Solved: Trying to monitor HKLM\\SYSTEM\\CurrentControlSet...

bosburn_splunk · ‎01-24-2013

The following set up was used in regmon-filters.conf:

[WinRegistry]
proc = C:\\.*
baseline = 0
disabled = 0
hive = HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\?.*
index = default
type = rename|close|set|delete|open|create|query

When adding a USB drive, I see nothing being reported on. What is going on?

bosburn_splunk · ‎01-24-2013

This is a known issue - SPL-58682 - with Splunk monitoring the Current Control Set for this section. The work around is to use the following setting for hive:

hive = HKEY_LOCAL_MACHINE\\SYSTEM\\*CONTROLSET*\\ENUM\\USBSTOR?.*

This will monitor all control sets for changes for that path.

Brian

View solution in original post

bosburn_splunk · ‎01-24-2013

This is a known issue - SPL-58682 - with Splunk monitoring the Current Control Set for this section. The work around is to use the following setting for hive:

hive = HKEY_LOCAL_MACHINE\\SYSTEM\\*CONTROLSET*\\ENUM\\USBSTOR?.*

This will monitor all control sets for changes for that path.

Brian

Trying to monitor HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR but nothing is happening

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

Trying to monitor HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR but nothing is happening

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!