Tiny Watcher: details
Main help page
Tiny Watcher allows you to "disable" or "remove" files and registry entries. Do not use this feature unless you know what you are doing.
Disabling system related items can cause problems to your system; in the worst cases, Windows will refuse to start on the next time you reboot - you might have to reinstall Windows to fix the problem. In a way this is a good news: reinstalling will quite always get you out of trouble. But you will surely waste your time doing so.
Users who understand a bit more how Windows works will probably find by themselves how to re-enable (rename) the missing item (without having to reinstall Windows!).
The snapshots in details
Tiny Watcher creates a snapshot for several sensitive areas of your system:
running processes (anytime)
running processes at logon time
startup registry keys
services registry keys
other sensitive registry keys
sensitive directories (c:\, Windows directory, "system32" directory, etc.)
other sensitive files
(see also the detailed check list paragraph)
The first time Tiny Watcher runs (normally right after install), it will create the snapshots for everything but the "running processes at logon time". The snapshot for these will be taken, not so surprisingly, at logon time. Therefore, this happens the next time you log in after having installed Tiny Watcher on your machine.
Tiny Watcher is not the right application to clean up a "dirty" machine. However, it is very useful to keep a machine clean.
An ideal way to use Tiny Watcher is to install it on your machine at a moment you are quite confident that everything is in order. Though, if you have already installed Tiny Watcher, you can still cleanup your machine at any time. Tiny Watcher will adjust its snapshot automatically.
The warning window
When Tiny Watcher detects a difference between your current machine state and what was monitored before, you will see the Warning window:
Selection: select an item in the upper table (left column) to see its description in the text zone below.
Multi-selection: if several items are selected at the same time, pressing a button will perform the related action on all these items, if applicable. In particular, the buttons "Confirm", "Disable", "Enable", "Remove" and "Volatile" (see below) can apply to more than one item at a time.
Sorting: you can sort the table by clicking on the column headers. Clicking twice on the same column header reverses the sorting order (ascending/descending).
Resizing: the window can be resized (by dragging its borders with the mouse in the usual way) and will conserve its size and position the next time Tiny Watcher runs.
Closing: if the window is closed with the cross in the upper right corner, the items that are still displayed in the list and that have not been disabled will appear again the next time Tiny Watcher runs (except of course if the problem they are related to has disappeared from your machine).
Contextual menu: starting in version 1.11, right-clicking on the "item" column shows a contextual menu on the item. The choice "Show content" is available in this menu for warning messages that contain a file path.
Web search will run your default browser on Google to search for the selected text. When the window appears, Tiny Watcher will automatically select the first executable file mentioned by the warning message. You can modify the text selection as you wish if needed. Do not hesitate to use this button to get more information about a file. Common Windows files (for example .exe and .dll files) are usually described or at least mentioned in more than one place on the Web. This will often give you enough information to decide how to consider the item.
Help (shortcut key F1) will show specific help related to the selected item.
Explorer will open a Windows explorer, if possible in a directory related to the warning message.
Registry will open the registry editor. Do not modify the registry unless you know what you are doing.
Services will open the Services snap-in (Windows administration tool; not available for Windows ME, 98 and 95).Do not modify service settings unless you know what you are doing.
Confirm all is equivalent to select all the items in the list and then hit "Confirm".
Note: starting in version 1.11, this button is replaced by the "Select all" button (see below).
Select all selects all the items in the list. See the Multi-selection paragraph above.
Confirm will update the snapshot with the selected item. By doing this the item won't be showed anymore during future checks unless it changes.
Disable: this button, when available, allows to disable the selected item. For a registry startup entry, for example, this will change the value of the entry so that the executable file won't be run anymore. This is a reversible action; if you edit the registry (with regedit or other tool) or if you perform a startup review, it is possible to reactivate the entry. In this case, Tiny Watcher will display an Enable button instead of the "Disable" one. Do not disable items without knowing what they are. Read also the general warning paragraph.
Enable: button showed instead of the "Disable" button when the selected item is already disabled (and can be re-enabled).
