Thursday, January 21, 2016

How to Track and Audit Registry Changes

Problem:

Trying to find out what changed a registry key. I needed to use Event Viewer to sort through the logs.

Solution:

Enable Registry Access Auditing (SACL)

A System Access Control List (SACL) determines whether access events for a particular registry scope are generated or not. So you need to enable a SACL on the single registry value, or on the root registry key, whose change events you want to monitor or track.

1. Open Registry Editor by running the command regedit.

2. Right-click the registry key for which you want to configure audit events, and click Permissions.

3. In the Security window, click the Advanced button.

4. Go to the Auditing tab and click the Add button.

5. Select the account Everyone, check the Successful and Failed audit options you want to audit, click OK, and then click Apply.








Registry Change Auditing Event IDs

Once you have configured the audit settings above, you can see the actual events. To view the registry change events, follow the steps below.

1. Open the Run window, type the command eventvwr.msc, and click OK.

2. In the Event Viewer console, expand the tree node Windows Logs and select Security.

3. You will now see a lot of events in the right-hand pane, but to track only registry access and changes we need to look at just these event IDs: 4656, 4657, 4660 and 4663. To filter to these four events, right-click the Security node and click Filter Current Log.

4. Type the event IDs 4656, 4657, 4660 and 4663 as comma-separated values and click.

5. The result window now lists only registry access events; double-click any event to check what type of action was made on the particular registry key.






These event IDs deal with changes to the registry. The event I am interested in is 4657, which tells me when a registry key was changed.

4656: This is the first event logged when a user attempts to access a registry key. It gives information about what type of access was requested by the user; it does not say what type of access the user actually made (that is given by event ID 4663).

4657: A registry value was modified.

4660: A registry key or value was deleted or removed.

4663: This event gives the information on what actual operation the user performed on the audited object. It tells whether the registry key or registry value was created, modified, deleted, or simply accessed.
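The same two procedures (setting the SACL in steps 1-5, then filtering the Security log for the four event IDs) done from PowerShell, as an added example that is not part of the original post or the linked source. The key path is a placeholder you replace with the key you want to watch; it assumes an elevated prompt and that the "Audit Registry" (Object Access) audit policy is enabled, since without it no 4656/4657/4660/4663 events are written.

```powershell
# Added example (not from the original post). Run elevated; replace the placeholder key.
$KeyPath = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'   # placeholder key to monitor

# --- Part 1: enable the SACL (Permissions > Advanced > Auditing > Add, steps 1-5) ---
$acl  = Get-Acl -Path $KeyPath -Audit
$rule = [System.Security.AccessControl.RegistryAuditRule]::new(
    'Everyone',                                               # account chosen in step 5
    [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
    [System.Security.AccessControl.PropagationFlags]'None',
    [System.Security.AccessControl.AuditFlags]'Success, Failure')  # both boxes from step 5
$acl.AddAuditRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# --- Part 2: the "Filter Current Log" query for IDs 4656, 4657, 4660, 4663 ---
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4656, 4657, 4660, 4663
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Pull the EventData fields out of the event XML into a name -> value table
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # 4656 and 4663 are also raised for files; keep only registry objects here.
    if ($d['ObjectType'] -and $d['ObjectType'] -ne 'Key') { continue }

    # 4657 carries ObjectName, ObjectValueName, OldValue and NewValue.
    # 4660 carries no ObjectName: match its HandleId to the earlier 4656 for the key.
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        User    = $d['SubjectUserName']
        Process = $d['ProcessName']
        Handle  = $d['HandleId']
        Key     = $d['ObjectName']
        Value   = $d['ObjectValueName']
        Old     = $d['OldValue']
        New     = $d['NewValue']
    }
}
```

Pipe the output to Format-Table or Export-Csv to keep a record; the Handle column is what ties a 4660 deletion back to the 4656 open that names the key.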

 

Source:

1. http://www.morgantechspace.com/2015/01/how-to-track-registry-changes-in-windows.html
