Hi
I’m looking for a command line method to detect a change to the registry and if detected notify the user
I’m looking for the script to do this by itself without needing to manually set audit policies using the windows GUI
The idea I’ve come up with is to watch for event id 4657 to to occur in the registry
After researching online i am using
Auditpol /set /subcategory:@Registry@ /success:enable # To set the audit policy to ON for the registry
Get-Winevent -Computername $env:ComputerName -FilterHasTable @{logname=’security’id=4657} # To display the event 4657
I’ve noticed that no event 4657 has been generated when I manually filter the registry security logs after a few days
Is there a way using powershell to force this to on ? Or is there an easy way to detect if any registry key has been changed ?
I’ve looked at exporting the reg to a file repeating then comparing the reg files but looking for an alternative
Thanks
confuseis
