
Sysmon 5.2 Registry Event Codes

mpras

Joined: 15 February 2017
Location: India
Status: Offline
    Posted: 15 February 2017 at 1:51pm

The Windows Security Event Code 4657 does a great job of capturing changes to registry keys in a single event (old value, new value, key modified, etc.). Sysmon V5 Event Code 13 captures similar information, but it is spread across multiple events. Wondering if Sysmon can capture the reg changes of the same key in a single event in its future releases, like the way Event Code 4657 does?
Event Code=4657
Change Information:
Object Name:\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SusSer
Object Value Name:ImagePath
Handle ID:0x104
Operation Type:Existing registry value modified
Old Value Type:REG_EXPAND_SZ
Old Value:^%systemroot^%\temp\evil.exe
New Value Type:REG_EXPAND_SZ
New Value:c:\\temp\evil.exe

Sysmon Event Code=13
Image: C:\Windows\system32\reg.exe
EventType: SetValue
TargetObject: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SusSer\ImagePath
Details: ^%systemroot^%\temp\evil.exe

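One way to get the 4657-style old/new view from Sysmon's per-write Event ID 13 records on the collector side, as an added example that is not part of this post or of Sysmon itself: it parses a constructed sample of three records in exported EVTX XML form and replays them per TargetObject, pairing each write with the value Sysmon last logged for that same value name. The pairing is only as complete as Sysmon's own log, which is the gap the post describes.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: three Sysmon Event ID 13 records in exported EVTX XML form,
# trimmed to the fields used here and wrapped in an <Events> root so they parse.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>13</EventID></System><EventData>
<Data Name="UtcTime">2017-02-15 13:50:00.000</Data><Data Name="EventType">SetValue</Data>
<Data Name="Image">C:\Windows\system32\services.exe</Data>
<Data Name="TargetObject">\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SusSer\ImagePath</Data>
<Data Name="Details">%systemroot%\system32\svchost.exe -k netsvcs</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>13</EventID></System><EventData>
<Data Name="UtcTime">2017-02-15 13:50:05.000</Data><Data Name="EventType">SetValue</Data>
<Data Name="Image">C:\Windows\system32\services.exe</Data>
<Data Name="TargetObject">\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SusSer\Start</Data>
<Data Name="Details">DWORD (0x00000002)</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>13</EventID></System><EventData>
<Data Name="UtcTime">2017-02-15 13:51:00.000</Data><Data Name="EventType">SetValue</Data>
<Data Name="Image">C:\Windows\system32\reg.exe</Data>
<Data Name="TargetObject">\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SusSer\ImagePath</Data>
<Data Name="Details">%systemroot%\temp\evil.exe</Data></EventData></Event>
</Events>"""

def parse_sysmon_events(xml_text):
    """One dict per Event ID 13 record, keyed by the EventData field names."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "13":
            continue
        events.append({d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)})
    return events

def reconstruct_value_changes(events):
    """Replay SetValue events per TargetObject, pairing each write with the value
    Sysmon logged for it last, which gives the 4657-style old/new view.
    old_value is None when no earlier write was logged (the change predates
    monitoring, or the config filtered it), so it is not the true previous value."""
    last_seen, changes = {}, []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if ev.get("EventType") != "SetValue":
            continue
        key = ev["TargetObject"]
        changes.append({"utc_time": ev["UtcTime"], "image": ev["Image"], "target": key,
                        "old_value": last_seen.get(key), "new_value": ev["Details"]})
        last_seen[key] = ev["Details"]
    return changes
```

Because Sysmon only records writes that match its configuration, an unknown old_value is a signal that coverage started late or a rule excluded the key, not evidence that the value was newly created.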