Changes are not detected when monitoring the "CurrentControlSet" key in a detection policy

Article: TECH189119 | Created: 2012-05-18 | Updated: 2012-05-25
Article Type: Technical Solution


Problem: A registry watch cannot detect changes (Create, Delete, or Modify) when monitoring \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet.


Creating a registry watch from Windows_Template_Policy to monitor "CurrentControlSet" does not detect registry changes.


Environment: Windows 2008 R2 Server


Current workaround:
Create a registry watch to monitor changes under the tree: \HKEY_LOCAL_MACHINE\System\ControlSet*\*
NOTE: "CurrentControlSet" is a link in the registry rather than a key. It points to one of the ControlSetnnn keys, depending on which one the system is currently using. Most systems point to ControlSet001, but it can point to ControlSet002, ControlSet003, and so on. Using "ControlSet*" instead of "CurrentControlSet" therefore covers every key that CurrentControlSet could be pointing at.
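To confirm that the workaround pattern covers the right key on a given server, here is an added PowerShell snippet (not part of the Symantec article or product): it reads HKLM\SYSTEM\Select\Current, which records the number N of the ControlSet00N that the CurrentControlSet link resolves to, lists every ControlSet* key the watch would match, and checks that the resolved target is among them. It assumes a local session with read access to HKLM\SYSTEM.

```powershell
# Added example, not part of the Symantec article.
# Resolves the ControlSet00N key that the CurrentControlSet link points to on this
# machine and checks that the workaround pattern (ControlSet*) covers that key.
# Assumes a local session with read access to HKLM\SYSTEM.

# HKLM\SYSTEM\Select\Current holds the number N of the control set in use.
$currentNumber = (Get-ItemProperty -Path 'HKLM:\SYSTEM\Select' -Name 'Current').Current
$target = 'ControlSet{0:D3}' -f $currentNumber
Write-Output "CurrentControlSet links to HKLM\SYSTEM\$target"

# Every ControlSetNNN key present on this machine, i.e. what ControlSet* matches.
$controlSets = Get-ChildItem -Path 'HKLM:\SYSTEM' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'ControlSet*' } |
    Select-Object -ExpandProperty PSChildName
Write-Output ("Keys matched by ControlSet*: " + ($controlSets -join ', '))

# Confirm the resolved target is one of the keys the watch would cover.
if ($controlSets -contains $target) {
    Write-Output "OK: a watch on \HKEY_LOCAL_MACHINE\System\ControlSet*\* covers $target"
} else {
    Write-Warning "The watch pattern does not cover $target; check the Select key and the policy"
}

# Show that the link and its target reach the same data: both paths expose
# the same set of service subkeys, so changes made via either are the same change.
$viaLink   = (Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue).Count
$viaTarget = (Get-ChildItem -Path "HKLM:\SYSTEM\$target\Services" -ErrorAction SilentlyContinue).Count
Write-Output "Service subkeys via CurrentControlSet: $viaLink; via ${target}: $viaTarget"
```

Run it on each monitored server after a reboot as well, since the control set in use (and therefore the link target) can change between boots.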
