Channel: Questions in topic: "splunk-enterprise"

Registry Value Monitoring Assistance

Hey guys, so I have another request. I can monitor hives without issue, as directly below: if I were to add anything into this hive it gets picked up. However, when it comes to monitoring a specific value of a String or DWORD then I'm having trouble; see the 2nd example below.

    [WinRegMon://Registry1]
    proc = .*
    hive = \\REGISTRY\\USER\\.*\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\\.*
    type = create|delete|set|rename
    baseline = 1
    index = main

    [WinRegMon://Registry11]
    proc = .*
    hive = \\REGISTRY\\MACHINE\\SYSTEM\\CURRENTCONTROLSET\\CONTROL\\LSA\\Notification Packages.*
    type = create|delete|set|rename
    baseline = 1
    index = main

I also tried with:

    \\NotificationPackages.*
    \\Notification Packages\\.*

If I remove the "Notification Packages" then the stanza does kind of work, in that the baseline is taken of all items within the Lsa hive, but when adding the Notification Packages item I get nothing at all. I have read that I can monitor via the key_path and also process_image; however, I don't want to narrow the changes down to specific processes, and again adding a .* doesn't seem to bring back any values. Can anyone advise of the stanza I would need to only monitor the Notification Packages string within the Lsa hive?
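A quick way to separate "the regex is wrong" from "Splunk is not matching the way I expect" is to run the candidate hive patterns from the post over a few registry paths written the way the forwarder would see them. The script below is an added example, not part of the original post or of Splunk; it assumes (as a labelled assumption) that WinRegMon applies the `hive` regex to the full registry path of the changed key or value, starting at `\REGISTRY\...`. The sample paths are constructed for this test. What it shows independent of Splunk internals: the pattern with the literal space does match the `Notification Packages` value path, the variant without the space cannot match it, the variant with a trailing `\\` only matches children beneath it (a value has none), and the match is case-sensitive unless the engine ignores case, which matters because the real path is `CurrentControlSet\Control\Lsa` in mixed case.

```python
import re

# Constructed sample registry paths, in the shape WinRegMon reports key_path
# (assumption: the hive regex is matched against this full path).
SAMPLE_PATHS = [
    r"\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA\Notification Packages",
    r"\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA\Security Packages",
    r"\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA\Authentication Packages",
    # Same value as the first entry but in the mixed case Windows actually uses.
    r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages",
    # Unrelated path covered by the poster's first (working) stanza.
    r"\REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Updater",
]

# Right-hand sides of "hive =" from the post, plus the two variants tried,
# plus the whole-key form that the poster reports as working.
HIVE_PATTERNS = {
    "lsa_value":        r"\\REGISTRY\\MACHINE\\SYSTEM\\CURRENTCONTROLSET\\CONTROL\\LSA\\Notification Packages.*",
    "lsa_nospace":      r"\\REGISTRY\\MACHINE\\SYSTEM\\CURRENTCONTROLSET\\CONTROL\\LSA\\NotificationPackages.*",
    "lsa_trailing_sep": r"\\REGISTRY\\MACHINE\\SYSTEM\\CURRENTCONTROLSET\\CONTROL\\LSA\\Notification Packages\\.*",
    "lsa_whole_key":    r"\\REGISTRY\\MACHINE\\SYSTEM\\CURRENTCONTROLSET\\CONTROL\\LSA\\.*",
    "run_key":          r"\\REGISTRY\\USER\\.*\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\\.*",
}


def matching_paths(pattern, paths=SAMPLE_PATHS, ignore_case=True):
    """Return the sample paths that the hive regex matches from the start.

    ignore_case=True mimics an engine that ignores case; set it to False to
    see which patterns break on the real mixed-case path.
    """
    flags = re.IGNORECASE if ignore_case else 0
    rx = re.compile(pattern, flags)
    return [p for p in paths if rx.match(p)]


def report(ignore_case=True):
    """Map each pattern name to the number of sample paths it matches."""
    return {name: len(matching_paths(pat, ignore_case=ignore_case))
            for name, pat in HIVE_PATTERNS.items()}


if __name__ == "__main__":
    for case_flag in (True, False):
        print(f"ignore_case={case_flag}")
        for name, pat in HIVE_PATTERNS.items():
            for p in matching_paths(pat, ignore_case=case_flag):
                print(f"  {name:16s} -> {p}")
```

If `lsa_value` matches here but the forwarder still produces nothing, the regex text itself is not the problem and the next things to check on the host are whether the input is enabled and what `splunkd.log` reports for that stanza, rather than rewriting the pattern again.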
