4.30 RegistryChange

Use this Knowledge Script to monitor changes in the registry information on 32-bit and 64-bit Windows systems. This script raises an event if a key or value is added, deleted, or changed in the registry. In addition, this script generates datastreams for registry changes.

From a specified path, this script searches the registry for changes to registry keys and sub-keys. This information can be valuable in helping you understand the behavior and configuration of the computers you are monitoring, but it can also be expensive in terms of processing time. Because each registry level can contain many sub-keys to check, this script can require a significant period of time to run if you check two or three levels deep in the registry tree.

On 64-bit Windows systems, this script can be configured to monitor registry information for 32-bit or 64-bit programs. For example, to monitor changes to:

  • The key that specifies what programs should be run at startup, set the value of the Monitor 32-bit program registry keys on a 64-bit system? parameter to n, and specify the following registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  • Keys associated with a 32-bit application such as AppManager, set the value of the Monitor 32-bit program registry keys on a 64-bit system? parameter to y, and specify the registry key exactly as it would be specified on a 32-bit system. For example:

    HKEY_LOCAL_MACHINE\Software\NetIQ\AppManager\4.0

4.30.1 Resource Objects

Windows 2003 Server or later

4.30.2 Default Schedule

The default schedule for this script is Every 30 minutes.

If you set this script to check sub-key levels, adjust the schedule. For example, if you are checking two or three sub-levels deep, set this script to run once a day during off-peak hours.

4.30.3 Setting Parameter Values

Set the following parameters as needed:

Description

How to Set It

General Settings

Job Failure Notification


Event severity when job fails

Set the event severity level, from 1 to 40, to indicate the importance of an event in which a job fails. The default is 5 (red event indicator).

Event Notification

Raise event when a registry key or value is added, deleted, or changed?

Select Yes to raise an event when a registry key or value is added, deleted, or changed. The default is selected.

Event severity level for registry changes

Set the event severity level, from 1 to 40, to indicate the importance of an event in which a change in the registry occurs. The default is 8 (red event indicator).

Registry Monitoring

Registry Location

Registry Root

Type the registry root. Valid root options are:

  • HKEY_LOCAL_MACHINE

  • HKEY_CLASSES_ROOT

  • HKEY_CURRENT_USER

  • HKEY_USERS

The default is HKEY_LOCAL_MACHINE.

Registry Path

Specify the path to the registry keys to monitor. The default path is SYSTEM\CurrentControlSet\Services.

To specify the path to registry information for a 32-bit or 64-bit program, specify a path under HKEY_LOCAL_MACHINE\Software. Although the registry keys for 32-bit programs on a 64-bit system are stored under the HKEY_LOCAL_MACHINE\Software\Wow6432Node key, do not specify the Wow6432Node component of the path. Instead, specify the path without the Wow6432Node component, and set the value of the Monitor 32-bit program registry keys on a 64-bit system? parameter to y.

NOTE: Use a specific path to the key you want to monitor. Any key can have many sub-levels, and the level specified by this path is always considered level 1.

Search Options

Number of registry subtrees to search

Specify the number of registry subtrees to monitor, from 1 to 5, counting the path itself as level 1. The maximum number of key sub-levels you can monitor is 5. The default is 2.

Registry keys to exclude from monitoring (comma-separated, without spaces)

Specify the registry keys or values to exclude from monitoring. If you enter multiple registry paths, separate them with commas and do not include spaces. This lets you use a higher-level registry path in the Registry Path parameter while directing the Knowledge Script to ignore certain sub-keys or values under that path. Each excluded registry key or value must be given as the full registry path from the root, for example:

SYSTEM\CurrentControlSet\Services\netiqmc\ErrorControl

In this example, the ErrorControl registry value is excluded from monitoring under the netiqmc service registry key.

Monitor 32-bit program registry hive on a 64-bit system?

On a 64-bit Windows system, select Yes to monitor registry information for 32-bit programs. The default is Yes.

Tip: To monitor registry information for both 32-bit programs and 64-bit programs, configure separate Knowledge Script jobs.

Maintain initial key registry information across agent restarts?

Select Yes to have the job retain the information stored from the last job iteration for the monitored registry keys, sub-keys, and values after the job restarts. During the first iteration the job ever runs, it stores a baseline of the current registry key and value information and updates that baseline during each subsequent iteration. If the job is restarted at any point, whether manually or automatically because the agent or the agent computer restarts, this option continues to use the information stored from the last job iteration, so no comparison opportunity is lost after the restart.

To reset the stored baseline registry information using the same NT_RegistryChange job instance, deselect this parameter; the next iteration then takes a new snapshot of the monitored registry keys, sub-keys, and values and uses that snapshot in all subsequent comparisons.

Data Collection


Collect data for changes in monitored registry keys and values?

Select Yes to collect data for charts and reports. If enabled, data collection returns the number of changes to the monitored registry keys and values since the last time the job ran, and the detail message includes specific information about each change. The default is unselected.

4.30.4 Example of How this Script Is Used

This script traverses the registry to check for changes to registry keys and sub-keys. This information can be extremely valuable in understanding the behavior and configuration of the computers you are monitoring but it can also be expensive in terms of processing time. To understand the impact of running this script, consider the following registry example.

If you set the Path name parameter to SYSTEM\CurrentControlSet\Services, the key becomes the first level of monitoring (sub-level 1) and all the keys at that level are checked for changes. If you set the Sub-level parameter to 3 for this job, the script then monitors all the values for all the sub-keys under the SYSTEM\CurrentControlSet\Services key and all the values for the sub-keys under the SYSTEM\CurrentControlSet\Services sub‑key folders. With these settings, you can monitor a large number of key values but might put undue strain on your system.

As you can see in the following example, each sub-key level you monitor can contain many sub‑keys and sub‑key values:

One way to control the number of key values you monitor is by choosing the base path carefully. For example, you can set the Path name to a specific sub‑key such as SYSTEM\CurrentControlSet\Services\EventLog. Depending on the number of sub-keys under the base path, however, you might also need to consider how best to set the sub-level parameter.

For example, if you set the Path name to SYSTEM\CurrentControlSet\Services\EventLog and the Sub‑level parameter to 3, the EventLog key becomes sub-level 1 and is checked for changes to values. The EventLog key contains the Application, Security, and System sub-keys, which as sub-level 2, are checked for new keys and values. Each of these sub-level 2 keys branches further, yielding dozens more keys at sub-level 3, each with values to check.

Because the number of monitored values can expand quickly, consider either narrowing the key path and the number of sub-levels to check, or lengthening the monitoring interval, so that this script runs effectively.
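The following Python model illustrates the comparison described in the parameter table (baseline snapshot, exclusion list, the Wow6432Node handling for 32-bit jobs) and the level-counting explained in this example section. It is an added illustration written for this page, not NetIQ's Knowledge Script code: the registry is modelled as nested dictionaries with constructed sample contents, the assumption that the script inserts the Wow6432Node component for a 32-bit job under HKEY_LOCAL_MACHINE\Software is modelled rather than taken from the product, and exclusions are matched against the resolved path. It shows that the Registry Path itself is level 1, that values one level deeper than the configured depth are neither recorded nor reported, and how the count of monitored keys and values grows per level.

```python
"""Model of the RegistryChange comparison (added illustration, not NetIQ code).
A dict represents a registry key; any other value represents a registry value."""
import copy
from collections import defaultdict

# Constructed sample hive; all key names and values are invented for this example.
SAMPLE_REGISTRY = {"HKEY_LOCAL_MACHINE": {
    "SYSTEM": {"CurrentControlSet": {"Services": {
        "netiqmc": {"ErrorControl": 1, "Start": 2, "Type": 16, "Parameters": {"Port": 9998}},
        "EventLog": {
            "Application": {"MaxSize": 524288,
                            "Sources": {"MyApp": {"EventMessageFile": "app.dll"}}},
            "System": {"MaxSize": 524288}}}}},
    "Software": {
        "Microsoft": {"Windows": {"CurrentVersion": {"Run": {"Agent": "C:\\agent.exe"}}}},
        # 32-bit programs on a 64-bit system are stored under Wow6432Node
        "Wow6432Node": {"NetIQ": {"AppManager": {"4.0": {"InstallDir": "C:\\x86\\NetIQ"}}}}}}}

SERVICES = "SYSTEM\\CurrentControlSet\\Services"


def resolve_path(root, path, monitor_32bit):
    """Split the path; for a 32-bit job under HKLM\\Software insert the Wow6432Node
    component the user is told not to type (assumed behaviour, modelled here)."""
    parts = [p for p in path.split("\\") if p]
    if (monitor_32bit and root.upper() == "HKEY_LOCAL_MACHINE" and parts
            and parts[0].lower() == "software"
            and (len(parts) < 2 or parts[1].lower() != "wow6432node")):
        parts.insert(1, "Wow6432Node")
    return parts


def _lookup(registry, root, parts):
    """Walk the nested dicts; registry names compare case-insensitively."""
    node = registry[root]
    for part in parts:
        match = next((k for k in node if k.lower() == part.lower()), None)
        if match is None or not isinstance(node[match], dict):
            raise KeyError("\\".join(parts))
        node = node[match]
    return node


def _excluded(path, excludes):
    low = path.lower()
    return any(low == e or low.startswith(e + "\\") for e in excludes)


def _walk(node, key_path, level, max_levels, excludes, snap):
    """Record this key, its values, and (if depth allows) its sub-keys one level deeper."""
    if _excluded(key_path, excludes):
        return
    snap["keys"].add(key_path)
    snap["per_level"][level][0] += 1
    for name, child in node.items():
        child_path = f"{key_path}\\{name}"
        if _excluded(child_path, excludes):
            continue
        if isinstance(child, dict):
            if level < max_levels:          # sub-keys beyond the configured depth are ignored
                _walk(child, child_path, level + 1, max_levels, excludes, snap)
        else:
            snap["values"][child_path] = child
            snap["per_level"][level][1] += 1


def snapshot(registry, root, path, levels, excludes=(), monitor_32bit=False):
    """Snapshot keys and values from `path` (level 1) down to `levels` (1..5)."""
    if not 1 <= levels <= 5:
        raise ValueError("levels must be between 1 and 5")
    parts = resolve_path(root, path, monitor_32bit)
    snap = {"keys": set(), "values": {}, "per_level": defaultdict(lambda: [0, 0])}
    _walk(_lookup(registry, root, parts), "\\".join(parts), 1, levels,
          tuple(e.lower() for e in excludes), snap)
    snap["per_level"] = {lvl: tuple(c) for lvl, c in sorted(snap["per_level"].items())}
    return snap


def compare(before, after):
    """Return (kind, item, path) tuples for each key or value added, deleted or changed."""
    bv, av = before["values"], after["values"]
    changes = [("added", "key", k) for k in sorted(after["keys"] - before["keys"])]
    changes += [("deleted", "key", k) for k in sorted(before["keys"] - after["keys"])]
    changes += [("added", "value", v) for v in sorted(av.keys() - bv.keys())]
    changes += [("deleted", "value", v) for v in sorted(bv.keys() - av.keys())]
    changes += [("changed", "value", v) for v in sorted(bv.keys() & av.keys()) if bv[v] != av[v]]
    return changes


def run_demo(levels):
    """Baseline at one iteration, simulated edits, then the next iteration's comparison."""
    excludes = [SERVICES + "\\netiqmc\\ErrorControl"]   # the page's exclusion example
    baseline = snapshot(SAMPLE_REGISTRY, "HKEY_LOCAL_MACHINE", SERVICES, levels, excludes)
    current = copy.deepcopy(SAMPLE_REGISTRY)
    svc = current["HKEY_LOCAL_MACHINE"]["SYSTEM"]["CurrentControlSet"]["Services"]
    svc["netiqmc"]["ErrorControl"] = 0               # excluded value: never reported
    svc["netiqmc"]["Start"] = 3                      # level-2 value changed
    svc["NewSvc"] = {"ImagePath": "C:\\newsvc.exe"}  # level-2 key added
    del svc["EventLog"]["System"]                    # level-3 key deleted
    svc["EventLog"]["Application"]["MaxSize"] = 1    # level-3 value changed
    return compare(baseline, snapshot(current, "HKEY_LOCAL_MACHINE", SERVICES, levels, excludes))


if __name__ == "__main__":
    for lvl in (2, 3):
        print(f"Number of registry subtrees = {lvl}:")
        for change in run_demo(lvl):
            print("  ", *change)
```

Running the block shows the level-3 deletion and value change only when the subtree count is raised from 2 to 3, while the excluded ErrorControl value never appears; `snapshot(...)["per_level"]` gives the keys and values checked at each level, which is the growth the text warns about.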