Getting Data In

What does Splunk-perfmon.exe need to write to registry keys?

joroberts_splun
Splunk Employee

I have an antivirus reporting some write attempts from the process splunk-perfmon.exe to the following registry keys:

\REGISTRY\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IDSVx86\Performance
\REGISTRY\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SepMasterService\Performance
\REGISTRY\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNAC\Performance
\REGISTRY\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SyDvCtrl\Performance
\REGISTRY\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SymEFASI\Performance
\REGISTRY\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SymEvent\Performance
\REGISTRY\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SYMNETS\Performance
\REGISTRY\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysPlant\Performance
\REGISTRY\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Teefer2\Performance

I have done some research regarding performance monitoring; however, it indicates that it should have read access to the registry (and, I assume, execute access for opening the subkeys), but says nothing about deleting/modifying (writing) data in these:

https://docs.splunk.com/Documentation/Splunk/8.0.1/Data/MonitorWindowsperformance

I was able to find that one of the Splunk requirements for antivirus software is to exclude splunk-perfmon.exe from the scanning list, which I am fine with; however, I still need to know what Splunk needs to write into the registry keys:

https://docs.splunk.com/Documentation/Splunk/7.3.3/ReleaseNotes/RunningSplunkalongsideWindowsantivir...

Thanks,

0 Karma
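One way to check these keys from the defender's side, as an added example that is not part of the original post or of Splunk's documentation: the PowerShell below (assumed to run elevated on the affected host) lists, for each service named in the question, the counter-provider values under its Performance subkey and which principals are allowed to write to that key. The service names are taken from the question; the "Disable Performance Counters" value is the DWORD that Windows perflib itself sets when it stops loading a faulty counter DLL, so a non-empty value there means the key has been written by the OS, not necessarily by a collector.

```powershell
# Added example (not from the original post): inventory the Performance subkeys
# named in the question, show the values perflib uses for a counter provider,
# and show who may write to each key, so an AV "write attempt" alert can be
# compared against what the key holds and which accounts can modify it.
$services = @('IDSVx86', 'SepMasterService', 'SNAC', 'SyDvCtrl',
              'SymEFASI', 'SymEvent', 'SYMNETS', 'SysPlant', 'Teefer2')

foreach ($svc in $services) {
    $path = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Performance"
    if (-not (Test-Path -Path $path)) {
        Write-Output "$svc : no Performance subkey present"
        continue
    }

    $p = Get-ItemProperty -Path $path

    # Library/Open/Collect/Close describe the counter DLL and its entry points.
    # "Disable Performance Counters" is the DWORD perflib sets when it decides
    # to stop loading that DLL after a failure.
    $writers = (Get-Acl -Path $path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.RegistryRights -match 'SetValue|WriteKey|FullControl'
        } |
        ForEach-Object { $_.IdentityReference.Value }

    [pscustomobject]@{
        Service  = $svc
        Library  = $p.Library
        Open     = $p.Open
        Collect  = $p.Collect
        Disabled = $p.'Disable Performance Counters'
        Writers  = ($writers -join ', ')
    }
}
```

Compare the Writers column against the account the Splunk service runs under: if that account is not in the list, a write to the key would be denied regardless of what the process attempted, which narrows the question to whether the attempt came from the collector or from perflib acting on a failing counter DLL. Running the script before and after the next alert also shows whether any of the listed values actually changed.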