Suspicious Windows Registry Changes
Hello, I have stumbled on the topic of detecting and identifying suspicious registry changes in Windows operating systems. How do I know when a registry change is a "suspicious" or a "critical" one, and how do I know whether it was made by malware or by an individual who normally has no access to the system? What is a recommended approach to conducting Windows Registry analysis and detection? Any help would be appreciated...
February 25th, 2015 9:39pm

Hi,

You may use registry auditing or Process Monitor to monitor registry changes and determine which principals have made those changes.

However, determining whether a registry change is suspicious/critical or not depends on knowledge of the registry key in question.

Here are some references for you:

Monitoring when registry keys are modified

http://blogs.msdn.com/b/cobold/archive/2011/11/29/monitoring-when-registry-keys-are-modified.aspx

How Can I Monitor Changes to a Registry Key?

http://blogs.technet.com/b/heyscriptingguy/archive/2005/07/11/how-can-i-monitor-changes-to-a-registry-key.aspx

Audit activity on a registry key

https://technet.microsoft.com/en-us/library/cc757250%28WS.10%29.aspx?f=255&MSPPError=-2147217396

How to use Group Policy to audit registry keys in Windows Server 2003

http://support.microsoft.com/kb/324739

Best Regards,

Amy

February 27th, 2015 4:16am
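As an added example (not code from either post), the registry-auditing approach Amy describes, in PowerShell: a SACL is placed on a key so that changes are written to the Security log, and a helper then pulls the resulting events (ID 4657, "registry value was modified") with the principal, process and value that changed. Assumptions: the session is elevated, the Windows 7 / Server 2008 R2 or later "Registry" audit subcategory is available, and the monitored key (`HKLM\...\CurrentVersion\Run`) is just an illustrative choice.

```powershell
# Added example: audit a registry key and report who changed what (not from the original thread).
# Assumes an elevated PowerShell session; the key path below is an illustrative choice.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# 1. Enable the Object Access > Registry audit subcategory so SACL hits are logged.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

# 2. Add an audit rule (SACL) to the key: log SetValue/Delete/CreateSubKey by anyone.
$acl    = Get-Acl -Path $KeyPath -Audit
$rights = [System.Security.AccessControl.RegistryRights]'SetValue, Delete, CreateSubKey'
$rule   = New-Object System.Security.AccessControl.RegistryAuditRule(
              'Everyone', $rights, 'ContainerInherit', 'None', 'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# 3. Summarise "registry value modified" events (4657) from the Security log.
function Get-RegistryChangeEvents {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData fields are easiest to read from the event XML.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Subject   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"   # who
                Process   = $d.ProcessName                                     # via what
                Key       = $d.ObjectName                                      # where
                Value     = $d.ObjectValueName
                Operation = $d.OperationType   # resource id: %%1904 created, %%1905 modified, %%1906 deleted
                NewValue  = $d.NewValue
            }
        }
}

# 4. Example triage: list changes to autostart (Run) keys, which are rarely legitimate outside installs.
Get-RegistryChangeEvents |
    Where-Object { $_.Key -like '*CurrentVersion\Run*' } |
    Format-Table -AutoSize
```

Handle-open events (4656/4663) also fire for the same SACL if you audit Read or Query rights; the value-modified event above is the one that carries the old and new data.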
