boatcas.blogg.se

Process monitor registry changes

This event generates when a registry key value was modified. It doesn't generate when a registry key was modified. This event generates only if "Set Value" auditing is set in the registry key's SACL.

Note: For recommendations, see Security Monitoring Recommendations for this event.

Minimum OS Version: Windows Server 2008, Windows Vista.

Subject:

  • Security ID: SID of the account that requested the "modify registry value" operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

    Note: A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

  • Account Name: the name of the account that requested the "modify registry value" operation.

  • Account Domain: the subject's domain or computer name. Formats include:

      Lowercase full domain name: contoso.local
      Uppercase full domain name: CONTOSO.LOCAL

    For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY". For local user accounts, this field contains the name of the computer or device that the account belongs to, for example "Win81".

  • Logon ID: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example "4624: An account was successfully logged on."

Object:

  • Object Name: full path and name of the registry key whose value was modified. The format is \REGISTRY\HIVE\PATH, where HIVE corresponds to the well-known root keys as follows:

      HKEY_CURRENT_USER = \REGISTRY\USER\<SID>, where <SID> is the SID of the current user
      HKEY_CLASSES_ROOT = \REGISTRY\MACHINE\SOFTWARE\Classes
      HKEY_CURRENT_CONFIG = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current

  • Object Value Name: the name of the modified registry key value.

  • Handle ID: hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example "4656: A handle to an object was requested." This parameter might not be captured in the event, and in that case appears as "0x0".
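The field descriptions above explain that Object Name arrives in the kernel form \REGISTRY\HIVE\PATH, that the Handle ID ties the record to event 4656 (unless it is 0x0), and that the Logon ID ties it to 4624. As an added example that is not part of the original page, the Python below parses a constructed XML record of this event (event 4657 in Microsoft's Security auditing reference), maps the kernel hive prefix to the HKEY_* roots listed above, treats \REGISTRY\USER\<SID> as HKEY_CURRENT_USER only when the SID is the subject's own, and marks a Handle ID of 0x0 as not correlatable. The \REGISTRY\MACHINE and \REGISTRY\USER roots (HKEY_LOCAL_MACHINE and HKEY_USERS) are standard Windows mappings that this page does not list; the Data element names follow the 4657 EventData schema, and the SIDs, account names, paths and handle values in the sample are constructed.

```python
"""Parse a Windows Security 'registry value modified' event (4657) and
normalise its fields for correlation.

Added example, not part of the original page. The record below is
CONSTRUCTED; its <Data Name="..."> names follow the 4657 EventData schema.
"""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample record: a user's own Run key is written to.
SAMPLE_EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4657</EventID>
    <Computer>WIN81.contoso.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1001</Data>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data>
    <Data Name="ObjectName">\REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run</Data>
    <Data Name="ObjectValueName">Updater</Data>
    <Data Name="HandleId">0x1a4</Data>
  </EventData>
</Event>
"""

# Kernel hive prefix -> Win32 root key. The first two are the mappings given on
# the page; \REGISTRY\MACHINE and \REGISTRY\USER are the general roots they sit
# under (standard Windows knowledge, not from the page). Longest prefix first so
# the specific roots win over their parents.
HIVE_PREFIXES = [
    (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current", "HKEY_CURRENT_CONFIG"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Classes", "HKEY_CLASSES_ROOT"),
    (r"\REGISTRY\MACHINE", "HKEY_LOCAL_MACHINE"),
    (r"\REGISTRY\USER", "HKEY_USERS"),
]

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def normalise_object_name(object_name, subject_sid=None):
    """Translate \\REGISTRY\\HIVE\\PATH into HKEY_* form (case-insensitive match).

    \\REGISTRY\\USER\\<SID>\\... becomes HKEY_CURRENT_USER\\... only when <SID> is
    the subject's own SID, as the page defines HKCU. Another user's SID stays
    under HKEY_USERS, which makes a write into somebody else's profile visible.
    """
    upper = object_name.upper()
    for prefix, root in HIVE_PREFIXES:
        if upper == prefix.upper() or upper.startswith(prefix.upper() + "\\"):
            rest = object_name[len(prefix):].lstrip("\\")
            if root == "HKEY_USERS" and rest:
                head, _, tail = rest.partition("\\")
                if SID_RE.match(head) and subject_sid and head.upper() == subject_sid.upper():
                    return "HKEY_CURRENT_USER" + ("\\" + tail if tail else "")
            return root + ("\\" + rest if rest else "")
    raise ValueError("not a \\REGISTRY\\ path: %r" % object_name)


def parse_registry_value_event(xml_text):
    """Extract the Subject and Object fields described on the page."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    subject_sid = data.get("SubjectUserSid", "")
    handle = data.get("HandleId", "0x0")
    return {
        "event_id": event_id,
        "subject_sid": subject_sid,
        "account": "%s\\%s" % (data.get("SubjectDomainName", ""), data.get("SubjectUserName", "")),
        # Join key against 4624 (logon) records
        "logon_id": data.get("SubjectLogonId", ""),
        "object_name": data.get("ObjectName", ""),
        "key": normalise_object_name(data.get("ObjectName", ""), subject_sid),
        "value_name": data.get("ObjectValueName", ""),
        # "0x0" means the handle was not captured, so no join against 4656 is possible
        "handle_id": None if int(handle, 16) == 0 else handle,
    }


if __name__ == "__main__":
    for field, value in parse_registry_value_event(SAMPLE_EVENT_XML).items():
        print("%-12s %s" % (field, value))
```

Feeding the output of `parse_registry_value_event` into a log pipeline gives analysts the HKEY_* path they recognise from the Registry Editor, while `handle_id` being None signals up front that the 4656 join will fail for that record.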