Sunday, December 4, 2022

Monitoring Changes In Registry Using Event Logs

A lot of Windows applications use the registry as persistent storage for their configuration. Any change to these settings may cause the software to malfunction, and the registry is quite often a target of attackers, because changing some values can cause antivirus software to go blind or a firewall to stop functioning.

To enable Registry auditing, open an elevated command line (right-click cmd.exe and select "Run as administrator") and enter the command:

auditpol /set /subcategory:"registry" /success:enable /failure:enable

Beware that auditpol is case sensitive.

As an example, I will be monitoring changes to the registry keys I created in my previous post (Windows Registry as Persistent Memory for Python Apps).

Launch REGEDIT and browse to \HKEY_CURRENT_USER\SOFTWARE\Ziplez\HWID (or any other key you'd like to monitor).

Right-click the key in the left-hand pane, and select Permissions > Advanced.

Click the Auditing tab and select Add.

Click "Select a principal", type "Everyone" in the "Enter the object name" box and click OK.

Choose whether you want auditing to apply to this key only or to its subkeys too, then click OK to close all open dialogs.

Now, run the Python code from my previous post (Windows Registry as Persistent Memory for Python Apps) to make some changes to the registry keys.

Then modify the Python code I created in my previous post (A Simple Event Log Viewer in Python) to include event ID 4657 (A registry value was modified) and run it.
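As an added example (my own illustration, not code from either of the earlier posts), here is a small Python parser for the XML form of a 4657 event that keeps only the entries touching the key audited above. The sample event, its SID, user, value names and process path are constructed; the EventData field names are the ones Windows writes for event 4657.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Audit events name the key by its kernel path, so HKEY_CURRENT_USER shows up as
# \REGISTRY\USER\<SID>; matching on the tail of the path avoids the hive alias.
WATCHED_KEY = r"\SOFTWARE\Ziplez\HWID"
# OperationType is logged as a resource id; Event Viewer resolves these three.
OPERATIONS = {"%%1904": "created", "%%1905": "modified", "%%1906": "deleted"}

# Constructed sample of a Security log event 4657 (not a real capture).
SAMPLE_4657 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4657</EventID><Channel>Security</Channel>
    <TimeCreated SystemTime="2022-12-04T10:15:30.000000000Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="ObjectName">\REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Ziplez\HWID</Data>
    <Data Name="ObjectValueName">serial</Data>
    <Data Name="OperationType">%%1905</Data>
    <Data Name="OldValue">ABC-123</Data>
    <Data Name="NewValue">XYZ-999</Data>
    <Data Name="ProcessName">C:\Python310\python.exe</Data>
  </EventData>
</Event>"""


def parse_4657(xml_text):
    """Return the EventData fields of one event as a dict, plus EventID, Time and Operation."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("./e:EventData/e:Data", NS)}
    fields["EventID"] = int(root.findtext("./e:System/e:EventID", namespaces=NS))
    fields["Time"] = root.find("./e:System/e:TimeCreated", NS).get("SystemTime")
    fields["Operation"] = OPERATIONS.get(fields.get("OperationType", ""), "unknown")
    return fields


def registry_changes(events, watched_key=WATCHED_KEY):
    """Yield a summary for each 4657 event whose ObjectName ends with the watched key."""
    for xml_text in events:
        ev = parse_4657(xml_text)
        if ev["EventID"] != 4657 or not ev.get("ObjectName", "").lower().endswith(watched_key.lower()):
            continue  # other event ids, or a different key, are not of interest here
        yield {"time": ev["Time"], "user": ev.get("SubjectUserName", ""), "op": ev["Operation"],
               "value": ev.get("ObjectValueName", ""), "old": ev.get("OldValue", ""),
               "new": ev.get("NewValue", ""), "process": ev.get("ProcessName", "")}


if __name__ == "__main__":
    for change in registry_changes([SAMPLE_4657]):
        print(change)
```

Feeding the XML of real events (for example, what win32evtlog or Get-WinEvent returns when rendered as XML) into registry_changes gives the same per-change summary, including which process wrote the value.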
