What does Splunk-perfmon.exe need to write to regi...

joroberts_splun · ‎01-24-2020

Have an antivirus reporting some writing attempts from process splunk-perfmon.exe to the following registry keys:

\REGISTRY\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IDSVx86\Performance
\REGISTRY\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SepMasterService\Performance
\REGISTRY\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNAC\Performance
\REGISTRY\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SyDvCtrl\Performance
\REGISTRY\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SymEFASI\Performance
\REGISTRY\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SymEvent\Performance
\REGISTRY\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SYMNETS\Performance
\REGISTRY\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysPlant\Performance
\REGISTRY\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Teefer2\Performance

I have made research in regards performance monitoring, however, indicates it should have read access to the registry and I assume executable for opening the subdirectories but nothing about deleting/modifying(write) data into these:

https://docs.splunk.com/Documentation/Splunk/8.0.1/Data/MonitorWindowsperformance

I was able to find that some Splunk requirements for antiviruses is to exclude the splunk-perfmon.exe from from the scanning list, which I am fine with, however, I still need to know what does Splunk need to write into Registry Keys:

https://docs.splunk.com/Documentation/Splunk/7.3.3/ReleaseNotes/RunningSplunkalongsideWindowsantivir...

Thanks,

What does Splunk-perfmon.exe need to write to registry keys?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!