Audit activity on a registry key

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To audit activity on a registry key

  1. Open Registry Editor.

  2. Click the key you want to audit.

  3. On the Edit menu, click Permissions.

  4. Click Advanced, and then click the Auditing tab.

  5. Double-click the name of a group or user.

  6. Under Access, select or clear the Successful and Failed check boxes for the activities that you want to audit or to stop auditing:

    Select              To audit

    Query Value         Any attempts to read an entry from a registry key
    Set Value           Any attempts to set entries in a registry key
    Create Subkey       Any attempts to create subkeys on a selected registry key
    Enumerate Subkeys   Any attempts to identify the subkeys of a registry key
    Notify              Any notification events from a key in the registry
    CreateLink          Any attempts to create a symbolic link in a particular key
    Delete              Any attempts to delete a registry object
    Write DAC           Any attempts to write a discretionary access control list on the key
    Write Owner         Any attempts to change the owner of the selected key
    Read Control        Any attempts to open the discretionary access control list on a key

Caution

  • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on your computer.

Notes

  • To open Registry Editor, click Start, click Run, type regedit, and then click OK.

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

  • If your computer is connected to a network, network policy settings might prevent you from completing this procedure.

  • You must first add users and groups before specifying the events to audit.

  • Auditing activity can slow the computer down significantly. Consider auditing only failures, and not successes.
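
The same audit entry can be set from a script. The following is an added example, not part of the original Help topic: it assumes Windows PowerShell 2.0 or later is installed and run from an elevated session, and the key path and audited group are hypothetical placeholders. It maps the check-box names in the table above to .NET RegistryRights values and audits failures only, as the last note suggests.

```powershell
# Added example, not from the original Help topic.
# Assumptions: Windows PowerShell 2.0 or later, an elevated session, and a
# hypothetical key and group; replace both before use.
$keyPath  = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'   # hypothetical key
$identity = 'BUILTIN\Users'                              # group or user to audit

# Check-box names from the Access list mapped to .NET RegistryRights members.
$accessMap = @{
    'Query Value'       = 'QueryValues'
    'Set Value'         = 'SetValue'
    'Create Subkey'     = 'CreateSubKey'
    'Enumerate Subkeys' = 'EnumerateSubKeys'
    'Notify'            = 'Notify'
    'CreateLink'        = 'CreateLink'
    'Delete'            = 'Delete'
    'Write DAC'         = 'ChangePermissions'
    'Write Owner'       = 'TakeOwnership'
    'Read Control'      = 'ReadPermissions'
}

# Activities to audit: changes to values, subkeys, permissions, and ownership.
$selected = 'Set Value', 'Create Subkey', 'Delete', 'Write DAC', 'Write Owner'
$names    = $selected | ForEach-Object { $accessMap[$_] }
$rights   = [System.Security.AccessControl.RegistryRights]($names -join ', ')

# Failed attempts only, to limit the performance cost of auditing.
$flags     = [System.Security.AccessControl.AuditFlags]::Failure
$inherit   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$ruleArgs  = $identity, $rights, $inherit, $propagate, $flags
$rule      = New-Object System.Security.AccessControl.RegistryAuditRule -ArgumentList $ruleArgs

if (-not (Test-Path -Path $keyPath)) { throw "Registry key not found: $keyPath" }

# -Audit loads the key's audit list (SACL) in addition to its permissions.
$acl = Get-Acl -Path $keyPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Read the audit list back to confirm the new entry.
(Get-Acl -Path $keyPath -Audit).Audit |
    Format-Table IdentityReference, RegistryRights, AuditFlags -AutoSize
```

The entries produce events in the Security log only when the Audit object access policy is enabled for the matching outcome (success or failure).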

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Add users or groups to the Audit list
Remove a user or group from the Audit list