9.12. Monitoring Registry Activity


You want to monitor registry accesses. This could involve anything from watching what processes are using the registry to monitoring what a specific user is doing with the registry.


There are two ways to monitor registry activity. You can view real-time access to the registry with the Sysinternals Registry Monitor (regmon.exe) tool. With it you can view the process name, the PID, and the operation performed (QueryKey, EnumerateValue, SetValue, and so on) for all the processes that have a key or value open. Figure 9-1 shows this tool.

Figure 9-1. Sysinternals Registry Monitor

If you want to monitor registry activity over a long period of time or cannot keep a copy of Registry Monitor open at all times, another option is to enable registry auditing. With registry auditing enabled, the Security event log records detailed information about each successful or failed attempt by a particular user or group of users to access the audited keys. Here is how you set that up:

  1. Open the Registry Editor (regedit.exe).

  2. In the left pane, browse to the key you want to audit. (You can't audit individual registry values.)

  3. Right-click on the key and select Permissions.

  4. Click the Advanced button.

  5. Click the Auditing tab.

  6. Click the Add button.

  7. Use the Object Picker to find the user or group for whom you want to audit access.

  8. In the Auditing Entry box, select the types ...
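The same auditing entry the steps above create through the Permissions dialog is a SACL entry on the key, and it can be set and verified from PowerShell. The script below is an added example, not code from the book; the key path HKCU:\Software\AuditDemo, the audited group (local Users) and the chosen rights are assumptions, and it must run from an elevated prompt because reading or writing a SACL requires SeSecurityPrivilege.

```powershell
# Added example, not from the book: the scripted equivalent of steps 1-8.
# Assumed/constructed values: the sample key path and the audited identity.
# Registry auditing only produces Security-log events once the "Audit object
# access" policy is enabled as well; the SACL alone records nothing.

$KeyPath  = 'HKCU:\Software\AuditDemo'   # constructed sample key
$Identity = New-Object System.Security.Principal.NTAccount('BUILTIN', 'Users')

if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }

# Rights that match the "Set Value", "Create Subkey" and "Delete" checkboxes
# in the Auditing Entry dialog (step 8). Auditing is per key, never per value.
$Rights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
          [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
          [System.Security.AccessControl.RegistryRights]::Delete

# Apply to this key and its subkeys; audit both successful and failed attempts.
$Inherit   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$Propagate = [System.Security.AccessControl.PropagationFlags]::None
$Flags     = [System.Security.AccessControl.AuditFlags]::Success -bor
             [System.Security.AccessControl.AuditFlags]::Failure

$Rule = New-Object System.Security.AccessControl.RegistryAuditRule(
            $Identity, $Rights, $Inherit, $Propagate, $Flags)

# -Audit makes Get-Acl read the SACL (the Auditing tab) rather than only the DACL.
$Acl = Get-Acl -Path $KeyPath -Audit
$Acl.AddAuditRule($Rule)
Set-Acl -Path $KeyPath -AclObject $Acl

# Read the SACL back to confirm the entry landed, the same view the Auditing tab gives.
(Get-Acl -Path $KeyPath -Audit).GetAuditRules($true, $true,
        [System.Security.Principal.NTAccount]) |
    Select-Object IdentityReference, RegistryRights, AuditFlags, InheritanceFlags |
    Format-Table -AutoSize

# On Windows Vista and later, audited registry accesses are logged as Security
# event 4663 (object access); filter on the constructed key name to see them.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 50 |
    Where-Object { $_.Message -match [regex]::Escape('AuditDemo') } |
    Select-Object TimeCreated, Id, Message
```

Running the script twice adds a duplicate audit entry, so check the read-back output before re-applying, or remove the rule with RemoveAuditRule first.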

