4656 – A handle to a registry key or registry value was requested.
4657 – A registry value was modified.
4660 – A registry key or value was deleted or removed.
4663 – An attempt was made to access a registry key or registry value.
Summary
- Enable Object Access Audit Policy
- Enable Registry Access Audit Security (SACL)
- Check Registry Change Event IDs
Enable Object Access Audit Policy
This audit security setting determines whether the OS audits user attempts to access the registry and other objects such as the file system. Registry change events are generated only for registry keys that have a system access control list (SACL) specified, so remember to also configure Registry Access Audit Security (SACL) on the registry keys whose access and changes you want to track.
Note: Without a SACL on the registry key you want to track, no registry change events are generated even though the audit policy is enabled.
1. Open the Local Security Policy console by running the command secpol.msc.
2. Navigate to the node Audit Policy (Security Settings/Local Policies/Audit Policy). In the right-hand pane, select the setting Audit object access.
3. Double-click Audit object access, and check the audit options Success and Failure to record both successful registry accesses and denied registry accesses.
4. Click Apply to save the setting.
Enable Registry Access Audit Security (SACL)
A System Access Control List (SACL) determines whether registry access events are generated for a particular registry key. You therefore need to set a SACL on the single registry key, or on the parent key of the whole registry scope, whose access or change events you want to monitor.
1. Open the Registry Editor by running the command regedit.
2. Right-click the registry key for which you want to configure audit events, and click Permissions.
3. In the Security window, click the Advanced button.
4. Navigate to the Auditing tab, and click the Add button.
5. Select the account Everyone, check the Successful and Failed audit options you want to audit, click OK, and then click Apply.
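The same two configuration steps (the audit policy and the SACL on the key) can be scripted instead of clicked through. The following PowerShell is an added example, not code from the original post: it uses the built-in auditpol.exe tool and the Get-Acl/Set-Acl cmdlets with a System.Security.AccessControl.RegistryAuditRule. The key path HKLM:\SOFTWARE\MorganApp is taken from the post's sample event; the rights, inheritance and the choice of the Everyone SID are assumptions you should adapt to the key you want to track.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell session:
# enabling audit policy and writing a SACL both require administrative privileges
# (writing a SACL needs SeSecurityPrivilege, which an elevated admin session holds).

# --- Step 1: audit policy (the scripted equivalent of secpol.msc > Audit object access) ---
# auditpol.exe configures the advanced audit policy at subcategory level; "Registry" is the
# Object Access subcategory that produces events 4656, 4657, 4660 and 4663.
auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable

# Verify the subcategory now shows "Success and Failure".
auditpol.exe /get /subcategory:"Registry"

# --- Step 2: SACL on the key (the equivalent of regedit > Permissions > Advanced > Auditing) ---
$keyPath = 'HKLM:\SOFTWARE\MorganApp'   # assumption: the key you want to monitor
if (-not (Test-Path -Path $keyPath)) {
    throw "Registry key $keyPath does not exist; create it or point `$keyPath at the key to audit."
}

# -Audit makes Get-Acl read the SACL as well as the DACL; without it Set-Acl would not write audit entries.
$acl = Get-Acl -Path $keyPath -Audit

# Audit "Everyone" (well-known SID S-1-1-0) for the rights that correspond to changes:
# writing values, creating subkeys and deleting, on both success and failure.
$identity  = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rights    = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit'   # apply to subkeys too
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    $identity, $rights, $inherit, $propagate, $flags)
$acl.AddAuditRule($rule)

# Write the modified security descriptor (including the new SACL entry) back to the key.
Set-Acl -Path $keyPath -AclObject $acl

# Show the resulting audit entries so you can confirm the rule is in place.
(Get-Acl -Path $keyPath -Audit).Audit |
    Format-Table IdentityReference, RegistryRights, AuditFlags, InheritanceFlags -AutoSize
```

Auditing SetValue, CreateSubKey and Delete rather than Full Control keeps the volume of 4656/4663 events down, because plain reads of the key are then not recorded; widen the rights if you also want to see who reads the key.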
Registry Change Auditing Event IDs
Once you have configured the two settings above, the events are generated; to view the registry change events, follow the steps below.
1. Open the Run window, type the command eventvwr.msc, and click OK.
2. In the Event Viewer console, expand the tree node Windows Logs and select Security.
3. The right-hand pane lists many events, but to track only registry access and changes we need only these event IDs: 4656, 4657, 4660 and 4663. To filter to these four events, right-click the Security node and click Filter Current Log.
4. Type the event IDs 4656, 4657, 4660 and 4663 as comma-separated values and click OK.
5. The result window now lists only registry access events; double-click any event to see what type of action was performed on the particular registry key.
4656: This is the first event logged when a user attempts to access a registry key. It records what type of access the user requested, not what type of access the user actually exercised (that is reported by event ID 4663).
4657 – A registry value was modified.
4660 – A registry key or value was deleted or removed.
Sample Event 4657 – Registry Change Event:
Log Name: Security
Date: 1/9/2015 10:39:27 PM
Event ID: 4657
Task Category: Registry
Keywords: Audit Success
Computer: hp-PC
Description: A registry value was modified.

Subject:
    Security ID: hp-PC\Administrator
    Account Name: Administrator
    Account Domain: hp-PC
    Logon ID: 0x2a81c

Object:
    Object Name: \REGISTRY\MACHINE\SOFTWARE\MorganApp
    Object Value Name: SampleKey
    Handle ID: 0x134
    Operation Type: Existing registry value modified

Process Information:
    Process ID: 0x8b0
    Process Name: C:\Windows\regedit.exe

Change Information:
    Old Value Type: REG_SZ
    Old Value: sss
    New Value Type: REG_SZ
    New Value: ttt
The above sample event 4657 was generated when I changed the registry value \REGISTRY\MACHINE\SOFTWARE\MorganApp\SampleKey from sss to ttt.
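The Event Viewer filter in the steps above and the fields shown in the sample 4657 event can both be reproduced from PowerShell, which is more practical when you want to review changes regularly. The following is an added example, not code from the original post: it queries the Security log for the four event IDs with Get-WinEvent, reads each event's named data fields from its XML, and correlates 4660 (which carries only a Handle ID) back to the object name recorded in the matching 4656. The 24-hour window and the function name Convert-RegistryAuditEvent are assumptions.

```powershell
# Added example (not from the original post). Reading the Security log requires an elevated
# session or membership in the Event Log Readers group.
$since = (Get-Date).AddHours(-24)   # assumption: look at the last 24 hours

# The same filter as "Filter Current Log" with the four IDs in the post.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4656, 4657, 4660, 4663
    StartTime = $since
} -ErrorAction SilentlyContinue

function Convert-RegistryAuditEvent {
    # Turn one EventRecord into a flat object with the fields the post's sample event shows.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    # Security events store their named fields as <Data Name="...">value</Data> under EventData.
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
    [pscustomobject]@{
        TimeCreated   = $Event.TimeCreated
        EventId       = $Event.Id
        Subject       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        ObjectType    = $data['ObjectType']        # 4656/4663: "Key" for registry objects
        ObjectName    = $data['ObjectName']
        ValueName     = $data['ObjectValueName']   # 4657 only
        OperationType = $data['OperationType']     # 4657 only
        OldValue      = $data['OldValue']          # 4657 only
        NewValue      = $data['NewValue']          # 4657 only
        AccessMask    = $data['AccessMask']        # 4656: requested rights; 4663: rights exercised
        HandleId      = $data['HandleId']
        Process       = $data['ProcessName']
    }
}

$parsed = foreach ($e in $events) { Convert-RegistryAuditEvent -Event $e }

# 4656 and 4663 are also raised for files and other objects when Object Access auditing is on,
# so keep only registry events: 4657 and 4660 are registry-related by definition here,
# and for 4656/4663 the ObjectType field says "Key".
$registry = $parsed | Where-Object { $_.EventId -in 4657, 4660 -or $_.ObjectType -eq 'Key' }

# 4660 carries no object name, only a Handle ID; the 4656 that opened that handle names the key.
$handleToName = @{}
foreach ($e in ($registry | Where-Object EventId -eq 4656)) { $handleToName[$e.HandleId] = $e.ObjectName }
foreach ($e in ($registry | Where-Object EventId -eq 4660)) {
    if ($handleToName.ContainsKey($e.HandleId)) { $e.ObjectName = $handleToName[$e.HandleId] }
}

# Overview of all registry audit events in the window.
$registry | Sort-Object TimeCreated |
    Format-Table TimeCreated, EventId, Subject, ObjectName, ValueName, AccessMask, Process -AutoSize

# Value changes only: the 4657 events, shown with the same fields as the post's sample event.
$registry | Where-Object EventId -eq 4657 | Sort-Object TimeCreated |
    Format-List TimeCreated, Subject, ObjectName, ValueName, OperationType, OldValue, NewValue, Process
```

Handle IDs are reused over time, so the 4656-to-4660 correlation is only reliable within a short window and for the same Process ID; for a busy host, narrow $since or add a ProcessId check before trusting the recovered object name.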