Auditing the Registry

As I mentioned, comparing snapshots of the registry is just one method of finding a setting; monitoring is another. The first method of monitoring the registry I'm going to show you is built into Windows XP: auditing. Use auditing only if you don't have other monitoring tools available to you, however, because its disadvantages far outweigh its advantages for the purpose of tracing settings. The first drawback is that auditing the registry for changes requires that you know in advance the general vicinity where a setting is located because auditing the entire registry isn't practical. Second, deciphering the results of an audit is rather cumbersome. It relies on viewing security events in Event Viewer, and the output isn't friendly.

Auditing the registry for changes is a three-step process. First you must enable Audit Policy. You do this by editing Local Security Policy. After that, you audit branches in the registry where you think the setting is located. You can't just audit the entire registry because doing so would bring even the fastest computer running Windows XP to a grinding halt. On average, the operating system and the applications access the registry thousands of times during a session, so recording the details of every one of these hits just isn't practical. Last, after changing the setting or performing the action you're tracking, look in Event Viewer to see which values changed. The following sections describe each step.

Setting Audit Policy

The first step in auditing the registry is to enable Audit Policy:

  1. Click Start, Control Panel, Performance And Maintenance, Administrative Tools, and Local Security Policy.

  2. In the left pane, under Local Policy, click Audit Policy.

  3. In the right pane, double-click Audit Object Access, and then select both the Success and Failure check boxes.

Auditing Registry Keys

After enabling Audit Policy, audit the specific keys in which you think you're going to find the setting:

  1. In Regedit, click the key you want to audit.

  2. On the Edit menu, point to Permission, and then click Advanced.

  3. On the Auditing tab of the Advanced Security Settings dialog box, shown in Figure 8-4, click Add.

    Figure 8-4: Auditing the registry helps you track down settings in the registry.

  4. In the Select Users, Computers, Or Groups dialog box, click Locations. Then click the computer, domain, or organizational unit in which you want to look for the user or group you want to audit.

  5. In the Enter The Object Names To Select box, type the name of the user or group you want to add to the key's audit list, and then click OK.

  6. In the Access list, select the Successful and Failed check boxes next to the activities you want to audit. The following list of permissions corresponds to the permissions you learned about in Chapter 7, "Managing Registry Security."

    • Full Control

    • Query Value

    • Set Value

    • Create Subkey

    • Enumerate Subkeys

    • Notify

    • Create Link

    • Delete

    • Write DAC

    • Write Owner

    • Read Control

    Tip: Audit carefully to avoid too much of a performance penalty. For example, if you're trying to find the location where an application saves a setting, audit for Set Value, change the value in the user interface, and then check your results.

Analyzing the Results

The final step after enabling Audit Policy and auditing specific keys is checking the results using Event Viewer. To open Event Viewer, click Start, Control Panel, Performance And Maintenance, Administrative Tools, and Event Viewer. In Event Viewer's left pane, click Security. You see each hit in the right pane, and the most recent hits are at the top of the list. Double-click any entry to see more details. The Event Properties dialog box tells you what type of access Windows XP detected, the object type, and the process that accessed the key or value.
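The three steps above, scripted end to end as an added example (this is not code from the book; it is a PowerShell rendering of the same procedure). It assumes an elevated Windows PowerShell session on Windows Vista or later (the `auditpol` subcategory syntax does not exist on Windows XP, where step 1 is the Local Security Policy procedure described above), and it uses `HKCU:\Software\Example` as a placeholder for the branch you suspect holds the setting. The `Get-RegistryAuditHits` function and `Get-Field` helper are names chosen for this example; the field labels they parse (`Object Name`, `Accesses`, `Process Name` / `Image File Name`) are the ones that appear in the Security log's message text.

```powershell
# Added example, not from the book. Run elevated; SACL changes need SeSecurityPrivilege.
$keyPath = 'HKCU:\Software\Example'   # placeholder: the branch you think holds the setting
$subKey  = 'Software\Example'         # same branch as it appears in audit event messages

# Step 1: enable object-access auditing for registry objects (success and failure).
# Vista+ syntax; on Windows XP use Local Security Policy > Audit Object Access instead.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

# Step 2: add an audit (SACL) entry for Set Value on the key, as the Tip recommends.
if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
$acl  = Get-Acl -Path $keyPath -Audit            # -Audit reads the SACL, not just the DACL
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone',
    [System.Security.AccessControl.RegistryRights]::SetValue,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Stand-in for "change the setting in the user interface": write one value.
Set-ItemProperty -Path $keyPath -Name 'Probe' -Value (Get-Date).ToString()

# Step 3: read the Security log and pull out the three things the text says the
# Event Properties dialog shows: access type, object, and the accessing process.
function Get-Field([string]$Text, [string]$Label) {
    # Returns the text after "Label:" on its line, or $null if the label is absent.
    if ($Text -match "$Label\s*:\s*([^\r\n]+)") { $Matches[1].Trim() } else { $null }
}

function Get-RegistryAuditHits {
    param([string]$SubKey, [int]$Newest = 500)
    # Newest events come first, matching the order Event Viewer shows them.
    # Registry value changes are event 4657 on Vista+; XP logs object open/access
    # events (560/567). Filtering on message text works for both.
    Get-EventLog -LogName Security -Newest $Newest |
        Where-Object { $_.Message -match 'Object Type:\s+Key' -and
                       $_.Message -match [regex]::Escape($SubKey) } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeGenerated
                EventId = $_.EventID
                Object  = Get-Field $_.Message 'Object Name'
                Access  = Get-Field $_.Message 'Accesses'
                Process = Get-Field $_.Message '(?:Process Name|Image File Name)'
            }
        }
}

Get-RegistryAuditHits -SubKey $subKey | Format-Table -AutoSize
```

The object name in the event is the kernel path (`\REGISTRY\USER\<SID>\Software\Example`), not the `HKCU:` drive path, which is why the filter matches on the subkey portion only. Remove the audit rule again once the setting is found; every process touching the branch keeps generating events otherwise.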



Microsoft Windows XP Registry Guide
ISBN: 0735617880
Year: 2005
Pages: 185