Jaa


Monitoring when registry keys are modified

Let’s say you want to see where a certain setting from Word Options is saved in Registry.
  
 
The easiest method is using Process Monitor.
 
Add a filter on Process Name and Operation, start Word and that’s that:


 
If we uncheck “Allow background saves” from Word Options – Advanced – Save, this is what appears in Process Monitor:


 
 The problem with Process Monitor is that we can’t leave it running for a long time because the page file will become too large and it will not be able to continue the capture.
 
So the alternative is Registry Auditing.
 
What we need to do is:
 

1.       Run the following command from Command Prompt:

auditpol /set /subcategory:"Registry" /success:enable
 

Note: if the OS has a different language pack, the name “Registry” might differ. For instance, on a German Windows, the name is “Registrierung”. To see what the name of the subcategory is you can run:
 
auditpol /list /subcategory:*
 

2.       Open Registry Editor and navigate to the key which we want to audit (HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word)
3.       Right-click on the key and choose “Permissions…”
4.       Click “Advanced” and switch to the Auditing tab
5.       Add a user or group and select Access: Set Value
6.       Apply settings
 
Now the registry changes are visible in the Event Viewer under Windows Logs\Security:

 

More detailed information on this topic:

- https://support.microsoft.com/kb/921469 How to use Group Policy to configure detailed security auditing settings for Windows Vista-based and Windows Server 2008-based computers in a Windows Server 2008 domain, in a Windows Server 2003 domain, or in a Windows 2000 domain.

- https://technet.microsoft.com/en-us/library/cc755264(WS.10).aspx Auditpol set

- https://support.microsoft.com/kb/324739 How to use Group Policy to audit registry keys in Windows Server 2003