Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Monitoring specific keys in the registry

heathramos
Path Finder
‎10-30-2017 03:35 PM

I had the default registry monitoring turned on for our desktops for a day but it used way too much of our license so I had to disable it.

I am interested in monitoring a few keys but I am unclear on how to fill out the hive portion within the inputs.conf file.

Example of the keys I might monitor:

  1. REGISTRY: Watch for the creation or modification of new registry keys and values a. 4657 – Accesses: WriteData (or AddFile) i. HKLM, HKCU & HKU – Software\Microsoft\Windows\CurrentVersion
  2. Run, RunOnce ii. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
  3. Watch AppInit_Dlls iii. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt
  4. Watch Connection time of USB Devices iv. HKLM\System\CurrentControlSet\Services
  5. Watch for NEW Services v. HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
  6. Watch for NEW USB devices
0 Karma
Reply

xavierashe
Contributor
‎11-08-2017 11:27 AM

Here are a few examples that I run. For HKCU, you have to use this format:

[WinRegMon://hkcu_run1]
disabled = 0
hive = \\REGISTRY\\USER\\.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\.*
proc = .*
type = set|create|delete|rename
index = windows

For HKLM you use MACHINE:

[WinRegMon://hklm_run1]
disabled = 0
hive = \\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\.*
proc = .*
type = set|create|delete|rename
index = windows

You don't need to add stanzas for HKU, because your HKCU stanzas will suffice.

Reply

AaronMoorcroft
Communicator
‎06-01-2018 04:18 AM

Hi,

Can you advise how you can monitor multiple Reg Keys in the same stanza ?

Thank you

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...