Monitor Changes to Windows Registry

The Windows registry is a database that stores configurations for the Windows operating system and applications installed on Windows. Threat actors could modify the Windows registry to automatically execute applications when Windows starts, a user logs in, or an application is launched. The Lacework Windows agent monitors such registry changes on hosts and reports them in the Lacework Console so that you can quickly act on malicious registry changes.

Lacework monitors a set of default registry paths that could be modified to automatically execute applications. You cannot override these default registry paths.

Note: The list of default registry paths has been omitted for security reasons. Contact Lacework Support for the list of default registry paths.

Enable or Disable Registry Monitoring

By default, registry monitoring is enabled.

To disable registry monitoring, do the following:

  1. Add the following to the config.json file (no trailing comma after the last value, or the file is not valid JSON):
    "registry": {
      "enabled": "false"
    }
  2. Restart the Windows agent to apply the config.json changes. For instructions, see Restart Windows Agent.

If registry monitoring is disabled, do the following to enable it:

  1. Do one of the following:
    • Modify the registry property in the config.json file as shown below:
      "registry": {
        "enabled": "true"
      }
    • Remove the following from the config.json file (monitoring is enabled by default when the property is absent):
      "registry": {
        "enabled": "false"
      }
  2. Restart the Windows agent to apply the config.json changes. For instructions, see Restart Windows Agent.
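The following script is an added example, not part of the Lacework documentation or the agent itself. It shows one way to set the "registry" property in an existing config.json without clobbering other keys, to read back the effective state (enabled unless "enabled" is "false", matching the page's default), and to reject a file that is not valid JSON, such as one with a trailing comma. The config.json path is a placeholder, since the page does not state where the file lives; restarting the agent is still a separate step (see Restart Windows Agent).

```python
import json
from pathlib import Path

# Placeholder: the agent's config.json location is not stated on this page.
CONFIG_PATH = Path(r"C:\path\to\lacework\config.json")


def _load(config_text: str) -> dict:
    """Parse config.json text; an empty file counts as an empty object."""
    config = json.loads(config_text) if config_text.strip() else {}
    if not isinstance(config, dict):
        raise ValueError("config.json must contain a JSON object")
    return config


def is_valid_config(config_text: str) -> bool:
    """True if the text parses as a JSON object (a trailing comma makes it False)."""
    try:
        _load(config_text)
        return True
    except ValueError:
        return False


def set_registry_monitoring(config_text: str, enabled: bool) -> str:
    """Return config.json text with "registry.enabled" set, keeping every other key."""
    config = _load(config_text)
    registry = config.get("registry")
    if registry is None:
        registry = config["registry"] = {}
    if not isinstance(registry, dict):
        raise ValueError('"registry" must be a JSON object')
    # The page shows the value as the string "true" / "false", so match that form.
    registry["enabled"] = "true" if enabled else "false"
    return json.dumps(config, indent=2) + "\n"


def registry_monitoring_enabled(config_text: str) -> bool:
    """Effective state: monitoring is on unless "registry.enabled" is "false".

    A missing "registry" block means the default (enabled) applies.
    """
    config = _load(config_text)
    registry = config.get("registry") or {}
    if not isinstance(registry, dict):
        raise ValueError('"registry" must be a JSON object')
    value = registry.get("enabled", "true")
    return str(value).strip().lower() != "false"


def update_config_file(enabled: bool, path: Path = CONFIG_PATH) -> None:
    """Rewrite config.json on disk; the agent picks the change up only after a restart."""
    original = path.read_text(encoding="utf-8") if path.exists() else ""
    path.write_text(set_registry_monitoring(original, enabled), encoding="utf-8")


if __name__ == "__main__":
    # Constructed sample config with an unrelated key that must survive the edit.
    sample = '{\n  "tags": {"env": "prod"}\n}\n'
    disabled = set_registry_monitoring(sample, enabled=False)
    print(disabled)
    print("monitoring enabled:", registry_monitoring_enabled(disabled))
```

Run it once with a real path in place of the placeholder, then restart the agent as described above; until the restart, the agent keeps running with the previous setting.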

View Registry Monitoring Alerts

To view the registry monitoring alerts:

  1. In the Lacework Console, go to Workloads > Hosts > Files.
  2. Navigate to the New Registry Autoruns table.