From 7c3ce18588fb1ae7314390c48283b70c23157d00 Mon Sep 17 00:00:00 2001 From: sravanigannavarapu <95500630+sravanigannavarapu@users.noreply.github.com> Date: Fri, 3 Dec 2021 11:34:50 -0800 Subject: [PATCH] Update audit-registry.md Add remarks about expected events for subkey creation --- .../security/threat-protection/auditing/audit-registry.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md index 3c6407d9f5..4b2ee345d7 100644 --- a/windows/security/threat-protection/auditing/audit-registry.md +++ b/windows/security/threat-protection/auditing/audit-registry.md @@ -44,4 +44,8 @@ If success auditing is enabled, an audit entry is generated each time any accoun - [5039](event-5039.md)(-): A registry key was virtualized. -- [4670](event-4670.md)(S): Permissions on an object were changed. \ No newline at end of file +- [4670](event-4670.md)(S): Permissions on an object were changed. + +**Remarks:** +On creating a subkey for a parent, the expectation is to see a 4656 event for the newly created subkey. We see this event only when "Audit Object Access" is enabled under Local Policies > Audit Policy in Local Security Policy. This event is not generated while using advanced audit policy configurations for registry specific events, such as, using "auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable". While using regedit.exe for creating subkeys we see additional 4663 event because we perform NtEnumerateKeys on the newly created subkey. We can additionally see a 4663 event on the newly created key, if we try to rename the subkey. While using reg.exe for creating subkeys we see additional 4663 event because we perform NtSetValueKey on the newly created subkey. It is advised not to rely on 4663 events for subkey creation as they are dependent on type of permissions enabled on the parent and are not consistent across regedit.exe and reg.exe. +