Friday, January 25, 2013

Easily audit changes to the registry

You can audit changes made to the registry much the same way you audit changes made to other files on your computer. To enable auditing on the registry, open regedt32. Select the key you want to audit and choose Security | Permissions. In the Permissions dialog box, click Advanced, and select the Auditing tab. On the Auditing property sheet, click Add, and select the users and groups whose actions you want to audit.

After you select the users or groups you want to audit, you’re presented with a list of actions to audit. You may select any or all of these actions, both in the Successful and Failed columns. Keep in mind that the more options you configure, the more events you’re likely to see later in Event Viewer. Also, by default, any auditing options you configure on a key will be inherited by all subkeys unless you select This Key Only in the Apply Onto dropdown list.

After you finish configuring the keys you want to audit, you must enable auditing itself, either through a Group Policy setting applied at the domain or OU level or through a local computer policy. Make sure you’ve enabled Audit Object Access in the policy you apply to the computer.
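The same procedure can be scripted. The following is an added example, not part of the original post: it sets an audit entry on a key, enables Object Access auditing in local policy, and reads back the resulting events. The key path, the audited principal, and the chosen rights are assumptions made for illustration.

```powershell
# Added example: scripted equivalent of the GUI steps. Run in an elevated session.
# Assumptions (not from the post): the key path and the audited principal.
$keyPath  = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'   # hypothetical key
$identity = 'Everyone'                                   # hypothetical principal

# 1. Build the audit entry (the Auditing tab in the Permissions dialog).
#    Rights = the list of actions; AuditFlags = the Successful / Failed columns.
$rights    = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete'
$audit     = [System.Security.AccessControl.AuditFlags]'Success, Failure'
# ContainerInherit makes subkeys inherit the entry (the default behaviour).
# Use [System.Security.AccessControl.InheritanceFlags]::None for "This Key Only".
$inherit   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$propagate = [System.Security.AccessControl.PropagationFlags]::None

$rule = New-Object System.Security.AccessControl.RegistryAuditRule `
    -ArgumentList $identity, $rights, $inherit, $propagate, $audit

# -Audit is required, otherwise Get-Acl returns the descriptor without its SACL.
$acl = Get-Acl -Path $keyPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 2. Enable Audit Object Access in the local policy. A domain or OU Group
#    Policy that configures the same setting takes precedence over this.
auditpol.exe /set /category:"Object Access" /success:enable /failure:enable

# 3. Confirm the entry is on the key.
(Get-Acl -Path $keyPath -Audit).Audit |
    Format-Table IdentityReference, RegistryRights, AuditFlags, InheritanceFlags

# 4. Read the events that Event Viewer shows in the Security log.
#    4657 = a registry value was modified, 4663 = an attempt to access an object.
$leaf = Split-Path -Path $keyPath -Leaf
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657, 4663 } `
        -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$leaf*" } |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
```

Auditing only write-type rights on a narrow key, as here, keeps the Security log volume manageable compared with auditing every action on a large subtree.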

