Detect changes to the registry & notify via cmd line


This topic contains 2 replies, has 2 voices, and was last updated by  wullieb1 3 weeks, 3 days ago.


  • confuseis
    Participant
    #607133

    Hi

    I’m looking for a command line method to detect a change to the registry and if detected notify the user

    I’m looking for the script to do this by itself without needing to manually set audit policies using the windows GUI

    The idea I’ve come up with is to watch for event ID 4657 to occur in the registry.

    After researching online i am using

    Auditpol /set /subcategory:@[email protected] /success:enable   # To set the audit policy to ON for the registry

     

    Get-WinEvent -ComputerName $env:ComputerName -FilterHashtable @{LogName='Security'; ID=4657}  # To display event 4657

     

    I’ve noticed that no event 4657 has been generated when I manually filter the registry security logs after a few days.

    Is there a way using PowerShell to force this on? Or is there an easy way to detect if any registry key has been changed?

    I’ve looked at exporting the reg to a file, repeating it, then comparing the reg files, but I’m looking for an alternative.

    Thanks



    wullieb1
    Moderator
    #607239

    Hopefully this isn’t a feature of the boards, but your command is incorrect:

    Auditpol /set /subcategory:@[email protected] /success:enable

    Should be

    Auditpol /set /subcategory:"Registry" /success:enable

    See here for some further assistance

    Monitoring when registry keys are modified

    I also think your command might be wrong; use Get-Help Get-WinEvent -Examples and look at Example 15 (as it is on mine anyway :)). The highlighted section is the command.

    -------------------------- EXAMPLE 15 --------------------------

    PS C:\>$date = (Get-Date).AddDays(-2)
    PS C:\>$events = Get-WinEvent -FilterHashTable @{ LogName = "Microsoft-Windows-Diagnostics-Performance/Operational"; StartTime = $date; ID = 100 }

    This example uses a filter hash table to get events from the performance log.

    The first command uses the Get-Date cmdlet and the AddDays method to get a date that is two days before the current date. It saves the date in the $date variable.

    The second command uses the Get-WinEvent cmdlet with the FilterHashTable parameter. The keys in the hash table define a filter that selects events from the performance log that occurred within the last two days and that have event ID 100.

    The LogName key specifies the event log, the StartTime key specifies the date, and the ID key specifies the event ID.


    wullieb1
    Moderator
    #607240

    Damn it, this board copies the HTML content as well.

    This is the command for the first part.

    Yours

    auditpol /set /subcategory:@[email protected] /success:enable

    Should be

    auditpol /set /subcategory:"Registry" /success:enable
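The two replies fix the auditpol syntax and point at the FilterHashtable form of Get-WinEvent, but they leave out the most likely reason the original poster saw no 4657 events: Windows writes that event only for keys that carry an audit entry (a SACL) for the Set Value right, so enabling the Registry subcategory on its own is not enough. The script below is an added example, not code from the thread or from either participant; it ties the pieces together in one script (enable the subcategory, put a success-audit entry on one key, then report 4657 events from the Security log). The key path HKLM:\SOFTWARE\ExampleWatch is a placeholder chosen for illustration, and the script assumes an elevated PowerShell session on Windows.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): audit-based detection of registry value
# changes on a single key, reported from the Security log.
param(
    [string]$KeyPath = 'HKLM:\SOFTWARE\ExampleWatch',  # placeholder key to monitor
    [int]$LookbackMinutes = 60                         # how far back to search
)

# 1. Turn on success auditing for the Registry subcategory (the corrected
#    command from the thread, written with straight quotes).
auditpol /set /subcategory:"Registry" /success:enable | Out-Null

# 2. Event 4657 is only generated for keys whose SACL audits the "Set Value"
#    right, so add a success-audit entry for Everyone (S-1-1-0) to the key and
#    let it inherit to subkeys.
if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}
$acl  = Get-Acl -Path $KeyPath -Audit
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    [System.Security.Principal.SecurityIdentifier]'S-1-1-0',
    [System.Security.AccessControl.RegistryRights]'SetValue',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
    [System.Security.AccessControl.PropagationFlags]'None',
    [System.Security.AccessControl.AuditFlags]'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# 3. Query the Security log for 4657 in the lookback window. The hashtable
#    keys are separated by semicolons, as in Example 15 of the Get-WinEvent help.
$start  = (Get-Date).AddMinutes(-$LookbackMinutes)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4657; StartTime = $start } `
                       -ErrorAction SilentlyContinue

# 4. Pull the interesting fields out of each event's XML payload and report them.
#    Field names (SubjectUserName, ObjectName, OldValue, NewValue, ...) are the
#    EventData names used by event 4657.
$report = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        Key     = $data.ObjectName
        Value   = $data.ObjectValueName
        Old     = $data.OldValue
        New     = $data.NewValue
        Process = $data.ProcessName
    }
}

if ($report) {
    Write-Warning "$(@($report).Count) registry value change(s) recorded in the last $LookbackMinutes minute(s)."
    $report | Format-Table -AutoSize
} else {
    Write-Host "No registry value changes (event 4657) found in the last $LookbackMinutes minute(s)."
}
```

Run it once to set the policy and the SACL, then change a value under the watched key and run it again; the second run lists the change with the account and process that made it. Two caveats worth knowing when reading the output: 4657 covers value modifications only (key creation and deletion surface as 4663 and 4660 under the same subcategory), and the audit entry has to be placed on every key tree you care about, which is why a blanket "any key changed" detector from the Security log alone needs SACLs on the relevant hives rather than on one key.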

