How To Enable The Audit For The Windows Registry Value Change?

  1. On the affected machine, set the Security log size to a large value, such as 81920:

  1. Edit the local policy: go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policies > Audit Object Access and Process Tracking, and set the following policies to Success and Failure.

  1. Run gpupdate /force on the affected machine to update the policy. Then run auditpol /get /category:* to check whether the audit policy has been applied.

  1. Right-click the registry key that has the value change issue and choose Properties.

  1. On the Security tab, choose Advanced.

  1. On the Auditing tab, choose Continue, then choose Add.

  1. Choose Select a principal, type everyone, choose Check, and then choose OK.

  1. Choose Type: All, choose the value-change-related option as below, then click OK.

  1. If something changes in the audited registry key, registry-related events are recorded in the Security log as below:
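
The steps above can also be scripted. The following PowerShell is an added example, not part of the original page. It assumes an elevated Windows PowerShell session on an English-language system, a hypothetical key path, that 81920 is a size in KB, and that the value-change-related option is Set Value; it reads back event ID 4657 ("A registry value was modified").

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the GUI steps above.
# Hypothetical key path; replace with the key that has the value change issue.
$KeyPath = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'

# Log size: wevtutil takes bytes. 81920 is read here as KB (assumption).
$maxBytes = 81920 * 1KB
wevtutil sl Security "/ms:$maxBytes"

# Audit policy: Object Access and Process Tracking ("Detailed Tracking" in
# auditpol), Success and Failure. Category names are the English ones.
auditpol /set /category:"Object Access" /success:enable /failure:enable
auditpol /set /category:"Detailed Tracking" /success:enable /failure:enable
auditpol /get /category:*

# Auditing entry on the key: principal Everyone (well-known SID S-1-1-0),
# Type: All (Success and Failure), right: Set Value (assumption), applied to
# this key and its subkeys.
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$rule = [System.Security.AccessControl.RegistryAuditRule]::new(
    $everyone,
    [System.Security.AccessControl.RegistryRights]::SetValue,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

$acl = Get-Acl -Path $KeyPath -Audit      # -Audit loads the SACL as well
$acl.AddAuditRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# Confirm the entry is present on the key.
(Get-Acl -Path $KeyPath -Audit).Audit | Format-List

# After a value changes, read the registry events from the Security log.
$filter = @{ LogName = 'Security'; Id = 4657 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = $data['SubjectUserName']
            Process = $data['ProcessName']
            Key     = $data['ObjectName']
            Value   = $data['ObjectValueName']
            Old     = $data['OldValue']
            New     = $data['NewValue']
        }
    } | Format-Table -AutoSize
```

The Process and User columns identify what changed the value, which is usually the reason for enabling this audit in the first place.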