This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 25%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAT%3C/text%3E%3C/svg%3E)
In procmon, if you filter to a registry path like so:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler
Then change a value in this path, such as the "start" value, this change is not captured in Procmon. However, if you filter to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler\Start
Then change the start value, this is captured. Is this expected behavior? Our first assumption is the first filter would show changes to all values in that path.
It depends on the conditions that you selected. If you selected "is" then it might not be picked up. If you selected "begins with" or "contains", then I would expect it to be captured.