Process Monitor is supposed to be able to capture the registry changes made by any program. This thread explains it well (thank you, James T).

But it seems things are not so easy when talking about the Group Policy Editor (gpedit.msc), because I am getting more than 738 registry events when trying to change just one entry:

User Configuration -> Administrative Templates -> Code signing for drivers

[Screenshot: lots of captured data]

How can I isolate the specific registry change made by my GPEdit edit?

New data:

As suggested by Frank Thomas (thanks), there was only one RegSetValue entry, named HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{7C9BF3F4-1B9E-476F-871D-D20B09E6DA5A}User\Software\Policies\Microsoft\Windows NT\Driver Signing\BehaviorOnFailedVerify.
This BehaviorOnFailedVerify key was what I was changing, but that key has been changed in multiple places in the registry:

  • At HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{7C9BF3F4-1B9E-476F-871D-D20B09E6DA5A}User\Software\Policies\Microsoft\Windows NT\Driver Signing as stated.
  • At HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\Driver Signing.
  • At HKEY_USERS\S-1-5-21-1389804526-12218611-1726603683-1004\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{7C9BF3F4-1B9E-476F-871D-D20B09E6DA5A}User\Software\Policies\Microsoft\Windows NT\Driver Signing.
  • At HKEY_USERS\S-1-5-21-1389804526-12218611-1726603683-1004\Software\Policies\Microsoft\Windows NT\Driver Signing.

That is: four changes, and only one of them was detected by Process Monitor.
Is this correct? Why?
If I want to perform the same change via the reg command (without using gpedit.msc), which one should I change? All four?

Note: I did not explain it, as I did not think it was necessary, but my original idea was to be able to change the key BehaviorOnFailedVerify via a remote shell (like SSH or telnet). Note 2: For those wondering what this change does: it disables the driver signature verification request, so nothing prompts on the screen to the GUI user when installing some unsigned drivers, like the TAP driver (network) for an OpenVPN unattended installation.

  • Well, every entry you show except the one you have highlighted is a RegQueryKey, RegEnumKey, RegOpenKey, or RegCloseKey event, so that's the process reading the registry, whereas your RegSetValue is the event noting that the registry has been written to. You can filter on that event, or if you have the full path of the key, filter on the Path. Commented Jul 28, 2015 at 1:42
  • Indeed, @FrankThomas. But I am still not sure that the procedure is working. Updated post; please read. Commented Jul 28, 2015 at 2:23
  • Try using a Contains query (rather than an Is) on the Path filter, so you are only matching against BehaviorOnFailedVerify or Windows NT\Driver Signing. Commented Jul 28, 2015 at 2:28
  • Just to point something out on this, despite the age of the question: it is actually only changing in two locations as far as I can tell. HKCU is contained as a sub-key within HKU, so if you change something in HKCU it will, of course, also change in HKU. Commented Feb 11, 2020 at 0:30
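The filtering suggested in the comments above (keep only write operations, then match the path with a "contains" rather than an "is" condition) can also be done on an exported log. The following is an added example, not code from the original question or its comments; it assumes a Process Monitor log saved as CSV with the default column names "Operation" and "Path", and the $sample here-string is a constructed stand-in for such an export. In the Procmon GUI itself the equivalent is two Include filters: Operation is RegSetValue, and Path contains Driver Signing.

```powershell
# Added example (not from the original thread): isolate the registry write
# among Process Monitor noise by operation type, then by path substring.
# Assumption: a Procmon CSV export (File > Save, CSV format) with the default
# columns. $sample below is constructed to look like one; in practice use
#   $events = Import-Csv -Path .\Logfile.CSV

$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:40:01.0000001 AM","mmc.exe","1234","RegOpenKey","HKCU\Software\Policies\Microsoft\Windows NT","SUCCESS","Desired Access: Read"
"1:40:01.0000002 AM","mmc.exe","1234","RegQueryValue","HKCU\Software\Policies\Microsoft\Windows NT\Driver Signing\BehaviorOnFailedVerify","NAME NOT FOUND","Length: 144"
"1:40:01.0000003 AM","mmc.exe","1234","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{7C9BF3F4-1B9E-476F-871D-D20B09E6DA5A}User\Software\Policies\Microsoft\Windows NT\Driver Signing\BehaviorOnFailedVerify","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"1:40:01.0000004 AM","mmc.exe","1234","RegCloseKey","HKCU\Software\Policies\Microsoft\Windows NT","SUCCESS",""
"1:40:01.0000005 AM","explorer.exe","900","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Constructed\Noise","SUCCESS","Type: REG_SZ, Length: 10, Data: x"
'@

$events = $sample | ConvertFrom-Csv

function Get-RegistryWrites {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [string] $PathContains = 'Driver Signing'
    )
    # Writes only. RegSetValue is the value write; the key create/delete
    # operations are kept too, because a first-time change may create the
    # "Driver Signing" key before setting the value under it.
    $writeOps = 'RegSetValue', 'RegCreateKey', 'RegDeleteValue', 'RegDeleteKey'

    $Events |
        Where-Object { $_.Operation -in $writeOps } |
        Where-Object { $_.Path -like "*$PathContains*" } |   # "contains", not "is"
        Select-Object 'Process Name', Operation, Path, Detail
}

# On the constructed sample this returns exactly one row: the mmc.exe
# RegSetValue on the Group Policy Objects\{GUID}User\...\BehaviorOnFailedVerify path.
Get-RegistryWrites -Events $events | Format-List
```

The Detail column is worth keeping in the output: for RegSetValue it carries the value type and data, which is what you need to reproduce the change with reg.exe later.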

1 Answer

Use RegFromApp instead. Attach it to the MMC.exe that runs gpedit, and click on the green arrow to start logging. If you change the entries, the tool generates a .reg file that you can save and use later again.

  • Thank you, magicandre1981. This one seems to be the correct program to monitor registry changes. But it still has the same problem related to the "changed in multiple places in the registry" part of the original question: RegFromApp only detects one of the four changes to the registry. Maybe there is no exact correspondence between the registry and GPEdit? Commented Jul 28, 2015 at 21:15
  • What do you mean by "changed in multiple places in the registry"? Commented Jul 29, 2015 at 4:04
  • The four bullet points are an example of the four changes that I discovered (by searching in RegEdit). As stated, only one was detected by Process Monitor and RegFromApp. Commented Jul 29, 2015 at 8:37
  • Which key does the tool detect? The value under HKEY_CURRENT_USER\Software\Policies should be enough. Commented Jul 29, 2015 at 16:20
  • The tool detects only the first of the four values (see the "New data" part of the question), that is: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{7C9BF3F4-1B9E-476F-871D-D20B09E6DA5A}User\Software\Policies\Microsoft\Windows NT\Driver Signing. Commented Jul 30, 2015 at 6:54
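Putting the answer's advice ("the value under HKEY_CURRENT_USER\Software\Policies should be enough") together with the 2020 comment (HKCU is a view of HKU\<SID>), the four paths in the question are two distinct writes, not four: the Group Policy Objects\{GUID}User copy that gpedit.msc maintains, and Software\Policies, where the setting is actually read. The following added example, not code from the original thread or from the RegFromApp author, sets the value the way one would from a remote shell and then reads it back through both roots to show they are the same hive. Assumptions: the DWORD meanings 0 = Ignore, 1 = Warn, 2 = Block are taken from the policy's Ignore/Warn/Block choices and are not stated on this page, and the script must run as the user whose profile the change is meant for, since HKCU is that user's hive. Two caveats: writing only Software\Policies leaves the {GUID}User cache untouched, so gpedit.msc keeps displaying the old state and a later policy refresh can overwrite the value; and on 64-bit Windows Vista and later, kernel-mode driver signature enforcement is not governed by this user policy at all.

```powershell
# Added example (not from the original thread): set BehaviorOnFailedVerify
# directly under Software\Policies, as a remote shell would, and show that
# HKCU\... and HKU\<SID>\... are one write seen through two roots.
# Assumption: 0 = Ignore, 1 = Warn, 2 = Block (derived from the policy's
# Ignore/Warn/Block choices; not stated on the page). Run as the target user.

$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows NT\Driver Signing'
$valueName = 'BehaviorOnFailedVerify'

function Set-DriverSigningBehavior {
    param([ValidateSet(0, 1, 2)] [int] $Behavior)

    # Equivalent reg.exe command for a plain cmd/telnet session:
    #   reg add "HKCU\Software\Policies\Microsoft\Windows NT\Driver Signing" ^
    #       /v BehaviorOnFailedVerify /t REG_DWORD /d 0 /f
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null     # creates intermediate keys
    }
    New-ItemProperty -Path $policyKey -Name $valueName -PropertyType DWord `
        -Value $Behavior -Force | Out-Null
}

function Get-DriverSigningBehavior {
    # Read the same value through HKCU and through HKU\<SID>. The SID comes
    # from the current token rather than being hard-coded, and HKU is mapped
    # as a PSDrive because PowerShell only exposes HKCU: and HKLM: by default.
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $hkuKey  = "HKU:\$sid\Software\Policies\Microsoft\Windows NT\Driver Signing"
    $viaHkcu = (Get-ItemProperty -Path $policyKey -Name $valueName).$valueName
    $viaHku  = (Get-ItemProperty -Path $hkuKey    -Name $valueName).$valueName

    [pscustomobject]@{
        SID      = $sid
        ViaHKCU  = $viaHkcu
        ViaHKU   = $viaHku
        SameHive = ($viaHkcu -eq $viaHku)   # always $true: same key, two paths
    }
}

Set-DriverSigningBehavior -Behavior 0
Get-DriverSigningBehavior
```

If the goal is for gpedit.msc to agree with what was set remotely, make the change through the policy engine instead (gpedit on the console, or a local GPO applied by gpupdate) rather than hand-editing the {GUID}User cache key; the cache is internal to Group Policy and its layout is not something to depend on.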
