Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Registry Auditing page

Previous Next

Registry Auditing page

The Registry Auditing page is displayed when Registry is selected from the Auditing task list in the navigation pane of the Administration Tasks page. From this page you can launch the Registry Auditing wizard to specify a registry key to be audited. You can also edit existing templates, disable/enable templates and remove templates that are no longer being used.

The Registry Auditing page contains an expandable view of all the Registry Auditing templates that have been previously defined. To add a new template to the list, use the Add tool bar button. Once added, the following information is provided for the template:

Template

Displays the name assigned to the template when it was created.

Status

Indicates whether the template is enabled or disabled. To enable/disable the template, place your cursor in this Status cell, click the arrow control and select the appropriate option from the drop-down menu.

Registry Keys

This field is used for filtering data.

Click the expansion box to the left of the Template name to expand this view and display additional details about an auditing template.

Registry Key

Displays the name of the file path for the registry key in the HKEY_LOCAL_MACHINE hive which was selected for auditing on the Key page of the wizard.

Status

Indicates whether auditing of the registry key is enabled or disabled. To enable/disable the auditing of the registry key, place your cursor in this Status cell, click the arrow control and select the appropriate option from the drop-down menu.

Scope

Displays the scope selected for this template on the Key page of the wizard:
This object only
This object and child objects only
This object and all child objects
Value

If applicable, this column displays the specific value selected for auditing (only applies to This object and child objects only scope).

Operations

Displays the events selected for auditing on the Events page of the wizard. Hover your mouse over this cell to view all of the events included in the template.

Exclude

Displays the names of the sub keys to be excluded from auditing as specified on the Exclusions tab of the wizard.

Registry Auditing templates

Previous Next

Registry Auditing templates

* 
NOTE: The cells directly under the main heading rows are used for filtering data. That is, as you enter characters into these cells, the client will redisplay the templates that meet the search criteria (i.e., comparison operator and characters entered). For more details about using the data filtering function provided throughout the Change Auditor client, see Filter data.

To enable custom registry auditing you must create a Registry Auditing template which specifies the registry keys and events to audit. You can then assign this template to an agent configuration, which then needs to be assigned to the appropriate agents.

To create a Registry Auditing template:
1
Open the Administration Tasks tab and click Auditing.
2
Select Registry (under the Server heading in the Auditing task list) to open the Registry Auditing page.
3
Click Add to start the Registry Auditing wizard which will step you through the process of creating a Registry Auditing template.
4
Enter a name for the template.
5
Enter or use one of the Browse options to locate and select the registry key in the HKEY_LOCAL_MACHINE hive to be audited.
Selecting the Browse | Local Registry option displays the Select registry key dialog allowing you to select a registry key from the local server.
Selecting the Browse | Remote Registry option displays the Select Active Directory Object dialog allowing you to select the server whose registry you would like to browse. Use the Browse or Search pages to locate and select the server. On the Select registry key dialog select the registry key to be audited.

Once you have selected the registry key to be audited, click Add to add it to the selection list.

Repeat this step to add additional registry keys to the template.

6
For each registry key listed, select the key in the list and perform steps 8 - 11 to specify the scope, events, values and optionally any sub keys that are to be excluded.
7
In the Scope cell, use the drop-down menu to select the scope of coverage:
This object only
This object and child objects only
This object and all child objects (default)
8
On the Events tab select the key and value events that are to be included in the audit.
* 
NOTE: Selecting the Key Events or Value Events check box at the top of the events list on the Events tab will select all of the events listed under the heading. Similarly, clearing the check boxes will clear all of the selected events.
9
If you selected the This object and child objects only option in the Scope cell, you can also specify a specific value for the selected key. To audit a specific value, open the Value tab and enter the value in the text box provided.
10
(Optional) On the Exclusions tab, add the names of any sub keys to be excluded from auditing. Use one of the Browse options to locate and select a sub key under the selected registry key to be excluded from auditing:
Selecting Browse | Local Registry displays the Select registry key dialog allowing you to select a sub key from the local server.
Selecting Browse | Remote Registry displays the Select Active Directory Object dialog allowing you to select the server whose registry you would like to browse. Use the browse or search pages to locate and select the server. From the Select registry key dialog, select the sub key to be excluded.
* 
NOTE: If you select a sub key that does not belong to the selected registry key, the wizard will not allow you to continue. A red flashing icon is displayed indicating that you have selected a sub key outside of the selected registry key.

