How do I monitor only the changes to Windows Registry?

How do I monitor only the changes (add, delete, change value) to Windows Registry? I am only interested in seeing changes that I make to the registry. I do not want to see the ripple effects of the changes I made or the dynamic changes that windows makes on its own.

For example, if I change a setting in a group policy, I only want to see that change in value that I made. I do not want to see the changes to the Windows registry that were caused by the change that I made.

Thanks.


Re: How do I monitor only the changes to Windows Registry?

hope THIS helps

more specifically:

Each stanza in regmon-filters.conf represents a particular filter whose definition includes:

* proc: a regular expression containing the path to the process or processes you want to monitor
* hive: a regular expression containing the hive path to the entry or entries you want to monitor. Splunk supports the root key value mappings predefined in Windows:
      o \\REGISTRY\\USER\\ maps to HKEY_USERS or HKU
      o \\REGISTRY\\USER\\_Classes maps to HKEY_CLASSES_ROOT or HKCR
      o \\REGISTRY\\MACHINE maps to HKEY_LOCAL_MACHINE or HKLM
      o \\REGISTRY\\MACHINE\\SOFTWARE\\Classes maps to HKEY_CLASSES_ROOT or HKCR
      o \\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Hardware Profiles\\Current maps to HKEY_CURRENT_CONFIG or HKCC
      o Note: There is no direct mapping for HKEY_CURRENT_USER or HKCU, as the Splunk Registry monitor runs in kernel mode. However, using \\REGISTRY\\USER\\.* (note the period and asterisk at the end) will generate events that contain the logged-in user's security identifier (SID).
      o Alternatively, you can specify the user whose registry keys you wish to monitor by using \\REGISTRY\\USER\\<SID>, where SID is the SID of the desired user. 
* type: the subset of event types to monitor. Can be delete, set, create, rename, open, close, query. The values here must be a subset of the values for event_types that you set in sysmon.conf.
* baseline: whether or not to capture a baseline snapshot for that particular hive path. Set to 0 for no, and 1 for yes.
* baseline_interval: how long Splunk has to have been down before re-taking the snapshot, in seconds. The default value is 86,400 seconds, or 24 hours.
* disabled: whether or not a filter is enabled. Set to 0 to enable the filter, and 1 to disable it. 
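Putting those fields together for the case in the question (only the adds, deletes and value changes an administrator makes by hand, not the reads and background churn), here is an added example regmon-filters.conf; it is not from the original post or Splunk's shipped defaults, and the stanza names, the regedit/mmc process regex and the Policies hive paths are assumptions:

```ini
# regmon-filters.conf (added example; stanza names, process regex and
# hive paths are assumptions, not Splunk's shipped defaults)

[default]
# Filters stay off unless a stanza enables them. baseline = 0 means no
# snapshot of existing values, so the change feed starts clean.
disabled = 1
baseline = 0
baseline_interval = 86400

[Admin edits to machine policy]
# proc: only the tools an admin types into (Registry Editor, and the MMC
# that hosts the Group Policy editor). Changes Windows applies on its own
# come from other processes and so never match this regex. The value is
# a regular expression, so backslashes are doubled.
proc = .*\\(regedit|mmc)\.exe
# hive: the machine-wide policy subtree (HKLM\SOFTWARE\Policies),
# written with the kernel-mode root \\REGISTRY\\MACHINE
hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\.*
# type: add / delete / change-value only. open, close and query are the
# noisy reads that ripple out of a change and are left out. These values
# must be a subset of event_types in sysmon.conf.
type = set|create|delete|rename
baseline = 0
disabled = 0

[Admin edits to user policy]
# HKCU has no kernel-mode name; \\REGISTRY\\USER\\.* covers every
# logged-in user's SID. Replace .* with one SID to watch a single user.
proc = .*\\(regedit|mmc)\.exe
hive = \\REGISTRY\\USER\\.*\\Software\\Policies\\.*
type = set|create|delete|rename
baseline = 0
disabled = 0
```

If the resulting events are still too chatty, tighten proc first: the hive and type fields decide what is watched, but proc is what separates your own edits from the changes the operating system makes for itself.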
