In certain environments you may want to track changes to the registry by users without explicitly forbidding them. One way to do this is through Windows' own built-in registry auditing function, which logs any registry changes (or accesses) made by a user to the system log.

Auditing of Windows registry keys is disabled by default, and needs to be turned on through the use of group policy. This can be done on a domain or a standalone computer. Once enabled, changes to Windows registry keys by users are written to the system log.

On a domain, open the Active Directory Users and Computers console, in Group Policy | Computer Configuration | Windows Settings | Security Settings | Local Policies | Audit Policy | Audit object access. Select both Success and Failure to audit all actions against the registry.

On a standalone computer, you can enable registry auditing through the group policy console. In Start | Run, type gpedit.msc and press Enter. Under Computer Configuration, look in Windows Settings | Security Settings | Local Policies | Audit Policy, and enable Audit object access on both Success and Failure.

Once this is done, auditing can be done by opening regedit (or regedt32 on Windows 2000), then right-clicking on a particular key to audit and selecting Permissions | Advanced | Auditing. There are nine types of access that can be audited:

Query Value

Requires Free Membership to View

: Attempts to read a key's values.
Set Value: Attempts to change or create a new key value.
Create Subkey: Attempts to create a new subkey under the current key.
Enumerate Subkeys: Attempts to query the key for a list of its subkeys.
Notify: Notification events generated by the key (if any).
Create Link: Attempts to create a symbolic link to the key.
Delete: Attempts to delete the key, one of its subkeys, or one of its values.
Write DAC: Attempts to change the security permissions to the key or its subkeys or values.
Read Control: Attempts to read security permissions for the key.

Note that when auditing is enabled, the security log (where the events are written) can fill up very quickly, especially if a great many changes or accesses to the registry are made. For this reason, auditing should only be done on select keys.

Note also that when you turn on security auditing for the registry, this enables security auditing for the file system as well. There is no way to activate them independently of each other (short of simply not enabling auditing on individual file system objects).


Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check out his Windows 2000 blog for his latest advice and musings on the world of Windows network administrators – please share your thoughts as well!


This was first published in April 2004

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.