You can also enter the name of the sub key to be excluded or use a file mask to select a group of sub keys. A file mask can contain any combination of the following:
Fixed characters such as letters, numbers and other characters allowed in sub key names.
Asterisk (*) wildcard character to substitute zero or more characters.
Question mark (?) wildcard character to substitute a single character.

Once you have specified a sub key for exclusion, click Add to add it to the Exclusions list at the bottom of the page.

Repeat this step to add additional sub keys to the Exclusions list.

11
To create the template without assigning it to an agent configuration, click Finish.

Clicking Finish creates the template, closes the wizard and returns to the Registry Auditing page, where the newly created template will now be listed.

12
To create the template and assign it to an agent configuration, expand Finish and click Finish and Assign to Agent Configuration.

This will display the Configuration Setup dialog allowing you to select the agent configuration to which this template is to be assigned.

* 
NOTE: On the Auditing page, you can also use the Assign tool bar button to assign the selected template to an agent configuration. Clicking this button will display the Configuration Setup dialog allowing you to select the agent configuration to which this template is to be assigned.
13
On the Agent Configuration page, select the agents assigned to use the modified agent configuration and click Refresh Configuration to ensure the agents use the latest configuration.
To modify a Registry Auditing template:
* 
NOTE: If you do not refresh the agent’s configuration, the agent will automatically check for a new agent configuration based on the polling interval setting (located on the System Settings tab of the Configuration Setup dialog). The default is every 15 minutes.
1
On the Registry Auditing page, select the registry key whose properties are to be modified, and click Edit.
2
This displays the Registry Auditing wizard, where you can modify the following properties:
Registry key
Scope
Events (Events tab)
Value (Value tab)
Excluded sub keys (Exclusions tab)
3
Once you have made your modifications, click Finish or expand Finish and click Finish and Assign to Agent Configuration.
To disable a Registry Auditing template:

Disabling allows you to temporarily stop auditing the specified registry key without having to remove the auditing template or individual registry key from an active template.

1
On the Auditing page, place your cursor in the Status cell for the template to be disabled, click the arrow control and select Disabled.

The entry in the Status column for the template will change to ‘Disabled’.

2
To re-enable the auditing template, use the Enable option in either the Status cell or right-click menu.
To disable the auditing of a registry key in an auditing template:
1
On the Registry Auditing page, place your cursor in the Status cell for the registry key to be disabled, click the arrow control and select Disabled from the drop-down menu

The entry in the Status column for the registry key will change to ‘Disabled’.

2
To re-enable the auditing of a registry key, use the Enable option in either the Status cell or right-click menu.
To delete a Registry Auditing template:
1
On the Auditing page, select the template to delete and click Delete | Delete Template.
2
A dialog will be displayed confirming that you want to delete the selected template. Click Yes.
To delete a registry key from an auditing template:
1
On the Registry Auditing page, select the registry key to delete and click Delete | Delete Registry Key
2
A dialog will be displayed confirming that you want to delete the registry key from the template. Click Yes.
* 
NOTE: If the registry key is the last one in the template, deleting this registry key will also delete the template.

Registry Auditing wizard

Previous Next

Registry Auditing wizard

The Registry Auditing wizard displays when you click Add on the Registry Auditing page. From this wizard, select the registry key to be audited as well as the events to be audited.

The following table provides a description of the fields and controls in the Registry Auditing wizard.

 
* 
NOTE: A red flashing icon indicates that you have not yet entered the required information. Hovering your cursor over this icon displays a tool tip explaining what needs to be entered. A green check mark indicates that the required information has been specified and you are ready to proceed.
 

