Changes are not detected when monitoring the "CurrentControlSet" key in a detection policy

Article:TECH189119  |  Created: 2012-05-18  |  Updated: 2012-05-25  |  Article URL http://www.symantec.com/docs/TECH189119
Article Type
Technical Solution


Issue



A registry watch cannot detect changes (Create, Delete, or Modify) when monitoring \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet.


Error



Creating a registry watch from the Windows_Template_Policy to monitor "CurrentControlSet" does not detect registry changes.


Environment



Windows Server 2008 R2


Solution



Current workaround:
 
Create the registry watch to monitor changes under the tree \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet*\* instead of \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet.
 
NOTE: "CurrentControlSet" is a symbolic link in the registry rather than a real key. It points to one of the ControlSetnnn keys, depending on which control set the system booted with; the number of the active set is recorded in the "Current" value under \HKEY_LOCAL_MACHINE\SYSTEM\Select. Most systems point to ControlSet001, but it can be ControlSet002, ControlSet003, etc. Because the watch is applied to the link and not to the key it resolves to, changes under the real ControlSetnnn key are not reported. Using "ControlSet*" instead of "CurrentControlSet" covers every key CurrentControlSet could be pointing at. Be aware that the wildcard also matches control sets that are not active (for example the LastKnownGood set), so events under those keys are expected noise; compare the ControlSetnnn in an event with the Select\Current value to tell whether the change affects the running system.
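The following PowerShell is added here as a worked example; it is not part of the original article or of the product. It reads HKLM\SYSTEM\Select to find which ControlSetnnn key CurrentControlSet resolves to, lists the keys a ControlSet*\* watch will match, and shows how to triage an event reported under ControlSetnnn as either the live control set or an inactive one. The function names and the sample event paths are constructed for the example.

```powershell
# Added example (not from the Symantec article or product): resolve where
# HKLM\SYSTEM\CurrentControlSet points and triage ControlSet00N event paths.

function Get-ActiveControlSet {
    # HKLM\SYSTEM\Select records which ControlSet00N the running system uses.
    $select = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
    [pscustomobject]@{
        Current       = 'ControlSet{0:D3}' -f $select.Current
        Default       = 'ControlSet{0:D3}' -f $select.Default
        LastKnownGood = 'ControlSet{0:D3}' -f $select.LastKnownGood
        Failed        = if ($select.Failed) { 'ControlSet{0:D3}' -f $select.Failed } else { $null }
    }
}

function Get-ControlSetKeys {
    # Every ControlSet00N subkey under HKLM\SYSTEM, i.e. what a ControlSet*\* watch matches.
    # The CurrentControlSet link also appears as a child; the regex excludes it.
    Get-ChildItem -Path 'HKLM:\SYSTEM' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
        Select-Object -ExpandProperty PSChildName
}

function Resolve-ControlSetPath {
    # Rewrite an event path reported under ControlSet00N to its CurrentControlSet
    # form when N is the active set; return $null for paths under an inactive set.
    param([Parameter(Mandatory)][string]$Path)
    $active = (Get-ActiveControlSet).Current
    $m = [regex]::Match($Path, '^\\?(HKEY_LOCAL_MACHINE|HKLM:?)\\SYSTEM\\(ControlSet\d{3})(\\.*)?$',
                        [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)
    if (-not $m.Success) { return $Path }          # not a control-set path, pass through
    if ($m.Groups[2].Value -ieq $active) {
        return 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet' + $m.Groups[3].Value
    }
    return $null
}

$sets = Get-ActiveControlSet
"Active control set: {0} (default {1}, last known good {2})" -f $sets.Current, $sets.Default, $sets.LastKnownGood
"Keys a ControlSet*\* watch covers: " + ((Get-ControlSetKeys) -join ', ')

# Constructed sample event paths, in the form a detection policy reports them.
$samplePaths = @(
    '\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Foo\ImagePath',
    '\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Foo\ImagePath'
)
foreach ($p in $samplePaths) {
    $resolved = Resolve-ControlSetPath -Path $p
    if ($resolved) { "LIVE   $p -> $resolved" } else { "STALE  $p (inactive control set)" }
}
```

Run it as a user with read access to HKLM\SYSTEM (any interactive user normally has it). On a machine where Select\Current is 1, the first sample path is reported as live and rewritten to its CurrentControlSet form, while the ControlSet002 path is flagged as belonging to an inactive set; Resolve-ControlSetPath can be dropped into an event post-processing script to suppress that noise from a ControlSet*\* watch.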


