
MJ Reg Watcher [system monitoring tool]

Posted: Thu May 18, 2006 11:52 pm
by AlephX
[2018-07-15 Mod note: OP subject changed for clarity; original was "Reg Watcher + question"]

Hi, I've found this security program which could be interesting:

MJ Registry Watcher (Version 1.2.4.5 - Zip Size 490K)

site: http://www.jacobsm.com/mjsoft.htm

License: freeware

Synopsis (by the author)
It is a simple system tray program that monitors for changes to any of the startup folders, startup registry keys, and any files you want alerting on.
If a trojan attempts to change your startup settings, you will be alerted, and you can prevent any changes being made. It is fully configurable as to what keys and files are monitored, so, if you have a vested interest in protecting your file association for the mailto protocol (your default emailer), so that your preferred app loads them, and something else is trying very hard to undermine this association (Outlook for example), this will popup, offering to stop a new association attempt, after Outlook had loaded, say. The key that stores this association is hkey_lmus\software\classes\mailto\shell\open\command, and you could protect other associations by changing "mailto" to the desired type, for example, "jpegfile".
When monitoring, keys are opened in Read-Only mode, and the application only needs Write Registry access when it has detected a change. It keeps a log of any suspect activity, and displays any such information for the current session in the bottom panel. A log file has this appended to it and can be viewed by pressing the Log button. The file keeps a complete history of alerts.

Installation/write settings (by the author)
To install it, extract the files with pathnames, and you'll have a self-contained .exe file with a small help text file, the keys and files lists, and a couple of exclusion files in the MJRegWatcher directory. Create a shortcut to C:\MJRegWatcher\RegWatcher.exe and launch it. Then, use the Options, Settings, Automatic Startup Options screen to install it either just for the current user, or for all users. From this screen, you can also choose which key set to start it up with, or even uninstall it.

I don't know if it is really portable or simply useful for other purposes.
Anyway I used regshot to see it. Can you tell me how to evaluate the following results?


----------------------------------
Keys added:4
----------------------------------
HKU\S-1-5-21-407404009-2007238923-643028249-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
HKU\S-1-5-21-407404009-2007238923-643028249-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
HKU\S-1-5-21-407404009-2007238923-643028249-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*
HKU\S-1-5-21-407404009-2007238923-643028249-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv

----------------------------------
Values added:6
----------------------------------
HKU\S-1-5-21-407404009-2007238923-643028249-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv\a: "C:\My Documents\MYCOMP\Personal Data\first.hiv"
HKU\S-1-5-21-407404009-2007238923-643028249-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv\MRUList: "a"
HKU\S-1-5-21-407404009-2007238923-643028249-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\a: "C:\My Documents\MYCOMP\Personal Data\first.hiv"
HKU\S-1-5-21-407404009-2007238923-643028249-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "a"
HKU\S-1-5-21-407404009-2007238923-643028249-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\a: 72 00 65 00 67 00 73 00 68 00 6F 00 74 00 2E 00 65 00 78 00 65 00 00 00 43 00 3A 00 5C 00 44 00 6F 00 6B 00 75 00 6D 00 65 00 6E 00 74 00 65 00 20 00 75 00 6E 00 64 00 20 00 45 00 69 00 6E 00 73 00 74 00 65 00 6C 00 6C 00 75 00 6E 00 67 00 65 00 6E 00 5C 00 44 00 41 00 52 00 44 00 5C 00 45 00 69 00 67 00 65 00 6E 00 65 00 20 00 44 00 61 00 74 00 65 00 69 00 65 00 6E 00 00 00
HKU\S-1-5-21-407404009-2007238923-643028249-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\MRUList: "a"

----------------------------------
Values modified:1
----------------------------------
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 95 73 9F F4 56 05 27 97 CF 80 34 70 EC D0 54 9B C7 BF 87 4E 68 CA FA 7A EF 49 42 75 88 98 1F CF 2B B0 AD D0 BA 4D 25 59 4E C9 F4 8D 9A B9 30 CE 42 1A 1E E8 EC 8C 5D 3C 91 BA B0 76 83 FC 10 F5 30 10 D4 83 47 93 D0 21 E1 C4 05 AC FD 85 6E 1D
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: D5 A2 8A B8 53 FA D8 F2 49 CD 4C C4 8C C0 35 DD B5 E0 05 47 03 47 55 81 FE 7A 6F D0 B5 5A A6 FC E4 B1 E8 EF 8D 44 32 07 F6 29 16 A3 C1 AF 9E 60 61 F8 AC DF 3C 1D FA 47 81 99 6B 26 FE D4 B7 FF AE D9 46 A9 46 6B E5 F2 80 4B 92 58 4D 8A A6 5F

----------------------------------
Total changes:11
----------------------------------
Thank you!
Aleph

Posted: Fri May 19, 2006 6:46 am
by Toxteth O'Grady
This looks like a nice, additional layer of defence against all the harm the bad guys on the internet want to do to you. :wink: Thanks for the info, I'll give it a try.

I'm not an expert, but this looks like a portable program.
The MRU entries are modified by Windows itself. MRU = most recently used, obviously they change all the time.
The updated cryptography value is irrelevant as well. At least, I read somewhere that it can be updated by starting other programs that don't use cryptography at all.
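The Regshot diff in the first post and the reading of it in the reply (the MRU keys and the RNG seed are Windows housekeeping, not the program's own writes) can be checked mechanically rather than by eye. The script below is an added example written for this thread; it is not code from MJ Registry Watcher, Regshot or any poster. It parses a Regshot text report, decodes REG_BINARY dumps as NUL-separated UTF-16LE (the `LastVisitedMRU\a` blob posted above decodes to `regshot.exe` followed by the user's `Eigene Dateien` folder, i.e. Regshot's own Save dialog wrote those entries when the hive was saved), and sorts each change into noise, watch (autorun lists and `shell\open\command` handlers such as the mailto key the author mentions) or review. The noise and watch pattern lists, the sample report (same SID and ComDlg32 keys as the post, a shortened blob, truncated seed values, plus a made-up `Run\Updater` entry so the watch bucket is exercised) are constructed assumptions, not observed data.

```python
"""Triage a Regshot text report: decode REG_BINARY dumps as UTF-16LE and sort
each change into routine Windows noise, autorun/association keys worth
watching, or entries that need a human look.

Added example for this thread, not code from MJ Registry Watcher or Regshot.
The pattern lists are the editor's assumptions, chosen to cover the keys in
the diff posted above; extend them for your own baseline.
"""
import re

# Assumption: keys Explorer and CryptoAPI rewrite on their own. The ComDlg32
# MRUs are written by the common Open/Save dialog of whatever program used it;
# RNG\Seed is reseeded when a process uses CryptoAPI, so it changes after
# almost any program run.
NOISE_PATTERNS = [
    r"\\Explorer\\ComDlg32\\",
    r"\\Explorer\\RecentDocs\\",
    r"\\Cryptography\\RNG\\Seed$",
]

# Assumption: the kind of keys a startup monitor such as MJ Registry Watcher
# exists to guard (autorun lists and protocol/file-association handlers).
WATCH_PATTERNS = [
    r"\\Windows\\CurrentVersion\\Run(Once)?(\\|$)",
    r"\\Software\\Classes\\[^\\]+\\shell\\open\\command",
]

HEX_DUMP = re.compile(r"^(?:[0-9A-Fa-f]{2}\s+)*[0-9A-Fa-f]{2}$")
SECTION = re.compile(r"^(Keys|Values) (added|deleted|modified):\s*\d+$")


def decode_blob(hex_dump):
    """Decode a Regshot hex dump as NUL-separated UTF-16LE strings (the layout
    Explorer uses for MRU entries). Returns None for anything that is not
    printable text, e.g. the random bytes of the RNG seed."""
    raw = bytes.fromhex(hex_dump.replace(" ", ""))
    if len(raw) % 2:
        return None
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    parts = [p for p in text.split("\x00") if p]
    if not parts or not all(p.isprintable() for p in parts):
        return None
    return parts


def classify(path):
    """Return 'noise', 'watch' or 'review' for a registry key or value path."""
    for pattern in NOISE_PATTERNS:
        if re.search(pattern, path, re.IGNORECASE):
            return "noise"
    for pattern in WATCH_PATTERNS:
        if re.search(pattern, path, re.IGNORECASE):
            return "watch"
    return "review"


def parse_report(report):
    """Yield (section, path, value) for each change line in a Regshot report.
    Key lines have an empty value; value lines carry the text after ': '."""
    section = None
    for line in report.splitlines():
        line = line.strip()
        if not line or line.startswith("---") or line.startswith("Total changes"):
            continue
        header = SECTION.match(line)
        if header:
            section = f"{header.group(1).lower()}_{header.group(2)}"
            continue
        if section is None or not line.startswith("HK"):
            continue
        path, _, value = line.partition(": ")
        yield section, path, value


def triage(report):
    """Bucket every change and decode any binary dump that is UTF-16 text."""
    result = {"noise": [], "watch": [], "review": [], "decoded": {}}
    for section, path, value in parse_report(report):
        result[classify(path)].append((section, path))
        if HEX_DUMP.match(value):
            parts = decode_blob(value)
            if parts:
                result["decoded"][path] = parts
    return result


# Constructed sample in Regshot's text format: the SID and ComDlg32 keys are
# the ones from the thread, the LastVisitedMRU blob is "regshot.exe\0C:\Temp\0"
# in UTF-16LE, the Seed values are the first 16 bytes of the posted ones, and
# the Run\Updater line is made up to exercise the 'watch' bucket.
SID = "S-1-5-21-407404009-2007238923-643028249-1007"
CD = "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32"
RUN = "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater"
SAMPLE_REPORT = rf"""
----------------------------------
Keys added:4
----------------------------------
{CD}\LastVisitedMRU
{CD}\OpenSaveMRU
{CD}\OpenSaveMRU\*
{CD}\OpenSaveMRU\hiv

----------------------------------
Values added:7
----------------------------------
{CD}\OpenSaveMRU\hiv\a: "C:\My Documents\MYCOMP\Personal Data\first.hiv"
{CD}\OpenSaveMRU\hiv\MRUList: "a"
{CD}\OpenSaveMRU\*\a: "C:\My Documents\MYCOMP\Personal Data\first.hiv"
{CD}\OpenSaveMRU\*\MRUList: "a"
{CD}\LastVisitedMRU\a: 72 00 65 00 67 00 73 00 68 00 6F 00 74 00 2E 00 65 00 78 00 65 00 00 00 43 00 3A 00 5C 00 54 00 65 00 6D 00 70 00 00 00
{CD}\LastVisitedMRU\MRUList: "a"
{RUN}: "C:\Temp\updater.exe"

----------------------------------
Values modified:1
----------------------------------
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 95 73 9F F4 56 05 27 97 CF 80 34 70 EC D0 54 9B
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: D5 A2 8A B8 53 FA D8 F2 49 CD 4C C4 8C C0 35 DD

----------------------------------
Total changes:12
----------------------------------
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    for bucket in ("watch", "review", "noise"):
        print(f"{bucket}: {len(summary[bucket])}")
        for section, path in summary[bucket]:
            print(f"  [{section}] {path}")
    for path, parts in summary["decoded"].items():
        print(f"decoded {path}: {parts}")
```

Run against the real report saved by Regshot (the `.txt` output, not the `.hiv` snapshot) and only the `watch` and `review` buckets need reading; anything the script decodes from ComDlg32 tells you which program opened the dialog. Treat the pattern lists as a starting point: a monitor like the one in this thread should have its own key list in the watch set, and every key you move to the noise set should be one you have confirmed Windows rewrites without user action.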

Posted: Fri May 19, 2006 8:34 am
by AlephX
Thank you! :D

I've seen other applications doing the same thing... good to know!

Posted: Wed May 24, 2006 6:30 am
by Andrew Lee
Thanks! Posted to the database.

Re: Reg Watcher + question

Posted: Wed Jul 04, 2018 6:31 pm
by bitcoin
the author updated MJ RegWatcher to v1.2.8.5 on April 24th

https://www.jacobsm.com/mjsoft.htm#rgwtchr


also updated these recently:

MJ Emails - Last Update 9/6/2018
MJ News Reader - Last Update 14/4/2018
Maths Penknife - Last Update 24/4/2018
Grapher - Last Update 14/4/2018
MJ Player - Last Update 24/4/2018
MJ Zoomer - Last Update 14/4/2018
MJ Browser - Last Update 14/4/2018

Re: Reg Watcher + question

Posted: Thu Jul 05, 2018 3:47 am
by Midas
Wow! Major resurrection for a very popular registry monitor from yore... ;)

Re: MJ Registry Watcher

Posted: Sun Jul 15, 2018 2:24 pm
by smaragdus
While updating MJ Registry Watcher I accidentally deleted a file and as a consequence I got this:


MJ Registry Watcher spawned two processes quicker than I could hit 'CTRL+A' + 'DEL' in Process Hacker (restoring the deleted file didn't help either), MJ Registry Watcher was so fast that I got innumerable icons in system tray and processes in task manager. These two processes were immortal and propagated at an amazing rate. Hitting hard hectically in Process Hacker was a futile effort- the battle was rather uneven and I had no chance against the mighty MJ Registry Watcher. I couldn't get to start menu because the error pop-ups were stealing focus immediately after I clicked on Classic Shell. Before resorting to the power button I luckily managed to restart using Process Hacker (a very benevolent character) again. ScreenToGif is a superior program but in these circumstances I was unable to use it so I switched to good old LICEcap and managed to save a screen of this horror. I don't know a solution for killing such fast multiplying processes, even Process Closer which has saved me before was helpless to terminate the furious, unperishing MJ Registry Watcher.

Re: Reg Watcher + question

Posted: Mon Jul 16, 2018 3:57 am
by Midas
:shock: What a nightmare! :lol: