MJ Reg Watcher [system monitoring tool]

#1 Post by AlephX » Thu May 18, 2006 11:52 pm

[2018-07-15 Mod note: OP subject changed for clarity; original was "Reg Watcher + question"]

Hi, I've found this security program which can be interesting:

MJ Registry Watcher (Version 1.2.4.5 - Zip Size 490K)

site: http://www.jacobsm.com/mjsoft.htm

License: freeware

Synopsis (by the author)
is a simple system tray program that monitors for changes to any of the startup folders, startup registry keys, and any files you want alerting on.
If a trojan attempts to change your startup settings, you will be alerted, and you can prevent any changes being made. It is fully configurable as to what keys and files are monitored, so, if you have a vested interest in protecting your file association for the mailto protocol (your default emailer), so that your preferred app loads them, and something else is trying very hard to undermine this association (Outlook for example), this will popup, offering to stop a new association attempt, after Outlook had loaded, say. The key that stores this association is hkey_lmus\software\classes\mailto\shell\open\command, and you could protect other associations by changing "mailto" to the desired type, for example, "jpegfile".
When monitoring, keys are opened in Read-Only mode, and the application only needs Write Registry access when it has detected a change. It keeps a log of any suspect activity, and displays any such information for the current session in the bottom panel. A log file has this appended to it and can be viewed by pressing the Log button. The file keeps a complete history of alerts.

Installation/write settings (by the author)
To install it, extract the files with pathnames, and you'll have a self-contained .exe file with a small help text file, the keys and files lists, and a couple of exclusion files in the MJRegWatcher directory. Create a shortcut to C:\MJRegWatcher\RegWatcher.exe and launch it. Then, use the Options, Settings, Automatic Startup Options screen to install it either just for the current user, or for all users. From this screen, you can also choose which key set to start it up with, or even uninstall it.

I don't know if it is really portable or simply useful for other purposes.
Anyway I used regshot to see it. Can you tell me how to evaluate the following results?


----------------------------------
Keys added:4
----------------------------------
HKU\S-1-5-21-407404009-2007238923-643028249-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
HKU\S-1-5-21-407404009-2007238923-643028249-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
HKU\S-1-5-21-407404009-2007238923-643028249-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*
HKU\S-1-5-21-407404009-2007238923-643028249-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv

----------------------------------
Values added:6
----------------------------------
HKU\S-1-5-21-407404009-2007238923-643028249-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv\a: "C:\My Documents\MYCOMP\Personal Data\first.hiv"
HKU\S-1-5-21-407404009-2007238923-643028249-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv\MRUList: "a"
HKU\S-1-5-21-407404009-2007238923-643028249-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\a: "C:\My Documents\MYCOMP\Personal Data\first.hiv"
HKU\S-1-5-21-407404009-2007238923-643028249-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "a"
HKU\S-1-5-21-407404009-2007238923-643028249-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\a: 72 00 65 00 67 00 73 00 68 00 6F 00 74 00 2E 00 65 00 78 00 65 00 00 00 43 00 3A 00 5C 00 44 00 6F 00 6B 00 75 00 6D 00 65 00 6E 00 74 00 65 00 20 00 75 00 6E 00 64 00 20 00 45 00 69 00 6E 00 73 00 74 00 65 00 6C 00 6C 00 75 00 6E 00 67 00 65 00 6E 00 5C 00 44 00 41 00 52 00 44 00 5C 00 45 00 69 00 67 00 65 00 6E 00 65 00 20 00 44 00 61 00 74 00 65 00 69 00 65 00 6E 00 00 00
HKU\S-1-5-21-407404009-2007238923-643028249-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\MRUList: "a"

----------------------------------
Values modified:1
----------------------------------
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 95 73 9F F4 56 05 27 97 CF 80 34 70 EC D0 54 9B C7 BF 87 4E 68 CA FA 7A EF 49 42 75 88 98 1F CF 2B B0 AD D0 BA 4D 25 59 4E C9 F4 8D 9A B9 30 CE 42 1A 1E E8 EC 8C 5D 3C 91 BA B0 76 83 FC 10 F5 30 10 D4 83 47 93 D0 21 E1 C4 05 AC FD 85 6E 1D
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: D5 A2 8A B8 53 FA D8 F2 49 CD 4C C4 8C C0 35 DD B5 E0 05 47 03 47 55 81 FE 7A 6F D0 B5 5A A6 FC E4 B1 E8 EF 8D 44 32 07 F6 29 16 A3 C1 AF 9E 60 61 F8 AC DF 3C 1D FA 47 81 99 6B 26 FE D4 B7 FF AE D9 46 A9 46 6B E5 F2 80 4B 92 58 4D 8A A6 5F

----------------------------------
Total changes:11
----------------------------------
Thank you!
Aleph
Last edited by AlephX on Fri May 19, 2006 8:33 am, edited 1 time in total.


#2 Post by Toxteth O'Grady » Fri May 19, 2006 6:46 am

This looks like a nice, additional layer of defence against all the harm the bad guys on the internet want to do to you. :wink: Thanks for the info, I'll give it a try.

I'm not an expert, but this looks like a portable program.
The MRU entries are modified by Windows itself. MRU = most recently used, obviously they change all the time.
The updated cryptography value is irrelevant as well. At least, I read somewhere that it can be updated by starting other programs that don't use cryptography at all.
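
Added example, not part of any post in this thread: a small Python triage of a regshot report that sets aside the two kinds of entries discussed above (common-dialog MRU lists and the RNG seed) and leaves everything else for review when judging portability. The noise patterns, the sample report, its SID and the `ExampleVendor` key are constructed assumptions.

```python
import re

# Paths treated as Windows-generated noise in this thread (assumed, not exhaustive).
NOISE = [
    (re.compile(r"\\Explorer\\ComDlg32\\(LastVisitedMRU|OpenSaveMRU)(\\|$)", re.I), "MRU list"),
    (re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Cryptography\\RNG\\Seed$", re.I), "RNG seed"),
]
SECTION = re.compile(r"^(Keys|Values) (added|deleted|modified):\s*\d+$", re.I)

def triage(report):
    """Split regshot entries into (noise, review) lists of (section, path, reason)."""
    noise, review, seen, section = [], [], set(), None
    for raw in report.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"} or line.lower().startswith("total changes"):
            continue
        if SECTION.match(line):
            section = line.split(":")[0]
            continue
        path = line.split(": ", 1)[0]   # values print as 'path: data', keys as a bare path
        if (section, path) in seen:     # 'modified' lists the old and the new data
            continue
        seen.add((section, path))
        reason = next((why for rx, why in NOISE if rx.search(path)), None)
        (noise if reason else review).append((section, path, reason))
    return noise, review

# Constructed sample in the thread's regshot layout (SID, vendor key and data are made up).
SAMPLE = r"""
----------------------------------
Keys added:2
----------------------------------
HKU\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv
HKU\S-1-5-21-0-0-0-1000\Software\ExampleVendor\ExampleApp
----------------------------------
Values added:2
----------------------------------
HKU\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv\MRUList: "a"
HKU\S-1-5-21-0-0-0-1000\Software\ExampleVendor\ExampleApp\WindowPos: "10,10"
----------------------------------
Values modified:1
----------------------------------
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 95 73 9F F4
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: D5 A2 8A B8
"""

if __name__ == "__main__":
    for bucket, rows in zip(("ignore", "REVIEW"), triage(SAMPLE)):
        print(bucket, *(f"\n  [{s}] {p}" for s, p, _ in rows))
```

Anything left in the review list is a write that the tested program, or something else running during the snapshot window, made outside the known-noise paths.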


#3 Post by AlephX » Fri May 19, 2006 8:34 am

Thank you! :D

I've seen other applications doing the same thing... good to know!


#4 Post by Andrew Lee » Wed May 24, 2006 6:30 am

Thanks! Posted to the database.


Re: Reg Watcher + question

#5 Post by bitcoin » Wed Jul 04, 2018 6:31 pm

the author updated MJ RegWatcher to v1.2.8.5 on April 24th

https://www.jacobsm.com/mjsoft.htm#rgwtchr


also updated these recently:

MJ Emails - Last Update 9/6/2018
MJ News Reader - Last Update 14/4/2018
Maths Penknife - Last Update 24/4/2018
Grapher - Last Update 14/4/2018
MJ Player - Last Update 24/4/2018
MJ Zoomer - Last Update 14/4/2018
MJ Browser - Last Update 14/4/2018


Re: Reg Watcher + question

#6 Post by Midas » Thu Jul 05, 2018 3:47 am

Wow! Major resurrection for a very popular registry monitor from yore... ;)


Re: MJ Registry Watcher

#7 Post by smaragdus » Sun Jul 15, 2018 2:24 pm

While updating MJ Registry Watcher I accidentally deleted a file and as a consequence I got this:

Image

MJ Registry Watcher spawned two processes quicker than I could hit 'CTRL+A' + 'DEL' in Process Hacker (restoring the deleted file didn't help either), MJ Registry Watcher was so fast that I got innumerable icons in system tray and processes in task manager. These two processes were immortal and propagated at an amazing rate. Hitting hard hectically in Process Hacker was a futile effort - the battle was rather uneven and I had no chance against the mighty MJ Registry Watcher. I couldn't get to start menu because the error pop-ups were stealing focus immediately after I clicked on Classic Shell. Before resorting to the power button I luckily managed to restart using Process Hacker (a very benevolent character) again. ScreenToGif is a superior program but in these circumstances I was unable to use it so I switched to good old LICEcap and managed to save a screen of this horror. I don't know a solution for killing such fast multiplying processes, even Process Closer which has saved me before was helpless to terminate the furious, unperishing MJ Registry Watcher.


Re: Reg Watcher + question

#8 Post by Midas » Mon Jul 16, 2018 3:57 am

:shock: What a nightmare! :lol:
