Monitor “WHO” altered registry key

QUESTION :

I need to monitor a specific registry key in HKCU for changes. Most importantly I need to know when it changed, who changed it (the process) and what it changed to.

I know this can be done via Proc Mon, however the complications of the situation mean I can’t go installing new external software onto a machine I need to monitor.
Also the command line use of this program isn’t suitable for my needs.

I can however implement a VBS or small c# / VB application, so long as it runs silently.

Is there a simple way to monitor a key and, if it changes, record the change? Again, the most important thing here is which process changed it.

Any thoughts on how this can be done appreciated.

ANSWER :

You can use MS Windows built-in auditing to monitor changes via the Security event log.

Enable “Audit Object Access” via either the group or local security policy. Security Settings/Local Policy/Audit Policy/Audit object access (Success, Failure).

Open the Registry and adjust the Permissions on HKCU (or the specific subkey). Permissions/Advanced/Auditing. Add the Everyone user and select the Access types you want to monitor.

All registry adds, removes, edits, etc. will be logged in the Security event log. Filter as needed.
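The three steps above, scripted in PowerShell as an added example (not code from the original post). It assumes an elevated prompt, uses `auditpol` to switch on the Registry subcategory of Object Access auditing (the per-subcategory form of the "Audit object access" policy), and watches the placeholder key `HKCU:\Software\Example`; the reader function pulls event 4657 ("A registry value was modified"), which carries the process name and the old and new data, plus 4663 (object access attempt).

```powershell
# Added example. Key path is a placeholder; run from an elevated prompt, since
# reading or writing a SACL (Get-Acl -Audit / Set-Acl) needs SeSecurityPrivilege.
$keyPath = 'HKCU:\Software\Example'

# 1. Enable auditing for the Registry subcategory of Object Access.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

# 2. Add a SACL entry: audit value writes, subkey creation and deletion by Everyone.
$acl  = Get-Acl -Path $keyPath -Audit
$rule = [System.Security.AccessControl.RegistryAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
    [System.Security.AccessControl.PropagationFlags]'None',
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 3. Read the resulting Security events back. 4657 = "A registry value was
#    modified" (ProcessName, ObjectValueName, OldValue, NewValue);
#    4663 = "An attempt was made to access an object" (ProcessName, AccessMask).
function Get-RegistryChangeEvents {
    param([string]$KeyFilter, [int]$Hours = 1)
    $filter = @{ LogName = 'Security'; Id = 4657, 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData is easiest to consume from the event XML, keyed by field name.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # ObjectName is the kernel path, e.g. \REGISTRY\USER\<SID>\Software\Example
        if ($d['ObjectName'] -like "*$KeyFilter*") {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                User      = $d['SubjectUserName']
                Process   = $d['ProcessName']
                Key       = $d['ObjectName']
                ValueName = $d['ObjectValueName']
                OldValue  = $d['OldValue']
                NewValue  = $d['NewValue']
            }
        }
    }
}

Get-RegistryChangeEvents -KeyFilter 'Software\Example' -Hours 1 | Format-Table -AutoSize
```

Only access types listed in the audit rule generate events, so a read-only SACL will never produce a 4657; the Security log also rolls over, so size it or forward it if the monitoring has to persist.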
