OVERVIEW

MJ Registry Watcher is a simple registry, file and directory hooker/poller, that safeguards the
most important startup files, registry keys and values, and other more exotic registry
locations commonly attacked by trojans. It has very low resource usage, and is set to poll
every 30 seconds by default, although you can adjust this to anywhere between 0 and 9999. A
configuration file stores all your settings for future use. MJRW not only polls the system, but
it also hooks it, so that most changes to keys, files and directories are reported
instantaneously. Key deletions are still caught by the polling loop though, since they cannot
be hooked.

COMMAND LINE ARGUMENTS

When launched with no command line parameters, MJRW will use the "Custom" key set. If you wish
to use an alternative set, then just specify the extension to the MJRegWatchKeys file name.
This can be :-

	txt		custom list of keys (default)
	1		highest security set
	2		high security set
	3		medium security set
	4		light security set
	def		default security set

For example, you could always start it on the highest set by using the command line :-
C:\MJRegWatcher\RegWatcher.exe 1

STARTUP OPTIONS

You can set up startup options more easily using the Options, Settings, Automatic Startup
Options. This will create a run key according to what you pick. You can also uninstall the run
key from this screen. This enables you to set up a registry auto-start for MJ Registry
Watcher. It writes a value to the run key of either HKEY_LOCAL_MACHINE (all users) or
HKEY_CURRENT_USER (just the current user). This would normally raise an alert but the default
exempt values list includes an entry for MJ Registry Watcher. When you use it, it will display
what the current setting is in the dialog's radiogroup and checkbox.

TRAY ICON

The application minimises to a tray icon when run, and it is coloured as follows :-

	Grey		Prompt Mode
	Blue		Reject Mode
	Green		Accept Mode
	Black		Stopped
	Red		Alerts you haven't looked at yet

EMAIL ALERT CONFIGURATION

You can set how you want it to handle alerts. You can configure it to email any alerts. To do
this, use the "Options, Settings, EMail Alert Setup" menu item to set up the parameters you
need. An example :-

EMail Address to Send Alert to: Billy Spears <bs76@aol.com>;Sergeant Pepper <sp412@aol.com>
Host: smtp.btinternet.com
User Id: RobertPlant809/wholelottalove
From: rplant809@btinternet.com

The syntax for configuring the email alerts is as follows :-

EMail Address to Send Alert to: to_addresses/cc_addresses/bcc_addresses
Host: hostname/smtp-port
User Id: userid/password
From: from_address/replyto_address

Anything after the slashes (/) (including the slashes themselves) is optional. Some SMTP
servers require a valid From email address and a password in order to allow the email through
(spam combat measures). The amount you'll have to specify depends on your ISP and their SMTP
arrangements. Alerts can be sent to multiple addresses, in the form :-
Name1 <emailaddress1>;Name2 <emailaddress2>;Name3 <emailaddress3>;...
If you need to override the default SMTP port of 25, then follow the hostname with a slash
and the port number you wish to use. You can also prefix the port number with a plus sign ('+')
to use explicit TLS (SSL) transport, or a minus sign ('-') for implicit TLS.
For example, smtp.office365.com/+587
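
The field syntax above can be checked before it is typed into the dialog. The following is an added example, not code from MJ Registry Watcher: it splits the four fields on their slashes and reports when the Host line requests no TLS. The function names are hypothetical, and the sample text is the example from this section.

```python
# Labels exactly as they appear before the colons in the EMail Alert Setup.
LABELS = {
    "EMail Address to Send Alert to": "recipients",
    "Host": "host",
    "User Id": "user",
    "From": "from",
}

# The example configuration shown in this help file.
PAGE_EXAMPLE = """\
EMail Address to Send Alert to: Billy Spears <bs76@aol.com>;Sergeant Pepper <sp412@aol.com>
Host: smtp.btinternet.com
User Id: RobertPlant809/wholelottalove
From: rplant809@btinternet.com
"""


def split_field(value, count):
    """Split on '/' into exactly `count` parts; missing optional parts become ''."""
    parts = [p.strip() for p in value.split("/", count - 1)]
    return parts + [""] * (count - len(parts))


def split_addresses(text):
    """Split 'Name1 <addr1>;Name2 <addr2>' into a list of addresses."""
    return [a.strip() for a in text.split(";") if a.strip()]


def parse_email_setup(text):
    """Parse the four labelled lines into a dictionary of settings."""
    raw = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep and label.strip() in LABELS:
            raw[LABELS[label.strip()]] = value.strip()
    to, cc, bcc = split_field(raw.get("recipients", ""), 3)
    host, port_spec = split_field(raw.get("host", ""), 2)
    user, password = split_field(raw.get("user", ""), 2)
    sender, reply_to = split_field(raw.get("from", ""), 2)
    # '+' before the port means explicit TLS, '-' means implicit TLS.
    tls = {"+": "explicit", "-": "implicit"}.get(port_spec[:1], "none")
    port = int(port_spec.lstrip("+-") or 25)  # the documented default port is 25
    return {
        "to": split_addresses(to), "cc": split_addresses(cc),
        "bcc": split_addresses(bcc), "host": host, "port": port, "tls": tls,
        "user": user, "password": password, "from": sender, "reply_to": reply_to,
    }


def audit_email_setup(cfg):
    """Return findings for a setup that would send alerts without TLS."""
    findings = []
    if cfg["tls"] == "none":
        findings.append("Host requests no TLS: alert text reaches the SMTP host unencrypted")
        if cfg["password"]:
            findings.append("User Id has a password that would be sent without TLS")
    return findings


if __name__ == "__main__":
    cfg = parse_email_setup(PAGE_EXAMPLE)
    print(cfg["host"], cfg["port"], cfg["tls"])
    for finding in audit_email_setup(cfg):
        print("WARNING:", finding)
```
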

Please note that YOU SHOULD NOT CHANGE ANY OF THE TEXT BEFORE THE COLONS on each line.
After saving your email configuration, you can send a test email alert, to see if the details
are correct. If something is wrong, technical error details will be visible in the alert window
and log file. If the email is delivered correctly, you can then simply check the "Options,
Settings, Send Alerts by EMail" menu item, to start sending any alerts via your email setup.
If you mess up your email set up, you can reset it by deleting the MJRegWatcher.ema file in the
MJRW directory, and going into "Options, Settings, EMail Alert Setup" again.

ALERT SETTINGS

You can also choose between always prompting for your attention when an alert occurs, automatically
accepting all changes, or rejecting all changes, using the top left radiogroup. Automatic
Rejection will undo all value changes, subkey additions, and file and directory additions, so
don't leave it on this setting if you are installing new software or hardware! Subkey
additions, and file and directory additions are quarantined, in that .reg files are made of the
subkeys in the directory MJQuarantine off of the installation directory. File and directory
additions are moved to this directory. If it is a new file (rather than a new directory), then
MJRW will rename the file before quarantining it, as follows :-

i_am_a_trojan.exe will be renamed to i_am_a_trojan_exe.mjq
i_am_a_trojan.jpg will be renamed to i_am_a_trojan_jpg.mjq

If the attempt to quarantine the file or directory fails, MJRW will try to move it at the
computer's next reboot. Hopefully, this should be a rare situation!

ALERT OPTIONS AND THE LOG

Whichever alert setting you choose, a log is kept of all alerts, even when running totally silently.
You can turn logging on or off, and the setting is remembered in the configuration file.

When there is an alert, the options available to you are determined by the type of key or filespec
that has changed. Here are the current buttons that may appear in addition to, or instead of, the
normal "Accept" and "Reject" ones :-

Ok			- Appears on its own for when MJRW cannot undo the change.
			  For example, a subkey has been deleted, or a file's details have changed.

Quarantine Added Subkeys	- Moves the added subkeys to the MJQuarantine directory.

Quarantine Added Files	- Moves the added files and/or directories to the MJQuarantine directory.

Prefix the Key/FileSpec	- Enables you to flag the line as commented out, auto-reject, or auto-accept

Exempt Certain Values	- Allows you to add selected values to the exemptions list,
			  and then possibly prompts Yes/No whether to accept the change.

Exempt Certain Subkeys	- Allows you to add selected subkeys to the exemptions list,
			  and then possibly prompts Yes/No whether to accept the change.
			  Reloads key list at end of sweep if anything is exempted.

Exempt Certain Filespecs	- Allows you to add selected filespecs to the exemptions list,
			  and then possibly prompts Yes/No whether to accept the change.
			  Reloads key list at end of sweep if anything is exempted.

Prefix Key/FileSpec options :-

#	line is commented out, change is accepted, and key or filespec is no longer monitored.
!	future alerts automatically reject changes, and reject this current change.
=	future alerts automatically accept changes, and accept this current change.

Whatever options you choose to use on any given alert, the log file records your actions.

When an alert is prompting for your action on the screen, and you need all the changes from
now on to be accepted or rejected, you can change the automatic setting by using the tray icon.
Right-Click the tray icon and change the mode to Accept or Reject, whichever you require. This
is useful when you are being attacked and want to switch from Prompt mode to Reject mode. It is
also useful when you are installing some new software or updates and need to switch from Prompt
mode to Accept mode while an alert is showing.

KEY/VALUE/FILESPEC SPECIFICATION SYNTAX

The top panel is an editable text window with the keys and files you want to monitor. To make
it editable, use Options, Enable Keys List Editing.

Keys can use the shortcut hkey_lmcu to mean both keys hkey_local_machine and hkey_current_user,
and hkey_lmus to mean both keys hkey_local_machine and hkey_users\??? (any user rather than
current user). You can make branches of the key wild by putting ??? in the key where the path
should be matched against any registry subkey on the same branch. The rule is that you cannot
begin or end a key with ???, but you can have as many as you like in the key specification. You
can end in hkey_blahblahblah\blah\???\ which means match any key that is a subkey of
hkey_blahblahblah\blah and it will list any values and subkeys discovered under each matching
subkey. When you use ??? the list only has existent matching keys and values added to it. If
the key exists, but there are no values in it, it is still added to the list, so new value
additions are picked up. For example, a useful one (included in the default set of keys and
files) is :-

hkey_lmus\software\microsoft\windows\currentversion\run
which is equivalent to having both :-
hkey_users\???\software\microsoft\windows\currentversion\run
and
hkey_local_machine\software\microsoft\windows\currentversion\run

Filespecs can embed the following directives, so that filespecs are portable across different
versions of Windows :-

%windir%		Under XP = c:\windows\
%system%		Under XP = c:\windows\system32\
%programfiles%		Under XP = c:\program files\
%bootdrv%		Under XP = c:\
%mydocs%		Under XP = c:\documents and settings\yourname\my documents\
%allappdata%		Under XP = c:\documents and settings\all users\application data\
%userwin%		Under XP = c:\windows\ (but different under Vista 64!)

Please note that the files themselves are not protected, and changes made to them, or deletions
made, are recorded and optionally alerted, but they cannot be rolled back. Additions to
directories can be quarantined (moved to the MJQuarantine directory) or accepted.

They can also use the ??? notation to mean an asterisk at this position in the filespec
as a wildcard. For example, c:\???\SpecialDocuments\???.xls would match all Excel spreadsheets
in the directories c:\mine\SpecialDocuments and c:\yours\SpecialDocuments if they existed, and
%windir%???.exe would match all executables in the Windows directory.

Each key in this window is monitored for changes, additions and deletions to any of its values,
and its subkeys for any additions and deletions. Each file is monitored for any change to its
size, date and time, file attributes, or state of existence. Each directory spec has all of
its files and subdirectories (but not files in those subdirectories) monitored for any change
to their size, date and time, file attributes, or state of existence. Additions can be
quarantined (see 2nd paragraph above). An example wildcarded directory spec (included in the
default set of keys and files) is :-
%bootdrv%documents and settings\???\start menu\programs\startup
This is special in that it deliberately omits the common and user startup directories, because
they are monitored separately.

PREFIXES

You can prefix keys and filespecs with these mnemonics :-

# - the line is commented out, and is not monitored.

! - automatically reject any changes to this key.

= - automatically accept any changes to this key.

$ - automatically prompt for any changes to this key.

& - if this prefixes a key, it is additionally checked for hidden keys every 50 sweeps. If this
prefixes a filespec, this filespec is only checked every 50 sweeps. You can adjust this value
by going to the Engine Tuning submenu and selecting the "Hidden Key Search Frequency" option.

## - the line is a section indicator and any alert on a key in its section will show this line
above the rest of the alert. To end a section without beginning a new one, put a line which is
just '##' at the relevant place in the key list.

A filespec like &%system%drivers becomes cpu-feasible with the right number of sweeps set and is
included in each set. On the default setting of one scan per 50 sweeps, it is a useful indicator
of what new files are arriving in this important directory.

Keys and filespecs can be double-prefixed, if the first prefix is &. This means that
&$%system%???.exe and &$%system%???.dll can be used to check these every 50 sweeps but always
prompt if there's a change, even when running in Accept mode.
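
The key syntax and prefixes described above can be modelled in a few functions. This is an added example, not MJRW's own code: it parses a key-list line, expands the hkey_lmcu and hkey_lmus mnemonics, matches ??? against existing keys, and works out which action applies, including the service-mode behaviour described under RUNNING MJ REGISTRY WATCHER AS A SERVICE. All names are hypothetical; it assumes each ??? in a key stands for exactly one subkey level, that a line not starting with hkey_ is a filespec, and that a ! or = prefix takes precedence over the global mode.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Prefix characters and mnemonics as documented in this help file.
ACTION_PREFIXES = {"!": "reject", "=": "accept", "$": "prompt"}
MNEMONICS = {
    "hkey_lmcu": ["hkey_local_machine", "hkey_current_user"],
    "hkey_lmus": ["hkey_local_machine", "hkey_users\\???"],
}


@dataclass
class Entry:
    kind: str               # "section", "comment", "key" or "filespec"
    action: Optional[str]   # per-line override from ! = $, or None
    slow: bool              # True when the line carries the & prefix
    targets: List[str]      # expanded keys, or the filespec / section text


def parse_line(line: str) -> Optional[Entry]:
    """Parse one key-list line; returns None for a blank line."""
    text = line.strip()
    if not text:
        return None
    if text.startswith("##"):            # must be tested before the single '#'
        return Entry("section", None, False, [text[2:].strip()])
    if text.startswith("#"):
        return Entry("comment", None, False, [text[1:].strip()])
    slow = text.startswith("&")          # & has to be the first of two prefixes
    if slow:
        text = text[1:]
    action = ACTION_PREFIXES.get(text[:1])
    if action:
        text = text[1:]
    spec = text.lower()
    if not spec.startswith("hkey_"):     # assumption: anything else is a filespec
        return Entry("filespec", action, slow, [spec])
    if spec.endswith("???"):             # a trailing "\???\" is allowed, a bare "???" is not
        raise ValueError("a key cannot end with ???: " + spec)
    root, sep, rest = spec.partition("\\")
    targets = [r + sep + rest for r in MNEMONICS.get(root, [root])]
    return Entry("key", action, slow, targets)


def key_matches(pattern: str, key: str) -> bool:
    """True if an existing registry key matches an expanded key pattern."""
    parts = pattern.rstrip("\\").split("\\")
    # Assumption: each ??? matches exactly one subkey name on that branch.
    regex = "\\\\".join("[^\\\\]+" if p == "???" else re.escape(p) for p in parts)
    return re.fullmatch(regex, key.rstrip("\\"), re.IGNORECASE) is not None


def effective_action(entry: Entry, mode: str, service: bool = False) -> str:
    """Action taken on a change: 'prompt', 'accept' or 'reject'."""
    if service and mode == "prompt":
        mode = "accept"                  # the service turns Prompt mode into Accept
    action = entry.action or mode        # assumption: the prefix beats the global mode
    if service and action == "prompt":
        action = mode                    # $ cannot prompt when running as a service
    return action


# Constructed sample list using keys and filespecs quoted in this help file.
SAMPLE_KEY_LIST = r"""
## Startup locations
hkey_lmus\software\microsoft\windows\currentversion\run
#hkey_lmus\software\microsoft\windows\currentversion\explorer\shell folders
&%system%drivers
&$%system%???.exe
"""

if __name__ == "__main__":
    for raw in SAMPLE_KEY_LIST.splitlines():
        entry = parse_line(raw)
        if entry is None or entry.kind in ("section", "comment"):
            continue
        print(entry.kind, entry.targets,
              "interactive:", effective_action(entry, "accept"),
              "service:", effective_action(entry, "accept", service=True))
```

The last sample line shows the point to watch: &$%system%???.exe prompts in interactive Accept mode but is silently accepted when the same list is run by the service.
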

You can add new lines to this top panel, change anything you want, and then save the amended
list as the new default set. First, you have to Enable Keys List Editing in the Options menu.
Then you can change the lines in this top window. After a save, a backup of the original set is
in the file MJRegWatchKeys.old

MJRW internally expands the wildcards in this top window. The maximum number of lines after
expansion is 50,000. Also, under Win9x, there is a 64K limit for each window in MJRW.

OTHER PANELS

The middle panel shows lists of values and subkeys for the registry key the cursor is on in the
top panel, or details of the files/directories, if the cursor in the top panel is on a filespec.
It also shows the common and user startup directory contents. When the cursor is on a file in
this panel, you can use the View button to see its contents.

The bottom panel shows the most recent suspect activity, in ascending chronological order.
A log file is appended to with this information each time activity is detected.

PROCESS LAUNCHES

You can log all process launches using the option in the settings menu. When this is off, if a
launched process causes an alert within a single polling period, the details of this process
launch are prepended to the alert and recorded in the log. If it is on, all process launches
are logged. If emailing of alerts is on, process launch details are also emailed. For example,
with process logging on, the bottom window may have entries like these :-

** Wednesday 11/3/2009 19:10:13 **
Launched msimn.exe[1580]  explorer.exe[388]
** Wednesday 11/3/2009 19:10:33 **
Launched mjnewbro.exe[240]  msimn.exe[1580]  explorer.exe[388]

The number in square brackets after each process is its PID (process identifier number), as
seen under the process list in Windows Task Manager. Each line shows the chain of processes
that ultimately launched the process at the head (on the left) of the chain. Under Win9x,
the process names have the full path. Under NT, this may not work. Under anything else, you
just get the process names and PIDs.
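
For reviewing a long log, the launch entries can be parsed into records and filtered by ancestor. This is an added example, not part of MJ Registry Watcher: the function names are hypothetical, the first two entries of the sample are the ones shown above and the third is constructed, and the day/month/year order is an assumption inferred from the sample (11/3/2009 falls on a Wednesday only when read as 11 March).

```python
import re
from datetime import datetime

# "** Wednesday 11/3/2009 19:10:13 **" -> day, month, year, hour, minute, second
STAMP = re.compile(r"\*\* \w+ (\d+)/(\d+)/(\d+) (\d+):(\d+):(\d+) \*\*")
# "name[pid]" items; names may be full paths containing spaces (Win9x).
PROC = re.compile(r"\s*(.+?)\[(\d+)\]")

# First two entries are from this help file; the third is constructed.
SAMPLE_LOG = r"""
** Wednesday 11/3/2009 19:10:13 **
Launched msimn.exe[1580]  explorer.exe[388]
** Wednesday 11/3/2009 19:10:33 **
Launched mjnewbro.exe[240]  msimn.exe[1580]  explorer.exe[388]
** Wednesday 11/3/2009 19:12:02 **
Launched c:\program files\tool\helper.exe[912]  explorer.exe[388]
"""


def parse_launches(log_text):
    """Return one record per 'Launched' line: time, process, ancestors."""
    records, stamp = [], None
    for line in log_text.splitlines():
        line = line.strip()
        match = STAMP.fullmatch(line)
        if match:
            day, month, year, hour, minute, second = map(int, match.groups())
            stamp = datetime(year, month, day, hour, minute, second)
        elif line.startswith("Launched "):
            chain = [(name.strip(), int(pid))
                     for name, pid in PROC.findall(line[len("Launched "):])]
            if chain:
                # Head of the chain is the new process, the rest launched it.
                records.append({"time": stamp,
                                "process": chain[0],
                                "ancestors": chain[1:]})
    return records


def base_name(process_name):
    """Lower-cased file name without any directory part."""
    return process_name.lower().rsplit("\\", 1)[-1]


def launched_under(records, ancestor):
    """Records whose launch chain contains the named ancestor process."""
    wanted = ancestor.lower()
    return [r for r in records
            if any(base_name(name) == wanted for name, _pid in r["ancestors"])]


if __name__ == "__main__":
    launches = parse_launches(SAMPLE_LOG)
    for rec in launched_under(launches, "msimn.exe"):
        name, pid = rec["process"]
        print(rec["time"].isoformat(), name, pid)
```
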

BUTTONS

You can jump into Regedit at the key you are on in MJ Regwatcher by pressing the "Regedit"
button. If you are on a wildcarded key (contains \???\ or begins with hkey_lm) you will be
presented with a list of matching keys or values, in order to choose the one you want to go to
in Regedit.

You can add all or just the selected subkeys of the key you are on, to the list of keys in the
top panel, by pressing the "Subkeys" button. If any subkeys are highlighted in the middle
panel, then just these are used to form the new keys in the top panel, otherwise all subkeys
are used. However, if you are on a wildcard key (one which contains \???\) then you can add only
those subkeys that have been selected in the middle window. After ascertaining the subkeys,
the list is displayed to you, and you can choose whether to add them or not to the keys in the
top window. This functionality is similar to registry drill-down. If you choose to add them,
and want to then have them "in play", you will have to "Save" the keys and then "Start" the sweeps.

When you are on a filename in the top window, instead of a registry key, the Regedit button
becomes an Explorer button, so you can "visit" the file in Windows Explorer, and the Subkeys
button becomes a View File button. They change back when you cursor onto a registry key. If you
are on a wildcarded directory, a list of matching directories appears when you press
"Explore" so you can choose which one to explore.

You can stop and start the sweeps using the "Stop" or "Start" button.

If you have made any changes to the keys list, you can save those changes using the "Save"
button. Remember to restart the sweeps using the "Start" button, because as soon as you make a
change to the keys list, the sweeps stop.

The "Log" button shows you the accumulated log entries all the way up to the most recent. It will
do nothing if there have never been any alerts. Right-Click this button to edit the log.

The "Help" button displays this text file. Right-Click this button to edit the help file.

OPTIONS MENU

There is an "Options" button which drops down a menu, with additional "Settings" and
"Engine Tuning" submenus.

You can toggle the edit mode of the keys list window.

You can edit the exempt subkey/filespecs or value names files, so that these entries do not
cause alerts, or are excluded from file listings. Each name must be on a separate line by
itself.

You can define your own custom keys and exemptions that are stored in files that survive a
software update. These "Customizations" are stored in files with the extension .cus and are
merged into the appropriate key or exemptions list whenever MJ RegWatcher is launched.

You can backup the registry or the key(s) you are on. The Registry Backup option makes a .reg
format backup of the registry in the file MJRegBackup\MJRegBackup.reg off of the installation
directory. It makes a copy of the old .reg file backup before overwriting MJRegBackup.reg, if
one existed, and calls it MJRegBackup.old. These reg files are only to be restored as a last
resort (i.e. before reinstalling the OS or reformatting the hard drive)!

You can manually quarantine files or directories.

You can fine-tune the loop's engine parameters, and thereby CPU usage.

You can select different key list security levels and save changes to each one separately.

You can search for strings in both the top and middle windows.

You can change the alert audio settings. You can switch off the alert sound, or set it to any
.WAV file you like. When you select a new .WAV file for the alerts, the file you picked is
copied over the file mjrwalert.wav in the installation directory. To restore the original alert
sound, set the alert sound to klaxon.wav, which is a copy of the original alert sound.

You can reset the window placements back to the default settings.

You can reset the engine tuning parameters to the default values.

You can change the way MJ Registry Watcher starts up with your system.

You can set a delay on the first sweep to allow other security programs to use the registry at
PC startup, without it triggering alerts from MJ Registry Watcher.

RUNNING MJ REGISTRY WATCHER AS A SERVICE 

You will need administrator access rights to set up the MJ RegWatcher Service. You can use the
item under the Options menu to "Install MJ RegWatcher Service". REMEMBER TO UNINSTALL THE
INTERACTIVE MJ REGISTRY WATCHER (using Options, Settings, Automatic Startup Options or
disabling the scheduled task or Startup menu item) before you start using the service since
they cannot be run simultaneously. Once interactive MJRW is uninstalled, and the service has
been installed, you can start the service by running services.msc (or Administrative Tools,
Services from Windows) and going to the entry "MJ RegWatcher Service Stub" and starting it.
Once running, it will continue to run until the PC is shut down, surviving logins and logouts,
and automatically starting up when the PC is started (and before anyone logs in). If someone
tries to terminate it without stopping the service stub, it will be re-launched automatically.

To remove the service, you have to stop the service running using services.msc (or Windows
service manager with Administrative Tools, Services). Navigate to "MJ RegWatcher Service
Stub" and stop it. Then launch interactive MJ Registry Watcher (by running RegWatcher.exe from
the installation directory) and choose "Uninstall MJ RegWatcher Service" from the Options
menu. REMEMBER TO INSTALL THE INTERACTIVE MJ REGISTRY WATCHER (using Options, Settings,
Automatic Startup Options or enabling/creating the scheduled task or Startup menu item) if you
want MJ Registry Watcher interactive mode to start up automatically when someone logs in.

The service has some important differences from the interactive mode :-

1) Only Accept and Reject modes are supported. Prompt mode defaults to and sets Accept mode.
2) There is no tray icon or visible application interface. It runs invisibly.
3) Keys and filespecs prefixed with $ to always prompt, will instead Accept or Reject depending
on which mode is set.
4) The configuration of the service is taken from that used by the normal interactive configuration.
5) Only one instance of the service can be run at a time, and it cannot be run at the same time as
an interactive session.
6) To be informed about alerts while the service is running, you can :-
  a) Run the application mjrwmon.exe from the installation directory to monitor the service
  b) Use the alert sound set in interactive mode
  c) Use the email settings set in interactive mode
  d) Keep a view open and refreshed on the log file mjregwatchkeys.log

FUNCTION KEYS

F1 - This help file
F2 - Find a string in the Keys Window (Top Pane)
F3 - Find again in the Keys Window
F4 - Find a string in the Subkeys and Values Window (Middle Pane)
F5 - Find again in the Subkeys and Values Window
F6 - Minimise MJRW back to the system tray
Ctrl+Alt+F6 - When MJRW is minimised, pressing this hotkey combination will restore the MJRW
window to the screen

MJ RegWatcher Copyright Mark Jacobs : Website http://www.jacobsm.com/mjsoft.htm#rgwtchr

CHANGE LOG

Changes 1.1.2.1 to 1.1.3.1
1) Clicking on tray icon toggles minimise/restore of app interface.
2) Colours and fonts of Help and Log file displays improved (IMO).
3) Added "Change Accepted" message to display and log, when a change is accepted.
4) Fixed bug where User or Common startup entry changes would be reported with double-spaced lines.

Changes 1.1.3.1 to 1.1.4.1
1) Fixed bug where only the first "Change Accepted" message would go into the log.
2) Moved the CV Run keys up to the top of the display, so it is easier to see what is run at startup.
3) Added Registry backup feature.
4) F1 Function key activates help.
5) When the Save Keys button is pressed, a backup of the original list is made in MJRegWatchKeys.old

Changes 1.1.4.1 to 1.2.1.5
1) Added "Change Rejected" message when appropriate.
2) All keys now have both values and subkeys checked, and listed in the middle panel.
3) Can now handle alerts automatically, with a choice of always prompt (default), accept or reject.
4) Improved panel arrangement and added another splitter.
5) Used a proper status bar instead of the toolbar's caption.

Changes 1.2.1.5 to 1.2.1.6
1) Fixed bug with subkey change detection messing up subsequent value checking.
2) Fixed bug where detection of value change would prompt with Yes/No and then another with OK.
3) Suffixed each value listed with the type of data it holds in brackets.
4) Added key hkey_local_machine\software\policies\microsoft\windows\safer\codeidentifiers.

Changes 1.2.1.6 to 1.2.1.7
1) Widened scope of values checked to all possible registry types, including exotic ones like Quadword.
2) Added "Regedit" and "Subkeys" functionalities.
3) Revamped the keys in the default list to provide better trojan detection.

Changes 1.2.1.7 to 1.2.1.8
1) The top panel can now handle filenames.
2) There is now a configuration file that stores refresh rate, window positions and sizes,
prompt accept or reject setting, and the last line you were on in the top window.
3) When there is a registry key value change alert, you can accept the change and comment out
the key, by pressing a new "Comment Out Key" button.
4) There is now a facility to add names of certain registry values to an exemption list.
5) Lots of improvements to the user-interface, even though it looks practically identical to
version 1.2.1.7. For example, when an alert pops up, the top panel will now highlight the key
causing the alert, enabling much easier Regedits to get rid of added subkeys.

Changes 1.2.1.8 to 1.2.1.9
1) The top panel can now handle individual values (instead of entire keys)
2) The top panel can specify hkey_lmcu and \???\ key mnemonics for easier PC coverage.
3) When there is an alert, you can selectively exempt values from future alerts.
4) Default key list rewritten to use the new mnemonics.
5) Exempt values now have to specify the entire path of the key to the value you want to exempt.
6) More improvements to the interface and underlying code.

Changes 1.2.1.9 to 1.2.2.1
1) Tuned up default key list to balance resource utilisation against security better.
2) Corrected bug where one of the buttons became visible when it shouldn't have been.
3) Added some better default exclusions.
4) Corrected bug where startup directory changes were not reported in the log if auto-accepted.
5) Regedit button will go to the nearest branch in the registry, if the key chosen does not exist.
6) Now shows exactly how many values and keys it is protecting, and when the definitions were loaded.

Changes 1.2.2.1 to 1.2.2.2
1) Tidied up UI.
2) Added Options button/menu and its items' functionality.

Changes 1.2.2.2 to 1.2.2.3
1) When the key set is changed, any subsequent changes are saved to the new key set, rather than
always saving it to the Custom Set.
2) Better Options menu positioning.
3) Keys now protect from Trojan.Riler and such-like attacks on the Winsock2 binary data values.
4) Maximum individual value data length increased from 25K to 65K (arpcache was too big on some PCs!).
5) Introduced a light security key set, for less powerful PCs to run without using up too many resources.
6) Moved Exempt Values editor from right-click on Log button to Options menu.
7) Command Line Parameters - Instead of the key list filename (which no longer works now), MJRW takes
an extension to the MJRegWatchKeys file name (defaulting to "txt" if not specified). This can be :-
	a) txt		custom list of keys
	b) 1		highest security set
	c) 2		high security set
	d) 3		medium security set
	e) 4		light security set
	f) def		default security set
So, you could always start RegWatcher up in high security mode by using the command line :-
c:\mjregwatcher\regwatcher.exe 2

Changes 1.2.2.3 to 1.2.2.4
1) Improved performance by only opening the keys once instead of twice per key, and by making
the monitoring loop less severe on the CPU - you can now load the highest security key list and
it only takes 3% every 5 seconds.
2) Corrected the arpcache key in all lists to use windows and not windows nt (which doesn't exist).

Changes 1.2.2.4 to 1.2.2.5
1) Made monitoring loop even lighter on resources, and made sure that you can't do things while it
is in the monitoring loop, unless they are allowable (browse help file...).
2) Changed program close operation to allow clean closing during a monitoring loop.
3) Added mnemonic hkey_lmus to mean both keys hkey_local_machine and hkey_users\???.
4) Got rid of duplicates between current user and all users in the keys lists and tidied them up.

Changes 1.2.2.5 to 1.2.2.6
1) Fine-tuned loop to use minimal CPU pressure.
2) Further refinement of the key lists.
3) Corrected bug with Stop button. If it was pressed during the loop, it would toggle the display
incorrectly, and not stop. Now, it will do nothing unless pressed when the loop is not running.

Changes 1.2.2.6 to 1.2.2.7
1) Added option to maintain a list of exempt subkeys from alerting you.
2) Added LSA and OLE keys to default lists.

Changes 1.2.2.7 to 1.2.2.8
1) Made application dual-threaded so that UI could function during a checking loop.
2) Slowed down loop so CPU utilisation is low.
3) Fixed bug with hkey_user subkey exemption.

Changes 1.2.2.8 to 1.2.2.9
1) Fixed bug with Backup Current Key. When there were multiple keys on the current line,
a pick-list is presented to the user. This would show the matching keys for the line, and allow
you to multi-select them for backing up. However, this list would be blanked out when a checking
loop started. Now, it doesn't blank it out.
2) Fixed bug with value exemptions being case sensitive when matched against an expanded wildcard
value, and sometimes failing to match an exemption as a result. Similar hkey_user subkey bug above.

Changes 1.2.2.9 to 1.2.3.1
1) Fixed a couple of minor irritations.
2) Now, an alert trying to pop up when you are editing one of the exemptions lists
will not cause an error.
3) If a change is accepted, the middle panel now auto-refreshes to display the new values,
and the top panel will reflect the key that changed more accurately.
4) Added some new exemptions for Windows 9x.
5) Implemented ability to wildcard exemptions using "???". The exemptions files have been updated
accordingly.
6) Added 4 more crucial system files to the monitoring lists.

Changes 1.2.3.1 to 1.2.3.2
1) You can now have the timer set to zero to indicate constant checking.
2) When exemption alerts are detected in the checking loop, and no other proper alerts occur,
CPU usage was higher than when no alerts had been detected. This has now been cured. Exemptions
will move the display to the alerting key, but not raise an alert.
3) Added menu options to fine-tune the checking loop parameters.
4) Discovered that changing a value in HKEY_CLASSES_ROOT\???\shell\open\command automatically
changes the corresponding entry in HKEY_LOCAL_MACHINE and vice versa, and so I removed the
local machine keys from all lists.
5) Fixed bug with wildcard expansion algorithm that got librarypath but missed packedcatalogitem!

Changes 1.2.3.2 to 1.2.3.3
1) Fixed bug with changing the timer's repeat rate. The loop engine now responds to changes
immediately.
2) Fixed bug with blank lines causing errors, and subsequent malfunction of the program.
3) Made top window read-only when MJRW is started, and added an option to toggle the read-only
setting.
4) Added function key F6 functionality to minimise MJRW back to the tray.
5) Added value hkey_local_machine\system\currentcontrolset\control\session manager\environment\path
to all lists.

Changes 1.2.3.3 to 1.2.3.4
1) Now makes a noise when a non-exempted alert occurs, even in quiet modes.
2) Added hkey_local_machine\system\currentcontrolset\control\session manager\environment\comspec
to all lists.
3) Now displays how long it has been running for (up time). Consecutive differences between up times
on each loop, less the sweep delay time, can be used to time the sweep run.
4) Now displays what mode it is running in, on the tray hint. Saves having to Restore/Minimise
to see.

Changes 1.2.3.4 to 1.2.3.5
1) Now recovers gracefully from failed key writes.
2) Options to turn the alert sound off, and to change the WAV file used.
3) Directories protection implemented.
4) Added %bootdir%documents and settings\???\start menu\programs\startup to all sets.
5) Implemented prefix support for :-
! - reject when in prompt mode
= - accept when in prompt mode
& - use additional key checking / slowed down filespec checking
6) Now prompts when manually closed.
7) When a change is made to the top window, checking is suspended, until the changes are saved,
and the checking loop manually restarted.
8) Quarantine implemented.
9) %windir%tasks added to all lists.
10) Split off settings menu items into a separate submenu.
11) Added key hkey_lmus\software\microsoft\windows\currentversion\policies\network to all sets.
12) Corrected bug with subkey additions.
13) Added buttons to support quarantining additions and various other functions.
14) Many other refinements and improvements.

Changes 1.2.3.5 to 1.2.3.6
1) Fixed bug with Prompt/Accept/Reject setting.
2) Added exempt files capability using exempt subkeys file. Added %windir%tasks\sa.dat to the
exempt subkeys and filespecs list, by way of example. This is just the Start Assistant (Wizard)
for creating new tasks for the scheduler.
3) Addressed a cpu utilisation issue.
4) Fixed multiple occurrences of a bug where it would not display the updated key data after
an alert which was accepted, until you moved off the key and back on to it.

Changes 1.2.3.6 to 1.2.3.7
1) View File now puts up details of file in title bar of viewer.
2) Auto-Accepted value changes now refresh the middle window correctly.
3) If the log viewer is open when an alert occurs, details are appended to bottom of the window.
4) Tray icon colour is grey for prompt mode, green for accept mode, blue for reject mode, and
red when running minimised silently and there are alerts.
5) Window pane dimensions now resize correctly, both when starting up and reading configuration
details, and when you manually reset the display using the menu option.

Changes 1.2.3.7 to 1.2.3.8
1) If it is stopped, the system tray padlock is coloured black. I also lightened the green on
accept mode, because I am red/green colour-blind, and found it difficult to tell whether an
alert had happened!
2) Added hosts file locations to all lists.
3) Now continues the sweep when a key is prefixed on an alert, rather than stopping completely
and waiting for the user to save and restart.
4) Improved hidden key comparison report to more easily see what has changed.

Changes 1.2.3.8 to 1.2.3.9
1) Made file viewer, help and log windows searchable, using the Ctrl+F and F3 key combinations to
mean Search and Search Again, respectively.
2) Added &%system%drivers to the custom list.
3) Spruced up help file.
4) Some minor code improvements.
5) Changed tray icon hint to show number of sweeps.

Changes 1.2.3.9 to 1.2.4.1
1) Corrected bug with prefixing keys (would do nothing with subkeys).
2) Added DSO threat detection to all sets with key
hkey_lmus\software\microsoft\windows\currentversion\internet settings\zones\0
3) Changed default frequency for & scans to 50, since 20 used too much CPU with &%system%drivers

Changes 1.2.4.1 to 1.2.4.2
1) Added wordwrap facility to file display windows.
2) Added Set picking options to the right-click context menu of the tray icon.
3) Added ability to choose the file you want to view, by looking at which one the cursor
is on in the middle window.
4) Added Automatic Startup Options to the Settings menu, to facilitate easy auto-starting
for MJ Registry Watcher.
5) The whole of %system%drivers\etc is monitored instead of just the hosts file (why not!?!)
6) hkey_lmus\software\microsoft\windows\currentversion\explorer\shell folders is now
commented out because it got on my nerves. It would change paths from DOS format to
Windows format and back again, every time you ran a DOS app.
7) hkey_lmus\software\microsoft\windows\currentversion\internet settings\zones\???\currentlevel
added.

Changes 1.2.4.2 to 1.2.4.3
1) Added uninstall facility to the automatic startup options.
2) Added %system%userinit.exe to all key sets.

Changes 1.2.4.3 to 1.2.4.4
1) Corrected bug which, on Win9x systems, would attempt to clear the root directory on exit.

Changes 1.2.4.4 to 1.2.4.5
1) Ability to disable all logging.
2) Cannot shut down MJRW if an alert is showing.
3) Added hkey_local_machine\system\???\control\lsa\lsapid to the Exempt Values list.

Changes 1.2.4.5 to 1.2.4.6
1) Added wildcard filenames capability for filespecs.
2) Added WINDOWS and SYSTEM32 executable filespecs to all but the light key sets.
3) Made mousewheel scrolls affect the window the mouse is over, even if it does not have focus.
4) Removed duplicate keys caused by new filespecs in (2) from all key sets.
5) Added Print capability to file viewer window.

Changes 1.2.4.6 to 1.2.4.7
1) Corrected bug on "View File" which would get the row number wrong (and hence the file you
wanted to view), when the character position in the list of files exceeded 64K. Only occurs
on the &%system%???.dll filespec key.
2) Increased maximum keys and filespecs (after expansion) to 50,000.
3) Corrected bug with it sometimes not viewing a file, even with the cursor on it.
4) Loading large files for viewing is now much faster.
5) Made alert annotation possible through the use of '##'-prefixed comments. See "Prefixes" above.
Added annotations throughout all key sets. Tailor these to your heart's content.
6) Added option to delay the first sweep by a configurable number of seconds.
7) Enhanced display to show countdown to next sweep.
8) Settings menu now displays current settings on the relevant options.
9) Window co-ordinates are now stored in the configuration file with the MJRW window in normal
state, even when the window had been maximised. This causes a brief flash of MJRW on the screen
before it exits. Before, the maximised coords would have been stored, and restored the next time
MJRW loaded.
10) Moved the "Enable Keys List Editing" option to the main Options menu, making it easier to go
into edit mode.

Changes 1.2.4.7 to 1.2.4.8
1) Added registry hooking techniques to allow almost instantaneous reporting of registry key
changes. The polling technique (sweeps) still runs as before.
2) When in prompt mode and an alert happens, the MJRW window is restored. It is now minimised
to the tray, once the alert has been dealt with. If MJRW was already visible before the alert
occurred, it is not minimised after the alert has been dealt with.

Changes 1.2.4.8 to 1.2.4.9
1) Thoroughly improved the quarantine system, which now offers to quarantine at reboot if the
possible trojan cannot be moved away immediately. Also, corrected a bug with Win9x systems and
the use of the MoveFileEx function during the quarantine process.
2) Changed the boot drive file lists to cover more possibilities. They are now :-
%bootdrv%documents and settings\???\start menu\programs\startup
%bootdrv%ntldr
%bootdrv%???.bat
%bootdrv%???.com
%bootdrv%???.dll
%bootdrv%???.exe
%bootdrv%???.ini
%bootdrv%???.lib
%bootdrv%???.pif
%bootdrv%???.scr
%bootdrv%???.sys
%bootdrv%???.vxd
3) Added right-click options on the Help and Log buttons so that these files can be more easily
edited.
4) Corrected small bug on "Explore" button, which wouldn't highlight the relevant file under
Explorer under certain circumstances. Now it does.

Changes 1.2.4.9 to 1.2.5.1
1) Provided a throttle for the fast loop on hooked registry triggers, which is 10 milliseconds
by default, to ease CPU usage. It can be set to zero, which disables registry hooking, and
continues to use pure polling.
2) Changed alert sound from karate cry to the sound of rhenium wire in a photoflash lamp as it
flashes (rhenium vaporises at 10105 F). The original karate sound is in orgalert.wav

Changes 1.2.5.1 to 1.2.5.2
1) Made key prefixes apply for all modes, not just Prompt Mode.
2) Added prefix $ so that you can make keys automatically prompt for any changes, whatever mode
MJRW is running in.
3) Made alert messages clearer as to why a change is accepted or rejected.
4) Changed alert sound to klaxon.
5) Made alert window display in top to bottom order, with the most recent at the bottom - it makes
it easier to read.
6) Corrected a bug with prefixing keys. Now, the prefixing will briefly show MJRW, as it
prefixes the key(s).
7) Now keys and filespecs can be double-prefixed, if the first prefix is &. This means that
&$%system%???.exe and &$%system%???.dll can be used to check these every 50 sweeps but always
prompt if there's a change, even when running in Accept mode.
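
The prefix rules from the 1.2.3.5 and 1.2.5.2 entries can be modelled to audit a key list before relying on Accept mode. This is an added example, not MJRW's own code; the sample list is constructed from entries quoted in this file, and polling "&" entries on every 50th sweep number is an assumption about how the frequency is counted.

```python
from dataclasses import dataclass
from typing import Optional

# Prefix meanings as given in the changelog entries for 1.2.3.5 and 1.2.5.2.
ACTIONS = {"!": "reject", "=": "accept", "$": "prompt"}
SLOW = "&"            # extra key checking / slowed-down filespec checking
SLOW_FREQUENCY = 50   # default: "&" entries are checked every 50 sweeps

# Constructed sample key list, built from entries quoted in this file.
SAMPLE = r"""
## Run keys (annotation line)
!hkey_lmus\software\microsoft\windows\currentversion\run\QuickTime
hkey_lmus\software\microsoft\windows\currentversion\run
&$%system%???.exe
&%system%drivers
=%windir%tasks
"""


@dataclass(frozen=True)
class KeySpec:
    spec: str              # key or filespec with its prefixes removed
    slow: bool             # True when the line started with "&"
    forced: Optional[str]  # "reject", "accept", "prompt", or None


def parse_line(line):
    """Parse one key-list line; blank lines and '##' annotations give None."""
    text = line.strip()
    if not text or text.startswith("##"):
        return None
    slow = text.startswith(SLOW)
    if slow:
        text = text[1:]
    forced = ACTIONS.get(text[:1])
    if forced:
        text = text[1:]
    # A second prefix is only allowed when the first one is "&".
    if not text or text[0] == SLOW or text[0] in ACTIONS:
        raise ValueError("bad prefix combination: " + line.strip())
    return KeySpec(text, slow, forced)


def decide(mode, entry):
    """Outcome of a change: a forced prefix wins in every mode (1.2.5.2)."""
    if mode not in ("prompt", "accept", "reject"):
        raise ValueError("unknown mode: " + mode)
    return entry.forced or mode


def due_on_sweep(entry, sweep_no, frequency=SLOW_FREQUENCY):
    """Assumption: '&' entries are polled on every frequency-th sweep."""
    return not entry.slow or sweep_no % frequency == 0


def silently_accepted(key_list, mode):
    """Specs whose changes would be accepted without a prompt in this mode."""
    entries = filter(None, map(parse_line, key_list.splitlines()))
    return [e.spec for e in entries if decide(mode, e) == "accept"]


if __name__ == "__main__":
    for spec in silently_accepted(SAMPLE, "accept"):
        print("accepted without prompt:", spec)
```

Run against a tailored key list, the output is the set of locations that would change without a prompt in Accept mode, which are the candidates for a $ prefix.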

Changes 1.2.5.2 to 1.2.5.3
1) Now allows the user to set a minimum time period between fast sweeps, so that if Opera is
downloading and the registry is constantly triggering MJRW's hook, a fast sweep is only done
every 30 seconds (default value, set from the options menu). This means that, under normal
conditions, a fast sweep is always ready to trap a change instantly, but has to wait at least
30 seconds after that, before it can run again to trap another triggered change. It can be set
as low as 1 second to duplicate 1.2.5.2's current behaviour. The polling sweep continues to
run normally. This significantly reduces CPU usage during Opera browsing sessions, OE checking
mail every couple of minutes, and Google web accelerator PCs, for example.

Changes 1.2.5.3 to 1.2.5.4
1) Now loads up large files into the viewer faster.
2) Re-organised menus to group the "Engine Tuning" parameters together. Spruced up menu item
descriptions, prompts and help file.
3) Slightly eased CPU usage by making the filespec inspections more efficient.
4) Made some tweaks so that it is now Vista-compatible. For example, the Regedit button goes
to the correct key under Vista, whereas 1.2.5.3 always went to the registry root, whatever key
you picked. MJRW needs to run with Admin privileges in order to work properly with Vista.
5) Changed default "Hook Release Time" (fast sweep frequency) to 3 seconds. People who run
applications that constantly change the registry, will have to either put up with higher CPU
usage, adjust this value upwards, or switch off registry hooking by setting the
"Registry Hook Throttle" timing to zero. Users of 1.2.5.3 will retain whatever settings they
had with this new version, so this will only affect new users.
6) System tray hint displays what OS you're running. Either Win9x, Win2K/XP or Vista.
7) Changed the way the status bar displays text, so that MJRW (and all my other stuff too) works
properly under Windows Blinds.
8) Added exemptions %system%drivers\fidbox.dat and %windir%tasks\schedlgu.txt to the Exempt
Keys and Filespecs list for Vista.

Changes 1.2.5.4 to 1.2.5.5
1) Now requires a paid-for licence (cost 4 GBP).

Changes 1.2.5.5 to 1.2.5.6
1) Allows 5 minutes unlicensed usage before timing out.

Changes 1.2.5.6 to 1.2.5.7
1) Fixed bug with quarantining directories.
2) Logging flag is now stored in the configuration file, so the setting is remembered next
time.
3) Alerts can now be emailed to, say, a supervisor. User and PC information is included with
the email alert, so that the originating machine can be identified.
4) Files and directories can now be manually quarantined, if so desired.
5) The trial period has been increased to 15 minutes, so that deeper investigation of the
program's features can be done.
6) Fixed a bug with the padlock remaining red after "OK" type alerts. Other minor bugs fixed.

Changes 1.2.5.7 to 1.2.5.8
1) Added file and directory hooking techniques to allow almost instantaneous reporting of
any changes to files and directories (OS cache permitting).
2) Added option to reset engine parameters to their defaults. The defaults have been
changed to take into account the hooking mechanisms. The polling is now set to sweep every
30 seconds by default, instead of every 10 seconds.
3) When a hooked sweep is triggered, any filespec prefixed with & is checked immediately,
rather than once every 50 sweeps.

Changes 1.2.5.8 to 1.2.5.9
1) Reduced CPU usage by hooking only the directories specified in the filespecs, rather
than the whole drive.
2) Added debug output, toggled by right-clicking timer up/down arrows.

Changes 1.2.5.9 to 1.2.6.1
1) The application is now free of charge and does not require a licence file any more.
If you find this software useful, please use the Paypal and Google Checkout buttons at
http://www.jacobsm.com/mjsoft.htm to make a donation.
2) Tray hint now has no limit to the length of the text presented.
3) Added exempted discoveries to the debug log.
4) Once triggered, debug now stops re-reporting trigger until reset.
5) Made alerts for the winlogon key always prompt the user, whatever the mode is.

Changes 1.2.6.1 to 1.2.6.2
1) Corrected bug when file/directory hooking failed (like under Win9x sometimes), so that
it quietly returns to polling for changes to these, rather than going haywire.
2) Made the top window row remain selected after an exempted change occurs on another row.

Changes 1.2.6.2 to 1.2.6.3
1) Added filespec mnemonics %mydocs% (My Documents), %alldocs% (Shared Documents) and
%userwin% (Under XP = c:\windows\ but different under Vista 64!).
2) Improved log and help search facilities.
3) Other cosmetic and efficiency improvements.

Changes 1.2.6.3 to 1.2.6.4
1) Enhanced alert email functionality to allow the specification of User ID/Password and the
From email address. The format for the configuration of the outgoing email alerts is documented
under the section EMAIL ALERT CONFIGURATION above.
2) Fixed a bug which caused the specification of an "Always Reject" value on a line by itself,
to not delete the value if none existed before one was created. This means that specifying
!hkey_lmus\software\microsoft\windows\currentversion\run\QuickTime
just before the line
hkey_lmus\software\microsoft\windows\currentversion\run
now properly ensures that MJRW will not allow the QuickTime run value to be created, or if one
exists, will not allow it to be changed.
3) Alerts will occasionally be able to report recently launched processes so that finding the
cause of an alert is easier.
4) There is now the ability to log all process launches. This can be switched on or off (default),
and the setting is remembered in the configuration file.

Changes 1.2.6.4 to 1.2.6.5
1) Corrected bug with trailing space being left in registry key to autostart MJRW at logon.
2) Added a new section of additional keys and filespecs to tighten up all entry points to the PC.
Also changed every instance of "open\command" to "???\command" to protect all possible actions.
If you have tailored keyspecs, please make sure they are backed up before overwriting the files
with these new ones. Then simply add in the new section, entitled ## Additional Security, to your
tailored keyspecs, and globally change "open\command" to "???\command" if you want.
3) Added extra output information when running in debug mode (right-click up/down arrows on timer)
like the line it is checking when a trigger is noted.
4) Augmented the exemption keys and filespecs file. If you have altered your own, again, please
make a backup copy before overwriting with this new one.
5) Added hkey_local_machine\system\???\services\tcpip\parameters to all sets.
6) Made polling interval indicator editable, and made it take any value between 0 and 9999 seconds.
7) Set a system hotkey so that pressing Ctrl+Alt+F6 will restore the MJRW window if it is
currently minimised to the tray.
8) Bundled extra WAV alert sounds into the distribution zip, rather than as a separate download.

Changes 1.2.6.5 to 1.2.6.6
1) Corrected bug with it not prompting to Quarantine added subkeys.
2) Added an alert option to put added subkeys into the Exempt Keys and Filespecs list.
3) When adding keys or values to the exemptions lists during an alert, it now puts them
in with any wildcard that was specified in the original keys list.
4) Increased the width of the buttons on an alert so the texts are more legible.
5) Removed duplicate definition of appinit_dlls from all keys lists.

Changes 1.2.6.6 to 1.2.6.7
1) Added the ability to add filespecs to the exemptions list.
2) Corrected bug with exemption additions from alerts putting the prefix in the list in
addition to the key or filespec, if there was a prefix.
3) Most alerts which cannot be undone and used to offer only an OK button, will now also have
an extra option to exempt certain values/subkeys/filespecs.
4) After exempt subkeys or filespecs are added from an alert, the end of the sweep will reload
the list so that the exemptions are set. This also happens if you prefix keys during an alert.
5) When hooking fails completely, it now fails gracefully and correctly falls back to polling only.
6) Fixed bug with exemptions starting with hkey_lmcu and hkey_lmus being ignored.
7) When an exempted value or subkey was changed on the PC (which doesn't cause an alert),
the middle window did not reflect the change. Now it does.
8) Reduced execution priority to below normal to ease CPU utilisation.

Changes 1.2.6.7 to 1.2.6.8
1) Changed the use of the word "Registry" to "Reg" because of the Brontok virus rebooting the
PC when it detects a window with "Registry" in the title.
2) Added the ability for MJRW to erase chosen values from any key without having to go into
RegEdit. Again, this is because Brontok reboots if you launch RegEdit.
3) Removed %alldocs% from the mnemonics because it didn't work. Replaced it with %allappdata%
which points to the common repository for application data. Under XP, this is usually
c:\documents and settings\all users\application data\
4) Corrected over-long widths of 3rd and 4th buttons on the viewer window after an alert.
5) Added option to take you to the MJ software website.
6) Added option to check for updates, which will list the newest changes and optionally take
you to the website.

Changes 1.2.6.8 to 1.2.6.9
1) When browsing for an alert sound, the file picker now starts in the MJRW directory.
2) All key sets except the Light set have had hkey_classes_root\???\shell\???\command and
hkey_lmus\software\classes\???\shell\???\command added, and any duplicates caused by these
additions removed. This adds much more protection, especially when I discovered a virus that
attacks the Windows help subsystem by redirecting help requests!
3) I have added a mnemonic %cookies% which points to the Internet Explorer cookie store directory.
I have added Internet Explorer cookie protection, with the key %cookies%???.txt in its own section,
to all key sets except the Light security set.
4) Corrected misplacement of 3rd and 4th buttons on the viewer window after an alert.
5) Corrected misreporting of "Files Added/Deleted :- blah blah blah - No Files Found".
6) Added buttons to any alert prompt, to allow you to switch into either Accept or Reject modes.
7) Improved update checking so that the new .zip file can be downloaded and opened automatically.

Changes 1.2.6.9 to 1.2.7.1
1) Devised a watchdog process which ensures MJRW is difficult to terminate with a process
manager (like Windows Task Manager). The process is called arwwdwin.exe and resides in the same
installation directory as MJRW. It is invisible when it is launched by MJRW. MJRW and
arwwdwin.exe each ensure that the other is running at all times, and only a PC
restart/shutdown/logoff or a manual exit of MJRW can stop both processes.

Changes 1.2.7.1 to 1.2.7.2
1) Now ignores changes due to the case of letters being changed. Windows is case-insensitive.
2) Corrected exemption of filespecs with wildcards - these now work correctly.
3) Allowed MJRW to initialise properly when launched with Windows Task Scheduler.
4) Made watchdog process minimise more quickly at launch.
5) Added several new alert sounds to the package.

Changes 1.2.7.2 to 1.2.7.3
1) Uses Microsoft-approved method of reading regional settings.
2) EMail support is now improved with full diagnostic error messages in the log when things
don't work properly. This makes for easier email debugging and logging.
3) Automatically resets EMail configuration file when details are not filled in properly.
4) Some new exemptions added for Windows 7.

Changes 1.2.7.3 to 1.2.7.4
1) Automatic backup of registry occurs about every 28 days. The last 15 are kept.
2) Option to restore any automatic registry backup.
3) Changed default sweep engine parameters to do 5 lines every 47 milliseconds.
4) Updating MJRW using the menu option now renames the old zip file properly.
5) Other minor bug fixes and cosmetic improvements.

Changes 1.2.7.4 to 1.2.7.5
1) Added option to switch automatic registry backup on or off, and this setting is stored in
the configuration file so that it is remembered between PC reboots.

Changes 1.2.7.5 to 1.2.7.6
1) Fixed corner-case access violation when doing an automatic registry backup.
2) The email alert setup now allows for the SMTP port to be configured differently from the
default of 25. To override the default SMTP port of 25, follow the hostname with a slash
and the port number you wish to use. For example, smtp.microsoft.com/587

Changes 1.2.7.6 to 1.2.7.7
1) Added DLL injection detection.
2) Improved email alert delivery reliability.

Changes 1.2.7.7 to 1.2.7.8
1) More choice on keys or values you can exempt when there is an alert.
2) Right-Click Options button to go to the first key (usually the run keys).
3) Added some Windows 8 keys and a terminal server autostart key to all key sets.

Changes 1.2.7.8 to 1.2.7.9
1) Added "Pause Scanning" option to tray icon menu with options for pausing the sweep
for various amounts of time, ranging from 1 minute up to 4 hours before sweeps resume.
2) Added "Check for Updates" option to tray icon menu.
3) Added option to minimize MJRW when a user tries to close the program when the main
window is visible.
4) Added hkey_lmus\software\microsoft\windows\currentversion\explorer\plmvolatile to
the exempt keys and filespecs list. Windows 8 updates this key whenever a Metro tile
changes its content.
5) Added customization files that survive a software update. There are 3 files - one
for Key Lists, one for Exempt Values, and one for Exempt Keys and Filespecs.

Changes 1.2.7.9 to 1.2.8.1
1) Improved interface slightly by making more room for the buttons and rearranging menu items.
2) Improved "Subkeys" button functionality and made its prompts clearer.
3) Improved start up methodology to support service start ups.
4) Implemented service version and stub loader. See help for more details on service mode
under section "RUNNING MJ REGISTRY WATCHER AS A SERVICE".
5) Added exemptions for registry session information being created and destroyed on
login and logout.

Changes 1.2.8.1 to 1.2.8.2
1) There is now a new option on the "Customisations" menu called "Always Add Exempted Items to
Customisation Files". If this is checked when an alert occurs and you decide to exempt the
key, value or filespec that causes the alert, the exemption is written to the relevant
customisation file instead of the relevant exemption file. Customisation files are never
overwritten by an update to MJ RegWatcher, whereas exemption files are occasionally updated.
This setting is saved in the configuration file so that it is remembered between sessions.
2) Engine uses even less CPU resource.
3) Added some exemptions for Adobe Flash Player update, new IE stuff and some others. If you
have your own exemptions that you'd like to preserve, please transfer them to your
customisation files before updating.

Changes 1.2.8.2 to 1.2.8.3
1) Improved resource usage
2) Added some new exemptions

Changes 1.2.8.3 to 1.2.8.4
1) On email alerts, you can set TLS (secure SSL transport) by prefixing the port number
in the configuration line for the host, with a '+' for explicit TLS and '-' for implicit TLS.
See EMAIL ALERT CONFIGURATION above. For example, smtp.office365.com/+587
2) Fixed leak in non-paged pool memory usage.
3) When a file can't be deleted, you now get the option to retry the operation.
4) Improved detection of OS version for the tray hint.
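
The host notation from the 1.2.7.6 and 1.2.8.4 entries (host, host/port, host/+port, host/-port) decides whether alert mail and any SMTP user ID/password travel encrypted. The following added example, which is not MJRW's own code, parses that notation, flags cleartext settings, and shows what explicit and implicit TLS mean as a connection; the warning wording, the 465/587 port conventions and the hostname mail.example.test are assumptions of the example.

```python
import smtplib
import ssl

DEFAULT_PORT = 25  # MJRW's default SMTP port per the 1.2.7.6 entry
# Common conventions (assumption, not from MJRW): 465 implicit, 587 explicit.
USUAL_TLS = {465: "implicit", 587: "explicit"}


def parse_smtp_host(spec):
    """Split 'host', 'host/port', 'host/+port' or 'host/-port'.

    Returns (host, port, tls) with tls one of 'none', 'explicit', 'implicit'.
    """
    host, slash, port_text = spec.strip().partition("/")
    if not host:
        raise ValueError("missing hostname in " + repr(spec))
    tls, port = "none", DEFAULT_PORT
    if slash:
        if port_text[:1] == "+":
            tls, port_text = "explicit", port_text[1:]
        elif port_text[:1] == "-":
            tls, port_text = "implicit", port_text[1:]
        if not port_text.isdigit() or not 0 < int(port_text) < 65536:
            raise ValueError("bad port in " + repr(spec))
        port = int(port_text)
    return host, port, tls


def audit(spec, sends_credentials):
    """Return a list of warnings for one alert-mail host setting."""
    host, port, tls = parse_smtp_host(spec)
    warnings = []
    if tls == "none":
        warnings.append("alert text (user and PC details) is sent unencrypted")
        if sends_credentials:
            warnings.append("SMTP user ID/password may cross the network in clear")
    elif port in USUAL_TLS and USUAL_TLS[port] != tls:
        warnings.append("port %d usually expects %s TLS" % (port, USUAL_TLS[port]))
    return warnings


def open_session(spec, timeout=10):
    """Connect the way the setting describes, using Python's smtplib."""
    host, port, tls = parse_smtp_host(spec)
    context = ssl.create_default_context()  # verifies certificate and hostname
    if tls == "implicit":
        # TLS handshake happens before any SMTP command is exchanged.
        return smtplib.SMTP_SSL(host, port, timeout=timeout, context=context)
    client = smtplib.SMTP(host, port, timeout=timeout)
    if tls == "explicit":
        # Plain connection upgraded with STARTTLS; raises if the server
        # does not offer it, so the session never falls back to cleartext.
        client.starttls(context=context)
    return client


if __name__ == "__main__":
    # Host settings quoted in this file, plus one constructed example.
    for setting in ("smtp.microsoft.com/587", "smtp.office365.com/+587",
                    "mail.example.test/-465"):
        print(setting, parse_smtp_host(setting), audit(setting, True))
```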

Changes 1.2.8.4 to 1.2.8.5
1) Updated SSL libraries and strengthened ciphers to TLSv1.
2) Improved algorithms.

Changes 1.2.8.5 to 1.2.8.6
1) Further updated SSL libraries and strengthened ciphers.
2) Hot Key Enable/Disable toggle implemented.
3) Added extra keys to cover Creer's list.
4) Fixed bug with service app not picking up configured key set to use.

Changes 1.2.8.6 to 1.2.8.7
1) Email configuration now allows for blank username so you can use "No Authentication"
for an outgoing SMTP server.

Changes 1.2.8.7 to 1.2.8.8
1) Windows 11 support.
2) Circular registry entries now won't prevent MJRW from starting up.
3) Tray icon colour correction.
4) Distribution zip file was missing update information.

Changes 1.2.8.8 to 1.2.8.9
1) Rid MJRW of the shackles of supporting 640 by 480 screens (a thing of the past), and improved the layout.
2) Secure email support now uses modern ciphers and transport, with a certificate valid until 2030.
3) Loading a customisation file for the first time, that didn't previously exist, no longer hangs MJRW for several seconds.
4) Coloured background of each panel to make it easier on the eye.
