
Regmon filters not working

Communicator

I'm trying to monitor the registry and filter on a few critical keys. When I look at the events, I'm seeing events from outside the keys specified in my filters. Not sure what the problem is...

Here is my sysmon.conf:

[RegistryMonitor]
filter_file_name = regmon-filters
event_types = set.*|create.*|delete.*|rename.*
inclusive = 0
disabled = 0

Here is my regmon-filters.conf:

[Run]
proc = .*
hive = \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion\Run\.*
type = set|create|delete|rename
baseline = 0
disabled = 0

[RunOnce]
proc = .*
hive = \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion\RunOnce\.*
type = set|create|delete|rename
baseline = 0
disabled = 0

[RunOnceEx]
proc = .*
hive = \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion\RunOnceEx\.*
type = set|create|delete|rename
baseline = 0
disabled = 0

[User-Shell-Folders]
proc = .*
hive = \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion\Explorer\User Shell Folders\.*
type = set|create|delete|rename
baseline = 0
disabled = 0

[Shell-Folders]
proc = .*
hive = \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion\Explorer\Shell Folders\Startup\.*
type = set|create|delete|rename
baseline = 0
disabled = 0

[ShellExecuteHooks]
proc = .*
hive = \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion\Explorer\ShellExecuteHooks\.*
type = set|create|delete|rename
baseline = 0
disabled = 0

[SharedTaskScheduler]
proc = .*
hive = \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\.*
type = set|create|delete|rename
baseline = 0
disabled = 0

[ShellServiceObjectDelayLoad]
proc = .*
hive = \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\.*
type = set|create|delete|rename
baseline = 0
disabled = 0

[arpcache]
proc = .*
hive = \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\app management\arpcache\.*
type = set|create|delete|rename
baseline = 0
disabled = 0

[shellopencommand]
proc = .*
hive = \REGISTRY\MACHINE\Software\CLASSES\.*\shell\open\command\.*
type = set|create|delete|rename
baseline = 0
disabled = 0

[ExplorerRun]
proc = .*
hive = \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\policies\Explorer\Run\.*
type = set|create|delete|rename
baseline = 0
disabled = 0

Thanks for any help!

Craig


Communicator

If you haven't tried Splunk 4.2.2, they have updated splunk_regmon.exe and I am able to monitor the keys I wanted.

Travis.


Communicator

Had the same problem when trying to set up regmon filters like yours. Found that I had to add the following to $SPLUNK_HOME\etc\apps\search\local\regmon-filters.conf (or wherever you have your regmon-filters.conf located with the above info).

# Override the two default stanzas so they no longer run
[User keys]
disabled = 1
proc = \\Device\\.*
hive = \\REGISTRY\\USER\\.*
type = set|create|delete|rename

[Machine keys]
disabled = 1
proc = \\Device\\.*
hive = \\REGISTRY\\MACHINE\\.*
type = set|create|delete|rename

This kept those 2 filters from running, but my problem now is that I only get my first filter to work. For example, your [Run] filter as defined would be the only one whose results I would see. What's even worse, when I labeled all my filters with that same [Machine keys] name, it would give me events for the last one.

I am still working on it to see if I am doing something wrong, but my regmon-filters.conf looks very similar to yours, and I am trying this with Splunk 4.1.6 on a Vista 32-bit machine for testing.

Travis.
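A lint pass over a regmon-filters.conf, as an added example that is not part of the original thread and not code from Splunk. It catches the defects visible in the question (a hive path pasted without "hive =", a misspelt vendor name that can never match a real key, unescaped backslashes) and in the reply above (an override whose setting name is misspelt, so the stanza it was meant to disable stays active and keeps matching everything under the hive). Assumptions, also stated in the code: a hive value is a regex matched case-insensitively against the kernel-style \REGISTRY\MACHINE\... path, with backslashes escaped as in the default [User keys]/[Machine keys] stanzas; the setting names are the ones regmon-filters.conf accepts in Splunk 4.x; the sample config and the expected key paths are constructed for the example.

```python
"""Lint a Splunk 4.x regmon-filters.conf before it goes onto a Windows host.

Added example for this thread; not code from Splunk or from the posters.
Assumes a 'hive' value is a regex matched case-insensitively (registry key
names are case-insensitive) against the kernel-style path \REGISTRY\MACHINE\...,
with backslashes escaped as in the default [User keys]/[Machine keys] stanzas.
"""
import difflib
import re

# Settings a stanza accepts in Splunk 4.x. A misspelt name such as 'disable'
# is not one of them, so the stanza it was meant to switch off stays active.
KNOWN_KEYS = {"proc", "hive", "type", "baseline", "baseline_interval", "disabled"}
REQUIRED_KEYS = {"proc", "hive", "type"}

# Constructed sample: key paths the filters are expected to cover.
EXPECTED_PATHS = [
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup",
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\1",
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup",
]

# Constructed config reproducing the defects seen in the thread: [Run] has an
# unescaped, misspelt hive; [RunOnce] is escaped but still misspelt;
# [ExplorerRun] pastes the path without 'hive ='; [Machine keys] misspells
# 'disabled' and so stays enabled; [UserShellFolders] is clean.
SAMPLE_CONF = r"""
[Run]
proc = .*
hive = \REGISTRY\MACHINE\SOFTWARE\MICROSOT\WINDOWS\CurrentVersion\Run\.*
type = set|create|delete|rename

[RunOnce]
proc = .*
hive = \\REGISTRY\\MACHINE\\SOFTWARE\\MICROSOT\\WINDOWS\\CurrentVersion\\RunOnce\\.*
type = set|create|delete|rename

[ExplorerRun]
proc = .*
\\REGISTRY\\MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\policies\\Explorer\\Run\\.*
type = set|create|delete|rename

[Machine keys]
disable = 1
proc = \\Device\\.*
hive = \\REGISTRY\\MACHINE\\.*
type = set|create|delete|rename

[UserShellFolders]
proc = .*
hive = \\REGISTRY\\MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS\\CurrentVersion\\Explorer\\User Shell Folders\\.*
type = set|create|delete|rename
"""


def parse_stanzas(text):
    """Return ({stanza: {key: value}}, [(stanza, offending_line)]).

    Hand-rolled rather than configparser so that a line with no '=' becomes a
    finding instead of aborting the whole parse.
    """
    stanzas, bad_lines, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep or current is None:
            bad_lines.append((current, line))
            continue
        stanzas[current][key.strip()] = value.strip()
    return stanzas, bad_lines


def lint(conf_text, expected_paths):
    """Return [(stanza, message)] findings; an empty list means the file is clean."""
    stanzas, bad_lines = parse_stanzas(conf_text)
    findings = [(stanza, f"line is not 'key = value' and is ignored: {line}")
                for stanza, line in bad_lines]
    for name, settings in stanzas.items():
        for key in settings:
            if key not in KNOWN_KEYS:
                hint = difflib.get_close_matches(key, sorted(KNOWN_KEYS), n=1)
                findings.append((name, f"unknown setting '{key}'"
                                 + (f" (did you mean '{hint[0]}'?)" if hint else "")))
        for key in sorted(REQUIRED_KEYS - set(settings)):
            findings.append((name, f"missing required setting '{key}'"))
        if settings.get("disabled") == "1" or "hive" not in settings:
            continue  # a disabled stanza never matches; a hive-less one cannot be tested
        try:
            pattern = re.compile(settings["hive"], re.IGNORECASE)
        except re.error as exc:
            findings.append((name, f"hive is not a valid regex ({exc}); "
                                   "write each literal backslash as '\\\\'"))
            continue
        matched = [p for p in expected_paths if pattern.fullmatch(p)]
        if not matched:
            findings.append((name, "hive regex matches none of the expected key paths"))
        elif len(matched) == len(expected_paths) > 1:
            findings.append((name, f"hive regex matches every one of the {len(matched)} "
                                   "expected paths: a catch-all, not a key filter"))
    return findings


if __name__ == "__main__":
    for stanza, message in lint(SAMPLE_CONF, EXPECTED_PATHS):
        print(f"[{stanza}] {message}")
```

Python's re is stricter than PCRE about unknown escapes such as \R, so treat the "not a valid regex" finding as a prompt to escape the backslashes the way the default stanzas do, not as proof of how splunk_regmon.exe parses the value. The catch-all finding is the one to look at first when events arrive from outside the listed keys: a stanza that still matches \\REGISTRY\\MACHINE\\.* admits every machine-hive event on its own. Separately, a filter list that is applied exclusively produces the same symptom, so confirm which value of inclusive in sysmon.conf your version treats as include-only against the sysmon.conf.spec that ships with it.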


Communicator

After some more work, I found that in sysmon.conf you can set active_filter = "Run", "RunOnce", "rest of your filters", and then you will not need the User & Machine key entries in regmon-filters.conf like I had above. With this setup I am able to get a baseline, but it will not see any changes that I make to the registry. Still looking into it.


Communicator

OK, I take that back on which filter gets used. From Splunk Web - Manager - Data inputs - Registry monitoring, the first one listed seems to be the one that gets used.
