topic Re: HKLM\SYSTEM\CurrentControlSet Monitoring in Alerting

HKLM\SYSTEM\CurrentControlSet Monitoring

hayduk — Thu, 29 Nov 2018 13:58:52 GMT

Hi,

I try to monitor the Registry Hive HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters. Unfortunately, it didn’t get any Event from this registry hive.

I have setup the Monitoring the following way:

[WinRegMon://hklm_dnsserver]
disabled = 0
hive = HKEY_LOCAL_MACHINE\\SYSTEM\\*ControlSet*\\Services\\DNS\\Parameters\\.*
proc = .*
type = set|create|delete|rename
index = windows

If already tried a lot of different path defintions like

hive = \\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\DNS\\Parameters\\.*

hive = \\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters\\.*

hive = \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\DNS\\Parameters\\.*

other registry keys, for example, under HKLM\SOFTWARE are working without Problems.

Did anyone managed to get a working registry Monitoring for HKLM\CurrentControlSet?

Kind regards
Stefan

Re: HKLM\SYSTEM\CurrentControlSet Monitoring

nathanhfraenkel — Thu, 20 Jun 2019 10:38:20 GMT

I have the same problem. If I enable ControlSet001 and 002 works fine. As soon as I enable CurrentControlSet all three stop working.

Re: HKLM\SYSTEM\CurrentControlSet Monitoring

nathanhfraenkel — Wed, 30 Sep 2020 01:00:56 GMT

There is already another post and answer to this question:

This is a known issue - SPL-58682 - with Splunk monitoring the Current Control Set for this section. The work around is to use the following setting for hive:
1. hive = HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET\ENUM\USBSTOR?.*