Monitoring when registry keys are modified:
What we need to do is:

- Run the following command from Command Prompt:

        auditpol /set /subcategory:"Registry" /success:enable

  Note: if the OS has a different language pack, the name `Registry` might differ. For instance, on a German Windows, the name is `Registrierung`. To see what the name of the subcategory is, you can run:

        auditpol /list /subcategory:*

- Open Registry Editor and navigate to the key which we want to audit:
  - User Variables: `HKEY_CURRENT_USER\Environment`
  - System Variables (`PATH` is a system variable): `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\`
- Right-click on the key and choose `Permissions…`

  ![enter image description here](https://cdn.statically.io/img/i.sstatic.net/zEHYh.png)

- Click `Advanced` and switch to the `Auditing` tab

  ![enter image description here](https://cdn.statically.io/img/i.sstatic.net/azsgI.png)

- Add a user or group and select Access: `Set Value`
- Apply settings

Now the registry changes are visible in the Event Viewer under `Windows Logs\Security`:

![enter image description here](https://cdn.statically.io/img/i.sstatic.net/qDDXT.png)
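The same procedure scripted end to end, as an added example that is not part of the answer above: it enables the Registry audit subcategory, puts the `Set Value` audit entry on the system `Environment` key, and then pulls the resulting `4657` ("A registry value was modified") events for the `Path` value out of the Security log instead of reading them in Event Viewer. It assumes an elevated PowerShell session (reading or writing a SACL needs `SeSecurityPrivilege`, which only an elevated token holds). Two choices avoid the language-pack problem the answer mentions: the subcategory is addressed by its GUID (`{0CCE921E-69AE-11D9-BED3-505054503030}`, which I take to be "Audit Registry"; confirm on your build with `auditpol /list /subcategory:* /v`), and the audited principal is the well-known SID `S-1-1-0` rather than the localized name `Everyone`. The `Native.Sacl` helper class is my own; it exists because the managed `RegistryKey` API opens keys without `ACCESS_SYSTEM_SECURITY`, which the kernel requires on a handle before its SACL can be read or changed.

```powershell
# Added example (not from the original answer). Run as a whole script in an
# elevated PowerShell session. Names, GUID and the one-hour query window are
# assumptions; adjust them to your environment.
$ErrorActionPreference = 'Stop'
$subKey = 'SYSTEM\CurrentControlSet\Control\Session Manager\Environment'

# 1. Enable "Audit Registry" for success, addressing the subcategory by GUID so
#    the command does not depend on the display language (Registry/Registrierung).
$registrySubcategory = '{0CCE921E-69AE-11D9-BED3-505054503030}'   # assumed: Audit Registry
auditpol /set /subcategory:"$registrySubcategory" /success:enable | Out-Null
if ($LASTEXITCODE -ne 0) { throw "auditpol failed with exit code $LASTEXITCODE" }

# 2. Add a SACL entry equivalent to regedit's Auditing tab: Everyone, Set Value, Success.
#    Helper P/Invokes: enable SeSecurityPrivilege, then open the key with
#    ACCESS_SYSTEM_SECURITY so .NET's Get/SetAccessControl can touch the SACL.
Add-Type -Namespace Native -Name Sacl -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)] public struct LUID { public uint Low; public int High; }
[StructLayout(LayoutKind.Sequential)] public struct TOKEN_PRIVILEGES { public uint Count; public LUID Luid; public uint Attr; }
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES newState, uint len, IntPtr prev, IntPtr retLen);
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern int RegOpenKeyEx(IntPtr hKey, string subKey, uint options, uint samDesired, out IntPtr result);
'@

$token = [IntPtr]::Zero
$TOKEN_ADJUST_PRIVILEGES_AND_QUERY = 0x28                      # TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
if (-not [Native.Sacl]::OpenProcessToken([Diagnostics.Process]::GetCurrentProcess().Handle,
        $TOKEN_ADJUST_PRIVILEGES_AND_QUERY, [ref]$token)) { throw 'OpenProcessToken failed' }
$luid = New-Object 'Native.Sacl+LUID'
if (-not [Native.Sacl]::LookupPrivilegeValue($null, 'SeSecurityPrivilege', [ref]$luid)) { throw 'LookupPrivilegeValue failed' }
$tp = New-Object 'Native.Sacl+TOKEN_PRIVILEGES'
$tp.Count = 1; $tp.Luid = $luid; $tp.Attr = 2                  # SE_PRIVILEGE_ENABLED
[void][Native.Sacl]::AdjustTokenPrivileges($token, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)
if ([Runtime.InteropServices.Marshal]::GetLastWin32Error() -ne 0) {
    throw 'SeSecurityPrivilege is not held: run this from an elevated session'   # ERROR_NOT_ALL_ASSIGNED
}

$KEY_READ = 0x20019; $ACCESS_SYSTEM_SECURITY = 0x01000000
$rawKey = [IntPtr]::Zero
$rc = [Native.Sacl]::RegOpenKeyEx([Microsoft.Win32.Registry]::LocalMachine.Handle.DangerousGetHandle(),
        $subKey, 0, ($KEY_READ -bor $ACCESS_SYSTEM_SECURITY), [ref]$rawKey)
if ($rc -ne 0) { throw "RegOpenKeyEx failed with Win32 error $rc" }
$safeHandle = New-Object Microsoft.Win32.SafeHandles.SafeRegistryHandle($rawKey, $true)
$key = [Microsoft.Win32.RegistryKey]::FromHandle($safeHandle)
try {
    $acl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Audit)
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')   # "Everyone" in any language
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        $everyone, 'SetValue', 'None', 'None', 'Success')
    $acl.AddAuditRule($rule)                                    # no-op if an identical entry already exists
    $key.SetAccessControl($acl)                                 # writes only the SACL; DACL and owner untouched
} finally {
    $key.Close()
}

# 3. Read back what the Auditing tab produces: 4657 in the Security log, filtered to
#    the Environment key's Path value. ObjectName uses the native path, in which
#    CurrentControlSet is resolved to ControlSetNNN, hence the wildcard prefix.
$filter = @{ LogName = 'Security'; Id = 4657; StartTime = (Get-Date).AddHours(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $xml = [xml]$_.ToXml()
    $data = @{}
    foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
    if ($data.ObjectName -like '*\Session Manager\Environment' -and $data.ObjectValueName -eq 'Path') {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Process = $data.ProcessName
            Old     = $data.OldValue
            New     = $data.NewValue
        }
    }
}
```

The `ProcessName` field in step 3 is what makes this useful for investigation: it tells you which binary rewrote `PATH`, which the regedit view alone does not make obvious. If no rows come back after a test change, check `auditpol /get /subcategory:"{0CCE921E-69AE-11D9-BED3-505054503030}"` first, then confirm the audit entry with `Get-Acl -Audit` on the key; the policy and the SACL both have to be in place before the first `4657` is written.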