Tiny Watcher: help on warnings

Tiny Watcher tells you that something changed. What should you do?

First, try to remember:

  • Did you install an application, a patch, a service pack, or a Windows update? This is the easy case, and fortunately the most common. You don't need to worry about malware; a little "cleanup" is sometimes necessary (for programs that install themselves in a non-standard way).
  • Did you use a piece of hardware (digital camera, etc.) for the first time? This can silently install new drivers and/or services.
  • Did you visit a web page with "special" features? Such pages sometimes install components (for example, support for an encryption protocol). Through Internet Explorer security flaws, malicious programs can also get onto your machine (for example, a scripting object that copies files to your disk, modifies your registry, etc.).
  • Did you run a program for the first time? Did you get the binary from a trusted source? If not, watch out for viruses and other malware!
  • If you remember doing one of these things, and you can clearly connect the warning message with it, you are nearly done. By "clearly connect" we mean that some element of the message identifies the change, such as a file path pointing to the newly installed feature (example: a path to "C:\Program files\MyNewApp\bgtask.exe" if you installed "MyNewApp" recently).

    If you don't remember anything, or you cannot clearly connect what you remember with the warning, you are in for more investigation. You might want to skip this warning (button "Skip") and see whether other messages give you a better hint. In any case, try not to give up: do not choose "Confirm" unless you know what the warning is about, because confirming tells Tiny Watcher to accept the change and stop reporting it. If you do give up, read the "Easy way out" paragraph below.

    NB: It is very good practice to run the "Post Install Check" (shortcut in your Start menu) right after any installation. This will spare you much of the effort of remembering later...

    Easy way out

    What if you want to give up anyway?

    So here you are: you tried to understand what Tiny Watcher complains about, you tried to remember what could have changed recently on your machine, and you found nothing.
    All right, we admit that sometimes it is quite hard to understand what happened. At the warning-message level, Tiny Watcher is quite close to a system administrator's tool, and not everybody is a sysadmin... Check out a few real-life stories to see if that cheers you up.

    You still want to give up on this message? Then give up: hit "Confirm", so you won't see it again, and move on. We do suggest that you take this occasion to check again that your machine is protected against attacks: antivirus (with an up-to-date signature database) and firewall (up and running). The world is a jungle...

    See also, in the FAQ: "Why doesn't Tiny Watcher fix problems automatically?"

    Warning messages index

    Registry entry was created

    How to handle this warning depends on the area in which the entry was created.

    Startup keys in registry

    These keys control which programs are run at the various steps of the startup and logon process. A new entry in this area means that one more program is run automatically. This in turn means a slower startup, and sometimes a generally slower computer (if the program stays permanently in the background).

    Usual questions to ask yourself
    - Do you know what this program is? (Which application did you install, or which setting did you change in an existing application?)
    - Does it really need to run at startup? (The answer is usually in the application's documentation and/or on the Web.)

    In most cases (you will be surprised how often), you can disable the new entry. To avoid trouble, it is good practice to restart your machine afterwards and check that nothing stopped working. If you don't want to restart right away, that's fine, it can wait, but leave yourself a note so you remember to check. If something does look broken, run a "startup review" (shortcut in your Start menu) and re-enable the entry.

    Examples of programs that put themselves in the startup keys for questionable reasons

  • Programs that want to load faster (they load themselves at startup, so that any later use seems instantaneous). If you don't use them often, you don't want them to do that.
  • Programs that check that their installation is correct (they verify their own files each time you log on).
  • Programs that show a "cute little icon" in the system tray (the right side of the taskbar). Sometimes the icon is nothing more than a shortcut.
  • And of course viruses... (but here the reason is clear).

    Services keys in registry

    These keys control which services can be run on your machine. A service is essentially a program that runs in the background (even when nobody is logged on) to perform system-related tasks. Much more information on services can be found on the Web. We recommend the detailed list of Win2000 and WinXP services on Black Viper's website.

    Tiny Watcher will not offer to disable or remove specific service entries. To modify services, use the regular Windows tool (the "Services" button, or type "services.msc" in the Start menu's "Run..." box), but please read some documentation first; you can break your system if you make mistakes there.

    However, there certainly are services that are needlessly enabled, and there are also viruses that install themselves as services. If you don't see why Tiny Watcher detected a change in the services area (you installed nothing recently and did nothing that seems related to the service name), be cautious.

    NB: the name of the service is included in the registry entry path, right after "Services\". For example, in the following path, the name of the related service is cisvc:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cisvc\ImagePath

    Other keys in registry

    These keys cover a few other ways for programs to be run automatically. Any new entry in this area should be watched carefully.

    Registry entry was changed

    Most of what you need to know about registry entries is said in the paragraph above, with one added point: a changed entry is usually more suspicious than a newly created one. Legitimate installers normally add their own entries; modifying an existing one (especially a system entry such as Shell or Userinit) is how malware gets itself run in place of, or alongside, the legitimate program.

    Startup review of a registry entry

    We suggest that you do not try to disable the following system entries. Also note that a change over time in one of these entries has to be watched carefully.

    Entry path
        Value

    HKLM\software\microsoft\windows\currentVersion\ShellServiceObjectDelayLoad\SysTray
        SysTray (InprocServer32=stobject.dll)
    HKLM\software\microsoft\windows\currentVersion\ShellServiceObjectDelayLoad\WebCheck
        WebCheck (InprocServer32=%SystemRoot%\System32\webcheck.dll)
    HKLM\software\microsoft\windows\currentVersion\ShellServiceObjectDelayLoad\Network.ConnectionTray
        Network Connections Tray (InprocServer32=C:\WINNT\system32\NETSHELL.dll)
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
        autocheck autochk *
    HKLM\software\microsoft\windows NT\currentVersion\Winlogon\VmApplet
        rundll32 shell32,Control_RunDLL "sysdm.cpl"
    HKLM\software\microsoft\windows NT\currentVersion\Winlogon\Shell
        Explorer.exe
    HKLM\software\microsoft\windows NT\currentVersion\Winlogon\Userinit
        C:\WINNT\system32\userinit.exe
    HKCU\software\microsoft\windows\currentVersion\Run\internat.exe
        internat.exe
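    Everything Tiny Watcher reports about the registry comes down to comparing the current contents of these autostart locations with a saved baseline. The PowerShell script below is an added example, not Tiny Watcher's own code: it snapshots the Run and RunOnce keys, ShellServiceObjectDelayLoad, BootExecute, the Winlogon values and every service's ImagePath (the service name being the path component after "Services\", as noted above), stores the baseline as JSON, and on later runs lists the entries created, changed or deleted since. The baseline file location and the exact key list are my assumptions; the list follows this page and is not exhaustive.

```powershell
# Added example (not Tiny Watcher's code): baseline-and-diff of the autostart registry
# entries discussed on this page. The first run writes a baseline; later runs report
# entries created, changed or deleted since. The baseline location and the key list
# below are my choices; the key list follows this page and is not exhaustive.
$BaselinePath = Join-Path $env:LOCALAPPDATA 'autostart-baseline.json'

$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager',     # BootExecute
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'  # Shell, Userinit, VmApplet
)
# Properties the registry provider adds to every Get-ItemProperty result; not registry values
$ProviderMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutostartSnapshot {
    $snap = @{}
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
            if ($ProviderMeta -contains $p.Name) { continue }
            # REG_MULTI_SZ values (BootExecute) arrive as string[]; flatten so they compare as text
            $snap["$key\$($p.Name)"] = [string]($p.Value -join ' ')
        }
    }
    # Services: the service name is the path component right after "Services\"
    Get-ChildItem -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $img = (Get-ItemProperty -LiteralPath $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
            if ($img) { $snap["$($_.Name)\ImagePath"] = [string]$img }
        }
    return $snap
}

function Read-Baseline {
    # ConvertFrom-Json yields a PSCustomObject; turn it back into a hashtable
    $obj = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
    $h = @{}
    foreach ($p in $obj.PSObject.Properties) { $h[$p.Name] = [string]$p.Value }
    return $h
}

function Compare-Snapshot {
    param([hashtable]$Old, [hashtable]$New)
    foreach ($k in (@($Old.Keys) + @($New.Keys) | Sort-Object -Unique)) {
        if (-not $Old.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'created'; Entry = $k; Was = $null;    Now = $New[$k] }
        } elseif (-not $New.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'deleted'; Entry = $k; Was = $Old[$k]; Now = $null }
        } elseif ($Old[$k] -ne $New[$k]) {
            [pscustomobject]@{ Change = 'changed'; Entry = $k; Was = $Old[$k]; Now = $New[$k] }
        }
    }
}

$current = Get-AutostartSnapshot
if (-not (Test-Path -LiteralPath $BaselinePath)) {
    $current | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath
    Write-Host "Baseline written ($($current.Count) entries). Run again after the next install."
} else {
    $changes = Compare-Snapshot -Old (Read-Baseline) -New $current
    if ($changes) { $changes | Format-Table -AutoSize -Wrap } else { Write-Host 'No autostart changes since baseline.' }
    # Once every reported change is explained (Tiny Watcher's "Confirm"), refresh the baseline:
    # $current | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath
}
```

    Run it once from an ordinary PowerShell prompt to write the baseline, then again after the next installation. HKCU entries belong to the user running the script, so keep one baseline per account; service subkeys the current user is not allowed to read are skipped silently.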

    Ini entry was created / changed

    Ini files (files with a .ini extension, usually located in the Windows directory) have been used less and less since the registry replaced them. Most of today's applications no longer use the Windows system ini files at all. However, since some ini entries are still active (notably under Windows ME/98/95), and since a few lazy malware authors have used them quite recently, Tiny Watcher checks a few of them.
    Basically, any change in these ini entries should be viewed with suspicion, unless you can clearly identify the program that needed to use this old-fashioned mechanism.

    In Windows ME/98/95

    Changing the screen saver (or setting one) will modify the system.ini-[boot]-scrnsave.exe entry.
    If you know that you did not change the screen saver, then watch out, since this entry is commonly used by malware.

    Startup review of an ini entry

    Except for Windows ME/98/95, the ini entries checked by Tiny Watcher should not be present on your machine (and therefore should not appear in a startup review).
    See also comments in the above paragraph.

    In Windows ME/98/95

    You should see the mandatory "shell" entry:

    system.ini-[boot]-shell = Explorer.exe

    This is perfectly normal (it is the way Windows runs the explorer when you log in).

    You will also have a "scrnsave.exe" entry if you use a screen saver:

    system.ini-[boot]-scrnsave.exe = C:\WINDOWS\SYSTEM\xxx.SCR

    If you do not use a screen saver, then watch out, since this entry is commonly used by malware.

  • Note that if a piece of malware (a worm) replaces the explorer.exe file, or installs itself as a fake screen saver (.scr file) in your system directory, Tiny Watcher would detect it during a deep file scan.

    File was created

    It is perfectly normal for programs to create files, but creating them in the Windows system directories is another story. Outside of installation, no application should ever do that, and even during installation there are few good reasons to put files in system directories. Here are the usual legitimate cases:

  • Windows (the system itself) can of course add files to its own directories. This happens in few situations, though, such as when you install additional components.
  • Connecting new peripherals to your machine (plug and play or not) will sometimes automatically create files (drivers, etc.) in your system directories. You might be asked to insert the CD that came with the hardware, or the Windows install CD, but not always: for the most popular devices, chances are that Windows already has a way to install the driver by itself, sometimes very discreetly.
  • Installers sometimes put their uninstaller executable in the Windows directories. This is not good practice (the application's own directory under C:\Program files, or a subdirectory of C:\Program files\Common Files, would be a better choice), but if you end up with a single executable with a self-explanatory name (like xxx_uninstall.exe or uninstxxx.exe) things are not that bad. You often have no choice but to accept this added file anyway; otherwise you won't be able to uninstall the application properly.

    File cannot be accessed anymore

    This warning is generated for a file that could be read previously but cannot be read anymore. This is highly suspicious.
    The system itself creates very few files that cannot be accessed, and those (for example "pagefile.sys" on NT, Win2000 and XP, which nothing but the system can open) are inaccessible from the moment they are created and stay that way. A file that used to be readable and no longer is has been locked, or had its permissions changed, by something, and you should find out by what.

    File was changed

    This warning should only appear if you updated the related application (or Windows itself). If you did not, this is a strong clue of a malware infection.
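    The three file warnings above ("File was created", "File cannot be accessed anymore", "File was changed") are the outcome of comparing a fresh listing of the system directories with an earlier one. As an added example (not Tiny Watcher's code), the PowerShell script below hashes the files in the Windows directory, System32 and the drivers directory, records which ones cannot be opened, keeps the result as a CSV baseline, and classifies every difference on later runs, including a file that was readable in the baseline and is not anymore. The directory list and the baseline location are my assumptions.

```powershell
# Added example (not Tiny Watcher's code): SHA-256 snapshot of the files in the system
# directories, kept as a CSV baseline; later runs report files created, changed, deleted
# or no longer readable. $Roots and $BaselinePath are my choices; there is no recursion,
# to keep a run short. Needs Get-FileHash (Windows PowerShell 4 or later).
$BaselinePath = Join-Path $env:LOCALAPPDATA 'sysfiles-baseline.csv'
$Roots = @($env:SystemRoot, "$env:SystemRoot\System32", "$env:SystemRoot\System32\drivers")

function Get-FileSnapshot {
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
            $hash = ''
            $state = 'ok'
            try {
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
            } catch {
                # pagefile.sys, hiberfil.sys and files held open exclusively by other software land here
                $state = 'inaccessible'
            }
            [pscustomobject]@{ Path = $_.FullName; Hash = $hash; State = $state }
        }
    }
}

function Compare-FileSnapshot {
    param($Baseline, $Current)
    # Compare-Object emits one row per differing side: a path seen only on the "=>" side was
    # created, only on the "<=" side was deleted, on both sides something about it changed.
    Compare-Object -ReferenceObject $Baseline -DifferenceObject $Current -Property Path, Hash, State |
        Group-Object -Property Path | ForEach-Object {
            $grp   = $_
            $sides = @($grp.Group.SideIndicator)
            $was   = $grp.Group | Where-Object { $_.SideIndicator -eq '<=' }
            $now   = $grp.Group | Where-Object { $_.SideIndicator -eq '=>' }
            $kind  = if ($sides -notcontains '<=') { 'created' }
                     elseif ($sides -notcontains '=>') { 'deleted' }
                     elseif ($now.State -eq 'inaccessible') { 'cannot be accessed anymore' }
                     elseif ($was.State -eq 'inaccessible') { 'readable again' }
                     else { 'changed (hash differs)' }
            [pscustomobject]@{ Change = $kind; Path = $grp.Name }
        }
}

if (-not (Test-Path -LiteralPath $BaselinePath)) {
    Get-FileSnapshot | Export-Csv -LiteralPath $BaselinePath -NoTypeInformation
    Write-Host "Baseline written to $BaselinePath. Run again later to see what changed."
} else {
    $changes = Compare-FileSnapshot -Baseline (Import-Csv -LiteralPath $BaselinePath) -Current (Get-FileSnapshot)
    if ($changes) { $changes | Sort-Object Change, Path | Format-Table -AutoSize } else { Write-Host 'No file changes since baseline.' }
}
```

    Hashing System32 takes a few minutes. Files that were already locked when the baseline was taken (pagefile.sys, hiberfil.sys) are "inaccessible" on both sides and are therefore not reported; only a transition from readable to unreadable produces the "cannot be accessed anymore" line. Deletions show up as well, which is what the Monitor deleted files option covers in Tiny Watcher.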

    Startup review of a shortcut

    Only shortcuts from the startup folders are reviewed. Since Windows does not use shortcuts to start critical system components, it is usually quite safe to disable any shortcut. Afterwards, it is good practice to restart your machine and check that the application the shortcut pointed to still works. In case of trouble (once again, this should be rare), run another startup review with Tiny Watcher and re-enable the shortcut.

  • Note that disabling a shortcut in a startup folder will indeed disable it but will not remove the file from the startup folder: the file is just renamed. During later startups the program pointed to by the shortcut won't run (as expected), but Windows will ask the user to choose an application to open the disabled shortcut file with... This will certainly puzzle the user (even if that user is you), so you might want to use the "Disable" button only as a temporary solution. Either move the disabled shortcut file out of the startup folder, or use the "Remove" button instead of "Disable" when reviewing shortcuts.

    File was deleted

    This warning will only appear if you have selected the Monitor deleted files option.

    Directory was created

    Few applications have a good reason to create a directory in the places that Tiny Watcher checks. In other words, this warning usually shows that an application is slowly helping turn your system directories into a mess...
    A few exceptions are:
    - peripherals that install a whole set of drivers and create a directory to keep them together;
    - Windows itself, when you install additional components.
    The root of the system disk (usually C:\) in particular should never receive any new directory. Only out-of-date applications still insist on installing themselves there; avoid installing them if you can, since you cannot expect much good from a program that starts by installing itself in the wrong place.

  • Note that you do not need to worry about malware too much here: malware usually avoids creating new directories, since that would make it easier for a user to notice.
  • Tiny Watcher allows you to "disable" a directory. This renames it, the purpose being to give you a chance to see what stops working on your machine if this directory is removed. If you disabled a directory and notice that something no longer works, rename the directory back (remove ".watcher_disabled" from the end of its name).
  • You cannot remove (delete) a directory directly from Tiny Watcher, since that is a potentially harmful operation for your system. We suggest that you explore the directory (the "Explorer" button takes you there) and take your time to decide what is in it and how necessary it is. Some applications let you choose another location for their directory; others create completely useless directories. Unfortunately, you have to figure that out by yourself.

    Directory was deleted

    This warning will only appear if you have selected the Monitor deleted files option.

    Cannot obtain executable file's path for a process

    This should not happen except for very special system processes (the kernel's own System process, for example). Perform a web search ("Web search" button) to find information about the process.

    Another process is using the same name but a different executable file

    Tiny Watcher considers it abnormal for several processes to run from different executable files that share the same name. While the system does not forbid this, it is highly unlikely to happen in normal situations. On the other hand, it is a well-known trick used by malware to run undetected: name the malicious executable after an existing program (like "explorer.exe").
    This warning is therefore a strong clue that malware is present on your machine. Identify the suspicious executable file (compare the full paths given in the message; the legitimate explorer.exe, for instance, lives in the Windows directory) and get proper antivirus information and help.

    There is no way to tell Tiny Watcher to ignore this situation; the "Confirm" button is not available for this warning.

    In the very rare case where you want to run two different executables that share the same name, you can rename one of the two; this should not change how it works, and Tiny Watcher will stop complaining.

    Cannot access the executable file of a process

    This should not happen except for very special processes. For example, antivirus programs and other security-related programs sometimes "lock" their executable file. If in doubt, perform a web search ("Web search" button) to find information about the process (you may not find anything, though).

    If you know you can trust the application related to the process, choose "Confirm"; Tiny Watcher will not give you this warning about this process anymore.
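    The process warnings above can be reproduced with Get-Process. The script below is an added example, not Tiny Watcher's code: it lists processes that share a name but run from different executables, processes whose executable path cannot be obtained, and running executables that cannot be opened for reading (the hash attempt fails, as with self-protecting security software). It assumes nothing beyond Windows PowerShell 4 or later for Get-FileHash.

```powershell
# Added example (not Tiny Watcher's code): the three process checks described above,
# done with Get-Process. Run from an elevated prompt so that Path is available for
# processes owned by SYSTEM or other users; otherwise they all show up under "no path".

function Get-ProcessNameCollisions {
    # Same process name, different executable files: the "explorer.exe" trick
    Get-Process | Where-Object { $_.Path } |
        Group-Object -Property Name |
        Where-Object { @($_.Group.Path | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Name  = $_.Name
                Paths = (@($_.Group.Path | Sort-Object -Unique) -join '  |  ')
            }
        }
}

function Get-ProcessesWithoutPath {
    # "Cannot obtain executable file's path": System, Idle and protected processes,
    # plus everything we lack the rights to inspect when not elevated
    Get-Process | Where-Object { -not $_.Path } | Select-Object Id, Name
}

function Get-UnreadableProcessImages {
    # "Cannot access the executable file": the image is on disk but cannot be opened for reading
    Get-Process | Where-Object { $_.Path } | Sort-Object -Property Path -Unique | ForEach-Object {
        $proc = $_   # keep the process; inside catch, $_ is the error record
        try {
            Get-FileHash -LiteralPath $proc.Path -Algorithm SHA256 -ErrorAction Stop | Out-Null
        } catch {
            [pscustomobject]@{ Name = $proc.Name; Path = $proc.Path; Error = $_.Exception.Message }
        }
    }
}

'--- Same name, different executable (strong malware indicator; check every path) ---'
Get-ProcessNameCollisions | Format-Table -AutoSize -Wrap
'--- Processes whose executable path cannot be obtained ---'
Get-ProcessesWithoutPath | Format-Table -AutoSize
'--- Running executables that cannot be read ---'
Get-UnreadableProcessImages | Format-Table -AutoSize -Wrap
```

    Run it elevated, otherwise every process owned by another user or by SYSTEM lands in the "no path" list. On 64-bit Windows the usual benign hit in the first list is a program running both its 32-bit copy from SysWOW64 and its 64-bit copy from System32 (powershell.exe, for example); anything carrying a system process name but running from outside the Windows directory is exactly the trick described above.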

    Process detected for the first time

    In case of doubt, refer to the Standard processes minimal information paragraph, and perform a web search ("Web search" button) to find information about the related process.

    During logon time

    This warning message means that a new process is running during logon time. In addition, this process has never been seen before by Tiny Watcher.

    If you recently installed an application, this means that the application starts a program each time you log on (therefore your startup will be slower). You might consider getting more information to see whether this process really needs to run at startup. See also the Startup review paragraph.

    If you didn't install a new application recently, get more information about the process, since it might be malware.

    Outside logon time

    It is normal for Tiny Watcher to display this warning once for each new program detected. If you know that this is indeed the first time Tiny Watcher has seen the related application, just choose "Confirm". For example, if you have used Windows Paint (mspaint.exe) many times, but this is the first time you run Tiny Watcher with Paint open, you will get a warning looking like this:

    Process MSPAINT.EXE <C:\Program files\Accessories\MSPAINT.EXE> :
    Process detected for the first time

    Check that the given path makes sense (i.e. points to where the related application is supposed to be installed) and hit the "Confirm" button.

    Process executable file's path has changed

    Executable files are not supposed to "move around" on your disk. If you did not reinstall the related application (or installed a new version of it in a different directory), then the situation is suspicious. Check both paths given by the warning message. One of them might point to a worm.

    If you understand why the path changed, just choose "Confirm".

    File's hashcode has changed for a process

    Simply put, this means the file was modified. This warning should only appear if you updated the related application (or Windows itself). If you did not, this is a strong clue of a malware infection.

    Number of running instances during logon time changed: 'n2' instead of 'n1'

    In case of doubt, refer to the Standard processes minimal information paragraph, and perform a web search ("Web search" button) to find information about the related process.

    "1 instead of 0"

    This warning message means that a process is now running during logon time. The process has been seen before by Tiny Watcher, but never during logon time.

    If you recently installed an application, this means that the application starts a program each time you log on (therefore your startup will be slower). You might consider getting more information to see whether this process really needs to run at startup. See also the Startup review paragraph.

    "n instead of m" (n>m)

    This warning message means that more instances of the process than usual are running during logon time. The process has been seen before by Tiny Watcher, but fewer instances were running during logon time. Please get more information on the Web to see whether this is normal.

    New scheduled task

    One way to create a new task is to use the task scheduler directly (in Control Panel, "Scheduled Tasks"). Applications sometimes offer (in their settings, for example) to schedule specific operations.

    If you did not create the new scheduled task yourself (directly in the task scheduler or through another application), then you might want to take a closer look.

  • The last part of the executable file's path will usually tell you which application the task belongs to.
  • To get detailed information about a task's schedule (date, time, frequency, etc.), use the task scheduler.

    Scheduled task was changed / Scheduled task parameters were changed

    As for the New scheduled task warning: if you did not change the task yourself, and do not see why the related application (see the executable file's path) would have changed it, take a closer look.

    Startup review of a scheduled task

    The Startup review lists all the tasks scheduled on your machine (regardless of their schedule).
    To get detailed information about a task's schedule (date, time, frequency, etc.), please use the task scheduler.
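    Tiny Watcher's view of scheduled tasks (which program each task runs, identified by the last part of the path) can be reproduced with the ScheduledTasks module. The script below is an added example, not Tiny Watcher's code: it flattens every task into one row per action with the resolved executable, its file name, author, state and next run time, and then applies a filter of my own that flags tasks whose program lives under a user profile or a Temp directory, as a first cut at the "closer look" suggested above. It needs Windows 8 / Server 2012 or later.

```powershell
# Added example (not Tiny Watcher's code): one row per scheduled-task action, with the
# executable it runs, the "last part of the path" that identifies the application, and
# the next run time. Needs the ScheduledTasks module (Windows 8 / Server 2012 and later).
# The "needs a look" filter below (programs run from user-writable places) is my heuristic.

function Get-TaskActions {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $info = Get-ScheduledTaskInfo -InputObject $task -ErrorAction SilentlyContinue
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no executable
            # Expand %SystemRoot% and friends and drop surrounding quotes to get a real path
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                State     = $task.State
                Author    = $task.Author
                Program   = [System.IO.Path]::GetFileName($exe)
                Execute   = $exe
                Arguments = $action.Arguments
                NextRun   = $info.NextRunTime
            }
        }
    }
}

function Get-TasksNeedingALook {
    param([object[]]$Actions)
    # Heuristic: a task whose program lives under a user profile or a Temp directory was not
    # installed the normal way; it may still be legitimate, but it deserves the closer look.
    $Actions | Where-Object {
        $_.Execute -like "$env:SystemDrive\Users\*" -or $_.Execute -like "$env:SystemRoot\Temp\*"
    }
}

$actions = Get-TaskActions
$actions | Sort-Object Task | Format-Table Task, State, Program, NextRun -AutoSize
'--- Tasks run from user-writable locations (heuristic) ---'
Get-TasksNeedingALook -Actions $actions | Format-Table Task, Author, Execute, Arguments -AutoSize -Wrap
```

    Run it elevated to see tasks registered by other users and by the system. To detect a changed task rather than just list them, save the output of Get-TaskActions with Export-Csv and compare it with a later run the same way the registry example on this page does.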

    General warning

    This message signals problems encountered while Tiny Watcher performed its checks. You are not supposed to do anything special about it; Tiny Watcher is just letting you know that something got in its way.

    "Previous checks were never completed"

    The last time Tiny Watcher ran, something prevented it from finishing its job. For example, a program error (GPF, "blue screen", etc.) or a sudden reboot of the computer while Tiny Watcher was working will generate this message on the next run.

    "System problem"

    Tiny Watcher was unable to perform one of its checks due to an abnormal system state. If this message appears systematically, please contact us.

    "Invalid configuration parameter"

    One of your customized configuration parameters has an invalid value. Look in the watcher.ini file for the entry named in the warning message, and remove or fix it.
    NB: documentation on customized configuration parameters is not available at the moment. Please contact us for more information.

    "Settings have been erased or changed outside Tiny Watcher. This is highly suspicious. Please check documentation."

    Unless you ran Tiny Watcher for the first time, or modified Tiny Watcher's configuration files on purpose, this message shows that another application altered Tiny Watcher's own sensitive files. It is probably time to worry. Please contact us so we know it happened.

    "Tiny Watcher has been upgraded from version ... to version ..."

    This message is completely normal if you just upgraded Tiny Watcher. It should appear only the first time Tiny Watcher runs after an upgrade, as a message box followed by a warning in the message list. Any other case is highly suspicious (i.e. having this message when you did not upgrade Tiny Watcher, or having it appear repeatedly).