To audit activity on a registry key

1.

Open Registry Editor

2.

Click the key you want to audit.

3.

On the Edit menu, click Permissions.

4.

Click Advanced, and then click the Auditing tab.

5.

Double-click the name of a group or user.

6.

Under Access, select or clear the Successful and Failed check boxes for the activities that you want to audit or to stop auditing:

Select 

To audit

Query Value 

Any attempts to read a entry from a registry key

Set Value 

Any attempts to set entries in a registry key

Create Subkey 

Any attempts to create subkeys on a selected registry key

Enumerate Subkeys 

Any attempts to identify the subkeys of a registry key

Notify 

Any notification events from a key in the registry

Create Link 

Any attempts to create a symbolic link in a particular key

Delete 

Any attempts to delete a registry object

Write DAC 

Any attempts to write a discretionary access control list on the key

Write Owner 

Any attempts to change the owner of the selected key

Read Control 

Any attempts to open the discretionary access control list on a key

 Caution

Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on your computer.

Note

To open Registry Editor, click Start, click Run, type , and then click OK

You must be logged on as an administrator or a member of the Administrators group to complete this procedure. If your computer is connected to a network, network policy settings may also prevent you from completing this procedure.

You must first add users and groups before specifying the events to audit.

Auditing activity can slow the computer down significantly. Consider auditing only failures, and not successes.

Related Topics

Remove a user or group from the Audit list

Add users or groups to the Audit list



© 2015 Microsoft Corporation. All rights reserved. Contact Us |Terms of Use |Trademarks |Privacy & Cookies