Problem solve Get help with specific problems with your technologies, process and projects.

Auditing changes to the registry

How to set up auditing so that changes made to the registry are tracked.

In certain environments you may want to track changes to the registry by users without explicitly forbidding them....

One way to do this is through Windows' own built-in registry auditing function, which logs any registry changes (or accesses) made by a user to the system log.

Auditing of Windows registry keys is disabled by default, and needs to be turned on through the use of group policy. This can be done on a domain or a standalone computer. Once enabled, changes to Windows registry keys by users are written to the system log.

On a domain, open the Active Directory Users and Computers console, in Group Policy | Computer Configuration | Windows Settings | Security Settings | Local Policies | Audit Policy | Audit object access. Select both Success and Failure to audit all actions against the registry.

On a standalone computer, you can enable registry auditing through the group policy console. In Start | Run, type gpedit.msc and press Enter. Under Computer Configuration, look in Windows Settings | Security Settings | Local Policies | Audit Policy, and enable Audit object access on both Success and Failure.

Once this is done, auditing can be done by opening regedit (or regedt32 on Windows 2000), then right-clicking on a particular key to audit and selecting Permissions | Advanced | Auditing. There are nine types of access that can be audited:

Query Value: Attempts to read a key's values.
Set Value: Attempts to change or create a new key value.
Create Subkey: Attempts to create a new subkey under the current key.
Enumerate Subkeys: Attempts to query the key for a list of its subkeys.
Notify: Notification events generated by the key (if any).
Create Link: Attempts to create a symbolic link to the key.
Delete: Attempts to delete the key, one of its subkeys, or one of its values.
Write DAC: Attempts to change the security permissions to the key or its subkeys or values.
Read Control: Attempts to read security permissions for the key.

Note that when auditing is enabled, the security log (where the events are written) can fill up very quickly, especially if a great many changes or accesses to the registry are made. For this reason, auditing should only be done on select keys.

Note also that when you turn on security auditing for the registry, this enables security auditing for the file system as well. There is no way to activate them independently of each other (short of simply not enabling auditing on individual file system objects).

Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check out his Windows 2000 blog for his latest advice and musings on the world of Windows network administrators – please share your thoughts as well!

Dig Deeper on Windows client management