily stalled the CPU! Anyway, I took my XP Pro SP1 CD, and installed the OS again. It kept all my apps and data and settings really well, and the speed had come back (thank you, Lord!). However, the network settings weren't entirely preserved and it had set File and Print sharing on. I went online. I had been connected for about 30 seconds, when RegWatcher popped up with this:

    Registry Key hkey_local_machine\software\microsoft\windows\currentversion\run
    Value Popup Blocker System32 Monitoring will be a new value with data
    PopUpBlockerd.exe
    Registry Key hkey_local_machine\software\microsoft\windows\currentversion\run
    Value Microsoft DirectX will be a new value with data
    PDSched.exe

    My PC felt like treacle and Task Manager showed 97% utilisation by one of the SVCHOST.EXEs. I disconnected amidst a bevy of traffic. I found the nasties, deleted them, and got rid of the keys. There were a couple of other places it had hidden keys, so I incorporated them into my new default RegWatcher list. I found out about the RPC trojan dropper method that had been used, and applied the relevant Microsoft patch (no SP2 in its name TG!), switched off File and Print sharing that had let it in, and started running ZA to see what volume and sort of traffic was hitting my connection. It was mostly ports 135, 137 and 445 that were being investigated, and they're the 3 main File and Print sharing ports used by Windows.

    PDSched.exe is nasty, but easy to delete, and has been known about since July this year. I can't even find PopUpBlockerd.exe on Google. I have them both quarantined if anyone's interested in discombobulating them.

    Graphic
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi GE, I am sure that Gavin at DCS would like the job :)
    Please send a zip to submit@diamondcs.com.au "discombobulating" What a great word! :D

    Thanks. Pilli
     
  8. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    772
    Location:
    Toronto
    Hi folks, I recognize pdsched.exe as a Raxco - Perfect Disk scheduler. Is there a Trojan using the same name?
    Jim
     
  9. According to http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SDBOT.CN , when it's attempting to fool us into thinking it has something to do with Direct X, then it ain't what it really is - a trojan. The other one that pretends to be something to do with popup blocking, is again not what it contends to be. Both files are 30-40K .EXEs and so cannot contain a substantial application suite in them!

    RegWatcher at http://www.jacobsm.com/index.htm#sft will pop up and tell you if a trojan is trying to install itself. You have to remove any nasties it reports manually, although RegWatcher produces a log on exit, so you can easily refer to it while disinfecting yourself.

    Graphic
     
  10. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Thanks Graphic, MJ rocks.
    May I suggest two things:
    - Why not register your user here on Wilders? After that nobody else could post in your name. (They never sent spam in 3 years, if you are afraid of that).
    - Could you please include version information in the RegWatcher, both on the homepage, GUI and in the file? Would be easier to keep track.
    - Am I right that among the newly added keys in MJ RegWatcher two were missing from the Post #1 List:
    HKLM\SW\MS\Windows\CV\Explorer\ShellExecuteHooks, and
    HKLM\SW\MS\Windows NT\CV\Accessibility\Utility manager ?

    -hojtsy-
     
  11. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    No.
    In some areas PG provides more, in others SSM. I suggest you repeat the question in a new thread in the Process Guard sub-forum to receive a more detailed answer. Try to keep this thread on topic.

    At least you have a less urgent need of them, as those suggested firewalls already provide part of the protection provided by PG or SSM.

    -hojtsy-
     
  12. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    I have now registered. What I'm writing now should prove that! The 2 keys you mention are now in that list of 50 predefined ones on RW. I found another today, and I'm debating whether to put it in. It's hkey_users\.default\software\microsoft\internet explorer\extensions\cmdmapping, but this brings to mind ways of trying to check all user keys that match a certain pattern under HKEY_USERS. I have already got regexp-based pattern matching algorithms in the library I wrote, so I could allow the top window to specify wildcards or regexps in the key definitions. That way, you could cover all users, but narrow it down to, say, those with cmdmapping in the name. The version information will go in that release, and I'll try to keep everything synched up, webpage-wise.

    Graphic ;)
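Added example (editor's code, not RegWatcher's, MJ's or anyone else's in this thread), covering two things discussed above: the snapshot-and-diff detection that produced the two "will be a new value with data" pop-ups in post 6, and the wildcard watch-list entries for HKEY_USERS suggested in post 12. Snapshots are plain dicts of {key_path: {value_name: data}}; on Windows they would be filled from winreg, here they are constructed sample data (the SID is made up) that reproduces the two Run values from the thread. The watch-list is an assumed short list, not the monitor's real 50-key default set.

```python
"""Snapshot-and-diff monitor for autorun registry keys, with wildcard
watch-list entries so one pattern covers every user hive under HKEY_USERS.
Added example, not RegWatcher's code.  Snapshots are plain dicts
{key_path: {value_name: data}}; on Windows they would be filled from winreg,
here they are constructed data reproducing the Run values from the thread."""
import re
from datetime import datetime

# Assumed watch-list (not the monitor's real default set).  '*' matches exactly
# one key-path component, so the HKEY_USERS entry covers .DEFAULT and every
# S-1-5-... SID hive without also matching deeper subkeys.
WATCH_LIST = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks",
    r"HKEY_USERS\*\Software\Microsoft\Internet Explorer\Extensions\CmdMapping",
]

def pattern_to_regex(pattern):
    """Compile a watch-list entry to a case-insensitive anchored regex.
    Literal characters are escaped (key names can contain '.', '(' or '$'),
    '*' becomes one backslash-free component, '?' one non-separator char."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(r"[^\\]+")
        elif ch == "?":
            parts.append(r"[^\\]")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def watched_keys(snapshot):
    """Keys of a snapshot that match at least one watch-list entry."""
    regexes = [pattern_to_regex(p) for p in WATCH_LIST]
    return [k for k in snapshot if any(r.match(k) for r in regexes)]

def diff_values(baseline, current):
    """Return (kind, key, value_name, old_data, new_data) for every value that
    is new, deleted or changed under a watched key.  Key and value names are
    case-insensitive in the registry, so they are folded before comparison;
    the data itself is compared exactly."""
    old_keys = {k.lower(): k for k in watched_keys(baseline)}
    new_keys = {k.lower(): k for k in watched_keys(current)}
    events = []
    for folded in sorted(set(old_keys) | set(new_keys)):
        key = new_keys.get(folded, old_keys.get(folded))
        old = {n.lower(): (n, d) for n, d in baseline.get(old_keys.get(folded), {}).items()}
        new = {n.lower(): (n, d) for n, d in current.get(new_keys.get(folded), {}).items()}
        for name in sorted(set(old) | set(new)):
            if name not in old:
                events.append(("new", key, new[name][0], None, new[name][1]))
            elif name not in new:
                events.append(("deleted", key, old[name][0], old[name][1], None))
            elif old[name][1] != new[name][1]:
                events.append(("changed", key, new[name][0], old[name][1], new[name][1]))
    return events

def format_alert(event):
    """Pop-up text in the style the thread quotes for a new value."""
    kind, key, name, old, new = event
    if kind == "new":
        return f"Registry Key {key}\nValue {name} will be a new value with data\n{new}"
    return f"Registry Key {key}\nValue {name} {kind}: {old!r} -> {new!r}"

def write_log(events, path, when=None):
    """Append one timestamped line per event to the log consulted during
    clean-up; returns the number of lines written."""
    stamp = (when or datetime.now()).strftime("%Y-%m-%d %H:%M:%S")
    with open(path, "a", encoding="utf-8") as fh:
        for kind, key, name, old, new in events:
            fh.write(f"{stamp}\t{kind.upper()}\t{key}\t{name}\t{old!r}\t{new!r}\n")
    return len(events)

# Constructed sample snapshots.  The rescan uses the lower-case key spelling
# from the thread's alert and adds the two values the worm dropped.
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
CMD = r"\Software\Microsoft\Internet Explorer\Extensions\CmdMapping"
SID = r"HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001"  # made-up SID
BASELINE = {
    RUN: {"ZoneAlarm": r"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"},
    r"HKEY_USERS\.DEFAULT" + CMD: {"NextId": "8193"},
    SID + CMD: {"NextId": "8193"},
    r"HKEY_CURRENT_USER\Software\SomeApp": {"Ver": "1"},  # not watched, never reported
}
RESCAN = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run": {
        "ZoneAlarm": r"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe",
        "Popup Blocker System32 Monitoring": "PopUpBlockerd.exe",
        "Microsoft DirectX": "PDSched.exe",
    },
    r"HKEY_USERS\.DEFAULT" + CMD: {"NextId": "8193"},
    SID + CMD: {"NextId": "8194", "{00000000-0000-0000-0000-000000000001}": "8193"},
    r"HKEY_CURRENT_USER\Software\SomeApp": {"Ver": "2"},
}

if __name__ == "__main__":
    for ev in diff_values(BASELINE, RESCAN):
        print(format_alert(ev), end="\n\n")
```

Two design points worth noting. Folding key and value names to lower case before comparing is what keeps the monitor from reporting a spurious "new value" just because a rescan enumerated `SOFTWARE` as `software`, which is why the lower-case spelling in the thread's alert is harmless. And restricting `*` to a single path component means the HKEY_USERS pattern picks up every SID hive (and `.DEFAULT`) without silently expanding the watch-list to deeper subkeys, whose changes would otherwise drown the Run-key alerts in noise.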
     
  13. Galcoolest

    Galcoolest Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    229
    Location:
    San Francisco
    I totally got a thrill out of this whole thread. I learned so much I had been wondering about, and despite my lengthy research I couldn't possibly have obtained another learned, detailed, side-by-side analysis of the various reg mons anywhere else out there - cus one doesn't exist except right here! I have the newest, baddest version of RegW, and it's way fine! Sure wish I'd had it last week when a script kiddie completely did me in by getting through my Linksys router (the quite recent patch for the vulnerability of which got screwed up when SP2 went in). The creep got all the way down to messing up my BIOS....

    I do wonder, however, if there is a help file with RegWatcher that either didn't make it on download, or that got deleted accidentally by me somehow. I figured out without one what was going on, and then Googled for my leftover questions (and MJ, your link was fritzed today, btw...). I'm just curious, cus I'd like to send the link to some not so experienced friends.... The press for the program is good, and I congratulate you MJ on your hard work and accomplishments.

    (Quick aside question- I have had nothing but trouble with SP2 on my Home ed. and soon will be going Pro, but in the meantime I want to uninstall SP2 also and go back to SP1, and go get the SP1 updates from the WinCatalog to install before going online again. Does anyone know a date from which to start the search, when SP1 was first updated?? I learned from experience this is really the only way to re-enter the fray, and I lost my old list of all the updates I'll need... Thanks, and sorry for the off subject tangent).
    o_O
     
  14. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    @Graphic Equaliser- Congratulations on becoming a member. There are some really nice, friendly folks here. Your presence will definitely add, both to expertise here, & to the community.

    The downloads of RegWatch must have accelerated a bit. I hope you don't have a sudden bandwidth problem. Perhaps you might consider adding a *Donate* link to your site. Just a thought. *puppy*
     
  15. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Thank you for your kind comments. MJRW has no help file or version info as of yet. I think my next release of it will have a quick help screen, some extra keys for HKEY_USERS, and version info in the standard Windows format (inside the .EXE), and this version info will be on the website too. I will also try to put a button on the screen for displaying the log file, which stores all the old alerts from previous runs. Further enhancements are further off, but may include wildcards in the registry keys monitor list, or whatever gets suggested that sounds useful (and implementable!). But bear in mind, the app is just a mere registry monitor, and should really stay that way to ensure minimal resource usage.

    MJRW started off as a hobby project, and was based on ideas in Startup Control Panel by Mike Lin, which I wanted to take further. It is now becoming quite a useful little intrusion detector, as well as being able to protect file associations and anything else in the registry. Regards,

    Graphic
     
  16. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    To the developer of my favorite registry monitor, a big Welcome to Wilders, Graphic. :D
     
  17. Jimbob1989

    Jimbob1989 Registered Member

    Joined:
    Oct 18, 2004
    Posts:
    2,529
    Firstly, does Dazed_and_Confused really look that good?
    Secondly, does anyone know if the registration for Regmon is free? I couldn't find the site.

    Jimbob
     
  18. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
  19. Jimbob1989

    Jimbob1989 Registered Member

    Joined:
    Oct 18, 2004
    Posts:
    2,529
    And the first question?
     
  20. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    I have just done the finished first version of RegWatcher at http://www.jacobsm.com/index.htm#sft - version 1.1.2.1

    This has 52 keys and covers most of Hojtsy's key list for the comparison. This has a help screen, a log file interface, and version information. The webpage documents it better too, with the version number on the download link.

    That will be the last update for a while (barring severe bug fixes) - please enjoy. And thanks for your support,

    Graphic :)
     
  21. jon_fl

    jon_fl Registered Member

    Joined:
    Sep 4, 2004
    Posts:
    242
    Do you need to have combak and usrbak as start up items in RegWatcher?
     
  22. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    The usrbak and combak directories are holding places for backups of the user and common startup directory links. Sometimes, Windows doesn't get rid of them, although RW should wipe them out when it exits. They are nothing to worry about, and can be left as they are. Anything in these directories is wiped out before a backup of links is made into them. I hope that's clear.

    Graphic :)
     
  23. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Graphic,


    Hello again. :)

    Regarding your post here concerning the version information...

    • You state the version is in the Title bar when RW is restored from the system tray. I don't see this (reference pic).
    • Regarding your reference to the "Help" screen. What are you referring to?
    Thanks!!!:D

    Edit: I posted this response here as I assume it's probably more appropriate in this forum - the other is primarily for TDS support. ;)
     

    Attached file: MJ.gif (9.2 KB)
  24. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
  25. mountainman

    mountainman Guest

    Does anyone know if the registry monitor in SSM is superior to MJ Reg Watcher? It seems like it would be considering that MJ RW only alerts you to a change but doesn't allow you to do anything about it. But doesn't SSM allow you to undo the change? Correct me if I'm wrong here, I never actually tried MJ RW. Plus SSM is just as configurable as MJ RW, not to mention all the other great features of SSM.
     