The Grey Chronicles


Anti-Spyware Software: An Analysis

Using SysInternals’ Process Monitor [1], an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity by combining the features of two legacy Sysinternals utilities, Filemon and Regmon, an analysis of anti-spyware software was conducted.

Objective: The purpose of this study was to verify which Registry entries are processed by the various anti-spyware software in the market.

Methodology: Using Microsoft Windows XP as the operating system, specifically version 5.1 (Build 2600.xpsp.08413-211: Service Pack 3), with Registry Editor version 5.1.2600.5512; only the Process Monitor and one particular anti-spyware software were running. All other software, start-ups applications and services with the following exceptions[2], were turned-off.

Process Monitor
In the Process Monitor console, only the Registry Activity was monitored; thus the File System Activity and the Process and Thread Activity were turned off. The anti-spyware scan was run for its entire full length, until the anti-spyware software reported that the scan was completed or finished; and a respective report on spywares detected are shown as the next screen. Using the Process Monitor’s Tools>Registry Summary the processed events were saved into a separate comma-separated values [*.csv] file, which detailed the registry paths accessed during a particular anti-spyware scan. Although the scan would sometimes include memory or files scan, the study delimited itself to the registry scan.

Anti-Spyware Tested: The following anti-spyware software were tested:

Results: Most of the anti-spyware tested processed most of the registry entries in the following areas:

  • [HKCR] HKEY_Classes_Root
  • [HKCU] HKEY_Current_User
  • [HKLM] HKEY_Local_Machine
  • [HKU] HKEY_Users

None took the liberty of scanning the last two braches, namely:

  • [HKCC] HKEY_Current_Config
  • [HKCU] HKEY_Dyn_Data

; most probably because current configuration and dynamic data are system configurable.
Moreover, only a few, such as SpyBot, WinDefender, Ad-Aware, and CAYahoo-AntiSpy scanned HKey_Users [HKU].

Caveats: This analysis is provided for users who wanted the real score beneath these anti-softwares. The test can be replicated by users as the method of experiment was clearly discussed above. The experimenter leaves it to the reader to form their own conclusion, based on these results, as to Which is the BEST anti-software.


[1] Copyright © 1996-2007 Mark Russinovich and Bryce Cogswell Sysinternals –

[2] The following Microsoft services were left running in the background: svchost, alg, smss, csrss, winlogon, services, lsass, spoolsv, tcpsvcs, upclean.

Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 LicenseDisclaimer: The posts on this site do not necessarily represent any organization’s positions, strategies or opinions; and unless otherwise expressly stated, are licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License.

1 Comment »

  1. As for me,I now use Spyware Doctor Antispyware Software. It is undoubtedly the best antispyware software available today.

    Comment by Eddie — 2009.July.7 @ 04:48 | Reply

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at

%d bloggers like this: