Monitor registry changes for security

All questions related to installations, configurations and maintenance of Advanced Host Monitor (including additional tools such as RMA for Windows, RMA Manager, Web Service, RCC).
mikepiet
Posts: 19
Joined: Tue Nov 30, 2004 10:32 pm

Monitor registry changes for security

Post by mikepiet »

Hi everyone,

In an effort to monitor the unauthorized installation of software and to see if it can monitor spyware as well, I am trying to find a way if I can use AHM to monitor changes or additions to the registry. Only a few reg keys would be involved...

HKLM\System\CurrentControlSet\Services

and

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

and perhaps....

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components


The test would check to see if any changes are made. When a change is made, AHM would alert me. This test would run against all our desktops so I don't know if the "compare" test would work.

If anyone has any ideas, it would be greatly appreciated.

Michael
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

Sorry, HostMonitor cannot perform such a test by itself. You need some script or external application that can be launched by the "Shell Script", "Active Script" or "External" test methods...

Regards
Alex
mikepiet
Posts: 19
Joined: Tue Nov 30, 2004 10:32 pm

Post by mikepiet »

Okay, after researching this in the AHM help files, I came across the "RegRead.vbs" example script that reads the registry to see if anyone modified the Homepage key and signals AHM of a "bad" test if someone has done so.

In my thinking, I wanted to try to just take the key string that they use in the example and put in my own that would check to see if anyone added any new files. Basically, I replaced...

const IEkey = "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page"

with...

const IEkey = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

but I am now getting the error...

Error in script:
Error number :-2147024894
Source :WshShell.RegRead
Description :Unable to open registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" for reading.
Text :
Line :21
Column :4


I am at a loss. Anyone have any ideas? The account embedded into AHM is my domain account which is a member of the domain admins and such.

Thanks in advance if anyone has any thoughts.

Michael
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
This is a container (folder) that may contain many keys. If you specify a key, it will work.
But the problem is you want to read all keys from this folder, right? IMHO WScript.Shell does not provide a method for such a purpose.

Regards
Alex
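One way to enumerate the values and subkeys under the three keys named in the question and flag anything added, removed or changed since a saved baseline, as an added PowerShell example (not code from the thread, from KS-Soft or from the RegRead.vbs sample); the baseline file path and the "ScriptRes:Ok"/"ScriptRes:Bad" output lines are assumptions about how the script would be wired into a test:

```powershell
# Added example (not from the thread or KS-Soft): snapshot the keys named in the
# question and report values or subkeys added, removed or changed since the last run.
# The baseline path and the "ScriptRes:" output lines are assumptions about the test setup.
param([string]$BaselinePath = "$env:ProgramData\RegWatch\baseline.json")

$WatchedKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
)

# Enumerate every value and every immediate subkey under each watched key.
function Get-RegistrySnapshot {
    $snap = @{}
    foreach ($k in $WatchedKeys) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $item = Get-Item -LiteralPath $k
        foreach ($name in $item.GetValueNames()) {
            $snap["$k\$name"] = ($item.GetValue($name) -join ',')   # arrays flattened to text
        }
        foreach ($sub in $item.GetSubKeyNames()) { $snap["$k\$sub\"] = '<subkey>' }
    }
    return $snap
}

function Compare-Snapshot([hashtable]$Old, [hashtable]$New) {
    $diff = @()
    foreach ($key in $New.Keys) {
        if (-not $Old.ContainsKey($key)) { $diff += "ADDED   $key = $($New[$key])" }
        elseif ($Old[$key] -ne $New[$key]) { $diff += "CHANGED $key = $($New[$key])" }
    }
    foreach ($key in $Old.Keys) {
        if (-not $New.ContainsKey($key)) { $diff += "REMOVED $key" }
    }
    return $diff
}

$current = Get-RegistrySnapshot
if (-not (Test-Path -LiteralPath $BaselinePath)) {
    # First run: record the baseline and report Ok so the test starts green.
    New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
    $current | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath
    Write-Output 'ScriptRes:Ok'; exit 0
}
$baseline = @{}
(Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $baseline[$_.Name] = [string]$_.Value }
$changes = @(Compare-Snapshot $baseline $current)
if ($changes.Count -eq 0) { Write-Output 'ScriptRes:Ok'; exit 0 }
Write-Output 'ScriptRes:Bad'; $changes | ForEach-Object { Write-Output $_ }
```

Run it once on each desktop to create the baseline, then let the scheduled test run it again; the detail lines after "ScriptRes:Bad" name exactly which autostart entry or service changed, and deleting the baseline file re-baselines a host after an approved install.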