deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 10:23:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Update audit-registry.md

Browse Source
This commit is contained in:
sravanigannavarapu
2021-12-08 14:25:58 -08:00
committed by GitHub
parent 58a9eb3c3e
commit 5b6c9a109a
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
windows/security/threat-protection/auditing/audit-registry.md
View File

@ -49,4 +49,4 @@ If success auditing is enabled, an audit entry is generated each time any accoun
> [!NOTE]
> On creating a subkey for a parent (RegCreateKey), the expectation is to see an event for opening a handle for the newly created object (Event 4656) issued by the object manager. We see this event only when "Audit Object Access" is enabled under **Local Policies** > **Audit Policy** in Local Security Policy. This event is not generated while using precisely defined settings for seeing only registry related events under **Advanced Audit Policy Configurations** > **Object Access** > **Audit Registry** in Local Security Policy. For example, we do not see this event with the setting to just see the registry related auditing events using "auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable".
Calls to Registry APIs which involve accessing the key to perform any operations like RegSetValue, RegEnumValue, RegRenameKey etc. would trigger an event to access the object (Event 4663). So for example, creating a subkey using regedit.exe would not trigger a 4663 event, but renaming it would.
Calls to Registry API's to access an open key object to perform an operation like RegSetValue, RegEnumValue, RegRenameKey etc. would trigger an event to access the object (Event 4663). So for example, creating a subkey using regedit.exe would not trigger a 4663 event, but renaming it would.