9.12. Monitoring Registry Activity
You want to monitor registry accesses. This could involve anything from watching what processes are using the registry to monitoring what a specific user is doing with the registry.
There are two ways to monitor registry activity. You can view
real-time access to the registry with the Sysinternals Registry Monitor (regmon.exe) tool. With it you can view the
process name, the PID, and the operation performed (e.g.,
SetValue, etc.) for all the processes that
have a key or value open. Figure 9-1 shows this
Figure 9-1. Sysinternals Registry Monitor
If you want to monitor registry activity over a long period of time or cannot keep a copy of Registry Monitor open at all times, another option is to enable registry auditing. With registry auditing enabled, you can get detailed information in the Security event log about the successful or failed attempts a particular user or group of users make to the registry. Here is how you set that up:
Open the Registry Editor (regedit.exe).
In the left pane, browse to the key you want to audit. (You can't audit individual registry values.)
Right-click on the key and select Permissions.
Click the Advanced button.
Click the Auditing tab.
Click the Add button.
Use the Object Picker to find the user or group for whom you want to audit access.
In the Auditing Entry box, select the types ...