How to Detect Modifications to Startup Items in the Windows Registry

Native Auditing
  1. Run gpedit.msc → Create a new GPO → Edit it: Go to "Computer Configuration" → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy:
    • Audit object access → Define → "Success" and "Failures".
  2. Go to Event Log → Define:
    • Maximum security log size to 4 GB
    • Retention method for security log to "Overwrite events as needed".
  3. Link the new GPO to the OU with Windows servers: Go to "Group Policy Management" → Right-click the defined OU → Choose "Link an Existing GPO" → Choose the GPO that you’ve created.
  4. Force the group policy update: In "Group Policy Management" right-click on the defined OU → Click "Group Policy Update".
  5. Run "regedit" → Navigate to "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" → Right-click the "Run" key and select "Permissions" → Click "Advanced" → Select the "Auditing" tab → Click the "Add" button:
    • Select Principal: "Everyone"
    • Select Type: "All"
    • Select Applies to: "This key and subkeys"
    • Select Advanced Permissions: "Create Subkey", "Set Value", "Create Link", "Write DAC", and "Delete".
  6. Take the same steps with the following registry keys:
    • "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"
    • "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
    • "HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components"
  7. Open Event Viewer → Search security log for event ID 4657 (a registry value was modified).
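
The search in step 7 can also be run from an elevated PowerShell prompt. The script below is an added example, not part of the original how-to: it filters event 4657 down to the startup keys audited above and reports who changed which value. The one-day look-back window and the variable names are assumptions.

```powershell
# Added example. Run elevated: reading the Security log requires administrative rights.
# Key suffixes from the steps above. Event 4657 records keys in kernel form
# (\REGISTRY\MACHINE\... for HKLM, \REGISTRY\USER\<SID>\... for HKCU),
# so a suffix match covers the HKCU key from step 5 as well.
$watched = @(
    '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    '\SOFTWARE\Microsoft\Active Setup\Installed Components',
    '\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
)

# Operation codes as they appear in the raw event data
$operation = @{
    '%%1904' = 'Value created'
    '%%1905' = 'Value modified'
    '%%1906' = 'Value deleted'
}

$since = (Get-Date).AddDays(-1)   # assumed look-back window

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_
        # Flatten the <EventData> name/value pairs into a hashtable
        $d = @{}
        foreach ($n in ([xml]$evt.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # Keep only events whose key path contains one of the watched suffixes
        # (-like is case-insensitive; subkeys such as Installed Components\{GUID} match too)
        $key = $d['ObjectName']
        if ($watched | Where-Object { $key -like "*$_*" }) {
            [pscustomobject]@{
                Time      = $evt.TimeCreated
                User      = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                Operation = $operation["$($d['OperationType'])"]
                Key       = $key
                ValueName = $d['ObjectValueName']
                OldValue  = $d['OldValue']
                NewValue  = $d['NewValue']
                Process   = $d['ProcessName']
            }
        }
    } |
    Sort-Object Time |
    Format-List
```

The Process field shows which executable wrote the value, which helps separate installer activity from unexpected writers.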
Netwrix Auditor for Windows Server
  1. Run Netwrix Auditor → Navigate to "Search" → Click on "Advanced mode" if not selected → Set up the following filters:
    • Filter = "When"
      Operator = "Equals"
      Value = "Today"
    • Filter = "Object type"
      Operator = "Equals"
      Value = "Registry Key"
    • Filter = "What"
      Operator = "Contains"
      Value = "Run"
    • Filter = "What"
      Operator = "Contains"
      Value = "Installed"
  2. Click the "Search" button and review which registry keys were modified and who modified them.
Netwrix Auditor Search: detect modifications to startup items in the Windows Registry


To create an alert that is triggered whenever a registry key is modified:

  1. From the search results, navigate to "Tools" → Click "Create alert" → Specify the new alert’s name.
  2. Switch to the "Recipients" tab → Click "Add Recipient" → Specify the email address where you want the alert to be delivered.
  3. Click "Add" to save the alert.

Spot and Investigate Unauthorized Changes to Startup Items in the Registry

Suspicious changes in startup registry keys may be a sign of malware activity. For example, if a keylogger creates a registry key, this program will be launched by default every time the system starts. If it stays unnoticed and appropriate measures are not taken, there is a chance that users’ passwords will be stolen.
