
I want to audit registry modifications, or attempts in case of failure. For that purpose, I have set the audit policy as follows:

    auditpol /set /subcategory:"Registry" /success:enable /failure:enable

However, even if I modify the registry, or attempt to modify keys where I don't have modification permission, I am not able to see any logs in the Event Viewer, under Security log.

The user I am setting the policy with, and then editing the registry with, is a Local Administrator user. The computer is not a member of a domain.

What am I missing here?

  • Your user is an Administrator? Is this user a member of an AD domain? Instead of submitting a comment, edit your question.
    – Ramhound
    Commented Oct 16, 2020 at 11:09
  • Similar to superuser.com/questions/896263/… You might be missing the bit on Auditing which is set on the registry key.
    Commented Oct 16, 2020 at 12:07
  • Thanks @spikey_richie, the answer to the linked post answers my question. However, since the question itself is different, and probably I couldn't find it because of that, I'm leaving this here. If you post the solution here I will mark it as the answer.
    – anderZubi
    Commented Oct 19, 2020 at 7:03

1 Answer


Apparently, apart from setting the audit policy, it is necessary to explicitly set the registry keys we want to audit through their ACL.

In case we want to automate this setting it can be done using PowerShell as follows:

    $key = "HKLM:\System\" # the key we want to audit
    $sid = New-Object System.Security.Principal.SecurityIdentifier("S-1-1-0") # User, in this case "Everyone"
    # -Audit loads the existing SACL so the new rule is added to it instead of replacing it;
    # reading or writing the SACL needs an elevated session (SeSecurityPrivilege)
    $RegKey_ACL = Get-Acl $key -Audit
    # rights to audit, inheritance to subkeys and values, and both success and failure outcomes
    $AccessRule = New-Object System.Security.AccessControl.RegistryAuditRule($sid,"SetValue,CreateSubKey,Delete","ObjectInherit,ContainerInherit","None","Success,Failure")
    $RegKey_ACL.AddAuditRule($AccessRule)
    $RegKey_ACL | Set-Acl $key
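As an added example (not part of the answer above), a PowerShell check that both halves are in place and that events actually arrive: it reads the Registry subcategory policy back from auditpol, lists the SACL entries on the key, performs a throw-away write under the key, and queries the Security log for the resulting object-access events. It assumes an elevated session and the same HKLM:\System\ key; the probe subkey name is made up for this check.

```powershell
# Added example, not from the answer above. Assumes an elevated PowerShell session
# and the key the answer audits; the probe subkey name is constructed for this check.
$key      = 'HKLM:\System\'
$probeKey = Join-Path $key 'AuditProbe_Example'   # temporary subkey, removed at the end

# 1. Audit policy: the "Registry" subcategory must show Success and Failure.
#    /r prints CSV; the leading blank line is dropped before parsing.
$policy = auditpol /get /subcategory:"Registry" /r | Where-Object { $_ } | ConvertFrom-Csv
"Policy: {0} -> {1}" -f $policy.Subcategory, $policy.'Inclusion Setting'

# 2. SACL: -Audit is required, otherwise Get-Acl returns no audit entries at all.
$audit = (Get-Acl -Path $key -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
if (-not $audit) { Write-Warning "No audit entries on $key; the SACL from the answer is not applied." }
$audit | Select-Object IdentityReference, RegistryRights, AuditFlags, InheritanceFlags | Format-Table -AutoSize

# 3. Generate activity the SACL should catch: create a subkey, set a value, delete it.
$start = (Get-Date).AddSeconds(-2)
New-Item -Path $probeKey -Force | Out-Null
New-ItemProperty -Path $probeKey -Name 'Probe' -Value 1 -PropertyType DWord -Force | Out-Null
Remove-Item -Path $probeKey -Recurse -Force

# 4. Read the resulting Security events. 4656 = handle requested, 4657 = value modified,
#    4660 = object deleted, 4663 = access attempted. The object name appears in the
#    message in native form (\REGISTRY\MACHINE\SYSTEM\...), not as HKLM:\...
$filter = @{ LogName = 'Security'; Id = 4656, 4657, 4660, 4663; StartTime = $start }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match 'AuditProbe_Example' }
if (-not $events) {
    Write-Warning "No registry audit events found; both the auditpol setting and the SACL must be in place."
} else {
    $events | Select-Object TimeCreated, Id, @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize
}
```

If step 1 or 2 already reports nothing, step 4 will be empty as well, which is exactly the symptom in the question.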
