Auditing Registry Access

Auditing registry access is a great way to track down registry settings, and it's one of the methods that I discuss in Chapter 10, “Finding Registry Settings.” It's also a reasonable way to monitor access to sensitive settings. The problem with auditing the registry is that you must either get very specific about which key you're auditing or pay a severe performance penalty by auditing too much of the registry. It's a fine line between getting the information you need and grinding the computer to a halt.

Auditing a key is a three-step process. First you must enable Audit Policy. You can do that on the network using Group Policy, but that seems silly considering the scope of the performance impact. If you're using auditing as a troubleshooting tool or to track down a setting, turn on Audit Policy locally. In Control Panel, in Classic view, open the Administrative Tools folder, and launch Local Security Policy. You won't find Local Security Policy on a domain controller. In the left pane, under Local Policies, click Audit Policy. In the right pane, double-click Audit Object Access, and then select the Success and Failure check boxes. After you've enabled Audit Policy, use Regedit to audit individual keys, as follows:

  1. In Regedit, click the key that you want to audit.

  2. On the Edit menu, click Permissions; then click Advanced.

  3. On the Auditing tab, shown in Figure 8-3, click Add.

  4. In the Select Users, Computers, Or Groups dialog box, click Locations, and then click the computer, the domain, or the organizational unit in which you want to look for the user or the group that you want to audit.

  5. In the Enter The Object Names To Select box, type the name of the user or the group that you want to add to the key's audit list, and then click OK.

    Figure 8-3 Audit keys sparingly because doing so can significantly impact performance.

  6. In the Auditing Entry For Name dialog box, in the Access list, select both the Successful and Failed check boxes next to the activities for which you want to audit successful and failed attempts. These correspond to the permissions you learned about in the section “Assigning Special Permissions” earlier in this chapter:

    • Full Control

    • Query Value

    • Set Value

    • Create Subkey

    • Enumerate Subkeys

    • Notify

    • Create Link

    • Delete

    • Write DAC

    • Write Owner

    • Read Control

After enabling Audit Policy and auditing specific keys, check the results using Event Viewer. To open Event Viewer, in Control Panel, in Classic view, open the Administrative Tools folder, and launch Event Viewer. In Event Viewer's left pane, click Security. You see each entry in the right pane, and the most recent entries are at the top of the list. Double-click any entry to see more details. The Event Properties dialog box tells you what type of access Windows detected, the object type, and the process that accessed the key or the value. Chapter 10, “Finding Registry Settings,” shows you how to use this information to figure out where Windows or a program stores certain settings in the registry.
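The same three steps, scripted from an elevated PowerShell prompt, as an added example that is not from the book. It assumes Windows Vista/Server 2008 or later, where "Audit Object Access" has a Registry subcategory and key access is logged as Security event 4663; `$KeyPath` and `$Principal` are placeholders, and the key under `$KeyPath` is created only so the script runs end to end.

```powershell
# Added example (not the book's own code). Run as Administrator on Vista/Server 2008 or later.
$KeyPath   = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'   # placeholder key to audit
$Principal = 'Everyone'                                   # placeholder principal to audit

# Step 1: turn on success and failure auditing for registry objects only. auditpol is the
# command-line form of the Audit Object Access setting in Local Security Policy.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

# Step 2: add one SACL entry to the key. Auditing only the write-type rights (Set Value,
# Create Subkey, Delete, Write DAC, Write Owner) keeps the volume down; auditing Query Value
# on a busy key is the usual cause of the performance hit the chapter warns about.
if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
$rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$rule = [System.Security.AccessControl.RegistryAuditRule]::new(
    $Principal, $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $KeyPath -Audit      # -Audit is needed to read and write the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# Perform one audited write so the log has something to show.
Set-ItemProperty -Path $KeyPath -Name 'Setting' -Value 'changed'

# Step 3: read the matching events. Event 4663 names the object in \REGISTRY\MACHINE\...
# form and records the accessing account, process and access mask, the same details the
# Event Properties dialog box shows.
$nativePath = '\REGISTRY\MACHINE\' + $KeyPath.Substring('HKLM:\'.Length)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 200 |
    ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Subject    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Process    = $d.ProcessName
            Object     = $d.ObjectName
            AccessMask = $d.AccessMask
        }
    } |
    Where-Object { $_.Object -like "$nativePath*" } |
    Format-Table -AutoSize
```

The `Where-Object` filter is what keeps the noise manageable: the Security log receives 4663 events for every audited object on the machine, so filter on the key's native path rather than reading the log top to bottom.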



Microsoft Windows Registry Guide, Second Edition
ISBN: 0735622183
Year: 2003
Pages: 186