Tiny Watcher: FAQ, known problems & real life stories

Main help page

FAQ

How can I make Tiny Watcher silent during logon time?

Why doesn't Tiny Watcher fix problems automatically?

The job would be endless. Each new program written anywhere in the world has its own way of installing itself on your computer and using its resources. There is no clear line between the programs that "abuse" your computer's resources and the ones that don't; in fact, it all depends on your opinion. For example, you might allow an application to run in the background all the time if that application is important to you, but refuse the same to programs that you only use occasionally.

Why doesn't Tiny Watcher allow me to terminate a suspicious process?

Version 1.11 supports this feature. With earlier versions you can always kill a process from the Windows Task Manager. However, note that killing a process is usually not an adequate response by itself, even if the process is a virus or other malware. Malware uses various tricks to run again later, such as registering itself in a startup registry key or replacing/infecting system executables. If you have been infected, the best course is always to find out by what, then locate and follow the removal instructions given by an antivirus vendor or another trustworthy source. Removal instructions for viruses are usually published in several places on the Web.

I disabled or removed by mistake a file or directory with Tiny Watcher. Is it too late?

Normally not.

Disabling a file or directory renames it (by appending ".watched_disabled" to its name). In most cases this is enough to neutralize a threat, or to see how much the system actually depends on that item. You can always restore the original name using Windows Explorer (Tiny Watcher will display the warning again during the next scan; you can then choose whether or not to confirm it).

If you use "remove" instead of "disable", Tiny Watcher sends the file or directory to the Windows Recycle Bin. So if you did not empty your Recycle Bin, and it was not too long ago (the Recycle Bin has a limited size, and the oldest items are discarded first), you can restore your file or directory: open the Recycle Bin, find the item and choose "Restore". Incidentally, it is rarely a good idea to empty the Recycle Bin.

I disabled or removed by mistake a registry entry with Tiny Watcher. Is it too late?

Once again, you have to know what you are doing if you choose to touch registry entries. In some cases this can make your machine unable to restart normally. In the worst case, reinstalling or repairing Windows will solve all problems.

Disabling an entry lets you backtrack, since it simply renames the entry (by adding "watched_disabled." to its name). You can still find the entry in regedit and rename it back. Use Tiny Watcher's log if you forgot the entry's name.

If you use "remove" instead of "disable", the entry is deleted. You might be able to use Tiny Watcher's log to recreate the entry. This is not straightforward, but it is possible...
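As an added example (this is not Tiny Watcher's own code), the following PowerShell script locates items that Tiny Watcher has disabled by renaming them, and renames them back. It assumes the markers described in the two answers above: ".watched_disabled" appended to file and directory names, and "watched_disabled." added to registry value names (the script accepts the marker as either a prefix or a suffix, so it does not depend on which side it was added). The search roots and registry keys listed in the script are assumptions chosen to cover the usual startup locations; Tiny Watcher will report the restored items again at its next scan, as explained above.

```powershell
# Added example, not part of Tiny Watcher. Finds items that Tiny Watcher "disabled"
# by renaming them and renames them back. Assumed markers: files/directories carry
# ".watched_disabled"; registry value names carry "watched_disabled.". The search
# roots and registry keys below are assumptions covering the usual startup spots.

$Marker = 'watched_disabled'

# Where to look for renamed files and directories (assumed).
$SearchRoots = @($env:SystemRoot, $env:ProgramFiles, $env:APPDATA)

# Where to look for renamed registry values (assumed: the usual startup keys).
$RegKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Strip the marker whether it was added as a prefix ("watched_disabled.name")
# or a suffix ("name.watched_disabled"); returns $null if no marker is present.
function Get-OriginalName {
    param([string]$Name)
    if ($Name -match "^$Marker\.(.+)$") { return $Matches[1] }
    if ($Name -match "^(.+)\.$Marker$") { return $Matches[1] }
    return $null
}

function Get-WatchedDisabledFile {
    foreach ($root in $SearchRoots) {
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { Get-OriginalName $_.Name } |
            ForEach-Object {
                [pscustomobject]@{ Path = $_.FullName; OriginalName = (Get-OriginalName $_.Name) }
            }
    }
}

function Get-WatchedDisabledRegistryValue {
    foreach ($key in $RegKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $original = Get-OriginalName $name
            if ($original) {
                [pscustomobject]@{ Key = $key; Name = $name; OriginalName = $original; Data = $item.GetValue($name) }
            }
        }
    }
}

function Restore-WatchedDisabledItem {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # Deepest paths first, so a file inside a disabled directory is renamed
    # before the directory itself changes name.
    foreach ($f in (Get-WatchedDisabledFile | Sort-Object { $_.Path.Length } -Descending)) {
        if ($PSCmdlet.ShouldProcess($f.Path, "Rename back to '$($f.OriginalName)'")) {
            Rename-Item -LiteralPath $f.Path -NewName $f.OriginalName
        }
    }
    foreach ($v in Get-WatchedDisabledRegistryValue) {
        if ($PSCmdlet.ShouldProcess("$($v.Key) : $($v.Name)", "Rename value back to '$($v.OriginalName)'")) {
            Rename-ItemProperty -LiteralPath $v.Key -Name $v.Name -NewName $v.OriginalName
        }
    }
}

# Review first; -WhatIf shows what would be renamed without touching anything.
Get-WatchedDisabledFile | Format-Table Path, OriginalName -AutoSize
Get-WatchedDisabledRegistryValue | Format-Table Key, Name, Data -AutoSize
Restore-WatchedDisabledItem -WhatIf
```

Run it from an elevated prompt when the items live under HKLM or the Windows directory, and drop the -WhatIf only after checking the two listings: restoring a registry value that you disabled on purpose puts the program straight back into the startup sequence.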

Known problems

In version 1.5 (1.501)

  1. Cannot confirm on warning "Another process is using the same name but a different executable file".

     In some cases this is normal, but Tiny Watcher does not allow you to choose "Confirm".
     (first mentioned by Ed Bradford, David Agopian, and Peter Hillier-Brook; thank you all!)

  2. Assertion failure "out of memory".

     The problem is still under investigation. It could be related to an invalid or blank file name in one of the scanned directories. Kevin reported two files named "?" in the WINNT directory; the problem disappeared after uninstalling the application that had created these two files.

     	Module Watcher, watcher.exe 1.501* (OL)
     	File C:\Documents and Settings\oribu\My Documents\programs\watcher\tlib\t_util.cpp, line 931
     	Application C:\Program Files\Watcher\Watcher.exe
     	tstr::_alloc: out of memory

     (thanks to Kevin Condon and several others)

  3. Assertion failure "chkProcess".

     The problem is still under investigation. It seems to happen because of a damaged file, or because a program leaves a "trailing lock" on a file. David reported that it happened only once on his machine; subsequent runs were fine.

     	Module Watcher, watcher.exe 1.501* (OL)
     	File C:\Documents and Settings\oribu\My Documents\Programs\watcher\chkProcess.cpp, line 529
     	Program: G:\Program Files\watcher\watcher.exe

     (thanks to David Dooley)

In version 1.112

  1. In Win ME/98/95, the task manager shows "Tiny Watcher (not responding)".

     When Tiny Watcher is working in the background (without a visible window) and you open the task manager (press Ctrl-Alt-Del), you might see Tiny Watcher in the process list with the label "not responding". This is normal and does not require any action. Just wait until Tiny Watcher finishes its job (this might take a few minutes, depending on the speed you chose in Tiny Watcher's options).

In version 1.106

  1. Warning "Cannot access the executable file" on a process.

     Until version 1.11, Tiny Watcher did not allow the "Confirm" action on this type of warning. The message would therefore come back at each logon (and each time you ran Tiny Watcher).

     Fix: version 1.11 allows the "Confirm" action on this warning.

  2. Files often detected as "modified" but that are not malware.

     Fix: version 1.11 lets you declare a changed file as "Volatile". Further changes to a "volatile" file are ignored by Tiny Watcher. Use this only for files that legitimately change all the time (logs, caches, indexes), since changes to a volatile file are no longer reported.

  3. Machine refuses to shut down or log off when Tiny Watcher has warnings to display.

     Workaround: if Tiny Watcher is showing a warning list, close its window before shutting down. If Tiny Watcher's icon is in the system tray, click on it and then close Tiny Watcher's window before shutting down.

     Fix: version 1.11 fixes this problem.

  4. Error message when the system tray icon is activated with the "Enter" key.

     Workaround: activate the system tray icon with the mouse or the "space" key.

     Fix: version 1.11 fixes this problem.

  5. Error message when choosing the "Disable" action on a new directory.

     The message mentions "File C:\Documents and Settings\oribu\My Documents\programs\watcher\chkFile.cpp, line 389".

     Workaround: choose the "Ignore" button in the error message box.

     Fix: version 1.11 fixes this problem.

  6. Problems related to "special characters" in file names.

     File names containing the equal (=) character would continue to generate a "File created" warning even after being confirmed by the user.

     File names containing characters that cannot be displayed in the default language would continue to generate a "File created" warning even after being confirmed by the user. Additionally, an error message would be displayed:

     "twcstombs conversion failed; some characters have been replaced by '?'; this is sometimes a minor problem, you may choose 'ignore'"

     Fix: version 1.11 fixes these two problems.

Real life stories

Tiny Watcher VS the Mydoom.BU worm

In most cases, if you get infected by malware (a virus, worm, adware, spyware, etc.), Tiny Watcher WILL detect it, because to survive the next reboot the malware usually has to create or change something in the places Tiny Watcher monitors (startup entries, services, system files).

I got infected by the Mydoom.BU worm... I know, I was quite stupid to open that attached file - what the heck was I thinking? Well, sometimes one is distracted, in a hurry, and right at that moment arrives the email with exactly the kind of message that seems to make sense, and for 10 seconds my mouse clicks were faster than my reasoning...

Running Tiny Watcher's "post install check" (shortcut in the "Start" menu) found the following things:

Looking up "nec.exe" on the Web ("Web search" button) led me directly to pages about the Mydoom.BU worm. I applied the removal instructions to get out of trouble.

Note that in this particular case, disabling (or removing) the new registry entries and the new file detected by Tiny Watcher was enough to neutralize the worm. However, the worm also modifies a system file called "hosts" (no extension) so that several popular antivirus websites become unreachable. Starting with version 1.11, Tiny Watcher also checks the "hosts" file. It is also good practice to run a deep scan after such an event.
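As an added example (not Tiny Watcher's own check), here is a PowerShell script that parses a hosts file the way you would review it after such an infection: it flags well-known antivirus and update sites that have been pointed at the local machine, and lists any other entry that is not a plain localhost mapping for review. The vendor list, the function names and the constructed sample hosts content are assumptions made for the illustration.

```powershell
# Added example, not part of Tiny Watcher. Parse a Windows "hosts" file and flag
# entries of the kind the Mydoom.BU story describes: security and update sites
# mapped to the local machine so that they become unreachable.

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Domains that malware commonly blocks through the hosts file (assumed list).
$WatchList = @(
    'symantec.com', 'norton.com', 'mcafee.com', 'sophos.com', 'kaspersky.com',
    'trendmicro.com', 'f-secure.com', 'windowsupdate.com', 'microsoft.com'
)

# One object per (address, hostname) pair; comments and blank lines are skipped.
function Get-HostsEntry {
    param([string[]]$Lines)
    $lineNo = 0
    foreach ($line in $Lines) {
        $lineNo++
        $text = ($line -split '#', 2)[0].Trim()
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }
        foreach ($hostName in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{ Line = $lineNo; Address = $fields[0]; Host = $hostName }
        }
    }
}

# Emits a finding for anything that is not the standard localhost mapping.
function Test-HostsEntry {
    param([Parameter(ValueFromPipeline = $true)]$Entry)
    process {
        $addr = $Entry.Address
        $isLocal = $addr -in @('127.0.0.1', '0.0.0.0', '::1') -or $addr.StartsWith('127.')
        $isLocalhost = $Entry.Host -in @('localhost', 'localhost.localdomain')
        $onWatchList = $WatchList | Where-Object { $Entry.Host -eq $_ -or $Entry.Host.EndsWith(".$_") }
        $reason = $null
        if ($onWatchList) {
            $reason = "security/update site '$($Entry.Host)' redirected to $addr"
        } elseif (-not $isLocalhost -and $isLocal) {
            $reason = "'$($Entry.Host)' blocked via $addr (review)"
        } elseif (-not $isLocalhost) {
            $reason = "'$($Entry.Host)' mapped to external address $addr (review)"
        }
        if ($reason) {
            [pscustomobject]@{ Line = $Entry.Line; Host = $Entry.Host; Address = $addr; Reason = $reason }
        }
    }
}

# Constructed sample input, modelled on what an infected hosts file looks like.
$SampleHosts = @'
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.symantec.com securityresponse.symantec.com
0.0.0.0         update.microsoft.com
'@ -split "`r?`n"

Get-HostsEntry -Lines $SampleHosts | Test-HostsEntry | Format-Table -AutoSize

# Same check against the real file (the sample above yields three findings).
if (Test-Path -LiteralPath $HostsPath) {
    Get-HostsEntry -Lines (Get-Content -LiteralPath $HostsPath) | Test-HostsEntry | Format-Table -AutoSize
}
```

A clean default Windows hosts file produces no findings at all, so any output from the second call deserves a look; entries you added yourself (a development server, an ad blocklist) will show up as "review" items and can simply be confirmed, exactly like a Tiny Watcher warning.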

"Mysteriously new device driver"

Sometimes, unfortunately, you have to reason at some length to understand a change detected by Tiny Watcher... This story is an example.

As I logged on one morning, I got two warnings from Tiny Watcher. Two new registry entries had been created in the "services" area. The paths were:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\FsVga\EventMessageFile
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FsVga\ImagePath

This told me that the new service name was "FsVga" (the "EventLog" service is used by the other services to record events for system administration purposes, and each of them registers the file holding its event messages under the Eventlog key).
A file path in both entries pointed to the related device driver:

C:\WINNT\system32\drivers\fsvga.sys

Looking at the version information of fsvga.sys (right-click the file, choose "Properties", then the "Version" tab) told me:

Full Screen Video Driver

Searching the Web did not give me much: I learned only that the driver ships with Windows 2000 and Windows XP. Up to this point everything looked fine, except for one thing:

I had been using my machine for several months, with a display device (obviously) and in "full screen" (I suppose, whatever that means), so why did I suddenly need a new driver?

Looking in the Services snap-in (click Tiny Watcher's "Services" button, or right-click "My Computer", then "Manage", "Services and Applications", "Services"), I could not find any service named "FsVga" or anything like it. This is not enough to conclude that Windows does not use the driver, because the Services snap-in does not show all services: device drivers and some system services are omitted. My assumption at the time was that the registry entries for the driver had been added but the driver was never activated (I chose "Confirm" in the warning window). Much later, I discovered that FsVga is only used by the console (DOS box) when it is opened in full screen...

We thought this story could be useful because it shows a classic investigation process. Luckily, most cases are much easier to solve than this one. See for example the next story.

"LSASS is not a virus"

An example of a common and easily solved encounter...

The other day, Tiny Watcher complained about a new registry entry in the services area. The message mentioned "LSASS.EXE". By running a "Web search", I found many references to LSASS.EXE connected with viruses (Lovgate, Sasser, Nimos, ...). Sweat, sweat, sweat...

After calming down, I noticed the name of the service (included in the registry key path). I ran another search on this name; it was a cryptography-related service... It took me a few more minutes to remember that I had recently visited my new bank's website. I guess the browser simply activated the new service transparently so that I could exchange encrypted information...
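Both stories above come down to the same two questions: what does the registry entry for this service name actually point to, and is that file what it claims to be? As an added example (not Tiny Watcher code), the PowerShell function below answers them for any name under CurrentControlSet\Services, including kernel drivers such as FsVga that the Services snap-in never lists: it reads the Type, Start and ImagePath values, resolves ImagePath to a file, and reports that file's version description and Authenticode signature. For the LSASS case the point to verify is that ImagePath resolves to the real %SystemRoot%\System32\lsass.exe and that the file is signed by Microsoft; a similar-looking name at another path, or an unsigned file, is the pattern the search results were warning about. The function name and the decoding of the Type and Start values are my own.

```powershell
# Added example, not part of Tiny Watcher. Given a name under
# HKLM\SYSTEM\CurrentControlSet\Services, show what the entry points to.
function Get-ServiceImageInfo {
    param([Parameter(Mandatory = $true)][string]$Name)

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path -LiteralPath $key)) {
        throw "No service or driver named '$Name' under CurrentControlSet\Services"
    }
    $svc = Get-ItemProperty -LiteralPath $key

    # Type: 1 = kernel driver, 2 = file system driver, 16 = Win32 own process,
    # 32 = Win32 shared process (the 0x100 "interactive" flag is masked off).
    $typeName = switch ([int]$svc.Type -band 0xFF) {
        1       { 'Kernel driver' }
        2       { 'File system driver' }
        16      { 'Win32 service, own process' }
        32      { 'Win32 service, shared process' }
        default { "Other ($($svc.Type))" }
    }
    # Start: 0 = boot, 1 = system, 2 = automatic, 3 = manual, 4 = disabled.
    $startNames = @('Boot', 'System', 'Automatic', 'Manual', 'Disabled')
    $startName = if ($null -ne $svc.Start -and $svc.Start -ge 0 -and $svc.Start -lt 5) {
        $startNames[[int]$svc.Start]
    } else { "Unknown ($($svc.Start))" }

    # Resolve ImagePath to a file: drop quotes and arguments, expand variables,
    # and handle the "\??\", "\SystemRoot\" and bare "system32\..." forms drivers use.
    $image = [string]$svc.ImagePath
    if ($image -match '^"([^"]+)"') { $image = $Matches[1] }
    else { $image = ($image -split '\s+(?=[-/])', 2)[0] }
    $image = [Environment]::ExpandEnvironmentVariables($image)
    $image = $image -replace '^\\\?\?\\', ''
    $image = $image -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($image -and -not [IO.Path]::IsPathRooted($image)) {
        $image = Join-Path $env:SystemRoot $image
    }

    $info = [pscustomobject]@{
        Name = $Name; DisplayName = $svc.DisplayName; Type = $typeName; Start = $startName
        ImagePath = $svc.ImagePath; File = $image; FileExists = $false
        Description = $null; Company = $null; Signature = 'n/a'; Signer = $null
    }
    if ($image -and (Test-Path -LiteralPath $image)) {
        $info.FileExists  = $true
        $ver = (Get-Item -LiteralPath $image).VersionInfo
        $info.Description = $ver.FileDescription   # "Full Screen Video Driver" for fsvga.sys
        $info.Company     = $ver.CompanyName
        # Many Windows-inbox files are catalog-signed rather than embedded-signed; a
        # "NotSigned" result on such a file needs a catalog-aware check before drawing
        # any conclusion. An unsigned file at an unusual path is the real red flag.
        $sig = Get-AuthenticodeSignature -LiteralPath $image
        $info.Signature = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $info.Signer = $sig.SignerCertificate.Subject }
    }
    return $info
}

# The driver from the first story: the snap-in does not list it, this does.
Get-ServiceImageInfo -Name 'FsVga' | Format-List

# The second story: every service whose ImagePath mentions lsass.exe should resolve
# to the real %SystemRoot%\System32\lsass.exe with a valid Microsoft signature.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    Where-Object { (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).ImagePath -match 'lsass\.exe' } |
    ForEach-Object { Get-ServiceImageInfo -Name $_.PSChildName } |
    Format-Table Name, Type, File, Signature -AutoSize
```

Feed it the service name from the registry path in a Tiny Watcher warning (the component after "Services\"), and compare the resulting File, Description and Signer with what a Web search says about that name; that is the whole of the "long reasoning" in the first story, done in one call.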

