I've read here, here and elsewhere that Windows can use a transaction log when writing to the Windows Registry, and this can be used for forensics.
I'm aware of RegNotifyChangeKeyValue and WMI, but I'm curious if the transaction log could also provide an alternative means for real-time monitoring of Registry changes.
My question: is the transaction log always used? The articles I've found tend to say things like it "can" use it, but not if it has to.