Exe Watch alerts you when new executable files are discovered
One of the things that you can do to improve security on your system is to keep an eye on files that could be malicious.
While it is certainly possible to keep track of all new files and file modifications on a system, it is usually too time-consuming a task to be a viable solution.
Another option is to limit the monitoring to select folders or locations only. While that takes less time, it is also not nearly as accurate as monitoring the whole system.
Exe Watch is a lightweight portable application for the Windows operating system that monitors executable files in any folder, and on external devices that get connected to the system.
What it does, basically, is monitor storage locations for new executable files. If it finds any, it alerts the user so that the newly detected file can be inspected more closely.
All you have to do is download the program and run it after it has been downloaded. It sits quietly in the system tray area from then on out monitoring the system in the background.
The program supports four file extensions at the time of writing: exe, jar, bat and com.
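The kind of check described above can be sketched as a snapshot comparison. This is an added example, not Exe Watch's own code; the function names are hypothetical, the sample files are constructed, and it goes one step further than the article by also reporting watched files whose content was replaced.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# The four extensions the article lists, matched case-insensitively.
WATCHED = {".exe", ".jar", ".bat", ".com"}

def snapshot(root):
    """Map every watched regular file under root to the SHA-256 of its content."""
    seen = {}
    for dirpath, _dirs, files in os.walk(root):
        # os.walk reports directories separately, so a folder whose name
        # ends in ".com" never shows up here as an executable.
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in WATCHED:
                continue
            try:
                seen[str(path)] = hashlib.sha256(path.read_bytes()).hexdigest()
            except OSError:
                continue  # file vanished or is locked; pick it up next pass
    return seen

def diff(before, after):
    """Return (new files, files whose content changed) between two snapshots."""
    new = sorted(p for p in after if p not in before)
    replaced = sorted(p for p in after if p in before and after[p] != before[p])
    return new, replaced

def demo():
    """Run both passes over a constructed directory tree (sample data only)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tool.exe").write_bytes(b"v1")
        (root / "notes.txt").write_text("x")
        before = snapshot(root)
        (root / "Temp").mkdir()
        (root / "Temp" / "7za.EXE").write_bytes(b"MZ")   # new, upper-case extension
        (root / "macromedia.com").mkdir()                 # directory, not a .com file
        (root / "macromedia.com" / "settings.sol").write_bytes(b"")
        (root / "tool.exe").write_bytes(b"v2")            # existing file replaced
        (root / "readme.txt").write_text("y")             # unwatched extension
        new, replaced = diff(before, snapshot(root))
        rel = lambda paths: [Path(p).relative_to(root).as_posix() for p in paths]
        return rel(new), rel(replaced)

if __name__ == "__main__":
    print(demo())
```

Hashing file content catches a replaced executable even when its name and size stay the same, at the cost of reading every watched file on each pass.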
The system tray icon flashes when it detects a new executable file, and a double-click on its icon displays the informational prompt that you see on the screenshot above.
Here you are notified about the file location and name on the system.
These can be copied to the clipboard if the need arises. The program does not offer an option to open the folder a file was detected in, which means that you need to do that manually.
A right-click on the program's system tray icon displays additional options. You can, for instance, open a history log file that lists all detections; it opens in the default plain text editor on the system when you select that option.
This can be useful if you want to check previous hits, for instance if you have been away from the PC or if too many files were detected in a short period of time.
Here you can also enable the application's autostart feature, so that it is started when you boot the PC, and a Panic Mode. Unfortunately, there is no information about what Panic Mode is for.
Conclusion
Exe Watch is a lightweight application that can improve the security of Windows systems. While it requires that someone is paying attention to the screen, it can highlight newly added executable files easily.
A manual of sorts containing information about the program's functionality, an option to blacklist folders and an option to modify the monitored file extensions would be very useful and improve it further.
Someone explain what just happened http://imgur.com/LWSREgB ?
Some of the processes have “sssssssssssss” appended as a command line parameter.
You do not need such software, ProcessHacker already includes such a feature. Right click on the tray icon – notifications – [your choice]. It can also “alert” you if a new driver starts or stops, a process gets terminated and so on.
It doesn’t make any sense to watch .exe processes in general; that doesn’t prevent any malware since the executable only loads the more important drivers/.dll files. A .vbs/.bat or whatever can also make such calls, which means that watching only executables does not prevent anything from being executed.
All AVs I know also watch (and deeply inspect) all executables. If you use such a product you definitely do not need that, or if you use Sandboxie.
Conclusion:
Useless to watch single processes if nothing gets blocked or a newbie user doesn’t know if it really infects your PC, and of course it doesn’t protect you against data leaks.
You seem to be misunderstanding this. This tool is not watching processes, but executable file creation. I don’t think Process Hacker can do this.
I ran this for a couple of days – interesting to see what it discovered. Didn’t do any installs or download any exes, or do any portable updates. These were the only two items that came up
19-09-2014 14:36 — D:\Portable\Internet\Chrome\Data\profile\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\K9SWTPTQ\macromedia.com
19-09-2014 16:18 — C:\Users\username\AppData\Local\Temp\$$$$$_epCheck_temp\7za.exe
21-09-2014 21:19 — C:\Users\username\AppData\Local\Temp\procexp64.exe
uTorrent portable also downloads an exe update even if you don’t friggin want it – but it’s not on this list, probably because there wasn’t one to DL in the last few days
D:\Portable\Internet\uTorrent\App\uTorrent\updates\3.4.1_30740.exe
I think I’ll keep running it for a few weeks and report back on all the portable stuff :)
Note: I use several USB sticks several times a day – and every single one is “locked” by ExeWatch (i.e., safely remove hardware fails). Personally, I know nothing else is using the stick, so I just yank it. But with my big externals/archives, this becomes a PITA. Would be nice if it had an option to only check local and/or network/mapped drives
I’ve used the program before. Panic mode basically renames all newly created .exe files and removes the .exe extension.
Now that is interesting, thanks for letting us know.
It only warns, doesn’t block? Just install Online Armor and be done with it.
Thanks, Martin!
I wonder if this would have done me some good a while back when torrenting a rar file that upon extracting it installed a handful of programs, browser add-ons and the like. Given I have a bad habit of reformatting and distro-hopping I took the risk. Ha-ha.
Anyway, the internet would not be the same without Ghacks. Thank you.
Excuse my ignorance, but how can simply unpacking an archive execute code? Was it a self-extracting rar?
Something like EXE Radar Pro from NoVirusThanks is a better option there, but it’s heavier on the system.
Well it would have warned you about the new files but not blocked them from landing on your system. For these cases, it is better to have antivirus software running in the background all the time.
You’ve been posting info about a lot of programs that monitor this and that on our computers. While I appreciate the help in keeping my computer secure, I’d like some insight on the burden this imposes on computer resources and speed. Also, how much do such programs duplicate a good HIPS program?
It depends. This program uses about 2 megabytes of memory when running, which is not a lot. About the HIPS programs, it depends as well on the programs that you compare. Considering that this one is just 2 MB of memory, it is not really something that is getting in the way, I guess.
Does it tell you if an EXE has been replaced by a newer version, or just if a new EXE that didn’t exist before shows up?
I think it only catches new executable files.