/configtrackingregistry.htm" />

Please enable JavaScript to view this site.

Intercepts Windows audit events pertaining to the Windows Registry and makes them available in the web-based reporting.

 

clip0341

 

 

warning_32

Requirements: This feature works by intercepting Audit Success events with event ID 4657 that are written to the security event log when registry auditing is enabled (either in the local security policy or via AD) and at least one registry key is configured for auditing. See requirements for details.

 

Collected Data

The following registry information is collected on all supported Windows platforms:

 

Field

Description

Action

Added, Removed or Modified

Registry Path

Path of the value that was added, removed or modified, always starts with \REGISTRY\

Registry Value Name

Name of the registry value that was added, removed or modified

Value Before

Value before the change

Value After

Value after the change

Type Before

Type of the value before the change

Type After

Type of the value after the change

Caller Path / File

Proesses that initiated the change, ignore for changes that were initiated removely

Username

User who initiated the change

Logon ID

Logon ID of the session that made the change

Event #

Event number of the event describing the change

 

Configuration

General Filter

Determines which registry activity will be picked up.

 

Registry Paths

Configure whether all registry changes that are audited by the Operating System are processed by EventSentry (Monitor everything), whether certain paths should be excluded ("Exclude paths listed below") or whether only select paths should be monitored ("Monitor only paths listed below").

 

Registry path filters need to match the format used in event 4657 and generally start with \REGISTRY\, for example:

 

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

\REGISTRY\USER\S-1-5-21-2574282233-618468577-1958264051-1122\Software\Microsoft\Windows\CurrentVersion\Run

 

When in doubt prefix the registry path with an asterisk, for example *\Software\Microsoft\Windows\CurrentVersion\Run

 

Sub folders are automatically monitored.

 

Processes

Configure whether registry activity from all processes should be processed ("Any process"), whether certain processes should be excluded ("Exclude Processes listed below") or whether only specific processes should be monitored ("Monitor only processes listed below").

 

 

Event Log 32 n t

Event IDs

Registry Access

 

Windows Vista, Windows 2008 and later

4657, 4663