I want to monitor registry modifications to a given key, its subkeys and its values by setting the relevant SACLs and consuming the resulting audit events.
I've set the SACL in place on the registry key and configured it to monitor all modification attempts from Everyone:
I've noticed that when a new value is created with the command-line reg command, an audit event is generated:
reg add hklm\SYSTEM\CurrentControlSet\Services\TestService /v DeleteFlag /t REG_NONE /d 1
However, no event is generated when the new key is created from C# code. For example:
using Microsoft.Win32;   // needed for RegistryValueKind; the rest is fully qualified below

// Create (or open) the key and write the same DeleteFlag value the reg command above writes.
Microsoft.Win32.RegistryKey key = Microsoft.Win32.Registry.LocalMachine.CreateSubKey(@"SYSTEM\CurrentControlSet\Services\TestService");
key.SetValue("DeleteFlag", "1", RegistryValueKind.DWord);   // the string "1" is converted to a DWORD
key.Close();
There is also no event when the value is not created directly by me. For example, running "sc create", which writes to the registry:
sc create haithamtest2 binpath= "c:\temp\123.exe"
Why is this happening, and is there any way to capture these events?
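The setup described in the question, as an added example that is not the asker's code: a PowerShell script that applies the SACL to the key from the question, enables the Object Access > Registry audit subcategory (assumed here as a prerequisite; the question does not say whether it is on), reproduces the reg and .NET writes, and then reads the matching 4656/4657/4663 events back from the Security log with the user, process and value name extracted from each event. The key and value names are the ones from the question; it must run from an elevated prompt, because writing a SACL needs SeSecurityPrivilege and reading the Security log needs administrative rights.

```powershell
# Added example, not code from the question. Run from an elevated PowerShell prompt.
# Key path and value name are taken from the question; everything else is assumed.

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\TestService'

# 1. A SACL only produces events if the "Registry" subcategory under Object Access is
#    enabled. Without this policy a correct SACL is silently ignored, so check it first.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

# 2. Put a SACL on the key: audit successful write-type access by Everyone and let it
#    inherit to subkeys and values (ContainerInherit + ObjectInherit).
if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
$acl  = Get-Acl -Path $KeyPath -Audit
$rule = [System.Security.AccessControl.RegistryAuditRule]::new(
    'Everyone',
    'SetValue,CreateSubKey,Delete,WriteKey,ChangePermissions,TakeOwnership',
    'ContainerInherit,ObjectInherit',
    'None',
    'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# 3. Write the value the two ways the question compares: reg.exe and the .NET registry API.
$since = Get-Date
reg add HKLM\SYSTEM\CurrentControlSet\Services\TestService /v DeleteFlag /t REG_NONE /d 1 /f | Out-Null
$key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey('SYSTEM\CurrentControlSet\Services\TestService')
$key.SetValue('DeleteFlag', 1, [Microsoft.Win32.RegistryValueKind]::DWord)
$key.Close()
Start-Sleep -Seconds 2   # give the Security log a moment to receive the events

# 4. Read the registry audit events back and show who wrote what, from which process.
#    4656 = handle to an object requested, 4657 = registry value modified,
#    4663 = an attempt was made to access an object (handle actually used).
$filter = @{ LogName = 'Security'; Id = 4656, 4657, 4663; StartTime = $since }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        User    = $d['SubjectUserName']
        Process = $d['ProcessName']
        Object  = $d['ObjectName']        # \REGISTRY\MACHINE\... form
        Value   = $d['ObjectValueName']   # only present on 4657
        Access  = $d['AccessList']        # only present on 4656 / 4663
    }
} | Where-Object { $_.Object -like '*TestService*' } | Format-Table -AutoSize
```

Comparing the Process column of the 4656/4663 rows with the 4657 rows is the quickest way to see which writer opened a handle with which access mask and whether a value-modification event followed, which is exactly the difference between the two cases the question describes.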