Remove: this button, when available, deletes the item that caused the warning. Watch out: except for files and directories (that are sent to the recycle bin), this action is not reversible since the item is permanently deleted. Always consider using the "Disable" button instead, if available. For a process, this button terminates the process abruptly (starting in version 1.11).
Volatile: this button, when available, marks the selected item as "volatile". Tiny Watcher will not display warnings about changes of this item anymore.
Note: this feature was added in version 1.11.
Perform a startup review when you want to verify what programs are launched at startup time. To run such a review, use the "startup review" shortcut (in your "Start" menu's "Tiny Watcher" folder).
Select an item in the upper table to see its description in the text zone below. Use the buttons in the usual way. In particular, use the "Disable" (or "Enable") button to decide if an item should run or not at startup time.
Watch out, though, not to disable or remove mandatory system items, (e.g. "explorer.exe" or "userinit.exe"). Perform a web search ("Web search" button) to get information about an item before disabling it.
Tiny Watcher's options
One can access to the Options window by two ways:
- by using the shortcut "view or edit options" (this is equivalent to running Tiny Watcher with "-options" in the command line).
- when the Warning window is displayed, one can also choose "Options" in the menu.
Checking speed: speed used by Tiny Watcher to perform its checks. 100=fastest; 1=slowest. Despite the name, this is a way to slow down Tiny Watcher. The default value after install is 100. A slower speed allows Tiny Watcher to use less resources (CPU/hard disk) while it works in the background. We suggest to leave this value at 100. However, you might want to use a slower speed if you use the Windows task scheduler to run Tiny Watcher automatically.
Monitor deleted files: check this to have Tiny Watcher generate a warning each time a file or directory is deleted. Though malware sometimes delete files on your system, there are always detectable through other changes, and all of them are detected by Tiny Watcher. Therefore, you do not have to turn on this option to increase your security.
Web search command: this is the URL given to your browser when the "Web search" button is activated in the Warning window. The default search command performs a search on Google. Note that the command should contain the string "%s" that will be replaced by the searched text.
Show content command: this is the command executed when you choose "Show content" in the contextual menu of the Warning window. The default command runs Windows "notepad". Feel free to replace it to run your favorite editor (an editor that can show binary files as hexadecimal codes is sometimes convenient). Note that the command should contain the string "%s" that will be replaced by the file's path.
Volatile files: the files from this list are usually modified by the system or by regular applications. Therefore, Tiny Watcher will not monitor changes in these files; only their creation will be generating a warning. Names using wildcards * and ? are allowed.
Ignored files: the files from this list will be completely ignored by Tiny Watcher. Names using wildcards * and ? are allowed.
"Logon time checks" group
Checking speed: same as "checking speed" above, but specific to logon time. You might want to use a slower speed during the logon time checks so that Tiny Watcher does not slow your logon process significantly.
Delay before running checks: it can be sometimes useful to wait a few seconds that all startup processes have started or that some transient processes have terminated.
On the other hand, keep in mind that waiting too long might create a problem, since the user will sometimes start to work (and therefore launch processes) before Tiny Watcher examines the list of processes. This would make Tiny Watcher generate a warning ("1 instance instead of 0 during logon time"). Luckily, the user will in this case recognize right away that the "suspicious" process is the one he just launched.
Show progress gauge: check this one if you want the progress gauge to be displayed during logon time checks. Some users might prefer to combine a slow checking speed and a non visible gauge to have Tiny Watcher the more discreet possible. Only the about box will be displayed in that case (and of course the detected warnings).
Reset process instance counters: you will only need to use this if you removed previously authorized programs from your startup list and want Tiny Watcher to notify you if they come again.
Tiny Watcher stores in its snapshot the number of authorized instances of a process at logon time. By default, no instance is authorized (the number is zero). Once the user confirmed a bigger number of instances, this new number is stored in the snapshot. The consequence is that the number of authorized instances can only increase. This option checkbox is the way to tell Tiny Watcher to perform a new counting (from zero) during next logon time checks.
"More options" menu
Custom Registry Keys: shows/edit the customizable list of registry keys and entries scanned by Tiny Watcher.
Directories and files: shows/edit the customizable list of directories and files scanned by Tiny Watcher.
