Detect and monitor changes to Startup items in Windows Registry via GPO

It is a good idea to setup detection and monitor who and what made changes to Startup items in Windows Registry . Suspicious changes in startup registry keys may be a sign of malware activity and bad things can happen.

Here is how to set it up this Group Policy on Windows Server 2012 R2:

  1. Run gpedit.msc → Create a new GPO → Edit it: Go to “Computer Configuration” → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy:
  • Audit object access → Define → “Success” and “Failures”

2. Go to Event Log → Define:

  • Maximum security log size to 4gb
  • Retention method for security log to “Overwrite events as needed”.

3. Link the new GPO to OU with Windows servers: Go to “Group Policy Management” → Right-click the defined OU → Choose “Link an Existing GPO” → Choose the GPO that you’ve created.

4. Force the group policy update: In “Group Policy Management” right-click on the defined OU → Click “Group Policy Update”.

5. Run “regedit” → Navigate to “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” → Right-click “Run” key and select “permissions” → Click “Advanced” → Select “Auditing” tab → Click “Add” button:

  • Select Principal: “Everyone”
  • Select Type: “All”
  • Select Applies to: “This keys and subkeys”
  • Select Advanced Permissions: “Create Subkey”, “Set Value”, “Create Link”, “Write DAC”, and “Delete”.

6. Take the same steps with the following registry keys:

  • “HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\
  • “HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components”
  • “HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components”.

7. Open Event Viewer → Search security log for event ID 4657 (a registry value was modified).

In the General tab you should see all the details who has made the change and what has been change. Now you have something on hand to investigate.