Hi everyone,
In an effort to monitor the unauthorized installation of software, and to see if it can monitor spyware as well, I am trying to find out whether I can use AHM to monitor changes or additions to the registry. Only a few reg keys would be involved...
HKLM\System\CurrentControlSet\Services
and
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and perhaps....
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
The test would check to see if any changes are made. When a change is made, AHM would alert me. This test would run against all our desktops so I don't know if the "compare" test would work.
If anyone has any ideas, it would be greatly appreciated.
Michael
Monitor registry changes for security
Okay, after researching this in the AHM help files, I came across the "RegRead.vbs" example script that reads the registry to see if anyone modified the Homepage key and signals AHM of a "bad" test if someone has done so.
In my thinking, I wanted to try to just take the key string that they use in the example and put in my own that would check to see if anyone added any new files. Basically, I replaced...
const IEkey = "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page"
with...
const IEkey = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" but I am now getting the error...
Error in script:
Error number :-2147024894
Source :WshShell.RegRead
Description :Unable to open registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" for reading.
Text :
Line :21
Column :4
I am at a loss. Anyone have any ideas? The account embedded into AHM is my domain account, which is a member of the domain admins and such.
Thanks in advance if anyone has any thoughts.
Michael
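A note on the error above, and an added example (written for this page, not taken from the thread or from AHM's sample scripts): WshShell.RegRead reads one named value, or a key's default value when the path ends with a backslash; it cannot enumerate the entries under a key. Given "...\CurrentVersion\Run" with no trailing backslash it looks for a value called "Run" under CurrentVersion, and -2147024894 is 0x80070002 (ERROR_FILE_NOT_FOUND). To catch additions you have to list every value and subkey and compare against a saved baseline. The PowerShell below does that for the three keys Michael listed; the baseline path and the non-zero exit code as the "bad test" signal are assumptions, since the page does not show how AHM consumes a script result.

```powershell
# Added example, not part of the original post or of AHM.
# Snapshot the three autostart locations and report additions, removals and
# changes against a saved baseline. Assumes an account with read access to
# HKLM (a domain admin qualifies). Exit 1 on any change, 0 otherwise.
$Keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
)
# Hypothetical baseline location; see the note after the script.
$BaselinePath = Join-Path $env:ProgramData 'autostart-baseline.json'

function Get-AutostartSnapshot {
    # Returns a hashtable of "key\entry" -> string value.
    $snap = @{}
    foreach ($key in $Keys) {
        $item = Get-Item -LiteralPath $key -ErrorAction Stop
        # Run is a flat list of values: one value per autostarted program.
        foreach ($name in $item.GetValueNames()) {
            $snap["$key\$name"] = [string]$item.GetValue($name)
        }
        # Services and Installed Components use one subkey per entry; the value
        # an attacker would plant or alter is ImagePath (services) or StubPath
        # (Active Setup), so record that alongside the subkey name.
        foreach ($sub in $item.GetSubKeyNames()) {
            $subKey = Get-Item -LiteralPath (Join-Path $key $sub) -ErrorAction SilentlyContinue
            if (-not $subKey) { continue }   # a few service keys are read-protected
            $val = $subKey.GetValue('ImagePath')
            if (-not $val) { $val = $subKey.GetValue('StubPath') }
            $snap["$key\$sub"] = [string]$val
        }
    }
    return $snap
}

function Compare-Snapshot($baseline, $current) {
    # Returns one line per difference; an empty array means no change.
    $changes = @()
    foreach ($k in $current.Keys) {
        if (-not $baseline.ContainsKey($k)) {
            $changes += "ADDED   $k = $($current[$k])"
        } elseif ($baseline[$k] -ne $current[$k]) {
            $changes += "CHANGED $k : '$($baseline[$k])' -> '$($current[$k])'"
        }
    }
    foreach ($k in $baseline.Keys) {
        if (-not $current.ContainsKey($k)) { $changes += "REMOVED $k" }
    }
    return $changes
}

$current = Get-AutostartSnapshot

if (-not (Test-Path -LiteralPath $BaselinePath)) {
    # First run on this machine: record the baseline and report nothing.
    $current | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath
    Write-Output "Baseline written to $BaselinePath ($($current.Count) entries)"
    exit 0
}

# Load the baseline back into a hashtable (ConvertFrom-Json yields a PSObject).
$baseline = @{}
(Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $baseline[$_.Name] = [string]$_.Value }

$changes = Compare-Snapshot $baseline $current
if ($changes.Count -gt 0) {
    $changes | Write-Output
    exit 1   # signal a "bad" test to the monitor
}
Write-Output 'No autostart changes'
exit 0
```

Two practical points. First, anyone who can write to HKLM on the desktop can also overwrite a baseline file stored there, so for fleet-wide use keep the baseline on the monitoring server (or under an ACL the desktop's users cannot write) and refresh it deliberately after approved software rollouts, or every patch cycle will show up as a change. Second, Services is large and noisy (drivers and service entries are added by Windows updates), so expect to tune which subkeys you compare, or restrict to ImagePath changes, before alerting on it.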