Configure Windows Registry Audit Settings

Windows Registry audit permissions must be configured on each Windows server you want to audit so that the “Who” and “When” values are reported correctly for each change. For a test environment, PoC or evaluation, you can use automatic audit configuration. To configure Windows Registry auditing manually, follow the instructions below.

The following audit permissions must be set to "Successful" for the HKEY_LOCAL_MACHINE\SOFTWARE, HKEY_LOCAL_MACHINE\SYSTEM and HKEY_USERS\.DEFAULT keys:

  • Set Value
  • Create Subkey
  • Delete
  • Write DAC
  • Write Owner

Perform one of the following procedures depending on the OS version:

NOTE: Using Group Policy for configuring registry audit is not recommended, as registry DACL settings may be lost.
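
The audit entries listed above can also be applied and verified from an elevated PowerShell session. The script below is an added example, not part of the original instructions or the vendor's tooling; the "Everyone" principal and inheritance to subkeys are assumptions, since the page does not state them.

```powershell
# Added example. Run elevated: reading and writing a SACL requires SeSecurityPrivilege.
# Assumptions (not stated on the page): the audited principal is "Everyone"
# and the audit rule applies to each key and its subkeys.
$principal = 'Everyone'

# Page permission name -> RegistryRights member:
#   Set Value -> SetValue, Create Subkey -> CreateSubKey, Delete -> Delete,
#   Write DAC -> ChangePermissions, Write Owner -> TakeOwnership
$rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$inherit   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$success   = [System.Security.AccessControl.AuditFlags]::Success

$keys = 'HKLM:\SOFTWARE', 'HKLM:\SYSTEM', 'Registry::HKEY_USERS\.DEFAULT'

foreach ($key in $keys) {
    # -Audit loads the SACL; without it only the owner and DACL are returned.
    $acl  = Get-Acl -Path $key -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        $principal, $rights, $inherit, $propagate, $success)

    # AddAuditRule merges with existing entries instead of replacing the SACL.
    $acl.AddAuditRule($rule)
    Set-Acl -Path $key -AclObject $acl

    # Re-read the SACL and confirm every required right is audited for Success.
    $covered = (Get-Acl -Path $key -Audit).Audit | Where-Object {
        $_.IdentityReference.Value -eq $principal -and
        ($_.AuditFlags -band $success) -eq $success -and
        ($_.RegistryRights -band $rights) -eq $rights
    }

    [pscustomobject]@{
        Key        = $key
        Configured = [bool]$covered
    }
}
```

Each key should report `Configured` as `True`; a `False` result means the required Success audit entry is missing from that key's SACL.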