Whose permissions are being used?

2

Regarding "Permissions" in Windows, is it possible to trace or determine "who" is actually changing something? (i.e., determine what user is modifying something with their respective permissions)

For example, Process Monitor can see that certain registry keys are being accessed and set, but is it also possible to determine who (what user) was doing the accessing/altering?

I'm trying to track down the precise user account that's changing something, rather than willy-nilly locking down the various accounts in the permissions table through trial-and-error.

Coldblackice

Posted 2013-04-28T20:49:27.037

Reputation: 4 774

1 What are they changing? – Keltari – 2013-04-28T21:15:05.380

Sound configuration properties of an audio device through the Windows Sound control panel (which alters properties through registry keys). I happened to determine which "user" does the accessing/editing through this method, but I'm still keen to determine if there's a way to determine this other than through trial and error. – Coldblackice – 2013-04-28T21:27:47.197

Answers

3

Using the regedt32.exe utility it is possible to set auditing on certain parts of the registry.

  • Start the registry editor (regedt32.exe)
  • Select the key you wish to audit (e.g. HKEY_LOCAL_MACHINE\Software)
  • From the Security menu select Auditing
  • Check the "Audit Permission on Existing Subkeys" if you want subkeys to also be audited
  • Click the Add button and select the users you want to be audited, click Add and then click OK
  • Once there are names in the "Names" box you can select which events to be audited, whether success or failure.
  • When you have filled in all the information click OK

You will need to make sure that Auditing for File and Object access is enabled (use User Manager - Policies - Audit).

To view the information use Event Viewer and look at the Security information.

There is a Microsoft support article that explains how to set up Auditing. It uses the Local Policy Editor, which is not available on Windows 7 Home.

Keltari

Posted 2013-04-28T20:49:27.037

Reputation: 57 019
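
The same audit setup scripted in PowerShell, as an added example that is not part of the answer above. It assumes Windows Vista or later, an elevated prompt, and an English-language system (the `auditpol` subcategory name is localized). The key path `HKLM:\SOFTWARE\ExampleVendor\ExampleApp` is a placeholder for the key you want to watch, and event ID 4657 is the Security log event "A registry value was modified".

```powershell
# Run elevated: reading or writing a key's audit list (SACL) needs SeSecurityPrivilege.
# Placeholder path (not from the original post): substitute the key under investigation.
$KeyPath = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'

# 1. Enable the "Registry" subcategory of Object Access auditing.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable

# 2. Add an audit entry to the key: record every attempt, by any account,
#    to set a value or create a subkey, on this key and all of its subkeys.
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone',
    [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey',
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

$acl = Get-Acl -Path $KeyPath -Audit      # -Audit loads the SACL as well as the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# 3. Reproduce the change, then list which account and process wrote to the key.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        # Flatten the event's <EventData> name/value pairs into a hashtable.
        ([xml]$evt.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }

        [pscustomobject]@{
            Time    = $evt.TimeCreated
            User    = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            Process = $data.ProcessName
            Key     = $data.ObjectName        # e.g. \REGISTRY\MACHINE\SOFTWARE\...
            Value   = $data.ObjectValueName
        }
    } |
    Where-Object { $_.Key -like '*ExampleVendor\ExampleApp*' } |
    Format-Table -AutoSize
```

Remove the audit rule (`$acl.RemoveAuditRule($rule)` followed by `Set-Acl`) once the account has been identified, since auditing a busy key fills the Security log quickly.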