bagscas.blogg.se

Process monitor registry changes

I am ashamed to say I have always found the Procmon tool by Sysinternals intimidating to use. This is because I have never taken the time to use and understand the tool. At Ignite 2017 I attended the Sysinternals sessions and thought that is great, these tools could help me. I even purchased the book “Troubleshooting with the Windows Sysinternals Tools”. However, it was not until this week that I opened the book and used the Procmon tool.

I was working on a new Windows 10 deployment where specific settings needed to be disabled. We did not want to use GPO settings because the users needed the ability to change the values. To configure the task sequence, I needed to know the registry key values that were set when disabling options in Windows 10 Settings.

First, I downloaded the newest version of the utility from. Then, because I had downloaded it from the Internet, I opened the file properties and unblocked the file so I could run it. I opened the application, running it as Administrator with elevated privileges. Given that I was only interested in finding registry values, I filtered the view to the registry by de-selecting the icons for file activity, network activity, process and thread activity, and finally profiling events. To start my capture with a clean slate, I stopped the current capture (Ctrl+E), then cleared the display (Ctrl+X).

Determines which registry activity will be picked up.

Configure whether all registry changes that are audited by the Operating System are processed by EventSentry ("Monitor everything"), whether certain paths should be excluded ("Exclude paths listed below") or whether only select paths should be monitored ("Monitor only paths listed below"). Registry path filters need to match the format used in event 4657 and generally start with \REGISTRY\, for example:

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

When in doubt, prefix the registry path with an asterisk, for example:

*\Software\Microsoft\Windows\CurrentVersion\Run

Configure whether registry activity from all processes should be processed ("Any process"), whether certain processes should be excluded ("Exclude Processes listed below") or whether only specific processes should be monitored ("Monitor only processes listed below").

Each registry change that is picked up records the following:

Path of the value that was added, removed or modified; always starts with \REGISTRY\
Name of the registry value that was added, removed or modified
Process that initiated the change (ignore for changes that were initiated remotely)
Logon ID of the session that made the change
Event number of the event describing the change
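As an added example (not EventSentry's or the author's code), the following Python models the path and process filter modes described above and applies them to constructed event 4657-style records; it also shows why the leading asterisk matters, since without it a filter only matches one hive. The wildcard and process-name matching semantics, the sample paths and the process names are all assumptions made for the example.

```python
from fnmatch import fnmatchcase

# Constructed records shaped like the event 4657 fields listed above (sample data, not real events).
SAMPLE_EVENTS = [
    {"path": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "process": r"C:\Windows\regedit.exe", "logon_id": "0x3e7"},
    {"path": r"\REGISTRY\USER\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "process": r"C:\Windows\explorer.exe", "logon_id": "0x5a1b2"},
    {"path": r"\REGISTRY\MACHINE\SOFTWARE\Contoso\App",
     "value": "Setting", "process": r"C:\Program Files\Contoso\app.exe", "logon_id": "0x5a1b2"},
]


def path_matches(path, pattern):
    # Assumption: registry paths are case-insensitive and '*' is a glob wildcard, so a
    # leading '*' covers any hive prefix (\REGISTRY\MACHINE\... or \REGISTRY\USER\<SID>\...).
    return fnmatchcase(path.upper(), pattern.upper())


def process_matches(process_path, name_or_path):
    # Assumption: a process filter entry may be a full image path or just the image name.
    proc = process_path.lower()
    wanted = name_or_path.lower()
    return proc == wanted or proc.endswith("\\" + wanted)


def select_events(events, path_mode="everything", paths=(), process_mode="any", processes=()):
    """Return the events that survive the path and process filters.

    path_mode:    "everything" | "exclude" | "only"  (Monitor everything / Exclude paths / Monitor only paths)
    process_mode: "any" | "exclude" | "only"         (Any process / Exclude processes / Monitor only processes)
    """
    kept = []
    for ev in events:
        path_hit = any(path_matches(ev["path"], p) for p in paths)
        if (path_mode == "exclude" and path_hit) or (path_mode == "only" and not path_hit):
            continue
        proc_hit = any(process_matches(ev["process"], p) for p in processes)
        if (process_mode == "exclude" and proc_hit) or (process_mode == "only" and not proc_hit):
            continue
        kept.append(ev)
    return kept


if __name__ == "__main__":
    # Without the leading '*' only the HKLM Run key matches; with it, each user's Run key matches too.
    for pattern in (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                    r"*\Software\Microsoft\Windows\CurrentVersion\Run"):
        hits = select_events(SAMPLE_EVENTS, "only", [pattern])
        print(pattern, "->", [e["value"] for e in hits])
```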