Regional options: shows the "regional options" window. It allows you to decide which font and language you want for the interface (if you installed the French version of Tiny Watcher, you can switch to English; other languages might become available for download in the future).
Customizable list of registry keys and entries
This list is editable from the Options dialog box. The following syntax rules apply:
- one line per key or entry.
- full path must be used, starting by HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, etc.
- a path finishing by \* defines a key; all entries in this key will be scanned.
- a path finishing by \** defines a key with recursive scan; all subkeys will be scanned as well.
- adding % at the end of a path (e.g. ...\*% or ...\**%) turns on the filtering of entries. Only entries considered relevant will be compared to the snapshot. For example, entries containing a simple number ("DWORD" value) will be filtered out.
- a path finishing by an identifier defines a single entry.
Customizable list of directories and files
This list is editable from the Options dialog box. The following syntax rules apply:
- one line per directory or file.
- full path must be used, starting by c:\ or d:\, etc.
- a path can start with $windows\ to refer to the Windows directory (replaces c:\windows or c:\winnt etc.).
- a path finishing by \* defines a directory; all files in this directory will be scanned.
- adding % at the end of a path (e.g. ...\*%) turns on the filtering of files. Only files considered relevant will be compared to the snapshot. Files in the "Ignored files" or "Volatile files" list will be filtered out.
- a path finishing by an identifier defines a single file.
The log file
Each important action of Tiny Watcher (notably the updates of the snapshots and the user choices) is logged into a file that you can visualize by using the shortcut "view log file".
The first part of this file will always contain the complete trace of the creation of the current snapshot.
Use the log file for historical reference. For example, you can see when a particular file was detected for the first time, or if it was already on your disk when the current snapshot was taken.
Command line parameters
You normally do not need to know the syntax of the command line (since the necessary shortcuts are created in your "start" menu. This is given for reference only.
-deep: performs a deep scan of files instead of a quick scan (predefined shortcut: "deep scan").
-review: performs a review of Windows startup points (predefined shortcut: "startup review"). This will give you a chance to review (and reconsider) startup items.
-logon: this option is reserved to run Tiny Watcher at logon time, usually by a shortcut placed in the user "startup" directory ("Start Menu\Programs\Startup"). This shortcut is originally created by the installer. This performs the check of the processes running at logon time, followed by the regular checks.
-help: opens your default browser to access the online help (this page).
-options: opens the Options window.
Since viruses often run processes, modify the registry, and create files in Windows system directories, it is possible that Tiny Watcher will detect a virus. Read the real life story (Tiny Watcher VS the Mydoom.BU worm) to see how this can happen.
However, since Tiny Watcher will be able to detect the virus only after your machine is infected, you would take a risk and have to remove the virus by yourself after you discover that you have been infected. Tiny Watcher does not replace an antivirus program.
Professional antivirus programs use signature databases and other tricks to allow them to recognize a virus inside an executable file without having to run this file. Tiny Watcher does not do that (it was not designed to do that).
Furthermore, in the case your machine is already infected before Tiny Watcher is installed, it might not detect anything wrong, since the first snapshot will include the infected files. Only an antivirus program (using a virus signature database) can help you in this case.
Just for your information, here are the different areas where Tiny Watcher could detect viruses:Processes: A virus will have to run a new process at some point. If this process is still running when Tiny Watcher performs its checks, a warning will be generated ("process detected for the first time").
Startup list: A virus will often use one of the available ways to be run at Windows startup (or logon). Since Tiny Watcher checks most of the startup system provided by Windows, it will probably show a warning.
Scan of files: A virus will often create some files on your disk. Since creating a new directory could attract the user's attention, a common trick used by viruses is to hide their files among existing files. Windows own system directories are prefered places since no user knows exactly what files are in there. Tiny Watcher might therefore detect a file created of modified by a virus in a system directory.
Note that a deep scan performs a better (and slower, unfortunately) comparison of the files with the snapshot. This detects if an exisiting system file has been replaced or modified. An idea would be to use the system task scheduler to program a deep scan every once in a while (from once a day to once a week seems a reasonable interval).
Which processes are used by Tiny Watcher?
