Hi, I've found this security program which can be interesting:
MJ Registry Watcher (Version 1.2.4.5 - Zip Size 490K)
site: http://www.jacobsm.com/mjsoft.htm
License: freeware
Synopsis (by the author)
MJ Registry Watcher is a simple system tray program that monitors for changes to any of the startup folders, startup registry keys, and any files you want alerting on.
If a trojan attempts to change your startup settings, you will be alerted, and you can prevent any changes being made. It is fully configurable as to what keys and files are monitored, so, if you have a vested interest in protecting your file association for the mailto protocol (your default emailer), so that your preferred app loads them, and something else is trying very hard to undermine this association (Outlook for example), this will pop up, offering to stop a new association attempt, after Outlook had loaded, say. The key that stores this association is hkey_lmus\software\classes\mailto\shell\open\command, and you could protect other associations by changing "mailto" to the desired type, for example, "jpegfile".
When monitoring, keys are opened in Read-Only mode, and the application only needs Write Registry access when it has detected a change. It keeps a log of any suspect activity, and displays any such information for the current session in the bottom panel. A log file has this appended to it and can be viewed by pressing the Log button. The file keeps a complete history of alerts.
Installation/write settings (by the author)
To install it, extract the files with pathnames, and you'll have a self-contained .exe file with a small help text file, the keys and files lists, and a couple of exclusion files in the MJRegWatcher directory. Create a shortcut to C:\MJRegWatcher\RegWatcher.exe and launch it. Then, use the Options, Settings, Automatic Startup Options screen to install it either just for the current user, or for all users. From this screen, you can also choose which key set to start it up with, or even uninstall it.
I don't know if it is really portable or simply useful for other purposes.
Anyway, I used regshot to see it. Can you tell me how to evaluate the following results?
----------------------------------
Keys added:4
----------------------------------
HKU\S-1-5-21-407404009-2007238923-643028249-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
HKU\S-1-5-21-407404009-2007238923-643028249-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
HKU\S-1-5-21-407404009-2007238923-643028249-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*
HKU\S-1-5-21-407404009-2007238923-643028249-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv
----------------------------------
Values added:6
----------------------------------
HKU\S-1-5-21-407404009-2007238923-643028249-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv\a: "C:\My Documents\MYCOMP\Personal Data\first.hiv"
HKU\S-1-5-21-407404009-2007238923-643028249-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv\MRUList: "a"
HKU\S-1-5-21-407404009-2007238923-643028249-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\a: "C:\My Documents\MYCOMP\Personal Data\first.hiv"
HKU\S-1-5-21-407404009-2007238923-643028249-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "a"
HKU\S-1-5-21-407404009-2007238923-643028249-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\a: 72 00 65 00 67 00 73 00 68 00 6F 00 74 00 2E 00 65 00 78 00 65 00 00 00 43 00 3A 00 5C 00 44 00 6F 00 6B 00 75 00 6D 00 65 00 6E 00 74 00 65 00 20 00 75 00 6E 00 64 00 20 00 45 00 69 00 6E 00 73 00 74 00 65 00 6C 00 6C 00 75 00 6E 00 67 00 65 00 6E 00 5C 00 44 00 41 00 52 00 44 00 5C 00 45 00 69 00 67 00 65 00 6E 00 65 00 20 00 44 00 61 00 74 00 65 00 69 00 65 00 6E 00 00 00
HKU\S-1-5-21-407404009-2007238923-643028249-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\MRUList: "a"
----------------------------------
Values modified:1
----------------------------------
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 95 73 9F F4 56 05 27 97 CF 80 34 70 EC D0 54 9B C7 BF 87 4E 68 CA FA 7A EF 49 42 75 88 98 1F CF 2B B0 AD D0 BA 4D 25 59 4E C9 F4 8D 9A B9 30 CE 42 1A 1E E8 EC 8C 5D 3C 91 BA B0 76 83 FC 10 F5 30 10 D4 83 47 93 D0 21 E1 C4 05 AC FD 85 6E 1D
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: D5 A2 8A B8 53 FA D8 F2 49 CD 4C C4 8C C0 35 DD B5 E0 05 47 03 47 55 81 FE 7A 6F D0 B5 5A A6 FC E4 B1 E8 EF 8D 44 32 07 F6 29 16 A3 C1 AF 9E 60 61 F8 AC DF 3C 1D FA 47 81 99 6B 26 FE D4 B7 FF AE D9 46 A9 46 6B E5 F2 80 4B 92 58 4D 8A A6 5F
----------------------------------
Total changes:11
----------------------------------
Aleph
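The Regshot diff in the post can be sorted mechanically: the ComDlg32 entries are the Open/Save dialog history, the LastVisitedMRU binary decodes to the name of the program that showed that dialog, and the RNG seed differs between any two snapshots. The script below is an added example, not part of the post or of MJ Registry Watcher; it parses a constructed, shortened Regshot-style report (with one extra Run entry so that a change that would matter is present) and labels each value line. The noise and startup path lists are assumptions.

```python
import re

# Constructed sample in Regshot's report format, shortened from the post's output;
# the Run line is added so that a change which would actually matter is present.
SAMPLE_REPORT = r"""
----------------------------------
Values added:3
----------------------------------
HKU\S-1-5-21-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv\a: "C:\My Documents\first.hiv"
HKU\S-1-5-21-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\a: 72 00 65 00 67 00 73 00 68 00 6F 00 74 00 2E 00 65 00 78 00 65 00 00 00 43 00 3A 00 5C 00 00 00
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Watcher: "C:\MJRegWatcher\RegWatcher.exe"
----------------------------------
Values modified:1
----------------------------------
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 95 73 9F F4
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: D5 A2 8A B8
"""

# Assumed lists: lower-cased path fragments of changes the tested program did not
# cause, and of startup locations a startup monitor (or a trojan) would touch.
NOISE = {"\\explorer\\comdlg32\\": "Open/Save dialog MRU, written by whoever showed the dialog",
         "\\cryptography\\rng\\seed": "system RNG seed, differs between any two snapshots"}
STARTUP = ("\\currentversion\\run\\", "\\currentversion\\runonce\\",
           "\\shell\\open\\command", "\\currentcontrolset\\services\\")
HEX_RE = re.compile(r"^(?:[0-9A-F]{2} ?)+$")  # Regshot's 'xx xx xx' binary listing

def decode_utf16_hex(data):
    # ComDlg32 MRU binaries are NUL-separated UTF-16LE strings (program, directory).
    raw = bytes.fromhex(data.replace(" ", ""))
    return [s for s in raw.decode("utf-16-le", errors="replace").split("\x00") if s]

def classify(key):
    k = key.lower()
    for fragment, why in NOISE.items():
        if fragment in k:
            return "noise", why
    if any(f in k for f in STARTUP):
        return "startup", "persistence location: check the data is what you installed"
    return "review", "on neither list: inspect by hand"

def evaluate(report):
    # (key, verdict, reason, decoded) per 'key: data' line; headers and bare keys skip.
    results = []
    for line in report.splitlines():
        if line.startswith("-") or ": " not in line:
            continue
        key, data = line.split(": ", 1)
        decoded = decode_utf16_hex(data) if HEX_RE.match(data) else None
        results.append((key, *classify(key), decoded))
    return results
```

Run against the post's full output, the only non-noise entries would be the ones you would expect from the program being tested; here the decoded LastVisitedMRU shows the dialog belonged to regshot.exe itself, which is why those MRU keys say nothing about RegWatcher.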