How to Manually Implement Auditing of Exchange Server Registry Keys

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

 

Applies to: Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

To manually implement auditing of Exchange Server 2007 registry keys, you must complete the following steps for each registry entry that is listed in the "Exchange Registry Keys for auditing Exchange Server 2007" table. Complete the applicable steps depending on the operating system that is running Exchange Server 2007.

To implement Exchange registry auditing in Windows Server 2003

  1. On the computer that is running Exchange Server, run regedt32.

  2. Note the first registry subkey that is listed in the Exchange Registry Keys for auditing Exchange Server 2007 table.

  3. In Registry Editor, navigate to the noted registry subkey, right-click the subkey and then click Permissions.

  4. Click Advanced, and then on the Auditing tab, click Add.

  5. In the Enter the object name to select box, type everyone, click Check Names, and then click OK.

  6. In the Apply onto list, click This key and subkeys.

  7. In the Access area, click to select the Successful check box and the Failed check box for Set Value, Create Subkey, Delete, Write DAC, and Write Owner.

  8. Click OK three times.

  9. Repeat steps 1 to 8 for each registry subkey that is listed in the Exchange Registry Keys for auditing Exchange Server 2008 table, and then close Registry Editor.

To implement Exchange registry auditing in Windows Server 2008

  1. On the computer that is running Exchange Server, run regedt32.

  2. Note the first registry subkey that is listed in the Exchange Registry Keys for auditing Exchange Server 2008 table.

  3. In Registry Editor, navigate to the noted registry subkey, right-click the key and then click Permissions.

  4. Click Advanced, and then on the Auditing tab, click Add.

  5. In the Enter the object name to select box, type everyone, click Check Names, and then click OK.

  6. In the Apply onto list, click This key and subkeys.

  7. In the Access area, click to select the Successful check box and the Failed check box for Set Value, Create Subkey, Delete, Change Permissions, and Take Ownership.

  8. Click OK three times.

  9. Repeat steps 1 to 8 for each registry subkey that is listed in the Exchange Registry Keys for auditing Exchange Server 2007 table, and then close Registry Editor., and then close Registry Editor.

Exchange Registry Keys for auditing Exchange Server 2007

HKLM\System\CurrentControlSet\Services\MSExchange ActiveSync

HKLM\System\CurrentControlSet\Services\MSExchange AD RMS Prelicensing Agent

HKLM\System\CurrentControlSet\Services\MSExchange ADAccess

HKLM\System\CurrentControlSet\Services\MSExchange Anti-spam Update

HKLM\System\CurrentControlSet\Services\MSExchange Antispam

HKLM\System\CurrentControlSet\Services\MSExchange Assistants

HKLM\System\CurrentControlSet\Services\MSExchange Autodiscover

HKLM\System\CurrentControlSet\Services\MSExchange Availability

HKLM\System\CurrentControlSet\Services\MSExchange Availability Service

HKLM\System\CurrentControlSet\Services\MSExchange Calendar Attendant

HKLM\System\CurrentControlSet\Services\MSExchange Cluster

HKLM\System\CurrentControlSet\Services\MSExchange Common

HKLM\System\CurrentControlSet\Services\MSExchange Connection Filtering Agent

HKLM\System\CurrentControlSet\Services\MSExchange Content Filter Agent

HKLM\System\CurrentControlSet\Services\MSExchange EdgeSync

HKLM\System\CurrentControlSet\Services\MSExchange Extensibility

HKLM\System\CurrentControlSet\Services\MSExchange Extensibility Agents

HKLM\System\CurrentControlSet\Services\MSExchange IMAP4

HKLM\System\CurrentControlSet\Services\MSExchange Journaling Agent

HKLM\System\CurrentControlSet\Services\MSExchange Managed Folder Assistant

HKLM\System\CurrentControlSet\Services\MSExchange Management Application

HKLM\System\CurrentControlSet\Services\MSExchange Messaging Policies

HKLM\System\CurrentControlSet\Services\MSExchange OWA

HKLM\System\CurrentControlSet\Services\MSExchange POP3

HKLM\System\CurrentControlSet\Services\MSExchange Process Manager

HKLM\System\CurrentControlSet\Services\MSExchange Protocol Analysis Agent

HKLM\System\CurrentControlSet\Services\MSExchange Protocol Analysis Background Agent

