Windows Registry transaction log - is it always used?

1

I've read here, here and elsewhere that Windows can use a transaction log when writing to the Windows Registry, and this can be used for forensics.

I'm aware of RegNotifyChangeKeyValue and WMI, but I'm curious if the transaction log could also provide an alternative means for real-time monitoring of Registry changes.

My question is: is the transaction log always used? The articles I've found tend to say things like it "can" use it, but not whether it has to.

Cocowalla

Posted 2019-11-23T13:08:22.433

Reputation: 300

Answers

2

The transaction log is not always used, a conclusion based on the following data.

On my computer, these are the *.dat.log* files in C:\Windows:

(screenshot of the *.dat.log* files in C:\Windows with their modification dates; image not reproduced)

You can see that the only file that was updated today was migration.dat (which doesn't seem to be a registry hive).

Given that some registry hives are updated continuously, it seems that there is no systematic logging being done on my computer. Hence my above conclusion.

harrymc

Posted 2019-11-23T13:08:22.433

Reputation: 306 093
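Anyone wanting to repeat the check from the answer above against the hive files themselves can use the following script. It is an added example, not code from the question, the answer or Microsoft: it lists the registry hive files that Windows loads (the system hives under `System32\config`, plus the current user's `NTUSER.DAT` and `UsrClass.dat`), looks for the transaction logs that sit next to each hive (`.LOG` on older releases, `.LOG1`/`.LOG2` on Windows 8.1 / Server 2012 R2 and later), and reports when each file was last written, so you can see whether the logs are actually being touched on your machine. The hive list and the function name `Get-HiveLogStatus` are assumptions of the example; run it from an elevated prompt, because the `config` directory is not listable by standard users.

```powershell
# Added example (not part of the original question or answer).
# Lists registry hive files and their transaction logs with last-write times.
# Assumes a standard Windows 8.1+/Server 2012 R2+ layout (.LOG1/.LOG2 logs);
# older systems use a single .LOG file, which is also checked.
# Requires an elevated prompt: only Administrators/SYSTEM can list System32\config.

# Hives that Windows keeps open while running (assumed standard locations).
$hivePaths = @(
    "$env:SystemRoot\System32\config\SYSTEM",
    "$env:SystemRoot\System32\config\SOFTWARE",
    "$env:SystemRoot\System32\config\SAM",
    "$env:SystemRoot\System32\config\SECURITY",
    "$env:SystemRoot\System32\config\DEFAULT",
    "$env:USERPROFILE\NTUSER.DAT",
    "$env:LOCALAPPDATA\Microsoft\Windows\UsrClass.dat"
)

function Get-HiveLogStatus {
    param([string[]]$Paths)

    foreach ($hive in $Paths) {
        # -Force is required: hive files carry the hidden and system attributes.
        # Get-Item only reads file metadata, so it works even though the hive
        # itself is held open exclusively by the kernel.
        $primary = Get-Item -LiteralPath $hive -Force -ErrorAction SilentlyContinue
        if ($null -eq $primary) { continue }   # hive absent or not readable

        # Transaction logs sit beside the hive with a .LOG/.LOG1/.LOG2 suffix.
        foreach ($suffix in '.LOG', '.LOG1', '.LOG2') {
            $log = Get-Item -LiteralPath ($hive + $suffix) -Force -ErrorAction SilentlyContinue
            if ($null -eq $log) { continue }

            [pscustomobject]@{
                Hive             = $primary.Name
                HiveWritten      = $primary.LastWriteTime
                Log              = $log.Name
                LogSizeBytes     = $log.Length
                LogWritten       = $log.LastWriteTime
                # True when the log was written after the primary file was last
                # flushed, i.e. the primary file on disk alone would be stale.
                LogNewerThanHive = $log.LastWriteTime -gt $primary.LastWriteTime
            }
        }
    }
}

Get-HiveLogStatus -Paths $hivePaths |
    Sort-Object Hive, Log |
    Format-Table -AutoSize
```

The `LogNewerThanHive` column is the practical point for anyone relying on these logs for forensics: a hive whose log is newer than its primary file has changes that are only in the log, so an acquisition that copies just the primary file misses them. The script only reads timestamps and sizes; it does not open or parse the hives, which are locked while Windows is running.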