Friday, 9 January 2015

How to Track and Audit Registry Changes

Tracking registry changes is one of the important tasks in Windows auditing. Using the built-in Windows auditing we can easily find out who accessed or changed a particular registry value, and when. Registry change auditing is controlled by two settings: the Object Access audit policy in Group Policy, and the audit security (SACL) of the registry key we want to monitor. Once both are configured, the following events are generated.

4656 - A handle to a registry key or registry value was requested.
4657 - A registry value was modified.
4660 - A registry key or value was deleted or removed.
4663 - An attempt was made to access a registry key or registry value.


Registry change auditing involves the following three steps.

Enable Object Access Audit Policy

This audit security setting determines whether the OS audits user attempts to access the registry and the file system. Registry events are generated only for keys that have a system access control list (SACL) specified, so don't forget to configure the Registry Access Audit Security (SACL) on the registry key whose accesses and changes you want to track.

Note: You must also configure the Registry Access Audit Security settings on the registry key you want to track; without a SACL on the key, no events are generated.

1. Open the Local Security Policy console by running the command secpol.msc.

2. Navigate to the node Audit Policy (Security Settings/Local Policies/Audit Policy). In the right-hand pane, select the setting Audit object access.

3. Double-click Audit object access, and check both audit options, Success and Failure, to record successful registry accesses as well as access-denied attempts.

4. Click Apply to save the setting.

Enable Registry Access Audit Security (SACL)

The system access control list (SACL) of a registry key determines whether access events for that key are generated at all. You therefore need to enable the SACL on the registry key you want to monitor, or on a root key to cover the whole subtree of keys and values beneath it.

1. Open the Registry Editor by running the command regedit.

2. Right-click the registry key you want to audit, and click Permissions.

3. In the Security window, click the Advanced button.

4. Go to the Auditing tab, and click Add.

5. Select the account Everyone, check the Successful and Failed audit options you want to audit, click OK, and then click Apply.
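The same two settings can be applied from an elevated PowerShell prompt. This is an added example, not part of the original post; it assumes the key HKLM:\SOFTWARE\MorganApp from the sample event further down, and uses auditpol.exe for the audit policy and Get-Acl/Set-Acl for the SACL.

```powershell
# Added example (not from the original post): apply the two settings above
# from the command line. Run from an elevated PowerShell prompt.
$KeyPath = 'HKLM:\SOFTWARE\MorganApp'   # key from the post's sample event; change as needed

# Step 1: Audit object access. secpol.msc sets the category; auditpol.exe sets
# the Registry subcategory underneath it, which is the one these events need.
auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

# Step 2: add a SACL entry for Everyone on the key. -Audit is required, or
# Get-Acl returns only the DACL and Set-Acl would leave the SACL untouched.
$acl = Get-Acl -Path $KeyPath -Audit

# Everyone by well-known SID (S-1-1-0) so it resolves on any language of Windows.
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
# Audit value writes, subkey creation and deletion, for success and failure;
# ContainerInherit pushes the entry down to every subkey (values have no ACL of their own).
$rights  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete'
$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.RegistryAuditRule `
            -ArgumentList $everyone, $rights, $inherit, $prop, $flags
$acl.AddAuditRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# Check the result: the policy line and the audit entries now on the key.
auditpol.exe /get /subcategory:"Registry"
(Get-Acl -Path $KeyPath -Audit).Audit |
    Format-Table IdentityReference, RegistryRights, AuditFlags, InheritanceFlags -AutoSize
```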

Registry Change Auditing Event IDs

Once the above two settings are configured, the events are generated. To view the registry change events, follow these steps.

1. Open the Run window, type eventvwr.msc, and click OK.

2. In the Event Viewer console, expand the tree node Windows Logs and select Security.

3. The right-hand pane now shows a large number of events. To track only registry access and changes, we need only the event IDs 4656, 4657, 4660 and 4663. To filter on these four events, right-click the Security node and click Filter Current Log.

4. Type the event IDs 4656, 4657, 4660 and 4663 as comma-separated values and click OK.

5. The result window now lists only registry access events. Double-click any event to see what action was performed on the particular registry key.

4656: This is the first event logged when a user attempts to access a registry key. It reports what type of access the user requested; it does not tell you what access was actually exercised (that is reported by event ID 4663).

4657: A registry value was modified.

4660: A registry key or value was deleted or removed.

4663: This event reports the actual operation the user performed on the registry object: whether the registry key or registry value was created, modified, deleted, or simply accessed.

Sample Event 4657 - Registry Change Event:
Log Name:      Security
Date:          1/9/2015 10:39:27 PM
Event ID:      4657
Task Category: Registry
Keywords:      Audit Success
Computer:      hp-PC
A registry value was modified.

 Security ID:  hp-PC\Administrator
 Account Name:  Administrator
 Account Domain:  hp-PC
 Logon ID:  0x2a81c

 Object Value Name: SampleKey
 Handle ID:  0x134
 Operation Type:  Existing registry value modified

Process Information:
 Process ID:  0x8b0
 Process Name:  C:\Windows\regedit.exe

Change Information:
 Old Value Type:  REG_SZ
 Old Value:  sss
 New Value Type:  REG_SZ
 New Value:  ttt
The above sample event 4657 was generated when I changed the value of registry \REGISTRY\MACHINE\SOFTWARE\MorganApp\SampleKey from sss to ttt.
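The Filter Current Log step, and the per-event fields shown in the sample above, can also be pulled out with Get-WinEvent. This is an added example, not part of the original post; it assumes the Security log is readable (elevated prompt) and that the events carry the standard EventData field names (ObjectName, ObjectValueName, OldValue, NewValue, HandleId, ProcessName).

```powershell
# Added example (not from the original post): collect the four registry audit
# event IDs from the Security log and flatten them into one row per event, the
# same result as the "Filter Current Log" step above. Run from an elevated prompt.
$RegistryAuditIds = 4656, 4657, 4660, 4663

function Get-RegistryAuditEvent {
    param(
        [string]$KeyFilter = '*',    # e.g. '*MorganApp*' to narrow to one key
        [int]$MaxEvents = 500
    )
    $filter = @{ LogName = 'Security'; Id = $RegistryAuditIds }
    $rows = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Each field shown in Event Viewer is a <Data Name="..."> element in the XML.
        $d = @{}
        foreach ($item in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            User      = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Key       = $d.ObjectName          # absent on 4660
            ValueName = $d.ObjectValueName     # 4657 only
            Operation = $d.OperationType       # 4657 only
            OldValue  = $d.OldValue
            NewValue  = $d.NewValue
            HandleId  = $d.HandleId
            Process   = $d.ProcessName
        }
      }
    # 4660 (delete) carries no key name; tie it to the key through the HandleId
    # that the matching 4656 (handle requested) event reported.
    $handles = $rows | Where-Object { $_.Key -like $KeyFilter } | ForEach-Object HandleId
    $rows | Where-Object { $_.Key -like $KeyFilter -or ($_.Id -eq 4660 -and $_.HandleId -in $handles) }
}

# Recent changes and deletes under the key from the sample event, with the
# before/after values that the 4657 event carries.
Get-RegistryAuditEvent -KeyFilter '*MorganApp*' |
    Where-Object { $_.Id -in 4657, 4660 } |
    Format-Table Time, Id, User, Key, ValueName, OldValue, NewValue, Process -AutoSize
```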

