5

I have a (win8) system where, each time it is rebooted, something is modifying the HOME environment variable.

This is causing problems, and I want to track down what is modifying it.

Is there any way to tell what is modifying that environment variable?

1
  • 1
    Not an easy task. If you are in an AD environment, group policy is probably doing it. If not, look at everything that runs at startup. You could also use procmon to monitor registry changes during startup.
    – EBGreen
    Commented Mar 31, 2015 at 14:58

1 Answer

11

Monitoring when registry keys are modified:

What we need to do is:

  1.   Run the following command from Command Prompt:

           auditpol /set /subcategory:"Registry" /success:enable

       Note: if the OS has a different language pack, the name Registry might differ. For instance, on a German Windows, the name is Registrierung. To see what the name of the subcategory is you can run:

           auditpol /list /subcategory:*

  2.   Open Registry Editor and navigate to the key which we want to audit:

         • User Variables: HKEY_CURRENT_USER\Environment
         • System Variables (PATH is a system variable): HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\

  3.   Right-click on the key and choose `Permissions…`

  4.   Click `Advanced` and switch to the `Auditing` tab

  5.   Add a user or group and select Access: Set Value

  6.   Apply settings
Now the registry changes are visible in the Event Viewer under Windows Logs\Security.

1
  • 1
    I added a German Language pack to a Server 2016 VM and the category and subcategory list is now completely in English and not dependent on the language pack installed on the system.
    Commented Jul 5, 2017 at 10:01
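
Once the audit entry from the answer above is in place and the machine has been rebooted, the Security log can be filtered for writes to HOME instead of browsing Event Viewer by hand. The PowerShell below is an added example, not part of the original answer; it assumes an elevated prompt, that the audited writes are logged as event ID 4657 ("A registry value was modified") with its standard EventData field names, and that HOME is the value being tracked.

```powershell
# Added example: run from an elevated PowerShell prompt after the reboot.
# Assumption: the variable being tracked is HOME; change $valueName for another one.
$valueName = 'HOME'

# Event ID 4657 = "A registry value was modified" (Security log).
# -ErrorAction SilentlyContinue suppresses the error raised when no events match.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } `
                       -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Flatten the <EventData><Data Name="..."> elements into a lookup table.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    # The log records kernel paths: HKCU appears as \REGISTRY\USER\<SID>\Environment,
    # HKLM as \REGISTRY\MACHINE\SYSTEM\ControlSet00x\Control\Session Manager\Environment.
    # Matching on the trailing key name covers both user and system variables.
    if ($data['ObjectName'] -like '*\Environment' -and
        $data['ObjectValueName'] -eq $valueName) {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            User     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Process  = $data['ProcessName']   # executable that performed the write
            Key      = $data['ObjectName']
            OldValue = $data['OldValue']
            NewValue = $data['NewValue']
        }
    }
}

# Oldest first, so the first write after boot is at the top.
$hits | Sort-Object Time | Format-List
```

The `Process` and `User` columns identify what wrote the value; if the process is a generic host such as a script interpreter or service host, correlate `Time` with startup items and scheduled tasks.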
