Recipe 9.11. Monitoring Registry Activity


Problem

You want to monitor Registry accesses. This could involve anything from watching what processes are using the Registry to monitoring what a specific user is doing with the Registry.

Solution

There are two ways to monitor Registry activity. You can view real-time access to the Registry with the Sysinternals Registry Monitor (regmon.exe) tool. With it you can view the process name, the PID, and the operation performed (e.g., QueryKey, EnumerateValue, SetValue, etc.) for all the processes that have a key or value open. Figure 9-1 shows this tool.

Figure 9-1. Sysinternals Registry Monitor


If you want to monitor Registry activity over a long period of time or cannot keep a copy of Registry Monitor open at all times, another option is to enable Registry auditing. With Registry auditing enabled, you get detailed information in the Security event log about successful or failed attempts by a particular user or group of users to access the Registry. Here is how you set that up:

  1. Open the Registry Editor (regedit.exe).

  2. In the left pane, browse to the key you want to audit. (You can't audit individual Registry values.)

  3. Right-click on the key and select Permissions.

  4. Click the Advanced button.

  5. Click the Auditing tab.

  6. Click the Add button.

  7. Use the Object Picker to find the user or group for whom you want to audit access.

  8. In the Auditing Entry box, select the types of things you want to audit. Success is audited separately from Failure, so be sure to check all the types you want to audit.

  9. Click OK until all windows are closed.

  10. Open the Local Security Policy snap-in (available from Administrative Tools).

  11. In the left pane, expand Local Policies and click on Audit Policy.

  12. In the right pane, double-click on Audit object access.

  13. Check the box beside Success to audit successful actions.

  14. Check the box beside Failure to audit failed actions.

  15. Click OK.
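The same two-step setup can be scripted. The following is an added example, not code from the cookbook: it performs steps 2-9 (the audit entry on the key) and steps 10-15 (the audit policy) from an elevated PowerShell prompt. The key path and the identity are sample values; the auditpol "Registry" subcategory assumes Windows Vista or later, so on Windows XP keep the Local Security Policy steps 10-15 as written.

```powershell
# Added example (not from the cookbook): the recipe's two-step setup done from
# an elevated PowerShell prompt instead of the Registry Editor and Local
# Security Policy GUIs. Requires SeSecurityPrivilege (Administrators have it).
# Assumptions: $keyPath and $identity are sample values; auditpol's "Registry"
# subcategory exists on Windows Vista and later only.

$keyPath  = 'HKLM:\SOFTWARE\Example'   # assumption: the key to audit (individual values cannot be audited)
$identity = 'Everyone'                 # assumption: the user or group to audit

# Create the sample key if it does not exist yet.
New-Item -Path $keyPath -Force | Out-Null

# Step 1 (recipe steps 2-9): add a SACL entry to the key. The RegistryRights
# names correspond to the audit names in Table 9-4 (ChangePermissions = Write
# DAC, TakeOwnership = Write Owner). This entry audits writes and permission
# changes, which is usually the interesting part and keeps the log volume down.
$rights  = [System.Security.AccessControl.RegistryRights] 'SetValue, Delete, CreateSubKey, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit   # apply to subkeys as well
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags] 'Success, Failure'         # Success and Failure are separate, as in step 8

$rule = New-Object System.Security.AccessControl.RegistryAuditRule -ArgumentList $identity, $rights, $inherit, $prop, $flags

$acl = Get-Acl -Path $keyPath -Audit     # -Audit is required to read and later write the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Step 2 (recipe steps 10-15): turn on object-access auditing. Without this,
# the SACL entry above never produces an event.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable

# Check the result: list the audit entries now present on the key.
(Get-Acl -Path $keyPath -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, RegistryRights, AuditFlags, InheritanceFlags -AutoSize
```

Once both halves are in place, accesses that match the entry show up in the Security log as object-access events (560/567 on Windows XP, 4656/4663/4657 on Windows Vista and later). Auditing only the rights you actually need, as the example does, is the easiest way to avoid the flooded Security log mentioned in the Discussion.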

Discussion

To enable auditing in the Registry, you have to complete two steps. The first consists of configuring what you want to audit in the Registry, which you can do with the Registry Editor. See Table 9-4 for the complete list of audit options. After you've completed this, auditing isn't turned on yet. To do that, you have to go to the Local Policies snap-in (or Group Policy Object Editor in a domain environment) and enable auditing as described above. At this point, any Registry access to the keys you configured should be logged to the Security event log.

Table 9-4. Registry audit options

Audit name          Description
Create Link         Any attempt to create a symbolic link in a particular key.
Create Subkey       Any attempt to create subkeys on a selected Registry key.
Delete              Any attempt to delete a key.
Enumerate Subkeys   Any attempt to list the subkeys of a key.
Notify              Any notification events from a key in the Registry.
Query Value         Any attempt to read a value from a key.
Read Control        Any attempt to open the discretionary access control list on a key.
Set Value           Any attempt to set a value in a key.
Write DAC           Any attempt to write a discretionary access control list on a key.
Write Owner         Any attempt to change the owner of a key.


It is always a good idea to monitor your event logs closely after you enable auditing. You don't want to fill up your Security log unnecessarily because you are auditing too much.
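One way to do that check is to summarize the Registry audit events per process, so you can see which keys and programs are generating the volume. This is an added example, not part of the cookbook; it assumes Windows Vista or later (Get-WinEvent and event IDs 4657/4663; on XP the corresponding IDs are 560/567 and you would filter in Event Viewer), and the key substring is a sample value.

```powershell
# Added example (not from the cookbook): review what the Registry audit entries
# are producing in the Security log, grouped by process, so noisy entries can be
# trimmed before the log fills up. Assumes Windows Vista or later; run elevated
# (reading the Security log requires administrative rights).

$keyFilter = 'SOFTWARE\Example'   # assumption: substring of the audited key's path

# 4663 = an attempt was made to access an object (handle use), 4657 = a registry value was modified.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657, 4663 } -MaxEvents 500 -ErrorAction SilentlyContinue

$records = foreach ($e in $events) {
    # Pull the EventData fields out of the event XML into a name -> value table.
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        User    = $data['SubjectUserName']
        Process = $data['ProcessName']
        Object  = $data['ObjectName']             # e.g. \REGISTRY\MACHINE\SOFTWARE\Example
        Detail  = if ($e.Id -eq 4657) { 'SetValue ' + $data['ObjectValueName'] } else { 'AccessMask ' + $data['AccessMask'] }
    }
}

# Keep only events for the key we configured, then count them per process.
$records |
    Where-Object { $_.Object -like "*$keyFilter*" } |
    Group-Object Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# The most recent matching events, for a closer look at who did what.
$records |
    Where-Object { $_.Object -like "*$keyFilter*" } |
    Select-Object -First 20 Time, Id, User, Process, Detail |
    Format-Table -AutoSize
```

If one process dominates the count with routine reads, that is the signal to drop Query Value or Enumerate Subkeys from the audit entry, or to narrow the identity from Everyone to the users you actually care about.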


See Also

MS KB 315416, "HOW TO: Use Group Policy to Audit Registry Keys in Windows 2000"



Windows XP Cookbook (Cookbooks)
ISBN: 0596007256
Year: 2006
Pages: 408