Hello Reader,
This week Kevin Pagano grabbed the win with a nice primer on registry monitoring. I m looking forward to testing more registry monitoring tools next week and trying out Maxim Suhanov's suggestion of waiting 30 seconds for transactions to be written.
The Challenge:
Winning answer:
This week Kevin Pagano grabbed the win with a nice primer on registry monitoring. I m looking forward to testing more registry monitoring tools next week and trying out Maxim Suhanov's suggestion of waiting 30 seconds for transactions to be written.
The Challenge:
How would you monitor/record changes to registry keys? What could you do to get more data?
Winning answer:
There are few monitor tools that can record changes in the registry.
Nirsoft specifically has 2 different options that could be helpful:
Regshot and WhatChanged are two other tools that are similar to RegistryChangesView in that it can show changes in two snapshots of the registry at different times.RegistryChangesView - allows you to take snapshots of the registry at different points in time and compares two versions and export the changes as neededRegFromApp - this one monitors the registry for changes made by specific applications
Process Monitor (ProcMon) will give you real time feedback of activities in various locations but also the registry.
Registry Auditing can be turned on as such so changes will show in Event Logs:
1. Run the following command from Command Prompt:
auditpol /set /subcategory:"Registry" /success:enable
Note: if the OS has a different language pack, the name “Registry” might differ. For instance, on a German Windows, the name is “Registrierung”. To see what the name of the subcategory is you can run:
Note: if the OS has a different language pack, the name “Registry” might differ. For instance, on a German Windows, the name is “Registrierung”. To see what the name of the subcategory is you can run:
auditpol /list /subcategory:*
2. Open Registry Editor and navigate to the key which we want to audit (HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word)
2. Open Registry Editor and navigate to the key which we want to audit (HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word)
3. Right-click on the key and choose “Permissions…”
4. Click “Advanced” and switch to the Auditing tab
5. Add a user or group and select Access: Set Value
6. Apply settings
4. Click “Advanced” and switch to the Auditing tab
5. Add a user or group and select Access: Set Value
6. Apply settings
Via Microsoft
RegistryExplorer from Eric Zimmerman can be used to possibly show deleted registry keys and recover them as needed as well as interpret the registry transaction LOG files.
Also Read: Daily Blog #498
Post a Comment