Tiny Watcher: help on warnings
First, try to remember:
If you remember that you did one of these things, and if you can clearly connect the warning message with it, you are nearly done. By "clearly connect" we mean that some element of the warning identifies the change, such as a file path pointing to the newly installed feature (example: a path to "C:\Program files\MyNewApp\bgtask.exe", if you installed "MyNewApp" recently).
If you don't remember anything, or if you cannot clearly connect the things you remember with the warning, you are in for more investigation. You might want to skip (button "Skip") this warning and see if other messages give you a better hint. In any case, try not to give up: do not choose "Confirm" unless you know what the warning is about. If you do give up, read the Easy way out paragraph.
NB: It is very good practice to run the "Post Install Check" (shortcut in your start menu) right after any installation. This will spare you much of the effort of remembering.
What if you want to give up anyway?
So here you are: you tried to understand what Tiny Watcher complains about, you tried to remember what could have changed recently on your machine, and you found nothing.
All right, we admit that sometimes it is quite hard to understand what happened. At the warning message level, Tiny Watcher is quite close to a system administrator tool, and not everybody is a sysadmin. Check out a few real-life stories to see if that cheers you up.
See also, in the FAQ, Why doesn't Tiny Watcher fix problems automatically?.
The general way to handle this warning depends on which area you get it in.
These keys control which programs will be run at the different steps of the startup process. A new key in this area means that one more program will be run automatically. This in turn means a slower startup process, and sometimes a generally slower computer (if the program stays permanently in the background).
Usual questions to ask yourself
- Do you know what this program is? (which application did you install or which setting did you change in an existing application?)
- Does it really need to run during startup? (answer to this is in the application documentation and/or sometimes on the Web)
In most cases (you will be surprised to see how often), you can disable the new entry. To avoid any trouble, it is good practice to restart your machine and check whether anything has stopped working. If you don't want to restart your machine right away, that's fine; this can wait, but write yourself a note somewhere to remember to check things out. If something does look broken, run a "startup review" (shortcut in your start menu) and re-enable this entry.
Examples of programs that put themselves in the startup keys for questionable reasons
These keys control which services can be run on your machine. A service is little more than a program that performs specific system-related tasks. Much more information on services can be found on the Web. We recommend the detailed list of Win2000 and WinXP services on Black Viper's website.
Tiny Watcher will not offer to disable or remove specific service entries. To modify the services, you should use the regular Windows system tool (use the "Services" button, or type "services.msc" in the "Start" menu, option "Run..."), but please read some documentation first; you can break things in your system if you make mistakes in there.
However, there certainly are cases of services that are needlessly activated. There are also viruses that install new services. If you don't see why Tiny Watcher detected a change in the service keys area (you installed nothing new recently, and did nothing that seems connected with the service name), then you might want to be cautious.
NB: the name of the service is included in the registry entry path, right after "Services\". For example, in the following path, the name of the related service is cisvc:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cisvc\ImagePath
These keys are a few other ways for programs to be run automatically. Any new entry in this area should be watched carefully.
Most of what you need to know about registry entries is said in the paragraph above, with one added point: a changed registry entry is usually more suspicious than a newly created one.
We suggest that you do not try to disable the following system entries. Also note that a change over time in one of these entries has to be watched carefully.
| Entry path | Value |
|---|---|
| HKLM\software\microsoft\windows\currentVersion\ShellServiceObjectDelayLoad\SysTray | SysTray (InprocServer32=stobject.dll) |
| HKLM\software\microsoft\windows\currentVersion\ShellServiceObjectDelayLoad\WebCheck | WebCheck (InprocServer32=%SystemRoot%\System32\webcheck.dll) |
| HKLM\software\microsoft\windows\currentVersion\ShellServiceObjectDelayLoad\Network.ConnectionTray | Network Connections Tray (InprocServer32=C:\WINNT\system32\NETSHELL.dll) |
| HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute | autocheck autochk * |
| HKLM\software\microsoft\windows NT\currentVersion\Winlogon\VmApplet | rundll32 shell32,Control_RunDLL "sysdm.cpl" |
| HKLM\software\microsoft\windows NT\currentVersion\Winlogon\Shell | Explorer.exe |
| HKLM\software\microsoft\windows NT\currentVersion\Winlogon\Userinit | C:\WINNT\system32\userinit.exe |
| HKCU\software\microsoft\windows\currentVersion\Run\internat.exe | internat.exe |
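As an added example (not part of Tiny Watcher or its documentation), the following Python code compares two snapshots of watched registry values, lists changed entries ahead of new ones, and extracts the service name that follows "Services\" in a path. The snapshot format and both snapshots are assumptions constructed for illustration; this is not how Tiny Watcher itself stores or compares entries.

```python
# Added example: classify differences between two snapshots of watched
# registry values. All snapshot data below is constructed for illustration.
SERVICES_MARKER = "\\services\\"

def service_name(path):
    """Return the service name found right after 'Services\\', or None."""
    idx = path.lower().find(SERVICES_MARKER)
    if idx == -1:
        return None
    name = path[idx + len(SERVICES_MARKER):].split("\\", 1)[0]
    return name or None

def diff_snapshots(baseline, current):
    """Return (kind, path, old, new) tuples, 'changed' entries first.

    Registry paths are case-insensitive, so they are compared lowercased;
    values are compared exactly.
    """
    base = {p.lower(): (p, v) for p, v in baseline.items()}
    cur = {p.lower(): (p, v) for p, v in current.items()}
    findings = []
    for key, (path, value) in cur.items():
        if key not in base:
            findings.append(("new", path, None, value))
        elif base[key][1] != value:
            findings.append(("changed", path, base[key][1], value))
    for key, (path, value) in base.items():
        if key not in cur:
            findings.append(("removed", path, value, None))
    rank = {"changed": 0, "new": 1, "removed": 2}
    return sorted(findings, key=lambda f: (rank[f[0]], f[1].lower()))

WINLOGON = "HKLM\\software\\microsoft\\windows NT\\currentVersion\\Winlogon\\"
SERVICES = "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\"
BASELINE = {  # constructed snapshot; Winlogon values match the table above
    WINLOGON + "Shell": "Explorer.exe",
    WINLOGON + "Userinit": "C:\\WINNT\\system32\\userinit.exe",
    SERVICES + "cisvc\\ImagePath": "C:\\WINNT\\system32\\cisvc.exe",
}
CURRENT = {  # constructed snapshot taken later
    WINLOGON + "shell": "Explorer.exe",  # same entry, different path case
    WINLOGON + "Userinit": "C:\\example\\userinit.exe",  # value changed
    SERVICES + "cisvc\\ImagePath": "C:\\WINNT\\system32\\cisvc.exe",
    SERVICES + "ExampleSvc\\ImagePath": "C:\\example\\svc.exe",  # new entry
}

if __name__ == "__main__":
    for kind, path, old, new in diff_snapshots(BASELINE, CURRENT):
        svc = service_name(path)
        print(kind.upper(), path, f"(service: {svc})" if svc else "", old, "->", new)
```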
Ini files (files with a .ini extension, usually located in the Windows directory) have been used less and less since they were replaced by the registry. Most of today's applications don't use ini files at all. However, since some ini entries are still active (notably under Windows ME/98/95), and since some lazy malware has been using them quite recently, Tiny Watcher checks a few of them.
Basically, any change in these ini entries must be regarded with suspicion, unless you can clearly identify the program that needed to use this old-fashioned feature.
Except for Windows ME/98/95, the ini entries checked by Tiny Watcher should not be present on your machine (and therefore should not appear in a startup review).
See also comments in the above paragraph.
system.ini-[boot]-shell = Explorer.exe
This is perfectly normal (it is the way Windows runs the explorer when you log in). You will also have a "scrnsave.exe" entry if you use a screen saver:
system.ini-[boot]-scrnsave.exe = C:\WINDOWS\SYSTEM\xxx.SCR
If you do not use a screen saver, then watch out, since this entry is commonly used by malware.
It is perfectly normal for programs to create files, but creating them in Windows system directories is another story. Except for installation purposes, no application should ever do that. Even for installation, there are not many reasons to put files in system directories. Here are a few examples:
This warning will be generated for a file that could be read previously but cannot be anymore. This is highly suspicious.
For example, the system file "pagefile.sys" (in NT, Win2000 and XP) cannot be accessed at any time except by the system itself. The system is not supposed to create many files that cannot be accessed, and if it does so, these files will be created - and stay - inaccessible.
This warning should only be displayed if you updated the related application. If you did not, this is a strong clue of a malware infection.
Only shortcuts from the startup folders are reviewed. Since Windows does not use shortcuts to start critical system components, it is usually quite safe to disable any shortcut. After that, it is good practice to restart your machine and check that the application related to the disabled shortcut still works. In case of trouble (once again, this should be rare), run another startup review with Tiny Watcher and re-enable the shortcut.
This warning will only appear if you have selected the Monitor deleted files option.
Few applications have a good reason to create a directory in the places that Tiny Watcher checks. In other words, this warning will usually show that an application is slowly turning your system directories into a mess.
A few exceptions are:
- peripherals that install a bunch of drivers together and create a directory to keep things tidy.
- Windows itself, when you install additional components.
The root of the system disk (usually C:\), in particular, should never receive any new directory. Only out-of-date applications still insist on installing themselves there; avoid installing them if you can, since you cannot expect any good from a program that starts by installing itself in the wrong place.
This warning will only appear if you have selected the Monitor deleted files option.
This should not happen except for very special system processes. Perform a web search ("Web search" button) to find information about the related process.
Tiny Watcher considers it abnormal for several processes to run from different executable files that share the same name. While this is not a system limitation, it is highly unlikely to happen in normal situations. On the other hand, it is a well-known trick used by malware to run undetected: the malware gives its executable file the name of an existing program (like "explorer.exe").
This warning is therefore a strong clue of the presence of malware on your machine. Identify the suspicious executable file and get proper antivirus information and help.
There is no way to tell Tiny Watcher to ignore this situation; the user cannot choose the "Confirm" button.
In the very rare case where you want to run two different executables that share the same name, you can rename one of the two; this should not change the way it works, and Tiny Watcher will stop complaining.
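As an added example (not Tiny Watcher's own code), the following Python code applies the check described above to a process list: it groups running processes by image name and reports only the names backed by two or more different executable files. The `(pid, path)` input format and the sample process list are assumptions constructed for illustration.

```python
# Added example: flag process names that are backed by more than one
# executable file. The process list below is constructed for illustration.
import ntpath
from collections import defaultdict

def same_name_conflicts(processes):
    """Map each lowercased image name to its distinct executable paths,
    keeping only names that resolve to two or more different files.

    `processes` is an iterable of (pid, executable_path) pairs. Windows
    paths are case-insensitive, so paths are normalised before comparison;
    several instances of the same file are not a conflict.
    """
    by_name = defaultdict(dict)
    for pid, path in processes:
        norm = ntpath.normcase(ntpath.normpath(path))
        name = ntpath.basename(norm)
        by_name[name].setdefault(norm, []).append(pid)
    return {name: paths for name, paths in by_name.items() if len(paths) > 1}

PROCESSES = [  # constructed sample: (pid, executable path)
    (412, "C:\\WINNT\\explorer.exe"),
    (980, "C:\\WINNT\\Temp\\EXPLORER.EXE"),      # same name, different file
    (1204, "C:\\WINNT\\system32\\svchost.exe"),
    (1260, "c:\\winnt\\System32\\svchost.exe"),  # same file, second instance
    (1500, "C:\\Program files\\Accessories\\MSPAINT.EXE"),
]

if __name__ == "__main__":
    for name, paths in same_name_conflicts(PROCESSES).items():
        print(f"WARNING: {name} runs from {len(paths)} different files")
        for path, pids in sorted(paths.items()):
            print(f"  {path}  pids={pids}")
```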
This should not happen except for very special processes. For example, antivirus programs and programs related to security sometimes "lock" their executable file. If in doubt, try to perform a web search ("Web search" button) to find information about the related process (there is no guarantee you will find anything, though).
If you know you can trust the application related to the process, choose "Confirm"; Tiny Watcher will not give you this warning about this process anymore.
In case of doubt, refer to the Standard processes minimal information paragraph, and perform a web search ("Web search" button) to find information about the related process.
This warning message means that a new process is running during logon time. In addition, this process has never been seen before by Tiny Watcher.
If you recently installed an application, this means that this application will start a program each time you log on (therefore your startup will be slower). You might consider getting more information to see if this process is really necessary during startup. See also the Startup review paragraph.
If you didn't install a new application recently, get more information about the process, since it might be malware.
It is normal that Tiny Watcher displays this warning once for each new program detected. If you know that this is indeed the first time the related application has been seen by Tiny Watcher, just choose "Confirm". For example, if you used Windows Paint (mspaint.exe) many times, but this is the first time you run Tiny Watcher with Paint open, you will get a warning looking like this:
Process MSPAINT.EXE <C:\Program files\Accessories\MSPAINT.EXE> :
Process detected for the first time
Check that the given path makes sense (i.e. points to where the related application is supposed to be installed) and hit the "Confirm" button.
Executable files are not supposed to "move around" on your disk. If you did not reinstall the related application (or installed a new version of it in a different directory), then the situation is suspicious. Check both paths given by the warning message. One of them might point to a worm.
If you understand why the path changed, just choose "Confirm".
Simply put, this means the file was modified. This warning should only be displayed if you updated the related application. If you did not, this is a strong clue of a malware infection.
In case of doubt, refer to the Standard processes minimal information paragraph, and perform a web search ("Web search" button) to find information about the related process.
This warning message means that a process is now running during logon time. The process has been seen before by Tiny Watcher but never during logon time.
If you recently installed an application, this means that this application will start a program each time you log on (therefore your startup will be slower). You might consider getting more information to see if this process is really necessary during startup. See also the Startup review paragraph.
This warning message means that more process instances than usual are running during logon time. The process has been seen before by Tiny Watcher, but fewer instances were running during logon time. Please get more information on the Web to see if this is normal.
One way to create a new task is by using the task scheduler directly (in Control Panel, "Scheduled Tasks"). Applications sometimes offer (in their settings, for example) to schedule specific operations.
If you did not create the new scheduled task yourself (by using the task scheduler directly or through another application), then you might want to take a closer look.
As with the New scheduled task warning, if you did not change the task yourself, and do not see why the related application (see the executable file's path) would have changed it, take a closer look.
The Startup review will list all the tasks that are scheduled on your machine (regardless of their schedule).
To get detailed information about a task's schedule (date, time, frequency, etc.), please use the task scheduler.
This message signals problems encountered while Tiny Watcher performed its checks. You are not supposed to do anything special about it; Tiny Watcher is just letting you know that something got in its way.
The last time Tiny Watcher ran, something happened that prevented it from finishing its job. For example, a program error (GPF / "blue screen" / etc.) or a sudden reboot of the computer while Tiny Watcher is working will generate this message on the next run.
Tiny Watcher was unable to perform one of its checks due to an abnormal system state. If this message appears systematically, please contact us.
One of your customized configuration parameters has an invalid value. Look in the watcher.ini file for the entry specified in the warning message. Remove or fix the entry.
NB: documentation on customized configuration parameters is not available at the moment. Please contact us for more information.
Unless you ran Tiny Watcher for the first time, or modified Tiny Watcher configuration files on purpose, this message shows that another application altered sensitive Tiny Watcher files. It is probably time to worry. Please contact us so we know it happened.
This message is completely normal if you just upgraded Tiny Watcher. It should appear only the first time Tiny Watcher runs after an upgrade, as a message box followed by a warning in the message list. Any other case is highly suspicious (i.e. having this message while you did not upgrade Tiny Watcher, or having this message appear repeatedly).