TeaTimer already does a great job at detecting changes, though while seeing it in use in a live environment, there were a number of features that it could have to make it a much more valuable tool for dealing with new and unknown spyware/malware.
Some spyware apps manage to insert themselves into some unmonitored areas not caught by TeaTimer; I'll list the ones I identified below. Some may be impractical, such as service changes (though these should not change often unless installing something; perhaps have a 'Temporarily Disable' menu item to allow programs to install without 10-15 alerts).
1: Detect changes to additional registry start locations:
* HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- Some spyware in the future may make use of this area to hook certain exe files and run their own in its place
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\<AppInit_DLLs>
- .DLL files can be added here to attach themselves to any program (such as Firefox) and hinder or modify operation
- This is where some of the nasty malware hides; they have a copy of themselves in every process, making it very difficult to manually remove before another instance reloads itself automatically.
* HKLM\System\CurrentControlSet\Services
- Services should not be changing much without your approval, some basic added/deleted notification could be added here
- Possibly also existing services where their .exe path changes suddenly (Redirection of a legitimate service)
* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
- This important key does not appear to be monitored currently for changes, which can sometimes be used as another launch location
* HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
* HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
* HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
* HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
- These keys are also important and can allow spyware to attach themselves directly to winlogon.exe
2: Source identification of registry change
Another feature, that would be extremely helpful, is if TeaTimer has the ability to track down the program, and/or program thread that initiated the change and offer a list of options to deal with the process, such as:
- Deny all changes by thread/program
- Force close thread/program
- Force close and delete
This might require some pretty tricky coding, such as hooking Windows read/write registry functions to be able to track what application is committing these changes.
And also this could be iffy when malware has a .dll injected into winlogon, closing winlogon.exe will result in a very unhappy system!
I hope some of these ideas are useful; it alone could make TeaTimer a stand-alone tool to make sure your system is doing nothing it's not supposed to without your approval.
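
A baseline-and-diff check over the registry locations listed in item 1, as an added example that is not part of the original post and is not TeaTimer's own code. Assumptions: the baseline file path is a constructed placeholder, and the `Debugger` and `ImagePath` value names are the ones read from each subkey under Image File Execution Options and Services.

```powershell
# Added example (not TeaTimer code). Run elevated so every HKLM key is readable.
$BaselinePath = "$env:ProgramData\autostart-baseline.json"   # assumed location
$cv = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$cc = 'HKLM:\SYSTEM\CurrentControlSet'
# Single values named in the post: key path + value name.
$WatchedValues = @(
    @{ Key = "$cv\Windows";                   Name = 'AppInit_DLLs' },
    @{ Key = "$cv\Winlogon";                  Name = 'UIHost' },
    @{ Key = "$cc\Control\SecurityProviders"; Name = 'SecurityProviders' },
    @{ Key = "$cc\Control\Lsa";               Name = 'Authentication Packages' },
    @{ Key = "$cc\Control\Lsa";               Name = 'Notification Packages' },
    @{ Key = "$cc\Control\Lsa";               Name = 'Security Packages' }
)
# Key trees: one value is read from every subkey (value names are assumptions).
$WatchedTrees = @(
    @{ Key = "$cv\Image File Execution Options"; Name = 'Debugger';  SkipMissing = $true },
    @{ Key = "$cc\Services";                     Name = 'ImagePath'; SkipMissing = $false }
)
function Get-AutostartSnapshot {
    $snap = [ordered]@{}
    foreach ($w in $WatchedValues) {
        $v = (Get-ItemProperty -Path $w.Key -Name $w.Name -ErrorAction SilentlyContinue).($w.Name)
        $snap["$($w.Key)\<$($w.Name)>"] = @($v) -join ';'    # multi-string values are flattened
    }
    foreach ($w in $WatchedTrees) {
        foreach ($sub in Get-ChildItem -Path $w.Key -ErrorAction SilentlyContinue) {
            $v = $sub.GetValue($w.Name, $null, 'DoNotExpandEnvironmentNames')
            if ($null -eq $v -and $w.SkipMissing) { continue }   # skip subkeys without the value
            $snap["$($sub.Name)\<$($w.Name)>"] = @($v) -join ';'
        }
    }
    $snap
}

$current = Get-AutostartSnapshot
if (-not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath -Encoding UTF8
    "Baseline written to $BaselinePath"
} else {
    $baseline = @{}
    (Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = $_.Value }
    foreach ($k in $current.Keys) {
        if (-not $baseline.ContainsKey($k)) { "ADDED    $k = '$($current[$k])'" }
        elseif ($baseline[$k] -ne $current[$k]) { "CHANGED  $k : '$($baseline[$k])' -> '$($current[$k])'" }
    }
    foreach ($k in $baseline.Keys) {
        if (-not $current.Contains($k)) { "REMOVED  $k (was '$($baseline[$k])')" }
    }
}
```

The first run writes the baseline; later runs print added, changed and removed entries, including a service whose executable path has changed. This is a periodic poll, so it reports a change after the fact and does not identify the process that made it.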