How to add registry entries for Teatimer to monitor



r_somnath
2006-06-28, 14:38
Hi,

I would like to take this opportunity to thank the developers of SpyBot S&D: I have found it very useful.

I have noted here (http://forums.spybot.info/showthread.php?t=2953&highlight=teatimer+registry+entry) that TeaTimer monitors approximately 35 registry keys.

I would like to have it monitor more entries. What should I do?

Thanks for your help, and regards:

SR

md usa spybot fan
2006-06-28, 16:11
To the best of my knowledge the list of registry keys that are monitored by TeaTimer is predetermined and cannot be altered.

r_somnath
2006-06-29, 05:36
Hi,

Thanks for your prompt reply: I have one more query. I am describing a scenario that does not happen in all cases. If you could tell me what the issue is.

An executable (say, 'ctfmon.exe') is registered to run at startup. I don't want to run it. I change the startup settings through Spybot S&D tools. Teatimer pops up with a message:
Category: System Startup GLobal Entry
Change: Value Deleted
Entry: ...
Old Data: ...

I 'Allow' the change, checking the Remember decision box. The next day (probably, the next time I restart my PC), Teatimer has a popup: changes to the <program> have been accepted based on my white list, the executable is still there in the list of startup programs: in fact I have noticed that there are now two entries of the same program visible through Spybot S&D Tools-System Startup Section: One is switched off, other is turned on.

This scenario happens with only some of the entries that I have tried to put off.

When I allow an entry (with remember option), is it that any action associated (delete/add) with that entry is allowed?

Thanks and regards,
SR

md usa spybot fan
2006-06-29, 08:29
r_somnath:

You should not have checked "Remember this decision" when doing an "Allow change" when the startup entry ctfmon.exe was being deleted. Firstly, there was no reason to use "Remember this decision" since it should have been a one-time action. Secondly, you now have an entry in Spybot's "Allowed registry changes" file (RegKeyWhite.sbe) that looks something like this:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe=C:\WINDOWS\system32\ctfmon.exe

When you restart your system the OS attempts to put back the startup entry for ctfmon.exe. Since you did an "Allow change" with a "Remember this decision" for changes to the HKCU\...\Run key for ctfmon.exe, you have in essence preauthorized TeaTimer to allow that change.

Go into TeaTimer's "White & Black List", look for and remove that entry from the "Allowed registry changes". To do this:

Right click on the TeaTimer system tray icon and select Settings. This will bring up TeaTimer's "White & Black List". There are four (4) buttons across the top of the "White & Black List":

Allowed processes
Blocked processes
Allowed registry changes
Blocked registry changes

Note: If you don't see all four buttons, try expanding the window to the right.

You can delete entries by clicking on the scripted black "X" to the right of the entry that you want to delete and then clicking the "OK" button when you're done. This will in effect make TeaTimer forget what you told it to remember so that during future changes to these items TeaTimer will issue a pop-up dialog rather than just a notification pop-up.

Now go into Spybot > Tool > System Startup and delete the entry for ctfmon. When you get TeaTimer's pop-up dialog for the deletion of the registry entry do an "Allow change" without a "Remember this decision".

After you have allowed the removal of the registry entry, refresh TeaTimer's snapshot files as follows:
Right click Spybot's TeaTimer System Tray Icon > click Exit Spybot-S&D Resident.
TeaTimer closes.
TeaTimer's snapshot files are refreshed at this time.

Restart TeaTimer:
Using Windows Explorer, navigate to C:\Program Files\Spybot - Search & Destroy.
Double click TeaTimer.exe to start it.


The next time you restart your system you will probably get a pop-up dialog for the addition of a startup entry for ctfmon.exe; do a "Deny change" with the "Remember this decision" option.

Note: Just removing the startup entry for ctfmon.exe most likely will not prevent it from starting unless you take other actions. See:
Frequently asked questions about Ctfmon.exe
http://support.microsoft.com/default.aspx?scid=kb;en-us;282599
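
Added example (not part of the original post and not Spybot's own code): a small audit that flags remembered "allow" entries pointing at autostart keys, the situation described above where a stored decision pre-authorizes the startup value being put back. It assumes the entries are available as plain-text lines shaped like the one quoted in the post (`<hive>\<key>\<value name>=<data>`); the sample lines other than the ctfmon.exe one are constructed, and the RunOnce key is included as a generalization beyond the Run key discussed here.

```python
# Added example: audit remembered "allow" entries for autostart registry keys.
# ASSUMPTION: one entry per line, shaped like the line quoted in the post:
#   <hive>\<key path>\<value name>=<data>

HIVE_ALIASES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}

# Key paths (below the hive) whose values are launched at logon.
# Only ...\Run appears in the thread; RunOnce is added as a generalization.
AUTOSTART_KEYS = (
    r"SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE",
)


def parse_entry(line):
    """Split one allow-list line into hive, key, value name and data."""
    line = line.strip()
    if "=" not in line:
        return None
    # Split on the first '=' only: the data may itself contain '='.
    path, data = line.split("=", 1)
    hive, _, rest = path.partition("\\")
    key, _, value_name = rest.rpartition("\\")
    if not key or not value_name:
        return None
    hive = HIVE_ALIASES.get(hive.upper(), hive.upper())
    return {"hive": hive, "key": key, "value": value_name, "data": data}


def risky_allow_entries(lines):
    """Return entries that pre-authorize changes to an autostart value."""
    parsed = (parse_entry(line) for line in lines)
    return [e for e in parsed if e and e["key"].upper() in AUTOSTART_KEYS]


# Constructed sample input; the first line is the one quoted in the post.
SAMPLE = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe=C:\WINDOWS\system32\ctfmon.exe",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Updater=C:\Example\updater.exe /s=1",
    r"HKEY_CURRENT_USER\Software\Example\Settings\Theme=dark",
    "not an entry",
]

if __name__ == "__main__":
    for e in risky_allow_entries(SAMPLE):
        print(f'{e["hive"]}\\{e["key"]} -> {e["value"]} = {e["data"]}')
```

Each entry it reports is one to review in the "Allowed registry changes" list, since a remembered allow there means the value can be added back with only a notification.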

r_somnath
2006-06-30, 06:03
Hi 'md usa spybot fan',

Thank you for your prompt reply. I understood what you said. However, I was not able to locate 'RegKey*.sbe' files.

The article on ctfmon was also very informative.

Best Regards,

SR

md usa spybot fan
2006-06-30, 06:18
Quote: "However, I was not able to locate 'RegKey*.sbe' files."
There is really no need to locate the files. The interface to those files is through the "White & Black List" as described.

If you are curious, the files are located in one of the following directories depending on the OS you are running:
Windows 95 or 98:
C:\Windows\Application Data\Spybot - Search & Destroy\Excludes
Windows ME:
C:\Windows\All Users\Application Data\Spybot - Search & Destroy\Excludes
Windows NT, 2000 or XP:
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Excludes