deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-19 00:37:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/security/threat-protection/auditing/audit-registry.md
martyav c83e650685 items 57 to 87 reviewed
2019-12-20 16:29:18 -05:00

6.3 KiB
Raw Blame History

title, description, ms.assetid, ms.reviewer, manager, ms.author, ms.pagetype, ms.prod, ms.mktglfcycl, ms.sitesec, ms.localizationpriority, author, ms.date
title description ms.assetid ms.reviewer manager ms.author ms.pagetype ms.prod ms.mktglfcycl ms.sitesec ms.localizationpriority author ms.date
Audit Registry (Windows 10) The Advanced Security Audit policy setting, Audit Registry, determines if audit events are generated when users attempt to access registry objects. 02bcc23b-4823-46ac-b822-67beedf56b32 dansimp dansimp security w10 deploy library none dansimp 04/19/2017

Audit Registry

Applies to

  • Windows 10
  • Windows Server 2016

Audit Registry allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists (SACLs) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL.

If success auditing is enabled, an audit entry is generated each time any account successfully accesses a registry object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a registry object that has a matching SACL.

Event volume: Low to Medium, depending on how registry SACLs are configured.

Computer Type General Success General Failure Stronger Success Stronger Failure Comments
Domain Controller IF IF IF IF We strongly recommend that you develop a Registry Objects Security Monitoring policy and define appropriate SACLs for registry objects for different operating system templates and roles. Do not enable this subcategory if you have not planned how to use and analyze the collected information. It is also important to delete non-effective, excess SACLs. Otherwise the auditing log will be overloaded with useless information.
Failure events can show you unsuccessful attempts to access specific registry objects.
Consider enabling this subcategory for critical computers first, after you develop a Registry Objects Security Monitoring policy for them.
Member Server IF IF IF IF
Workstation IF IF IF IF

Events List:

  • 4663(S): An attempt was made to access an object.

  • 4656(S, F): A handle to an object was requested.

  • 4658(S): The handle to an object was closed.

  • 4660(S): An object was deleted.

  • 4657(S): A registry value was modified.

  • 5039(-): A registry key was virtualized.

  • 4670(S): Permissions on an object were changed.