Re: Registry Auditing
From: Clark Murray (clarkmurray_at_yahoo.com)
Date: 08/17/04
- Next message: Ken Blake: "Re: SP2 Firewall and NPF2004"
- Previous message: Ken Blake: "Re: List Of SP2 Imposed Deafualt Settings?"
- In reply to: Ramesh [MVP]: "Re: Registry Auditing"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 17 Aug 2004 12:21:38 -0700
Ramesh,
Sorry, should have said XP Home.
Tried start>run, but get 'not found' message for both secpol.msc and
gpedit.msc.
--
Best Regards,
Clark Murray

"Ramesh [MVP]" <ramesh@nojunkmails.com@mvps.org> wrote in message
news:uIfp2iHhEHA.3272@TK2MSFTNGP11.phx.gbl...
> Hi Clark,
>
> XP Professional:
>
> Phase I: Enable Audit Policy
>
> 1. Click Start, Run and type Secpol.msc (or via GPEDIT.MSC as well)
> 2. In the left pane, under Local Policies, click Audit Policy.
> 3. In the right pane, double-click Audit Object Access, and then select the
> Success and Failure boxes.
>
> Phase II: Set the Registry audit:
>
> 1. Now, use Regedit to audit the registry key.
> 2. Open Regedit and click the key you want to audit.
> 3. On the Edit menu, click Permission; then click Advanced.
> 4. On the Auditing tab, click Add.
> 5. Type your username there and add it to the audit list
> 6. In the Auditing Entry For Name dialog, in the Access list, select both
> the Successful and Failed check boxes next to the activities for which you
> want to audit successful and failed attempts.
>
> Phase III: Inspect the Event Logs for any information on the changed
> keys/values:
>
> 1. Click Start, Run and type Eventvwr.msc
> 2. In Event Viewer's left pane, click Security.
> 3. In the right-pane, double-click any entry to see more details.
> (use the notepad icon to copy the content to clipboard)
>
> Don't forget to turn off auditing for the key once you gather the required
> data, as your Security event log might soon become full.
>
> --
> Ramesh, Microsoft MVP
> Window XP Shell/User
> http://www.mvps.org/sramesh2k
>
>
> "Clark Murray" <clarkmurray@yahoo.com> wrote in message
> news:uCD%23R6GhEHA.2928@TK2MSFTNGP10.phx.gbl...
> I am trying to stamp out some very persistent adware/spyware, so I denied
> access to the offending registry key and turned on auditing. The popups
> have stopped, but when I look in the Event Viewer I cannot find any audit
> records about access to that key. I think I need some basic info about how
> to do registry audits for Win XP, but I was not able to find anything in the
> Microsoft Knowledge Base.
>
> --
> Best Regards,
> Clark Murray
>
>
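The three phases quoted above, scripted as an added example that is not part of the original thread or written by either poster. It assumes a later Windows release (Vista or newer) with PowerShell and `auditpol.exe`, run from an elevated prompt; the key path is a placeholder, and the event IDs are those used by later Windows versions, not XP.

```powershell
# Added example. Run elevated: writing a key's audit list (SACL) requires it.
# $KeyPath is a placeholder, not a key named in the thread.
param(
    [string]$KeyPath = 'HKCU:\Software\ExampleVendor\ExampleKey',
    [string]$Account = ([System.Security.Principal.WindowsIdentity]::GetCurrent().Name),
    [switch]$Remove   # pass -Remove to turn auditing for the key back off
)

# Audit entry for the account: writes, subkey creation and deletes,
# recorded for both successful and failed attempts.
$rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete'
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    $Account, $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

# -Audit makes Get-Acl return the SACL as well as the permission entries.
$acl = Get-Acl -Path $KeyPath -Audit

if ($Remove) {
    # Drop the entry again so the Security log does not fill up.
    [void]$acl.RemoveAuditRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
    return
}

# Phase I: enable object-access auditing for the registry.
# Without this policy the audit entry on the key produces no events.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable

# Phase II: add the audit entry to the key.
$acl.AddAuditRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# Phase III: read recent registry audit events that mention the key.
# 4656 = handle requested (denied attempts are logged here as failures),
# 4657 = registry value modified, 4663 = object access attempted.
$leaf = Split-Path -Path $KeyPath -Leaf
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4657, 4663 } `
        -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$leaf*" } |
    Format-List TimeCreated, Id, Message
```

Events appear only for access that happens after both the policy and the audit entry are in place, so re-run the Phase III query once the key has been touched.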