HKLM\SYSTEM\CurrentControlSet Monitoring

hayduk · ‎11-29-2018

Hi,

I try to monitor the Registry Hive HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters. Unfortunately, it didn’t get any Event from this registry hive.

I have setup the Monitoring the following way:

[WinRegMon://hklm_dnsserver]
disabled = 0
hive = HKEY_LOCAL_MACHINE\\SYSTEM\\*ControlSet*\\Services\\DNS\\Parameters\\.*
proc = .*
type = set|create|delete|rename
index = windows

If already tried a lot of different path defintions like

hive = \\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\DNS\\Parameters\\.*

or

hive = \\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters\\.*

or

hive = \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\DNS\\Parameters\\.*

other registry keys, for example, under HKLM\SOFTWARE are working without Problems.

Did anyone managed to get a working registry Monitoring for HKLM\CurrentControlSet?

Kind regards
Stefan

nathanhfraenkel · ‎06-20-2019

There is already another post and answer to this question:

This is a known issue - SPL-58682 - with Splunk monitoring the Current Control Set for this section. The work around is to use the following setting for hive:
1. hive = HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET\ENUM\USBSTOR?.*

nathanhfraenkel · ‎06-20-2019

I have the same problem. If I enable ControlSet001 and 002 works fine. As soon as I enable CurrentControlSet all three stop working.

HKLM\SYSTEM\CurrentControlSet Monitoring

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation

HKLM\SYSTEM\CurrentControlSet Monitoring

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...