Registry Change Tracking

<< Click to Display Table of Contents >>

Navigation:  Monitoring with EventSentry > Compliance Tracking >

Registry Change Tracking

Intercepts audit events generated by Windows and makes them available in the web-based reporting.






Requirements: This feature works by intercepting Audit Success events with event ID 4657 that are written to the security event log when registry auditing is enabled (either in the local security policy or via AD) and at least one registry key is configured for auditing. See requirements for details.


Collected Data

EventSentry will collect the following process information on all supported Windows platforms:





Added, Removed or Modified

Registry Path

Path of the value that was added, removed or modified

Registry Value Name

Name of the registry value that was added, removed or modified

Value Before

Value before the change

Value After

Value after the change

Type Before

Type of the value before the change

Type After

Type of the value after the change

Caller Path / File

Proesses that initiated the change, ignore for changes that were initiated removely


User who initiated the change

Logon ID

Logon ID of the session that made the change

Event #

Event number of the event describing the change



General Filter

Determines which registry activity will be picked up by EventSentry.


Registry Paths

Configure whether all registry changes that are audited by the Operating System are processed (Monitor everything), whether certain paths should be excluded ("Exclude paths listed below") or whether only select paths should be monitored ("Monitor only paths listed below").



Configure whether registry activity from all processes should be processed ("Any process"), whether certain processes should be excluded ("Exclude Processes listed below") or whether only specific processes should be monitored ("Monitor only processes listed below").