How to enable auditing for Windows registry value changes?
- Increase the Security log size on the affected machine so the audit events are not overwritten, for example to 81920 (Event Viewer > Windows Logs > Security > Properties > Maximum log size; the value is in KB, so 81920 KB is 80 MB).
- Open the policy editor. In the Local Group Policy Editor (gpedit.msc) the path is Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy; in a domain GPO (GPMC) it is Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy. Set "Audit object access" and "Audit process tracking" to Success and Failure. Note that if Advanced Audit Policy Configuration is in use, its settings override these legacy ones; in that case enable Object Access > Audit Registry there instead.
- Run gpupdate /force on the affected machine to apply the policy, then run auditpol /get /category:* and confirm that Object Access (or the Registry subcategory under it) shows Success and Failure.
- In Registry Editor (regedit.exe), right-click the registry key whose value is being changed and choose Permissions.
- On the Security tab, choose Advanced.
- On the Auditing tab, choose Continue if prompted, then choose Add.
- Choose Select a principal, type Everyone, choose Check Names, and choose OK.
- Set Type to All, tick the value-change-related permissions (at minimum Set Value; add Create Subkey and Delete if those changes matter too), then click OK on each dialog.
- Once something changes under the audited key, registry-related events appear in the Security log: 4657 ("A registry value was modified", which records the value name and the old and new data), 4663 ("An attempt was made to access an object") and, for deletions, 4660 ("An object was deleted"). Each event names the account and the process (ProcessName) that made the change.
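The same procedure as a script, added here as an example and not part of the original answer: it enlarges the Security log, enables the Registry audit subcategory with auditpol, writes the SACL with Get-Acl/Set-Acl instead of clicking through regedit, makes a test change and then pulls the resulting 4657/4663/4660 events. The key HKLM:\SOFTWARE\Contoso\Demo, the value name Setting and the test write are assumptions constructed for the demo; replace them with the key that is actually being changed. Run it from an elevated PowerShell session, because reading or writing a SACL requires SeSecurityPrivilege.

```powershell
# Added example (not from the original answer): end-to-end registry value-change auditing.
# HKLM:\SOFTWARE\Contoso\Demo and the value name 'Setting' are assumptions for the demo.
#Requires -RunAsAdministrator

$keyPath = 'HKLM:\SOFTWARE\Contoso\Demo'   # assumed demo key, created below

# 1. Enlarge the Security log. wevtutil takes the size in bytes; 80 MB = 81920 KB.
wevtutil set-log Security /maxsize:83886080

# 2. Enable auditing. The answer sets the whole Object Access category; the Registry
#    subcategory is the narrower setting that actually produces the registry events.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable
auditpol /get /subcategory:"Registry"   # verify: should report "Success and Failure"

# 3. Put a SACL on the key: audit Everyone for the value-change-related rights
#    (Set Value, Create Subkey, Delete), success and failure, inherited by subkeys.
New-Item -Path $keyPath -Force | Out-Null
$acl  = Get-Acl -Path $keyPath -Audit
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone',
    [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete',
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl
(Get-Acl -Path $keyPath -Audit).Audit |
    Format-Table IdentityReference, RegistryRights, AuditFlags, InheritanceFlags

# 4. Trigger a value change (constructed test write) and read the resulting events.
Set-ItemProperty -Path $keyPath -Name 'Setting' -Value 'changed'
Start-Sleep -Seconds 2

Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4657, 4663, 4660
        StartTime = (Get-Date).AddMinutes(-5)
    } -ErrorAction SilentlyContinue |
  ForEach-Object {
      # Read the named EventData fields from the event XML rather than relying on
      # positional Properties[] indices, which differ between event IDs.
      $data = @{}
      ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
      [pscustomobject]@{
          Time    = $_.TimeCreated
          Id      = $_.Id
          User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
          Process = $data.ProcessName
          Object  = $data.ObjectName          # e.g. \REGISTRY\MACHINE\SOFTWARE\Contoso\Demo
          Value   = $data.ObjectValueName     # populated for 4657 only
          NewData = $data.NewValue            # populated for 4657 only
      }
  } |
  Where-Object { $_.Object -like '*Contoso\Demo*' } |
  Format-Table -AutoSize
```

Two caveats when using this on a managed machine: settings made with auditpol are overwritten at the next Group Policy refresh if a GPO configures audit policy, so persist the change in the GPO rather than only on the host; and auditing Set Value for Everyone on a busy key generates a 4663 for every write, so scope the SACL to the specific key and the rights you need. The 4657 event is the useful one for "who changed this value", since it carries the old and new data alongside the account and process.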