The simplest form of Registry key monitoring is just to display its value occasionally. This won’t give you a lot of detail, but you’ll at least get an idea of when a setting has changed, and can then investigate in more detail.

Sysinternals’ BgInfo is a tiny tool which can display a vast amount of system information - and whatever Registry values you like - on your desktop wallpaper. It’s very lightweight, with no background monitoring processes to worry about, but you’ll still get a warning (eventually) when something changes.

Launch BgInfo, clear all the current values in the editing area, and select Custom > New > Registry Value. Type IE Start Page in the Identifier box.

Enter HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page in the Path box, and click OK > OK. Select IE Start Page in the "Fields" box, click Add > OK, and you should now see your current Internet Explorer start page displayed on the desktop.

If the Registry value changes then you’ll see the new URL when you reboot, or BgInfo runs again, perhaps giving you an early chance to spot unauthorized changes.

Displaying Registry values can be useful, but logging them to a file makes it easier to analyze later, and is also a better choice for recording what’s happening on someone else’s PC.

Basic logging requires nothing more than a batch file.

reg query "hkcu\Software\Microsoft\Internet Explorer\Main" /v "Start Page" >> report.txt

This hides the batch file prompts, adds the current date and time to the end of the "report.txt" file, and then uses the standard reg.exe command to save the current IE home page to the same log. (Microsoft’s guide to reg.exe syntax tells you more about what you can do.)

Copy this into your Startup folder, maybe run it as a scheduled task, and over time you’ll build a record of the home page history. If malware (or another user) changes it, you’ll see approximately when that happened, and can investigate further.

Windows auditing is a powerful feature which can track many system events, including changes to Registry keys.

To enable Registry auditing, open an elevated command line (right-click cmd.exe and select "Run as administrator") and enter the command:

auditpol /set /subcategory:"Registry" /success:enable

Launch REGEDIT, and browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main (or any other key you’d like to monitor).

Right-click the key in the left-hand pane, and select Permissions > Advanced.

Click "Select a principal", type "Everyone" in the "Enter the object name" box and click OK.

Choose whether you want auditing to apply to this key, or subkeys too, then click OK to close all open dialogs.

To see how this works with our example key, change your IE home page to another site, then restore it.
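
The batch-file logging approach described above records the value on every run and leaves spotting a change to whoever reads the log. The PowerShell script below is an added example, not part of the original article, that goes a step further and flags a change against the previous log entry; the log path, CSV layout and status labels are assumptions.

```powershell
# Added example (not from the original article): log the IE start page and
# flag any change since the previous run. The log path, CSV columns and
# status labels are assumptions chosen for illustration.
param(
    [string]$KeyPath   = 'HKCU:\Software\Microsoft\Internet Explorer\Main',
    [string]$ValueName = 'Start Page',
    [string]$LogPath   = (Join-Path $env:USERPROFILE 'startpage-log.csv')
)

# Read the current value. A missing key or value is itself worth recording,
# so it is logged as a marker string instead of aborting the script.
try {
    $item    = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction Stop
    $current = [string]$item.$ValueName
} catch {
    $current = '<value not found>'
}

# Fetch the most recent logged value, if the log already exists.
$previous = $null
if (Test-Path -LiteralPath $LogPath) {
    $last = Import-Csv -LiteralPath $LogPath | Select-Object -Last 1
    if ($last) { $previous = $last.Value }
}

# Case-sensitive comparison so any edit to the URL counts as a change.
if ($null -eq $previous)         { $status = 'baseline' }
elseif ($previous -cne $current) { $status = 'CHANGED' }
else                             { $status = 'unchanged' }

# Append one timestamped row per run, building the history over time.
[pscustomobject]@{
    Timestamp = (Get-Date).ToString('s')
    Status    = $status
    Value     = $current
} | Export-Csv -LiteralPath $LogPath -Append -NoTypeInformation

if ($status -eq 'CHANGED') {
    Write-Warning "$ValueName changed from '$previous' to '$current'"
}
```

It can be scheduled the same way as the batch file; because the log lives in the user's profile, anything running as that user can also edit it.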