Monitoring Windows Registry Changes

by Eustaquio (Novice)
on Aug 03, 2001 at 17:18 UTC
Eustaquio has asked for the wisdom of the Perl Monks concerning the following question:

Dear Monks: I'm in charge of a Security Project that needs to monitor Windows Registry changes. How can I do it in Perl? Thanks in advance. Eustaquio

Re: Monitoring Windows Registry Changes
by joefission (Monk) on Aug 03, 2001 at 17:39 UTC
    Depends on what depth you need to monitor. Do you need to know if there was a change? Do you need to know what the change was?

    I'd play with Win32::TieRegistry, especially the

    $key->RegNotifyChangeKeyValue( $bWatchSubtree, $iNotifyFilter, $hEvent, $bAsync );

    You could also turn Auditing on for the registry and monitor the Event Logs, hopefully leveraging any existing Event Log Security monitoring you may have (using Win32::EventLog, of course :)

    c-era has good suggestions. The only thing I can add is you could run the monitor via mstask (scheduler).

Re: Monitoring Windows Registry Changes
by c-era (Curate) on Aug 03, 2001 at 17:21 UTC
    I would create a Windows service that on boot would make a copy of the registry (keys and values). Then every hour (or whatever resolution you need), I would have it scan the registry and look for differences, and have the script e-mail a report. Take a look at the Win32::Registry and Win32::Daemon from Roth Consulting (which appears to be down right now).
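    One way to build the snapshot-and-diff monitor c-era describes (and joefission seconds) with Win32::TieRegistry, added here as an example rather than code from any of the posts. It assumes the two autostart keys listed in @WATCH and a 60-second polling interval, and it must run on Windows under an account that can read those keys.

```perl
# Poll-and-diff registry monitor: snapshot the watched key trees, re-scan on an interval, report changes.
use strict; use warnings;
use Win32::TieRegistry ( Delimiter => '/' );
use Win32API::Registry qw( KEY_READ );

my @WATCH = (   # assumption: classic autostart locations; adjust to your project's scope
    'LMachine/Software/Microsoft/Windows/CurrentVersion/Run',
    'LMachine/Software/Microsoft/Windows/CurrentVersion/RunOnce',
);
my $INTERVAL = 60;    # seconds between scans

sub snapshot {        # walk a key tree, filling %$snap with "path/valuename" => "type:data"
    my ($key, $prefix, $snap) = @_;
    for my $name ($key->ValueNames) {
        my ($data, $type) = $key->GetValue($name);
        $data = join "\0", @$data if ref $data eq 'ARRAY';      # REG_MULTI_SZ comes back as a list
        $data = '' unless defined $data;
        $data = unpack 'H*', $data if $data =~ /[^[:print:]]/;   # binary data -> hex for a stable diff
        $snap->{"$prefix$name"} = "$type:$data";
    }
    for my $sub ($key->SubKeyNames) {                            # recurse into subkeys
        my $child = $key->Open($sub, { Access => KEY_READ() }) or next;
        snapshot($child, "$prefix$sub/", $snap);
    }
}

sub take_snapshot {
    my %snap;
    for my $path (@WATCH) {
        my $key = $Registry->Open($path, { Access => KEY_READ() });
        if (!$key) { warn "cannot open $path: $^E\n"; next }
        snapshot($key, "$path/", \%snap);
    }
    return \%snap;
}

sub diff_snapshots {  # compare two snapshots; returns human-readable change lines
    my ($old, $new) = @_;
    my @out = map { "REMOVED $_" } grep { !exists $new->{$_} } sort keys %$old;
    for my $k (sort keys %$new) {
        if    (!exists $old->{$k})       { push @out, "ADDED   $k = $new->{$k}" }
        elsif ($old->{$k} ne $new->{$k}) { push @out, "CHANGED $k: $old->{$k} -> $new->{$k}" }
    }
    return @out;
}

my $baseline = take_snapshot();
while (1) {
    sleep $INTERVAL;
    my $current = take_snapshot();
    print scalar(localtime), " $_\n" for diff_snapshots($baseline, $current);
    $baseline = $current;   # the printed lines are the report to e-mail or log
}
```

    Opening with KEY_READ keeps the monitor working from a non-administrative account on keys where the module's default access would be refused, and values whose data is binary are hex-encoded so that the report stays readable.
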
Re: Monitoring Windows Registry Changes
by tachyon (Chancellor) on Aug 03, 2001 at 18:01 UTC

    Hi, this is not a Perl solution, but a program called Regmon works very well. You can find the site here. Sorry, they do charge, but they do have a free demo and, well, you know.

    Why reinvent this wheel, then again why not :-)

      Yep, it's good software. The free version is available at Sysinternals. Lots of other good software there too, and a lot of it comes with source code included.

        Top link $code or die nice explanation of the behind the scenes workings of this program.