Auditing the Registry

As I mentioned earlier, comparing snapshots of the registry is just one method of finding a setting; monitoring is another. The first monitoring method I'll show you is built into Windows: auditing. Use auditing only if you don't have other comparison tools available, however, because for the purpose of tracing settings its disadvantages far outweigh its advantages. The first drawback is that auditing registry changes requires that you know in advance roughly where the setting is located, because auditing the entire registry isn't practical. Second, deciphering the results is cumbersome: you view security events in Event Viewer, and the output isn't intuitive.

Auditing the registry for changes is a three-step process. First you must enable the Audit Object Access policy, which you do by editing Local Security Policy (on a domain member, check that Group Policy isn't overriding the local setting, because a domain audit policy wins at the next policy refresh). After that, you add audit entries to the branches of the registry where you think the setting is located. You can't just audit the entire registry, because doing so would bring even the fastest computer running Windows to a grinding halt: the operating system and applications access the registry thousands of times during a session, and recording the details of every one of those hits isn't practical. Last, after changing the setting or performing the action you're tracking, look at the Security log in Event Viewer to see which values changed. The following sections describe each step.

Setting Audit Policy

The first step in auditing the registry is to enable Audit Policy:

  1. From the Administrative Tools folder, launch Local Security Policy.

  2. In the left pane, under Local Policies, click Audit Policy.

  3. In the right pane, double-click Audit Object Access, and then select both the Success and Failure check boxes.

Auditing Registry Keys

After enabling Audit Policy, audit the specific keys in which you think you're going to find the setting:

  1. In Regedit, click the key that you want to audit.

  2. On the Edit menu, click Permissions, and then in the Permissions dialog box click Advanced.

  3. On the Auditing tab of the Advanced Security Settings dialog box, shown in Figure 10-4, click Add.

    Figure 10-4 Auditing the registry helps you track down settings in the registry.

  4. In the Select User, Computer, Or Group dialog box, click Locations, and then click the computer, domain, or organizational unit in which you want to look for the user or group that you want to audit.

  5. In the Enter The Object Name To Select box, type the name of the user or the group that you want to add to the key's audit list, and then click OK.

  6. In the Auditing Entry dialog box, in the Access list, select the Successful and Failed check boxes next to the activities that you want to audit. The following list of permissions corresponds to the permissions that you learned about in Chapter 8, “Configuring Windows Security.”

    • Full Control

    • Query Value

    • Set Value

    • Create Subkey

    • Enumerate Subkeys

    • Notify

    • Create Link

    • Delete

    • Write DAC

    • Write Owner

    • Read Control

TIP
Audit carefully to avoid too much of a performance penalty. For example, if you're trying to find the location where an application saves a setting, audit only Set Value, change the value in the user interface, and then check your results. Auditing the Everyone group, applied to the key and its subkeys, records the write no matter which account or service performs it. Remove the audit entry when you're done, or the Security log fills with hits on that key.

Analyzing the Results

The final step after enabling Audit Policy and auditing specific keys is checking the results in Event Viewer. To open Event Viewer, click Start, Control Panel, Performance And Maintenance, Administrative Tools, and Event Viewer. In Event Viewer's left pane, click Security. You see each hit in the right pane, with the most recent at the top of the list. Double-click any entry to see its details. The Event Properties dialog box tells you the type of access that Windows detected, the object type and name (the full path of the key), the account that made the access, and the process that accessed the key or the value. On Windows XP and Windows Server 2003, opening the key is recorded as event ID 560 (Object Open) and the write itself as event ID 567 (Object Access Attempt), which names the access, such as Set Value; on Windows Vista and later the corresponding events are 4656 and 4657 (A registry value was modified).
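The whole procedure, scripted. This is an added example and not part of the book. It assumes Windows Vista or later with PowerShell 3 or later, running in an elevated window; the key HKCU\Software\AuditDemo, the value TrackedSetting, and the three function names are invented for the demonstration. It does in code what the three sections above do in the user interface: auditpol.exe turns on Object Access auditing for registry keys only, a Win32 call writes a Set Value audit entry into the key's SACL (the .NET RegistryKey class cannot, because it never opens a key with the ACCESS_SYSTEM_SECURITY right), and Get-WinEvent reads back event ID 4657, which records the key, the value name, the new data, and the process that wrote it.

```powershell
# Added example, not from the book: the three steps above scripted for Windows
# Vista or later, run from an elevated PowerShell window. The key, the value
# name and the function names are constructed for this demonstration.
$KeyPath   = 'HKCU:\Software\AuditDemo'   # hypothetical key under test
$SubKey    = 'Software\AuditDemo'         # same key, relative to HKEY_CURRENT_USER
$ValueName = 'TrackedSetting'             # hypothetical value under test

# Writing a SACL needs a handle opened with ACCESS_SYSTEM_SECURITY, which
# .NET's RegistryKey never requests, so the SACL is written through Win32.
if (-not ('Win32.Sacl' -as [type])) {
    Add-Type -Namespace Win32 -Name Sacl -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)]
public struct TOKEN_PRIVILEGES { public uint Count; public uint LuidLow; public int LuidHigh; public uint Attributes; }
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LookupPrivilegeValue(string system, string name, out long luid);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES state, uint length, IntPtr previous, IntPtr returned);
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern int RegOpenKeyEx(IntPtr hKey, string subKey, uint options, uint samDesired, out IntPtr result);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern int RegSetKeySecurity(IntPtr hKey, uint info, byte[] securityDescriptor);
[DllImport("advapi32.dll")]
public static extern int RegCloseKey(IntPtr hKey);
'@
}

function Enable-SecurityPrivilege {
    # Administrators hold SeSecurityPrivilege, but it stays disabled until enabled.
    $token = [IntPtr]::Zero
    $proc  = [System.Diagnostics.Process]::GetCurrentProcess().Handle
    if (-not [Win32.Sacl]::OpenProcessToken($proc, 0x28, [ref]$token)) {  # TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
        throw 'OpenProcessToken failed'
    }
    $luid = [long]0
    if (-not [Win32.Sacl]::LookupPrivilegeValue($null, 'SeSecurityPrivilege', [ref]$luid)) {
        throw 'LookupPrivilegeValue failed'
    }
    $tp = New-Object 'Win32.Sacl+TOKEN_PRIVILEGES'
    $tp.Count = 1; $tp.LuidLow = [uint32]($luid -band [uint32]::MaxValue); $tp.LuidHigh = [int]($luid -shr 32)
    $tp.Attributes = 0x2                                                   # SE_PRIVILEGE_ENABLED
    if (-not [Win32.Sacl]::AdjustTokenPrivileges($token, $false, [ref]$tp, 16, [IntPtr]::Zero, [IntPtr]::Zero)) {
        throw 'AdjustTokenPrivileges failed'
    }
}

function Set-SetValueAudit {
    # Same result as the Auditing tab: audit Set Value (0x2), success (SA) and
    # failure (FA), for Everyone (WD), on this key and its subkeys (CI).
    param([string]$RelativeKey, [string]$Sddl = 'S:(AU;CISAFA;0x2;;;WD)')
    Enable-SecurityPrivilege
    $hkcu = [IntPtr](-2147483647)                                  # HKEY_CURRENT_USER, sign-extended 0x80000001
    $hKey = [IntPtr]::Zero
    $rc = [Win32.Sacl]::RegOpenKeyEx($hkcu, $RelativeKey, 0, 0x01000000, [ref]$hKey)  # ACCESS_SYSTEM_SECURITY
    if ($rc -ne 0) { throw "RegOpenKeyEx failed with $rc" }
    try {
        $sd    = New-Object System.Security.AccessControl.RawSecurityDescriptor $Sddl
        $bytes = New-Object byte[] $sd.BinaryLength
        $sd.GetBinaryForm($bytes, 0)
        $rc = [Win32.Sacl]::RegSetKeySecurity($hKey, 0x8, $bytes)  # SACL_SECURITY_INFORMATION
        if ($rc -ne 0) { throw "RegSetKeySecurity failed with $rc" }
    } finally { [void][Win32.Sacl]::RegCloseKey($hKey) }
}

function Get-AuditedRegistryWrites {
    # Event 4657 ("A registry value was modified") carries the key, the value
    # name, the new data and the writing process; pull those out of the XML.
    param([datetime]$Since, [string]$KeyFilter = '*')
    $filter = @{ LogName = 'Security'; Id = 4657; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.ObjectName -like $KeyFilter) {
            [pscustomobject]@{
                Time = $_.TimeCreated; Key = $d.ObjectName; Value = $d.ObjectValueName
                NewValue = $d.NewValue; Process = $d.ProcessName; User = $d.SubjectUserName
            }
        }
    }
}

# Step 1: enable auditing for the Registry subcategory of Object Access only.
auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

# Step 2: create the key if needed and put the Set Value audit entry on it.
if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
Set-SetValueAudit -RelativeKey $SubKey

# Step 3: make the change, then read the trail back. ObjectName is the kernel
# path (\REGISTRY\USER\<SID>\Software\AuditDemo), hence the wildcard filter.
$since = Get-Date
Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 1 -Type DWord
Start-Sleep -Seconds 2
Get-AuditedRegistryWrites -Since $since -KeyFilter "*\$SubKey*" | Format-Table -AutoSize
```

Two cautions. auditpol.exe edits the advanced audit policy, which Group Policy overwrites at the next refresh on a domain member, so on a managed machine the Registry subcategory may switch itself off again. And the audit entry stays on the key until you remove it from the Auditing tab; if you leave it, every write to that branch keeps landing in the Security log.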



Microsoft Windows Registry Guide, Second Edition
ISBN: 0735622183
Year: 2003