3

Hi, I want tools or an audit policy that can help me track all changes made to the Windows Server registry (including who made the change, what the old value was, what the new value is, and the change type {delete, create, modify}).

Your support is highly appreciated

Khaledios
  • I just found a few articles regarding monitoring the registry through WMI: http://stackoverflow.com/questions/144468/tracking-changes-in-windows-registry http://code.msdn.microsoft.com/windowsdesktop/CSMonitorRegistryChange-d297cdf0 http://social.msdn.microsoft.com/Forums/en-US/65dc039e-3645-4a01-a8fa-7cb373aac36b/using-wmi-to-monitor-registry – Khaledios May 28 '14 at 22:16

1 Answer

0

Windows Security Log Event ID 4657 will tell you when someone edits a registry key, so you can look for that in your Event Viewer. The only caveat to this is that you have to turn on auditing first. See this to turn on auditing for both domain and workgroup environments.

This is also a link from Microsoft supporting the method from techtarget.com.

Brad Bouchard
  • I tried this one, but the issue is that it creates a bulk of events, and most of them were for querying keys only. I need something more specific, like editing, removing, or creating keys. – Khaledios May 28 '14 at 21:44
  • You may have to look at a third party tool then, although in my mind I wouldn't want to do that. The more native tools/functions I can use the better in my mind. – Brad Bouchard May 28 '14 at 22:02
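
An added example, not part of the original answer or its comments: one way to keep the native Event ID 4657 approach while avoiding read noise is to audit only write-type access on the key, then pull who, old value, new value and change type out of each 4657 event. The key path `HKLM:\SOFTWARE\ExampleVendor` is a placeholder, and the script assumes an elevated PowerShell session on an English-language system.

```powershell
# Added example. $keyPath is a hypothetical key; replace it with the key to watch.
$keyPath = 'HKLM:\SOFTWARE\ExampleVendor'

# 1. Enable the Registry audit subcategory for successful access.
auditpol /set /subcategory:"Registry" /success:enable

# 2. Audit only write-type rights on the key, so reads (Query Value) log nothing.
#    4657 reports value-level changes; subkey creation and key deletion
#    are logged under 4663 / 4660 instead.
$rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete'
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone', $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl = Get-Acl -Path $keyPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 3. Read 4657 events and map the fields to who / what / old / new / change type.
$opNames = @{ '%%1904' = 'create'; '%%1905' = 'modify'; '%%1906' = 'delete' }
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } -MaxEvents 200 |
    ForEach-Object {
        # Flatten the <EventData> name/value pairs into a hashtable.
        $data = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        $op = [string]$data['OperationType']
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Who      = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Key      = $data['ObjectName']
            Value    = $data['ObjectValueName']
            Change   = $opNames[$op]
            OldValue = $data['OldValue']
            NewValue = $data['NewValue']
            Process  = $data['ProcessName']
        }
    } | Format-Table -AutoSize
```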