Monitoring specific RegKey

Marko Kirschner

Hi there,

I'm looking for a tool which monitors a specific
Registry key over a period of 4-5 weeks. My problem is
that something changes a Registry key and I need to find
out which application/process this is.
RegMon is not a good choice, because I need to monitor
just one key and I don't know which process changes it.
ARM/ART also just take snapshots.
I also tried regprot from diamondcs, but there I can't
configure which keys should be monitored.
Does anybody have a hint?
Thanks very much
Marko
 
Mark V

In said:
Hi there,

I'm looking for a tool which monitors a specific
Registry key over a period of 4-5 weeks. My problem is
that something changes a Registry key and I need to find
out which application/process this is.
RegMon is not a good choice, because I need to monitor
just one key and I don't know which process changes it.

But you know the key? RegMon can be set to filter out all but the
fully qualified registry path and further restrict itself to just
WRITES, for example.

But try Marin's Auditing technique first perhaps.
 
Marin Marinov

<snip>
Hi Marko,
I'd give a shot at the built-in auditing, specifically "Audit object
access" (Success) and configure auditing for this specific key. You'll
need Regedt32.exe to do this:
1) Browse to the key, and on the Security menu click "Permissions".
2) Select "Advanced"->Auditing->Add... and add the group Everyone.
3) Check the boxes under "Success" for "Set value", "Create subkey".
These should be enough.
4) Test by manually editing the key and see if events are generated in
the Security log. The "Image file name" should specify the process that
modified the key/value.

You can turn auditing on from Administrative tools\Local Security policy
\Local Policies\Audit policy.

HTH
--
Cheers,
Marin Marinov
MCT, MCSE 2003/2000/NT4.0,
MCSE:Security 2003/2000, MCP+I
-
This posting is provided "AS IS" with no warranties, and confers no
rights.
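The auditing setup Marin describes, scripted for a current Windows build, as an added example rather than anything posted in this thread: it puts the same SACL entry (Everyone, Success, Set Value and Create Subkey) on the key with Set-Acl, then pulls the resulting Security-log events, which on modern Windows are 4657 (registry value modified) and 4663 (object access) and carry a Process Name field rather than the "Image file name" Marin mentions. The key path and the 35-day lookback are constructed placeholders; the script assumes an elevated PowerShell session on the monitored machine.

```powershell
# Added example, not from the thread. Run elevated; $KeyPath is a placeholder for the key to watch.
$KeyPath = 'HKLM:\SOFTWARE\Example\WatchedKey'          # constructed placeholder

# 1) Enable success auditing for the Registry subcategory of "Audit object access".
auditpol.exe /set /subcategory:"Registry" /success:enable | Out-Null

# 2) Add a SACL entry on the key: Everyone, Success, Set Value + Create Subkey, inherited by subkeys.
$acl  = Get-Acl -Path $KeyPath -Audit
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone',
    [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# 3) Later (or on a schedule over the 4-5 weeks): list who modified the key and from which process.
#    The event's ObjectName uses the kernel object path form, not the HKLM: drive form.
$objectName = '\REGISTRY\MACHINE\SOFTWARE\Example\WatchedKey'   # matches $KeyPath above
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657, 4663; StartTime = (Get-Date).AddDays(-35) } |
    Where-Object { $_.Message -like "*$objectName*" } |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            EventId     = $_.Id
            User        = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            ProcessId   = $d.ProcessId
            ProcessName = $d.ProcessName            # the process that touched the key
            Object      = $d.ObjectName
            Value       = $d.ObjectValueName        # present on 4657 only
        }
    } | Format-Table -AutoSize
```

Auditing Everyone for Success on a busy key can fill the Security log quickly, so size the log (or forward it) before leaving this running for weeks.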