Tiny Watcher runs as a simple executable (no dll needed). The process "watcher.exe" exists only while Tiny Watcher is performing its checks (usually at your demand or right atfer logon).
There is no use of Windows services and no process running permanently in the background.
NB: There used to be an existing worm using a process called "i-worm.watcher.exe". This is a preferred strategy of worms to use names of existing programs. In normal conditions, Tiny Watcher is not supposed to generate any warning about its own process. If you see a warning about "watcher.exe", you should take it seriously.
Tiny Watcher checks the following points.
All running processes.
A hashcode check (SHA-1) is made on each process executable file. When a process executable is seen running for the first time, a "new process" warning is generated. Tiny Watcher also signals when two executable files run with the same process name (example: a worm calling itself "explorer.exe" running from c:\).
Registry keys or entries
NB: you can add keys to this list in the options window.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\BootExecute (entry)
All the subkeys of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services are checked.
Other sensitive keys
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components (key)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects (key)
HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE (entry)
win.ini, [windows], load
win.ini, [windows], run
system.ini, [boot], shell
system.ini, [boot], scrnsave.exe
During a quick scan, only the dates (creation and last modification) of the monitored files are compared with the snapshot (a change in a file's content made by a non-malicious program can be detected).
During a deep scan, a hashcode check (SHA-1) is made on the monitored files, therefore any change in a file's content can be detected.
Note that a deep scan is automatically performed to create the snapshot (the first time Tiny Watcher runs).
Content (files and subdirectories) of the following directories is checked.
NB: you can edit this list in the options window.
- Windows directory (c:\Windows or c:\WinNT or other name, depending on your machine)
- Windows system32
- Windows system32\drivers
- Windows system
- Windows system\iosubsys
- Windows system\vmm32
Shortcut files (.lnk) in startup folders:
- For all users (e.g. "C:\Documents and Settings\All Users\Start Menu\Programs\Startup", depending on your machine)
- For the current user (e.g. "C:\Documents and Settings\Owner\Start Menu\Programs\Startup", depending on your machine)
The following separate files are also checked:
- <windows>\system32\drivers\etc\hosts (in version 1.11 and above)
All scheduled tasks.
Executable path and parameters are checked. Schedule itself (date, time, frequency, etc.) and user authentication data (user and password) are not checked.
Standard processes minimal information
Here is a list of the common processes that you might expect to find on a clean Windows 2000 or XP machine (and probably NT). This list is not complete (and is not meant to be). If a process that is not in this list is running on your machine, start by looking on the Web for information.
alg.exe||XP only, ICS internet connection sharing and firewall. One instance only.|
csrss.exe||Client Server Runtime Sub System. Always one instance per user session (XP allows more than one user session at a time).|
ctfmon.exe||Alternative User Input Services. Notably, handles the language bar.|
explorer.exe||Windows Explorer. In the main Windows directory (and nowhere else). At least one instance per user session; you can have more if you chose the Explorer option "Launch folder windows in a separate process".|
NB: this is "Explorer", not Internet Explorer!
internat.exe||Input Locales. Multilingual keyboard functions.|
lsass.exe||Local Security Authority Service. Always running. One instance only.|
mdm.exe||Machine Debug Monitor. Not mandatory. In c:\program files\common files\microsoft shared\...|
mstask.exe||Task scheduler. Not mandatory if you do not want to schedule tasks.|
services.exe||Windows Service Controller. Always running. One instance only.|
smss.exe||Session Manager Sub System. Always running. One instance only.|
snmp.exe||Windows Simple Network Managment Protocol.|
spoolsv.exe||Splooled fax & print job.|
svchost.exe||Service host. Several instances are usually running in the same time (e.g. 5 instances on XP and 2 on W2K). Runs a dll (and is therefore sometimes used by viruses hidden in dlls).|
System||"The" System process. Always running. One instance only.|
System Idle Process||Always running. One instance only.|
taskmgr.exe||Windows Task manager. Always running.|
vcmd.exe||Windows Voice Commands (in speech subdirectory of Windows). Not mandatory.|
winlogon.exe||Windows Logon. Always one instance per user session.|
winMgmt.exe||Windows Management Instrumentation (in system32 subdirectory of Windows).|
Main help page