How to Detect Modifications to Startup Items in the Windows Registry

Native Auditing vs. Netwrix Auditor for Windows Server

We never share your data. Privacy Policy
Native Auditing Netwrix Auditor for Windows Server
  1. Run gpedit.msc → Create a new GPO → Edit it: Go to "Computer Configuration" → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy:
    • Audit object access → Define → "Success" and "Failures".
  2. Go to Event Log → Define:
    • Maximum security log size to 4gb
    • Retention method for security log to "Overwrite events as needed".
  3. Link the new GPO to OU with Windows servers: Go to "Group Policy Management" → Right-click the defined OU → Choose "Link an Existing GPO" → Choose the GPO that you’ve created.
  4. Force the group policy update: In "Group Policy Management" right-click on the defined OU → Click "Group Policy Update".
  5. Run "regedit" → Navigate to "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" → Right-click "Run" key and select "permissions" → Click "Advanced" → Select "Auditing" tab → Click "Add" button:
    • Select Principal: "Everyone"
    • Select Type: "All"
    • Select Applies to: "This keys and subkeys"
    • Select Advanced Permissions: "Create Subkey", "Set Value", "Create Link", "Write DAC", and "Delete".
  6. Take the same steps with the following registry keys:
    • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\ CurrentVersion\Run"
    • HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
    • HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components".
  7. Open Event Viewer → Search security log for event ID 4657 (a registry value was modified).

  1. Run Netwrix Auditor → Navigate to "Search".
  2. Click "When" and choose timeframe "Today".
  3. Click "Advanced" and specify the following criteria:
    Filter – "Object Type";
    Operator – "=(Equals)";
    Value – "Registry Key"
    Filter – "What";
    Operator – "Contains";
    Value – "Run"
    Filter – "What";
    Operator – "Contains";
    Value – "Installed".
  4. Click "Modify" → Click "Search".
  5. After that, you will see what registry keys were modified and who did that.

Spot and Investigate Unauthorized Changes to Startup Items in the Registry

Suspicious changes in startup registry keys may be a sign of malware activity. For example, if a keylogger creates a registry key, this program will be launched by default every time the system starts. If it stays unnoticed and appropriate measures are not taken, there is a chance that users’ passwords will be stolen.

Join the discussion