
History: My C drive disappeared from "Computer" on my Win7 machine. After fixing it a couple of days ago by changing a registry key, I noticed today that my C drive has disappeared AGAIN. (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrivres)

I suspect a 0-day exploit or a group policy, as my AV and Malwarebytes did not find anything. I am looking for a way to monitor WHAT is modifying this specific registry key. Is it possible? How?

Cheers, Florian

Florian Bidabé

2 Answers


The Microsoft site sysinternals.com has a utility called Regmon (apparently now combined with Process Monitor) that will track changes to the registry in real time. A warning: there are a LOT of things that change the registry, so be prepared for the output to be very lengthy.

However, after the fact, there is nothing that will provide this information to you.

mdpc
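Added example (not part of the thread, and not Sysinternals' own code): a PowerShell script that combines the two halves of this answer. A WMI `RegistryValueChangeEvent` subscription logs the moment the value changes, and Process Monitor runs in the background with a saved filter so the capture shows which process performed the `RegSetValue`. Assumptions: an elevated PowerShell session, `Procmon.exe` under `C:\Tools`, a filter on the key path saved from the Procmon GUI as `C:\Tools\nodrives-filter.pmc`, and the value name `NoDrives` (the asker typed "NoDrivres"; `NoDrives` is the documented Explorer policy value).

```powershell
# Added example, not from the thread. Assumes elevated PowerShell, Procmon.exe in
# C:\Tools, and a Procmon filter saved as C:\Tools\nodrives-filter.pmc.
$ValueName = 'NoDrives'   # documented Explorer policy value (asker wrote "NoDrivres")
$KeyPath   = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$LogFile   = 'C:\Tools\nodrives-changes.log'

# RegistryValueChangeEvent cannot watch HKEY_CURRENT_USER directly; the per-user
# hive is reached through HKEY_USERS\<SID> of the logged-on user.
$Sid     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$HkuPath = "$Sid\$KeyPath"

# WQL string literals need every backslash doubled.
$Query = "SELECT * FROM RegistryValueChangeEvent WHERE Hive='HKEY_USERS' " +
         "AND KeyPath='$($HkuPath.Replace('\', '\\'))' AND ValueName='$ValueName'"

# 1. Timestamp every change to the value (this tells you WHEN, not WHO).
Register-WmiEvent -Query $Query -SourceIdentifier 'NoDrivesWatch' `
    -MessageData @{ Log = $LogFile; Sid = $Sid; Key = $KeyPath; Value = $ValueName } `
    -Action {
        $d   = $Event.MessageData
        $key = "Registry::HKEY_USERS\$($d.Sid)\$($d.Key)"
        $now = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).($d.Value)
        "$(Get-Date -Format o) $($d.Value) changed; current value: $now" |
            Add-Content -Path $d.Log
    }

# 2. Run Process Monitor minimized with the saved filter so the capture only
#    contains operations on that key; the Process Name column answers WHO.
$Procmon = 'C:\Tools\Procmon.exe'
& $Procmon /AcceptEula /Quiet /Minimized `
    /BackingFile 'C:\Tools\registry-capture.pml' `
    /LoadConfig  'C:\Tools\nodrives-filter.pmc'

# ... leave both running until the log file reports a change, then:
# & $Procmon /Terminate                          # close the capture
# Unregister-Event -SourceIdentifier 'NoDrivesWatch'
# Open C:\Tools\registry-capture.pml in Procmon and look for the RegSetValue
# operation on the NoDrives path; its Process Name / PID is the writer.
```

The log file gives a timestamp to search for in the `.pml` capture, which keeps the Procmon review short even though the backing file grows quickly. A writer that turns out to be the Group Policy client (a `svchost.exe` instance) points at policy rather than malware; an unfamiliar binary is worth investigating.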

Through the Security event logs, you can identify who tried to access a specific registry key if you have enabled auditing. Read more about it here.

Giovanni Tirloni
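Added example (not part of the thread): the auditing setup this answer refers to, done in PowerShell. It enables the Registry object-access audit subcategory, places a SACL on the policy key so any write generates a Security-log record, and then reads back event 4657 (registry value modified) to show the account and process that changed the value. Assumptions: an elevated PowerShell session on Windows 7 or later, the key already existing, and the value name `NoDrives` (the asker typed "NoDrivres"; `NoDrives` is the documented Explorer policy value).

```powershell
# Added example, not from the thread. Assumes elevated PowerShell; the key exists.
$KeyPath   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'NoDrives'   # documented Explorer policy value (asker wrote "NoDrivres")

# 1. Enable the "Registry" object-access audit subcategory (success and failure).
auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

# 2. Add a SACL entry so writes to the key by anyone are audited.
#    S-1-1-0 is the well-known SID for Everyone (locale-independent).
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rights   = [System.Security.AccessControl.RegistryRights]'SetValue, Delete, CreateSubKey, WriteKey'
$rule     = New-Object System.Security.AccessControl.RegistryAuditRule(
                $everyone, $rights,
                [System.Security.AccessControl.InheritanceFlags]::None,
                [System.Security.AccessControl.PropagationFlags]::None,
                [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $KeyPath -Audit     # -Audit is required to read/write the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# 3. Pull 4657 events for that value and show who/what wrote it.
function Get-NoDrivesWriters {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
      ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.ObjectValueName -eq $ValueName) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Process   = $d.ProcessName
                Pid       = $d.ProcessId
                Operation = $d.OperationType
                OldValue  = $d.OldValue
                NewValue  = $d.NewValue
            }
        }
      }
}

Get-NoDrivesWriters | Format-Table -AutoSize
```

Unlike a live Process Monitor session, the SACL keeps recording after you log off or reboot, so the next time the drive vanishes the Security log already holds the answer. Event 4657 carries the old and new data as well as the writer's image path; if the process is the Group Policy service the cause is a policy (check `gpresult /h report.html`), otherwise the image path is what to hand to the AV vendor.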