Hi All,

I created a little "health-oriented" RE app designed to ease the eye strain of poring over those multi-thousand entry Regmon logs. You know the ones I mean, those created by apps that seem to enum everything in your Registry just for the sake of doing so. You stare at them long enough to try to find out if they're doing something bad like trying to access your poor old Mom's bank account records or something, and your eyes will start to bleed.

The app parses the Regmon log Registry Key "Path" string of each entry and cuts it off at a subdirectory (\) level set by the user (Filter Level). A CRC32 value is then calculated on the remaining string. Any further occurrences of the same CRC32 value are considered "duplicates" and are discarded.

The string the CRC32 value is calculated on is actually a combination of the Process, plus the filtered Path string, and optionally the Request (CreateKey, OpenKey, QueryValueEx, etc.). Entries with one or more CLSID {} values can be handled separately so unique values are preserved irregardless of the Filter Level chosen.

The results seem accurate, thousands of redundant Regmon entries can be reduced to a couple of hundred unique ones (depending on the settings chosen) in milliseconds. Of course only the first occurrence of a duplicate is kept and is really only the "root" of the entry, but by selecting a series of Filter Level settings you can choose the degree of detail you want to reveal.

The app works equally well on Filemon logs. Full ASM source is included, so if you don't like something, you can change it. Bug reports, inaccurate results or other comments are welcomed. Enjoy

Cheers,
Kayaker

EDIT: File updated for > Win2K

Downloaded 64 times and not even a reply ?

Thanks kayaker for the great idea and great works, very usefull stuff

Anyways it seems that i have some errors, don't have time to look more at it atm but all i can say is that the program crashed the first time i launched it, now it runs but gives me an read error at "0x77e12b22" because it uses address "0x00e003e1" (and others when error comes back again)
it happens sometimes in launching the program, clicking on about or settings...

And...i use win 2k sp3

Any idea ?

regards

Probably most people are like myself - downloaded app as it may become useful, but not actually used it as such yet.

Thanks for the feedback guys! I figured it'd be one of those handy apps to have around, not necessarily shake the RE world to its foundation, lol . It was actually JMI's woeful story of having to sift through 20,000+ Regmon log entries that finally spurred me to code this idea I'd had for quite a long time. Of course it was meant as an ASM coding example as well for anyone who might be learning the stuff.

That sounds like an odd error backeyes, thanks for mentioning it. I put an SEH handler in the main parsing routine which should catch all errors there, but I have a sneaking suspicion what it might be since it doesn't sound like it came from that proc. I always preserve registers in any of my own procs I call, but only coding in Win98 on my own stuff I always forget that preserving ebx, edi and esi in the main message handling code as well is CRITICAL (as I'm beginning to learn). We just went over this in another thread too, lol.

By default a Windows API function will (can) freely modify eax, ecx and edx. Also by default it will preserve ebx, esi and edi if it uses them. It doesn't seem critical to preserve ebx, esi and edi if you use the code yourself in Win98 (at least I've never had any problems with it which is why I've developed this bad programming habit I suppose), but obviously it's deadly in Win2K and above. JimmyClif warned me of this (and it looks like you were right, bud , and Snoop found the exact same thing with ebx in his keygen recently.

So, lesson learned big time. I added the appropriate push/pops to the WM_NOTIFY routine where I think the error might be coming from, so if you could try this update and confirm it fixed the problem or not I'd appreciate it. It's the only thing I can think of offhand, and chances are the problem might not happen to others. I did get someone to beta test it on Win2K before releasing it and there were no problems on that system. If it works I'll update the previous link.

Thanks,
Kayaker

EDIT: Previous file updated now.

yep it works now

well done and thanks for the fix

regards
backeyes

So Kayaker:

If you have fixed my problem with having 20,000+ lines of regmon output to review, what am I going to do to keep me busy for late night problem solving to keep me out of trouble?? Oh well, I guess I could always go back to actually disassembling and debugging. It's getting too cold at night to go back to trying stealing hubcaps again.

Glad my previous sad tale of travail (sniff, sniff, pun intended ) helped inspire you to give us this useful tool. Wait, I know, I can finally take the time to try to figure out how the heck to actually get a mouse to work in Softice in my Win98se partition. I have a touch pad mouse on my Keyboard, a wireless trackball, and even a M$ serial mouse installed. All three operate just fine while I'm in Win2k sp3, and the cordless works fine in Softice DS 2.7 on Win2k, but I haven't gotten Win98 to recognize both the cordless (which is USB) and the serial M$ Mouse at the same time and Softice on that partition will not recognize any of the mice. It is a definite bummer no have no mouse in Softice at all.

There you go, another "woeful" challenge for our definitely "not all wet" coding Moderator.

Regards.

Hey,

You have got to be kidding me........

You of all people should be able to navigate without a mouse.

Lazy old timer

Later, Woodmann

Woodmann:

1. It WAS a fumble! (inside joke )

2. I can "navigate" without the mouse, it's just frustating that I can not get the damn thing to work as it is "supposed" to. For example I can switch windows in Softice with the keyboard commands, but if I move the mouse it just flashes the pop-up menu across the screen, in general alignment with the vertical position of the mouse.

And I got spoiled debugging on my Mac using the mouse. There I could more easily open multiple windows anchored to the registers and/or the stack and watch the data get moved in and out of memory. Thing I liked best about it was that I could have a white screen with black letters, which probably is only something I got used to, but I sure like it a whole lot better than a black screen with various colors for text.

M$ has the serial mouse in my device manager, but so far, no matter what I have tried, it still tells me the device is not available or not functioning properly and "searching" for new equipment fails to recognize their own friggen product. Maybe its a conflict between the various mice, but one that's not occuring in my Win2k setup.

And besides, when one gets to be my venerable age its nice to be able to lean back in the chair and "navigate" with the cordless trackball, leaving my other hand to "play" with whatever else may be handy. But enough about "self-abuse." Sure glad my mother was wrong and I haven't gone blind yet!

Regards.

>>It's getting too cold at night to go back to trying stealing hubcaps again.

Interesting wording, does this mean you've so far been unsuccessful at stealing hubcaps? Mind you, I can understand the discomfort. Being more than a few miles north of you, various body parts have already begun to stick to cold metal objects...

>>Glad my previous sad tale of travail (sniff, sniff, pun intended ) helped inspire you to give us this useful tool.

Ahh JMI, it simply means you're an inspiration to us all

>>It is a definite bummer no have no mouse in Softice at all.

Sorry, can't help you there other than offering misery loves woeful company solace. At home, Logitech cordless + Win98SE == glorious 4.05 SI mouse support. At work (shhhh..), Logitech cordless + Win98SE == DiddlySquat. Go figure. Either locale + DS2.7 == mouse on steroids that won't sit still for a second!

I respectfully bow out of this challenge

Cheers,
Kayaker

OK,

The two of you's have got me on this one.
I shall gracefully bow out of this thread

Later, Woodmann

Guys:

I knew in my heart it was wrong to be feeding that damn mouse the steroids. Sorry. Will go back to the "regular" mouse food diet right away.

And I used the money my parents gave me for the ballet lessons for Dr. Pepper and never learned to do anything "gracefully."

Regards.