Monitoring Registry Keys.

  • Question

  • I am planning to set up monitoring for registry key creation / updates / deletion. Does anyone know which keys need to be monitored? Is there any best practice guide to follow? Please let me know.

    VT


    • Edited by mywindows Tuesday, September 17, 2019 8:24 PM
    Tuesday, September 17, 2019 8:24 PM

All replies

  • Hi mywindows,

    Let’s say you want to see where a certain setting from Word Options is saved in the Registry.

    The easiest method is using Process Monitor but this is best for short term usage. You would simply add a filter on Process Name and Operation, start Word and that’s that:



    If we uncheck “Allow background saves” from Word Options – Advanced – Save, this is what appears in Process Monitor:


    The problem with Process Monitor is that we can’t leave it running for a long time because the page file will become too large and it will not be able to continue the capture. There are other methods of monitoring registry changes that are better suited for long term monitoring of the registry.

    A long term solution would be Registry Auditing.
     
    What we need to do is:
    1. Run the following command from Command Prompt:
    auditpol /set /subcategory:"Registry" /success:enable
    2. Open Registry Editor and navigate to the key which we want to audit (For example: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word)
    3. Right-click on the key and choose “Permissions…”
    4. Click “Advanced” and switch to the Auditing tab
    5. Add a user or group and select Access: Set Value
    6. Apply settings
     
    Now the registry changes are visible in the Event Viewer under Windows Logs\Security:

    Hopefully this helps,

    Dillon Sykes


    Dillon Sykes

    Blog: https://www.dillonsykes.com
    Twitter: @DillonSykesNZ
    LinkedIn: https://www.linkedin.com/in/dillonsykes/

    Tuesday, September 17, 2019 8:52 PM
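
The six steps in the reply above can also be scripted. This is an added example, not part of the original reply: it assumes an elevated PowerShell 5+ session, uses `Everyone` as the audited principal (the reply does not name one), and reads back Security event ID 4657 ("A registry value was modified"), which the reply does not mention by number.

```powershell
#Requires -RunAsAdministrator
# Added example. The key comes from step 2 of the reply; the principal is an assumption.
$keyPath   = 'HKCU:\Software\Microsoft\Office\14.0\Word'
$principal = 'Everyone'

# Step 1: enable success auditing for the Registry subcategory.
auditpol /set /subcategory:"Registry" /success:enable

# Steps 2-6: add an audit (SACL) entry for "Set Value" on the key and its subkeys.
# Reading or writing the SACL needs the -Audit switch and an elevated session.
$acl  = Get-Acl -Path $keyPath -Audit
$rule = [System.Security.AccessControl.RegistryAuditRule]::new(
    $principal,
    [System.Security.AccessControl.RegistryRights]::SetValue,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Confirm the audit entry is now on the key.
(Get-Acl -Path $keyPath -Audit).Audit |
    Format-Table IdentityReference, RegistryRights, AuditFlags -AutoSize

# Read recent 4657 events and keep only those for the audited key.
# ObjectName is logged as \REGISTRY\USER\<SID>\..., so match on the tail of the path.
$tail = '*\Software\Microsoft\Office\14.0\Word*'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } `
             -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time    = $evt.TimeCreated
            User    = $data['SubjectUserName']
            Process = $data['ProcessName']
            Key     = $data['ObjectName']
            Value   = $data['ObjectValueName']
            Old     = $data['OldValue']
            New     = $data['NewValue']
        }
    } |
    Where-Object { $_.Key -like $tail } |
    Format-Table -AutoSize
```

Because only success auditing is enabled and only Set Value is audited, failed write attempts and key deletions will not appear in this output.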
  • Hi,

    Thanks for posting in our forum.

     

    As DillonSykes mentioned above, we can use Process Monitor or audit policy to monitor registry changes.


    >> Does anyone know which keys needed to monitored ?

    Which keys need to be monitored depends on your requirements, and as far as I know, Microsoft doesn't provide any guidance about it.

     

     

    Best Regards,

    William


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, September 18, 2019 7:41 AM
  • Hi,

     

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

     

    Best Regards,

    William

     



    Wednesday, September 25, 2019 6:43 AM
  • Hi,

     

    Was your issue resolved?

     

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

     

    Best Regards,

    William



    Friday, September 27, 2019 10:06 AM