Thursday, January 21, 2016

How to Track and Audit Registry Changes

Problem:


I was trying to find out what changed a registry key. I needed to use Event Viewer to sort through the logs.

Solution:

Enable Registry Access Audit Security (SACL)

A System Access Control List (SACL) determines whether registry access events are generated for a particular registry scope. You therefore need to enable the SACL on the single registry value or the root registry scope that you want to monitor or track for change events.

1. Open Registry Editor by running the command regedit.

2. Right-click the registry key for which you want to configure audit events, and click Permissions.



3. In the Security window, click the Advanced button.



4. Navigate to the Auditing tab, and click the Add button.



5. Select the account Everyone, check the Successful and Failed audit options that you want to audit, click OK, and then click Apply.
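
The same audit entry can be applied from an elevated PowerShell prompt. This is an added example, not part of the original post: the key path and the set of audited rights are assumptions, and the auditpol line turns on the "Registry" audit subcategory, without which the SACL produces no events.

```powershell
# Added example: apply the audit (SACL) entry from the steps above with PowerShell.
# Run elevated. $keyPath is a hypothetical key; replace it with the key to monitor.
$keyPath = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'

# Registry events are only written when the "Registry" audit subcategory is enabled.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable

# Audit writes, deletes and permission changes by Everyone, for both successful
# and failed attempts, on this key and its subkeys (the rights chosen here are
# an assumption; the GUI lets you tick the same access types).
$rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions'
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone',
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

$acl = Get-Acl -Path $keyPath -Audit      # -Audit loads the existing SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Show the resulting audit entries for review.
(Get-Acl -Path $keyPath -Audit).Audit |
    Format-Table IdentityReference, RegistryRights, AuditFlags, InheritanceFlags
```

Auditing only write and delete rights keeps read traffic out of the Security log, which matters on busy keys.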








Registry Change Auditing Event IDs



Once you have configured the above two settings, you can see the actual events. To view the registry change events, follow the steps below.

1. Open the Run window, type the command eventvwr.msc, and click OK.


2. In the Event Viewer management console, expand the tree node Windows Logs and select Security.

3. You will now see a lot of events in the right-hand window, but to track only registry access and changes, we need to check only these event IDs: 4656, 4657, 4660 and 4663. To filter for only these four events, right-click the Security node and click Filter Current Log.

4. Type the event IDs 4656, 4657, 4660 and 4663 as comma-separated values and click.



5. The result window now lists only registry access events. You can double-click any event and check what type of action was made on the particular registry key.








These event ids deal with changes to the registry.  The event I am interested in is 4657 which tells me when a registry key was changed.


4656: This is the first event logged when a user attempts to access a registry key. It gives information about what type of access was requested by the user; it does not say what type of access was actually made by the user (that is given by event ID 4663).

4657: A registry value was modified.

4660: A registry key or value was deleted or removed.

4663: This event gives information about what type of operation was actually done by the user on a file. It tells whether the registry key or registry value was created, modified, deleted, or simply accessed.
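
The same filter can be run from PowerShell, which also pulls out the fields that answer "who changed what". This is an added example, not part of the original post; the one-day look-back window is an assumption, and the field names are those of the Windows Security event schema.

```powershell
# Added example: list the registry audit events named above from the Security log.
# Run elevated; reading the Security log requires administrative rights.
$ids   = 4656, 4657, 4660, 4663
$since = (Get-Date).AddDays(-1)   # assumed look-back window

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # EventData is a list of <Data Name="...">value</Data> elements.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # 4656 and 4663 are shared with files and other objects; keep registry keys only.
        # 4657 and 4660 carry no ObjectType field, so they pass through.
        if ($data.ContainsKey('ObjectType') -and $data['ObjectType'] -ne 'Key') { return }

        [pscustomobject]@{
            Time     = $_.TimeCreated
            EventId  = $_.Id
            User     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Process  = $data['ProcessName']
            Key      = $data['ObjectName']
            Value    = $data['ObjectValueName']   # 4657 only
            OldValue = $data['OldValue']          # 4657 only
            NewValue = $data['NewValue']          # 4657 only
            HandleId = $data['HandleId']          # ties 4660 back to its 4656/4663
        }
    } | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Event 4660 does not name the deleted object, so match its HandleId against the preceding 4656 or 4663 row to see which key was removed.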

 

Source:


1.) http://www.morgantechspace.com/2015/01/how-to-track-registry-changes-in-windows.html

Unable to make the session state request to the session state server.

Problem:

This is an expansion of a post from Dec 15.






Solution:

These steps need to be checked to ensure that the state service is running:

1.) Ensure HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspnet_state\Parameters\AllowRemoteConnection is set to 1.
2.) Ensure that the ASP.NET service is set to start automatically.
3.) Ensure that the ASP.NET service is running.
4.) If you reset the registry key, then restart the ASP.NET state service after you change the parameter.
5.) Check the web.config for the website and locate the following attribute:

<sessionState mode="StateServer" stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes" cookieless="false" timeout="30" />

6.) Ensure that the port specified in the stateConnectionString (the default is 42424) matches the port set in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspnet_state\Parameters\Port (42424).
7.) Ensure that the firewall is not blocking port 42424.
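
The checks in steps 1 to 7 can be gathered in one pass. This is an added example, not part of the original post; the web.config path is a hypothetical default. It also flags the case where the site talks to the state service over loopback while AllowRemoteConnection is 1, because the state service then accepts connections from other hosts as well.

```powershell
# Added example: check the session state settings listed in the steps above.
# $WebConfigPath is a hypothetical path; point it at the site's web.config.
param([string]$WebConfigPath = 'C:\inetpub\wwwroot\web.config')

$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\aspnet_state\Parameters'
$params   = Get-ItemProperty -Path $paramKey
$service  = Get-CimInstance Win32_Service -Filter "Name='aspnet_state'"

# Read stateConnectionString from <system.web><sessionState> in web.config.
[xml]$config = Get-Content -Path $WebConfigPath -Raw
$connString  = $config.configuration.'system.web'.sessionState.stateConnectionString
if ($connString -notmatch '^tcpip=(?<host>[^:]+):(?<port>\d+)$') {
    throw "Unexpected stateConnectionString: '$connString'"
}
$stateHost  = $Matches['host']
$statePort  = [int]$Matches['port']
$isLoopback = $stateHost -in '127.0.0.1', 'localhost'

$probe = Test-NetConnection -ComputerName $stateHost -Port $statePort -WarningAction SilentlyContinue

[pscustomobject]@{
    AllowRemoteConnection = $params.AllowRemoteConnection
    RegistryPort          = $params.Port
    ConfigHost            = $stateHost
    ConfigPort            = $statePort
    PortsMatch            = ($params.Port -eq $statePort)
    ServiceStartMode      = $service.StartMode    # expect 'Auto'
    ServiceState          = $service.State        # expect 'Running'
    PortReachable         = $probe.TcpTestSucceeded
} | Format-List

if ($isLoopback -and $params.AllowRemoteConnection -eq 1) {
    Write-Warning ('stateConnectionString points at loopback but AllowRemoteConnection is 1; ' +
        'limit access to the state port with a firewall rule scoped to the web servers that need it.')
}
```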


Source:

1.) http://fetchmytip.blogspot.com/2015/12/iis-85-unable-to-make-session-state.html
2.) http://forums.asp.net/t/1222433.aspx?Unable+to+make+the+session+state+request+to+the+session+state+server+

Thursday, January 14, 2016

The Template Persistent Cache initialization failed for Application Pool

Problem:

Log Name: Application
Source: Active Server Pages
Event ID: 5
Level: Error
Description: Error: The Template Persistent Cache initialization failed for Application Pool ‘My Classic ASP App’ because of the following error: Could not create a Disk Cache Sub-directory for the Application Pool. The data may have additional error codes.

Solution:


Step 1:
%windir%\system32\inetsrv\appcmd list config -section:system.webServer/asp
Step 2:
Go to the ASP Compiled Templates location, which is under C:\inetpub\temp.
Step 3:
Grant Network Service full control of the folder.



Source:

  1. http://www.mcbsys.com/blog/2010/07/template-persistent-cache-error-with-classic-asp-under-iis-7/

Wednesday, January 13, 2016

DateTime.UtcNow vs DateTime.ToUniversalTime

Problem

I was updating an algorithm on a logging solution.  The time stamps were off due to the server sitting in Arizona and the process being started in Europe.  The issue was how to get the time displayed as true UTC time.

Solution

Initially I was playing with UtcNow in the namespace.  However, this will give you the local time of the server in UTC.  That is not what we were looking for!  We needed to use ToUniversalTime which gives the true time in UTC (Zulu). 

Source

  1. https://msdn.microsoft.com/en-us/library/system.datetime.utcnow.aspx
  2. http://stackoverflow.com/questions/10884549/datetime-conversion-to-filetimeutc

Monday, January 11, 2016

The Xap version number needs to be higher than previous version

Problem:

I ran into this issue when I tried to publish the latest version of a Windows Phone application. I had to refer back to my article, http://fetchmytip.blogspot.com/2015/08/the-publisher-display-name-username.html


Key quote:

"Turns out that Visual Studio can't update two very important files, package.appmanifest.xml and WMAppManifest.xml.  These have to be done by hand." This keyed me into the fact that the appxmanifest.xml file was not updated to what was set in the project. The build process set the version to 1.0.0.0 regardless of what you set the WMmanifest to!!

Solution:

The version number for the wmappmanifest.xml was set in the project to the correct value, 1.0.0.3. However, each time I built the xap, the Appxmanifest.xml file listed the version as 1.0.0.0. This is what the Store loader kept choking on. I had to manually change the version number in the appxmanifest.xml file to 1.0.0.3. Once this was done I could upload the project to the store.