HKLM\System\CurrentControlSet\Services\MSExchange Recipient Cache

HKLM\System\CurrentControlSet\Services\MSExchange Recipient Filter Agent

HKLM\System\CurrentControlSet\Services\MSExchange Repl

HKLM\System\CurrentControlSet\Services\MSExchange Replica Seeder

HKLM\System\CurrentControlSet\Services\MSExchange Replication

HKLM\System\CurrentControlSet\Services\MSExchange Resource Booking

HKLM\System\CurrentControlSet\Services\MSExchange Search Indexer

HKLM\System\CurrentControlSet\Services\MSExchange Search Indices

HKLM\System\CurrentControlSet\Services\MSExchange Secure Mail Transport

HKLM\System\CurrentControlSet\Services\MSExchange Sender Filter Agent

HKLM\System\CurrentControlSet\Services\MSExchange Sender Id Agent

HKLM\System\CurrentControlSet\Services\MSExchange Store Driver

HKLM\System\CurrentControlSet\Services\MSExchange Store Interface

HKLM\System\CurrentControlSet\Services\MSExchange System Attendant Mailbox

HKLM\System\CurrentControlSet\Services\MSExchange Topology

HKLM\System\CurrentControlSet\Services\MSExchange Transport Rules

HKLM\System\CurrentControlSet\Services\MSExchange TransportService

HKLM\System\CurrentControlSet\Services\MSExchange Unified Messaging

HKLM\System\CurrentControlSet\Services\MSExchange Update Agent

HKLM\System\CurrentControlSet\Services\MSExchange Web Services

HKLM\System\CurrentControlSet\Services\MSExchangeADTopology

HKLM\System\CurrentControlSet\Services\MSExchangeAL

HKLM\System\CurrentControlSet\Services\MSExchangeAntispamUpdate

HKLM\System\CurrentControlSet\Services\MSExchangeEdgeSync

HKLM\System\CurrentControlSet\Services\MSExchangeEdgeSync Job

HKLM\System\CurrentControlSet\Services\MSExchangeEdgeSync Topology

HKLM\System\CurrentControlSet\Services\MSExchangeFBPublish

HKLM\System\CurrentControlSet\Services\MSExchangeFDS

HKLM\System\CurrentControlSet\Services\MSExchangeFDS:OAB

HKLM\System\CurrentControlSet\Services\MSExchangeFDS:UM

HKLM\System\CurrentControlSet\Services\MSExchangeImap4

HKLM\System\CurrentControlSet\Services\MSExchangeIS

HKLM\System\CurrentControlSet\Services\MSExchangeMailboxAssistants

HKLM\System\CurrentControlSet\Services\MSExchangeMailSubmission

HKLM\System\CurrentControlSet\Services\MSExchangeMonitoring

HKLM\System\CurrentControlSet\Services\MSExchangeMU

HKLM\System\CurrentControlSet\Services\MSExchangePop3

HKLM\System\CurrentControlSet\Services\MSExchangeRepl

HKLM\System\CurrentControlSet\Services\MSExchangeSA

HKLM\System\CurrentControlSet\Services\MSExchangeSearch

HKLM\System\CurrentControlSet\Services\MSExchangeServiceHost

HKLM\System\CurrentControlSet\Services\MSExchangeTransport

HKLM\System\CurrentControlSet\Services\MSExchangeTransport Batch Point

HKLM\System\CurrentControlSet\Services\MSExchangeTransport Database

HKLM\System\CurrentControlSet\Services\MSExchangeTransport DSN

HKLM\System\CurrentControlSet\Services\MSExchangeTransport Dumpster

HKLM\System\CurrentControlSet\Services\MSExchangeTransport Pickup

HKLM\System\CurrentControlSet\Services\MSExchangeTransport Queues

HKLM\System\CurrentControlSet\Services\MSExchangeTransport Resolver

HKLM\System\CurrentControlSet\Services\MSExchangeTransport Routing

HKLM\System\CurrentControlSet\Services\MSExchangeTransport SmtpReceive

HKLM\System\CurrentControlSet\Services\MSExchangeTransport SmtpSend

HKLM\System\CurrentControlSet\Services\MSExchangeTransportLogSearch

HKLM\System\CurrentControlSet\Services\MSExchangeUM

HKLM\System\CurrentControlSet\Services\MSExchangeUMAutoAttendant

HKLM\System\CurrentControlSet\Services\MSExchangeUMAvailability

HKLM\System\CurrentControlSet\Services\MSExchangeUMCallAnswer

HKLM\System\CurrentControlSet\Services\MSExchangeUMClientAccess

HKLM\System\CurrentControlSet\Services\MSExchangeUMFax

HKLM\System\CurrentControlSet\Services\MSExchangeUMGeneral

HKLM\System\CurrentControlSet\Services\MSExchangeUMPerformance

HKLM\System\CurrentControlSet\Services\MSExchangeUMSubscriberAccess

HKLM\System\CurrentControlSet\Services\MSExchangeWS

HKLM\SYSTEM\CurrentControlSet\Services\msftesql-Exchange

HKLM\SYSTEM\CurrentControlSet\Services\msftesqlFD-Exchange

HKLM\SYSTEM\CurrentControlSet\Services\msftesqlIDX-Exchange

For more information about auditing Exchange Server 2007, view the following White Paper: White Paper - Auditing Configuration Changes for Exchange 2007 Organizations.