Registry Auditing

Clark Murray

I am trying to stamp out some very persistent adware/spyware, so I denied access to the offending registry key and turned on auditing. The popups have stopped, but when I look in the Event Viewer I cannot find any audit records about access to that key. I think I need some basic info about how to do registry audits for Win XP, but I was not able to find anything in the Microsoft Knowledge Base.
 
Hi Clark,

XP Professional:

Phase I: Enable Audit Policy

1. Click Start, Run, and type secpol.msc (gpedit.msc works as well).
2. In the left pane, under Local Policies, click Audit Policy.
3. In the right pane, double-click Audit Object Access, and then select the
Success and Failure boxes.

Phase II: Set the Registry audit:

1. Now use Regedit to audit the registry key.
2. Open Regedit and click the key you want to audit.
3. On the Edit menu, click Permissions, and then click Advanced.
4. On the Auditing tab, click Add.
5. Type your username there and add it to the audit list.
6. In the Auditing Entry dialog, in the Access list, select both
the Successful and Failed check boxes next to the activities for which you
want to audit successful and failed attempts.

Phase III: Inspect the Event Logs for any information on the changed
keys/values:

1. Click Start, Run, and type eventvwr.msc.
2. In Event Viewer's left pane, click Security.
3. In the right pane, double-click any entry to see more details
(use the notepad icon to copy the content to the clipboard).

Don't forget to turn off auditing for the key once you gather the required
data, as your Security event log might soon become full.

--
Ramesh, Microsoft MVP
Windows XP Shell/User
http://www.mvps.org/sramesh2k
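The same three phases as a script, added here as an example and not part of Ramesh's post. It targets Windows Vista and later, where auditpol.exe and PowerShell ship with the OS (XP, and XP Home in particular, has neither the policy snap-in nor these tools built in). The key path in $Key is a hypothetical placeholder; run it from an elevated prompt, since reading or writing a SACL requires SeSecurityPrivilege.

```powershell
# Added example (not Ramesh's or Microsoft's code): registry auditing as a script,
# for Windows Vista and later. Run elevated: reading or writing a SACL needs
# SeSecurityPrivilege, which only an administrator token holds.
# $Key is a hypothetical placeholder; substitute the key the adware is using.
$Key = 'HKCU:\Software\Example\Adware'

# Phase I: enable the Object Access > Registry audit subcategory (Success and Failure).
# Without this step the SACL set below produces no events at all.
auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable

# Phase II: add a SACL entry to the key. Auditing Everyone (S-1-1-0) rather than one
# user name also records accesses by processes running as SYSTEM or a service account,
# which is where persistent adware often lives.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rights   = [System.Security.AccessControl.RegistryRights]'QueryValues,SetValue,CreateSubKey,Delete,WriteKey'
$rule     = New-Object System.Security.AccessControl.RegistryAuditRule(
                $everyone,
                $rights,
                [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
                [System.Security.AccessControl.PropagationFlags]::None,
                [System.Security.AccessControl.AuditFlags]'Success,Failure')

$acl = Get-Acl -Path $Key -Audit      # -Audit pulls the SACL, not just the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Key -AclObject $acl

# Phase III: read the resulting Security log events and show which process touched the key.
# 4656 = handle requested, 4663 = object accessed, 4657 = registry value modified
# (on XP/2003 the equivalents were 560 "Object Open" and 567 "Object Access Attempt").
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4657, 4663 } -MaxEvents 500 |
    Where-Object { $_.Message -match [regex]::Escape('Example\Adware') } |
    Select-Object TimeCreated, Id,
        @{ n = 'Process'; e = { if ($_.Message -match 'Process Name:\s*(.+)') { $Matches[1].Trim() } } } |
    Format-Table -AutoSize

# Cleanup once you have what you need, so the Security log does not fill up:
# remove the SACL entry and turn the subcategory back off.
# $acl = Get-Acl -Path $Key -Audit; $null = $acl.RemoveAuditRule($rule); Set-Acl -Path $Key -AclObject $acl
# auditpol.exe /set /subcategory:"Registry" /success:disable /failure:disable
```

The "Process Name" field in the 4656/4663 events is what actually answers the original question: it names the executable that is re-creating or reading the key, which the popups alone do not tell you.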

Ramesh,

Sorry, should have said XP Home.

Tried Start, Run, but I get a 'not found' message for both secpol.msc and
gpedit.msc.