Monitoring specific RegKey

  • Thread starter Thread starter Marko Kirschner
  • Start date Start date
M

Marko Kirschner

Hi there,

I'am looking for a tool, which monitors a specific
Registry key over a periode of 4-5 weeks. My problem is,
that something changes a Registrykey and I need to find
out which application/process this is.
RegMon is not a good choice, because I need to monitor
just one key and I dont know which process it changes.
ARM/ART also just take snapshots.
I also tried regprot from diamondcs, but there I can't
configure which keys should be monitored.
Does anybody has a hint?
Thanks very much
Marko
 
In said:
Hi there,

I'am looking for a tool, which monitors a specific
Registry key over a periode of 4-5 weeks. My problem is,
that something changes a Registrykey and I need to find
out which application/process this is.
RegMon is not a good choice, because I need to monitor
just one key and I dont know which process it changes.
Click to expand...

But you know the Key? RegMon can be set to filter out all but the
fully qualified registry path and further restrict itself to just
WRITES for example.

But try Marin's Auditing technique first perhaps.
 
In said:
Hi there,

I'am looking for a tool, which monitors a specific
Registry key over a periode of 4-5 weeks. My problem is,
that something changes a Registrykey and I need to find
out which application/process this is.
RegMon is not a good choice, because I need to monitor
just one key and I dont know which process it changes.
Click to expand...

But you know the Key? RegMon can be set to filter out all but the
fully qualified registry path and further restrict itself to just
WRITES for example.

But try Marin's Auditing technique first perhaps.
 
<snip>
Hi Marko,
I'd give a shot at the built-in auditing, specifically "Audit object
access" (Success) and configure auditing for this specific key. You'll
need Regedt32.exe to do this:
1) Browse to the key, and on the Security menu click "Permissions".
2) Select "Advanced"->Auditing->Add... and add the group Everyone.
3) Check the boxes under "Success" for "Set value", "Create subkey".
These should be enough.
4) Test by manually editing the key and see if events are generated in
the Security log. The "Image file name" should specify the process that
modified the key/value

You can turn auditing on from Administrative tools\Local Security policy
\Local Policies\Audit policy.

HTH
--
Cheers,
Marin Marinov
MCT, MCSE 2003/2000/NT4.0,
MCSE:Security 2003/2000, MCP+I
-
This posting is provided "AS IS" with no warranties, and confers no
rights.
 
<snip>
Hi Marko,
I'd give a shot at the built-in auditing, specifically "Audit object
access" (Success) and configure auditing for this specific key. You'll
need Regedt32.exe to do this:
1) Browse to the key, and on the Security menu click "Permissions".
2) Select "Advanced"->Auditing->Add... and add the group Everyone.
3) Check the boxes under "Success" for "Set value", "Create subkey".
These should be enough.
4) Test by manually editing the key and see if events are generated in
the Security log. The "Image file name" should specify the process that
modified the key/value

You can turn auditing on from Administrative tools\Local Security policy
\Local Policies\Audit policy.

HTH
--
Cheers,
Marin Marinov
MCT, MCSE 2003/2000/NT4.0,
MCSE:Security 2003/2000, MCP+I
-
This posting is provided "AS IS" with no warranties, and confers no
rights.
 
Back
Top