Windows Server Cookbook for Windows Server 2003 and Windows 2000

Recipe 9.12. Monitoring Registry Activity

Problem

You want to monitor registry accesses. This could involve anything from watching what processes are using the registry to monitoring what a specific user is doing with the registry.

Solution

There are two ways to monitor registry activity. You can view real-time access to the registry with the Sysinternals Registry Monitor (regmon.exe) tool. With it you can view the process name, the PID, and the operation performed (e.g., QueryKey, EnumerateValue, SetValue, etc.) for all the processes that have a key or value open. Figure 9-1 shows this tool.

Figure 9-1. Sysinternals Registry Monitor

If you want to monitor registry activity over a long period of time or cannot keep a copy of Registry Monitor open at all times, another option is to enable registry auditing. With registry auditing enabled, you can get detailed information in the Security event log about the successful or failed attempts a particular user or group of users make to the registry. Here is how you set that up:

  1. Open the Registry Editor (regedit.exe).

  2. In the left pane, browse to the key you want to audit. (You can't audit individual registry values.)

  3. Right-click on the key and select Permissions.

  4. Click the Advanced button.

  5. Click the Auditing tab.

  6. Click the Add button.

  7. Use the Object Picker to find the user or group for whom you want to audit access.

  8. In the Auditing Entry box, select the types of things you want to audit. Success is audited separately from Failure, so be sure to check all the types you want to audit.

  9. Click OK until all windows are closed.

  10. Open the Local Security Policy snap-in (available from Administrative Tools).

  11. In the left pane, expand Local Policies and click on Audit Policy.

  12. In the right pane, double-click on Audit object access.

  13. Check the box beside Success to audit successful actions.

  14. Check the box beside Failure to audit failed actions.

  15. Click OK.

Discussion

To enable auditing in the registry, you have to complete two steps. The first consists of configuring what you want to audit in the registry, which you can do with the Registry Editor. (Table 9-4 lists all audit options.) After you've completed this, auditing isn't turned on yet. To do that, you have to go to the Local Policies snap-in (or Group Policy Object Editor in a domain environment) and enable auditing. At this point, any registry access to the keys you configured should be logged to the Security event log.

Table 9-4. Registry audit options

Name

Description

Create Link

Any attempt to create a symbolic link in a particular key

Create Subkey

Any attempt to create subkeys on a selected registry key

Delete

Any attempt to delete a key

Enumerate Subkeys

Any attempt to list the subkeys of a key

Notify

Any notification events from a key in the registry

Query Value

Any attempt to read a value from a key

Read Control

Any attempt to open the discretionary access control list on a key

Set Value

Any attempt to set a value in a key

Write DAC

Any attempt to write a discretionary access control list on a key

Write Owner

Any attempt to change the owner of a key

It is always a good idea to monitor your event logs closely after you enable auditing. You don't want fill up your Security log unnecessarily because you are auditing too much.

See Also

MS KB 315416 (HOW TO: Use Group Policy to Audit Registry Keys in Windows 2000)

Related

Категории