How can I audit changes to the registry?

A. The regedt32.exe utility can set auditing on specific parts of the registry. Note that any type of auditing is a very sensitive matter lately, and you may want to add some sort of warning letting people know that their changes are being audited.

  1. Start the registry editor (regedt32.exe)
  2. Select the key you wish to audit (e.g. HKEY_LOCAL_MACHINE\Software)
  3. From the Security menu select Auditing
  4. Check the "Audit Permission on Existing Subkeys" box if you want subkeys to be audited as well
  5. Click the Add button and select the users you want to audit, click Add and then click OK
  6. Once there are names in the "Names" box, select which events to audit, and whether to record success, failure or both
  7. When you have filled in all the information click OK

None of this is recorded unless auditing for File and Object Access is enabled (use User Manager - Policies - Audit).

To view the audit records, open Event Viewer and look at the Security log.
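
The same three parts (audit entry on the key, object-access audit policy, reading the Security log) scripted for a Windows version that has PowerShell and auditpol.exe. This is an added example, not part of the original answer, and it goes beyond the regedt32 procedure above. Assumptions: an elevated session, a hypothetical key `HKLM:\SOFTWARE\ExampleVendor`, and `Everyone` as the audited principal.

```powershell
# Added example. Run from an elevated PowerShell session.
# The key path and the audited principal are illustrative assumptions.
$keyPath   = 'HKLM:\SOFTWARE\ExampleVendor'   # hypothetical key
$principal = 'Everyone'

# Policy side: turn on success and failure auditing for registry objects.
# Without this, audit entries on the key produce no events.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable

# Key side: read the security descriptor including its audit entries (SACL).
$acl = Get-Acl -Path $keyPath -Audit

# Audit writes and deletes; ContainerInherit applies the entry to subkeys,
# which corresponds to the "existing subkeys" checkbox in step 4.
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    $principal,
    [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete',
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Check: list the audit entries now present on the key.
(Get-Acl -Path $keyPath -Audit).Audit |
    Format-Table IdentityReference, RegistryRights, AuditFlags, IsInherited

# Review: 4657 = registry value modified, 4663 = attempt to access an object.
# Keep only events that mention the audited key name.
$keyName = Split-Path -Path $keyPath -Leaf
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657, 4663 } `
             -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$keyName*" } |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
```

Auditing a broad key such as HKEY_LOCAL_MACHINE\Software for Everyone generates a large volume of events, so scope the key and the rights to what you actually need to monitor.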

