Powershell detect change to the registry RRS feed

  • Question

  • Hi

    I’m looking for a command line method to detect a change to the registry and if detected notify the user

    I’m looking for the script to do this by itself without needing to manually set audit policies using the windows GUI

    The idea I’ve come up with is to watch for event id  4657  to  to occur in the registry

    After researching online i am using

    Auditpol /set /subcategory:@Registry@ /success:enable   # To set the audit policy to  ON  for the registry


    Get-Winevent -Computername $env:ComputerName -FilterHasTable @{logname=’security’id=4657}  # To display the event 4657


    I’ve noticed that no event   4657  has been generated when I manually filter the registry security logs after a few days

    Is there a way using powershell to force this to on ?   Or is there an easy way to detect if any registry key has been changed ?

    I’ve looked at exporting the reg to a file repeating then comparing the reg files but looking for an alternative



    • Moved by Bill_Stewart Thursday, March 14, 2019 8:40 PM This is not "scripts on demand"
    Saturday, November 17, 2018 4:09 PM

All replies