Here is a method to monitor registry changes on WIndows 10 Pro on a host that is remote to Splunk. In this particular case I am interested to get an event when a memory stick is inserter to the host. 1) Install Universal Forwarder on the remote host and configure it to forward events to Splunk 2) Download Splunk Add-on for Microsoft Windows: https://splunkbase.splunk.com/app/742/#/details 3) Unzip and untar its directory. Move Ad-On directory to the Universal Forwarder on the remote host. In my case to the directory: C:\Program Files\SplunkUniversalForwarder\etc\apps 4) From: C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default copy app.conf and inputs.conf to C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local 5) Clear content of \local copies on app.conf and inputs.conf 6) Add in C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf [WinRegMon://hklm_USB] disabled = 0 hive = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\.* proc = .* type = set|create|delete|rename Restart the Universal Forwarder. Insert a USB to your Windows 10. You should get an event on your Splunk. I hope this helps. ... View more

Hello, Look at your Splunk customer profile. You can access it from within your error message screen or at: https://splunkcommunities.force.com/customers/apex/RMEC_InstancePage The reason you are getting the error is most likely that you have already one Sandbox instance running. Hope this helps. ... View more