- Logon ID of the session that made the change
- Event number of the event describing the change
- Processes that initiated the change; ignore for changes that were initiated remotely
- Name of the registry value that was added, removed or modified
- Path of the value that was added, removed or modified; always starts with `\REGISTRY\`

Determines which registry activity will be picked up. Configure whether all registry changes that are audited by the operating system are processed by EventSentry ("Monitor everything"), whether certain paths should be excluded ("Exclude paths listed below") or whether only select paths should be monitored ("Monitor only paths listed below").

Registry path filters need to match the format used in event 4657 and generally start with `\REGISTRY\`, for example:
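The following Python code is an added example, not EventSentry code: it converts familiar `HKLM\...` style paths into the `\REGISTRY\` form that event 4657 uses and applies the three monitoring modes described above. The function names, the sample SID and object names, and the matching rule (case-insensitive, a filter covers a key and everything beneath it) are assumptions; the page does not state how EventSentry compares filters.

```python
# Added example, not EventSentry code. Assumed matching rule: a filter covers
# a key and everything beneath it, compared case-insensitively.
HIVES = {
    "HKLM": r"\REGISTRY\MACHINE", "HKEY_LOCAL_MACHINE": r"\REGISTRY\MACHINE",
    "HKU": r"\REGISTRY\USER", "HKEY_USERS": r"\REGISTRY\USER",
}
PER_USER = {"HKCU", "HKEY_CURRENT_USER"}  # resolves to \REGISTRY\USER\<SID>


def to_kernel_path(path, sid=None):
    """Return the path in the form event 4657 reports it."""
    path = path.strip().rstrip("\\")
    if (path.upper() + "\\").startswith("\\REGISTRY\\"):
        return path  # already in event 4657 form
    hive, _, rest = path.partition("\\")
    hive = hive.rstrip(":").upper()  # accept PowerShell-style "HKLM:"
    if hive in PER_USER:
        if not sid:
            raise ValueError("HKCU is per-user; supply the account SID")
        root = HIVES["HKU"] + "\\" + sid
    elif hive in HIVES:
        root = HIVES[hive]
    else:
        raise ValueError(f"unsupported hive: {hive!r}")
    return root + "\\" + rest if rest else root


def matches(object_name, filter_path):
    obj = object_name.upper().rstrip("\\")
    flt = to_kernel_path(filter_path).upper()
    return obj == flt or obj.startswith(flt + "\\")  # stop at a key boundary


def is_monitored(object_name, mode, paths=()):
    if mode == "Monitor everything":
        return True
    hit = any(matches(object_name, p) for p in paths)
    if mode == "Exclude paths listed below":
        return not hit
    if mode == "Monitor only paths listed below":
        return hit
    raise ValueError(f"unknown mode: {mode!r}")

# Constructed sample object names, shaped like event 4657's Object Name field.
SAMPLES = [
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"\REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\Software\Example",
]
```

A filter written as `HKLM\...\Run` covers the `Run` key but not `RunOnce`, because the comparison stops at a key boundary; under a plain substring match both would be caught.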