Table 1. Registry Auditing wizard

Create or modify a Registry Auditing Template page

Use the first page of the wizard to enter a name for the template and select the registry keys to audit.

Template Name

Enter a descriptive name for the Registry Auditing template being created.

Registry key in the HKEY_LOCAL_MACHINE hive

Enter or use one of the browse options to select the registry key in the HKEY_LOCAL_MACHINE hive to be audited.

Expand the browse button to browse for and select a registry key:
Local Registry - select this option to browse and select a registry key from the local computer
Remote Registry - select this option to browse and select a registry key from a remote server. Selecting this option displays the Select Active Directory Object dialog allowing you to select the server whose registry you would like to browse. Use the browse or search pages to locate and select the server.
NOTE: Make sure that the selected remote computer is on the network, has remote administration enabled and that both computers are running the remote registry service. If the remote computer does not allow remote admin access, a message will be displayed explaining that you need to select a different server.

Registry Keys list

The list box located across the middle of the page displays the registry keys to be included in the Registry Auditing template. Use the Add and Remove buttons to control the contents of this list:
Add - Use this to add the specified registry key to the template.
Remove - Select a registry key from the list and click the Remove button to remove the selected registry key from the template.

Use the drop-down box in the Scope cell of the list box to specify the scope of coverage:
This object only - select this option to audit only this key, not its values or sub keys.
This object and child objects only - select this option to audit this key, its values and direct sub keys only. This is not recursive.
This object and all child objects - select this option to audit this key, all sub keys and all values. (Default)

Select a key in this list to enable the corresponding Events, Value and Exclusions tabs at the bottom of this page.

Events tab

Use the Events tab to select the type of events (e.g., registry key added, registry key deleted) that are to be audited for the selected registry key. The contents of this tab is based on the entry selected above in the Registry Keys list.

Key Events

Select the Key events to audit. Select the Key Events check box to select all of the Key events listed or select individual events from the list.

Value Events

Select the Value events to audit. Select the Value Events check box to select all of the Value events listed or select individual events from the list.

Value tab

If you selected the This object and child objects only option in the Scope cell, this additional tab will be displayed allowing you to enter a specific value to be audited for the selected key.

Audit a specific value

Enter the value to be audited for the selected key.

Exclusions tab (Optional)

Use the Exclusions tab to exclude sub keys in the selected registry key from being audited.

Add the sub keys to exclude from auditing

To exclude a sub key in the selected registry key from being audited, expand the browse button and select one of the browse options to browse either the local or remote server for the sub key.

You can also enter the name of the sub key to be excluded from auditing. Use a file mask to select a group of sub keys. A file mask can contain any combination of the following:

Fixed characters such as letters, numbers and other characters allowed in the name of sub keys.
Asterisk (*) wildcard character to substitute zero or more characters.
Question mark (?) wildcard character to substitute a single character.

Once you have specified a sub key for exclusion, click the Add button to add it to the Excluded Keys list at the bottom of the page.

Expand the browse button and select one of the following options:
Local Registry - select this option to select a sub key from the local server.
Remote Registry - select this option to select a sub key from a remote registry. Selecting this option displays the Select Active Directory Object dialog allowing you to select the server whose registry you would like to browse. Use the browse or search pages to locate and select the server.
NOTE: Make sure that the selected remote computer is on the network, has remote administration enabled and that both computers are running the remote registry service. If the remote computer does not allow remote admin access, a message will be displayed explaining that you need to select a different server.

Excluded Keys list

The list across the bottom of this page contains the sub keys that are to be excluded from auditing. Use the Add and Remove buttons to add and remove entries.
Add - Use the Add button to add the specified sub key to the Excluded Keys list.
Remove - Select an entry in the Excluded Keys list and click the Remove button to remove it.

Service Auditing

Previous Next

Service Auditing
Introduction
Services Auditing page
Service Auditing templates
Service Auditing wizard
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating