deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 13:57:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Update windows/security/threat-protection/auditing/audit-registry.md

Browse Source 
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
This commit is contained in:
Denise Vangel-MSFT 2021-12-06 09:37:12 -08:00 committed by GitHub
parent 7c3ce18588
commit c023916f72
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
windows/security/threat-protection/auditing/audit-registry.md
View File

@ -46,6 +46,6 @@ If success auditing is enabled, an audit entry is generated each time any accoun
- [4670](event-4670.md)(S): Permissions on an object were changed. - [4670](event-4670.md)(S): Permissions on an object were changed.
**Remarks:** > [!NOTE]
On creating a subkey for a parent, the expectation is to see a 4656 event for the newly created subkey. We see this event only when "Audit Object Access" is enabled under Local Policies > Audit Policy in Local Security Policy. This event is not generated while using advanced audit policy configurations for registry specific events, such as, using "auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable". While using regedit.exe for creating subkeys we see additional 4663 event because we perform NtEnumerateKeys on the newly created subkey. We can additionally see a 4663 event on the newly created key, if we try to rename the subkey. While using reg.exe for creating subkeys we see additional 4663 event because we perform NtSetValueKey on the newly created subkey. It is advised not to rely on 4663 events for subkey creation as they are dependent on type of permissions enabled on the parent and are not consistent across regedit.exe and reg.exe. > On creating a subkey for a parent, the expectation is to see a 4656 event for the newly created subkey. You will see this event only when "Audit Object Access" is enabled under **Local Policies** > **Audit Policy** in Local Security Policy. This event is not generated while using advanced audit policy configurations for registry specific events, such as using "auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable". While using regedit.exe for creating subkeys you will see an additional 4663 event because you perform NtEnumerateKeys on the newly created subkey. You might additionally see a 4663 event on the newly created key if you try to rename the subkey. While using reg.exe for creating subkeys you'll see an additional 4663 event because you perform NtSetValueKey on the newly created subkey. We recommend not relying on 4663 events for subkey creation as they are dependent on the type of permissions enabled on the parent and are not consistent across regedit.exe and reg.exe.