How enable only alert for change in the Registry Key Value

 
How enable only alert for change in the Registry Key Value - 6.Aug.2008 9:24:56 AM   
mobi_khan

 

Hi,

I wanted to configure the GFI so that I get an alert only if the user changes the registry value "Start"=4 under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR. I have enabled auditing for this registry key and selected "set value". But I am not getting the alert for this.

OK, but when I enabled the following auditing entries:

1. Notify

2. Write DAC

3. Write Owner

4. Enumerate Subkeys

I am getting the following alert:

 
Object Open:
Object Server: Security
Object Type: Key
Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\USBSTOR
Handle ID: 304
Operation ID: {0,1316420437}
Process ID: 768
Image File Name: C:\WINDOWS\regedit.exe
Primary User Name: mubashir.ismail
Primary Domain: SENSYS
Primary Logon ID: (0x0,0x346DE)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: Enumerate sub-keys

Privileges: -
Restricted Sid Count: 0
SENSYS\mubashir.ismail SS01-CPU-032 Security 7:18:08 PM Critical SS01-CPU-032 8/6/2008


One more thing: you will see that in the Object Name it's not "ControlSet" but "ControlSet001". Why is that so?
 
I just want to get the alert if the value of "Start" changes from 4 to any other value. How can I do that? Please guide me in this regard.
Post #: 1
RE: How enable only alert for change in the Registry Ke... - 8.Aug.2008 9:03:06 AM   
DrewE

 

CurrentControlSet is typically an alias for a ControlSet00x key. This re-mapping is generally transparent to the user. When the auditing is set to 'set value', do you see any events in the Windows event log?

_____________________________

Drew Easley - Technical Support Representative
GFI Software - www.gfi.com

(in reply to mobi_khan)
Post #: 2
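
Added example, not part of the thread and not GFI EventsManager's own logic: a Python filter over the Object Open event text from the first post. It maps the ControlSet001 object name back to CurrentControlSet (the alias described in the reply) and matches only when the handle requested set-value access. The access string "Set key value", the default `current_set=1` (on a live system the number is stored in HKLM\SYSTEM\Select, value Current) and the second sample event are assumptions or constructed; the event records the access requested when the key was opened, not the new value of "Start".

```python
import re

# Event text from the post (trimmed), plus a constructed variant below.
EVENT_FROM_POST = r"""Object Open:
Object Type: Key
Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\USBSTOR
Image File Name: C:\WINDOWS\regedit.exe
Primary User Name: mubashir.ismail
Accesses: Enumerate sub-keys

Privileges: -
"""
# Constructed: same event, but the handle was opened with set-value access.
EVENT_SET_VALUE = EVENT_FROM_POST.replace(
    "Accesses: Enumerate sub-keys", "Accesses: Query key value\n\tSet key value")

WATCHED = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR"
WRITE_ACCESS = "set key value"  # assumed display text of the "Set Value" audit entry


def parse_event(text):
    """Split 'Field: value' lines; lines without a field name continue the last field."""
    fields, last = {}, None
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+):\s*(.*)$", line)
        if m and not line[0].isspace():
            last = m.group(1).strip()
            fields[last] = [m.group(2).strip()] if m.group(2).strip() else []
        elif line.strip() and last:
            fields[last].append(line.strip())
    return fields


def normalize_key(object_name, current_set=1):
    """Rewrite the kernel path to the CurrentControlSet form if it names the current set."""
    path = re.sub(r"^\\REGISTRY\\MACHINE", "HKEY_LOCAL_MACHINE", object_name, flags=re.I)
    return re.sub(r"\\ControlSet%03d(?=\\|$)" % current_set,
                  r"\\CurrentControlSet", path, count=1, flags=re.I)


def should_alert(text, current_set=1):
    """True only for a Key open on the watched key that requested set-value access."""
    f = parse_event(text)
    name = normalize_key(" ".join(f.get("Object Name", [])), current_set)
    accesses = {a.lower() for a in f.get("Accesses", [])}
    return (f.get("Object Type") == ["Key"]
            and name.lower() == WATCHED.lower() and WRITE_ACCESS in accesses)


if __name__ == "__main__":
    print(should_alert(EVENT_FROM_POST), should_alert(EVENT_SET_VALUE))
```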