It is supposed that Process Monitor can capture the registry changes made by any program. This thread explains it fine (thank you, James T).
But it seems things are not so easy when talking about the Group Policy Editor (gpedit.msc), because I am getting more than 738 registry events when trying to change just one entry:
User Configuration -> Administrative Templates -> Code signing for drivers
How can I isolate the specific registry change made by my GPEdit change?
New data:
As suggested by Frank Thomas (thanks), there was only one RegSetValue entry, named HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{7C9BF3F4-1B9E-476F-871D-D20B09E6DA5A}User\Software\Policies\Microsoft\Windows NT\Driver Signing\BehaviorOnFailedVerify.
This BehaviorOnFailedVerify key was what I was changing, but that key has been changed in multiple places in the registry:
- At HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{7C9BF3F4-1B9E-476F-871D-D20B09E6DA5A}User\Software\Policies\Microsoft\Windows NT\Driver Signing, as stated.
- At HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\Driver Signing.
- At HKEY_USERS\S-1-5-21-1389804526-12218611-1726603683-1004\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{7C9BF3F4-1B9E-476F-871D-D20B09E6DA5A}User\Software\Policies\Microsoft\Windows NT\Driver Signing.
- At HKEY_USERS\S-1-5-21-1389804526-12218611-1726603683-1004\Software\Policies\Microsoft\Windows NT\Driver Signing.
That is: four changes, and only one of them has been detected by Process Monitor.
Is this correct? Why?
If I want to perform the same change via the reg command (without using gpedit.msc), which one should I change? All four?
Note: I did not explain this, since I did not think it was necessary, but my original idea was to be able to change the key BehaviorOnFailedVerify via a remote shell, like SSH or telnet.
Note 2: For those wondering what this change does: it disables the driver signature verification prompt, so nothing appears on the screen to the GUI user when installing some unsigned drivers, like the TAP driver (network) for an unattended OpenVPN installation.

Well, every entry you show except the one you have highlighted is a RegQueryKey, RegEnumKey, RegOpenKey, or RegCloseKey event, so that's the process reading the registry, whereas your RegSetValue is the event noting that the registry has been written to. You can filter on that event, or if you have the full path of the key, filter on the Path. – Frank Thomas – 2015-07-28T01:42:53.207
Indeed, @FrankThomas. But I am still not sure that the procedure is working. Updated post; please read. – Sopalajo de Arrierez – 2015-07-28T02:23:54.813
Try using a Contains query (rather than an is) on the Path filter, so you are only matching against BehaviorOnFailedVerify or Windows NT\Driver Signing. – Frank Thomas – 2015-07-28T02:28:37.463
Just to point something out on this, despite the age of the question, it is actually only changing in two locations as far as I can tell. HKCU is contained as a sub-key within HKU, so if you change something in HKCU it will, of course, also change in HKU. – Brandon Olson – 2020-02-11T00:30:43.557
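As an added example (not from the question or the comments above), a PowerShell audit script that reads BehaviorOnFailedVerify through the four paths listed in the question, so you can check for yourself that each HKCU path and its HKU\<SID> twin return the same value (one hive, two views) and that only two distinct locations exist. The GPO GUID is the one from the question and is machine-specific; the 0/1/2 value meanings are assumed from the policy's Ignore/Warn/Block options.

```powershell
# Added audit script; not code from the original thread.
# Reads the value through HKCU and through HKU\<SID> to show they are the same hive.
$Sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

# GUID taken from the question; on another machine the GPO id will differ.
$GpoId     = '{7C9BF3F4-1B9E-476F-871D-D20B09E6DA5A}'
$PolicyRel = 'Software\Policies\Microsoft\Windows NT\Driver Signing'
$GpoRel    = "Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\${GpoId}User\$PolicyRel"

$Paths = @{
  'HKCU policy'    = "Registry::HKEY_CURRENT_USER\$PolicyRel"
  'HKCU GPO cache' = "Registry::HKEY_CURRENT_USER\$GpoRel"
  'HKU policy'     = "Registry::HKEY_USERS\$Sid\$PolicyRel"
  'HKU GPO cache'  = "Registry::HKEY_USERS\$Sid\$GpoRel"
}

# Assumed mapping of the policy's options to the DWORD: 0 = Ignore, 1 = Warn, 2 = Block.
$Meaning = @{ 0 = 'Ignore (no prompt)'; 1 = 'Warn'; 2 = 'Block' }

function Get-DriverSigningPolicy {
  foreach ($label in $Paths.Keys) {
    $value = $null
    $item = Get-ItemProperty -Path $Paths[$label] -Name BehaviorOnFailedVerify -ErrorAction SilentlyContinue
    if ($item) { $value = [int]$item.BehaviorOnFailedVerify }
    [pscustomobject]@{
      Location = $label
      Path     = $Paths[$label]
      Value    = $value
      Meaning  = if ($null -ne $value) { $Meaning[$value] } else { '(not set)' }
    }
  }
}

$r = Get-DriverSigningPolicy
$r | Format-Table Location, Value, Meaning -AutoSize

# HKCU is a view of HKU\<SID>, so each pair must agree; a mismatch means the SID lookup is wrong.
$hkcuPolicy = ($r | Where-Object Location -eq 'HKCU policy').Value
$hkuPolicy  = ($r | Where-Object Location -eq 'HKU policy').Value
if ($hkcuPolicy -ne $hkuPolicy) { Write-Warning 'HKCU and HKU\<SID> views disagree; check the SID.' }

# The policy path (not the GPO cache) is what the OS consults; flag the prompt-suppressing setting.
if ($hkcuPolicy -eq 0) { Write-Warning 'Unsigned-driver verification failures are set to Ignore for this user.' }
```

The GPO cache path is only Group Policy's own copy of the setting, so an audit or a Process Monitor Path filter should focus on the Software\Policies path.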