To poll or not to poll.....

When I came across RegDefend I was intrigued with the whole polling/hooking methods used by various registry protectors and did some expirmenting. While nearly all other apps I tested used polling (TeaTimer, SpySweeper, MS Anti-Spyware), RegDefend and Ad-Watch used hooking techniques.

I wasn't surprised about RD because that's the main selling point of it, but I was a bit about Ad-Watch. The difference between RD and AW is that RD will alert before the change takes place, whereas AW alerts after the fact.

 

So adwatch is hooking but only alerts after the change? That doesn't make much sense to me, if it was hooking it should always block before the change and alert to the user.

 

Hi Jason,

Ad-Aware's Ad-Watch does bring up an alert when a change takes place (I just re-tested it again with IE6) and it offers you an "accept" or "block". If you click on "Accept" the change, it then takes place. If you click on "Block", then the change will not take place of course.

snap

 

I have the feeling that adwatch would be using usermode hooking since it works on Win9x-XP, I'll have to verify that later though.

 

Ad-Watch's response to adding a value to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is pretty much instant, but only after RD prompts me to allow/deny. I isolated Ad-Watch with Regmon for a few minutes and did not see it polling.

Nick

 

The way I tested it was to use SysInternal's RegMon to check which apps were polling. Ad-Watch doesn't poll the registry, unless it manages to bypass RegMon's detection somehow.

Also, from my experiments the change is definitely allowed by Ad-Watch. If you click Accept, it will leave the registry as is. If you click Block, the registry will be reverted to the previous state. However, the change does take place initially.

I agree it's odd that it does not block the behaviour before the change occurs.

The only time Ad-Watch will check all the keys it monitors is when it starts and when the protection is enabled.

 

I'm pretty sure Ad-Watch is using the Win32 API function RegNotifyChangeKeyValue() to monitor changes.

This method apparently has a weakness because it cannot detect changes caused by a call to RegRestoreKey(). I haven't checked this though.

Can RegDefend detect changes caused by a call to RegRestoreKey() ?