{"id":69423,"date":"2005-07-11T22:41:00","date_gmt":"2005-07-11T22:41:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2005\/07\/11\/how-can-i-monitor-changes-to-a-registry-key\/"},"modified":"2005-07-11T22:41:00","modified_gmt":"2005-07-11T22:41:00","slug":"how-can-i-monitor-changes-to-a-registry-key","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/how-can-i-monitor-changes-to-a-registry-key\/","title":{"rendered":"How Can I Monitor Changes to a Registry Key?"},"content":{"rendered":"

\"Hey, \n

Hey, Scripting Guy! Is it possible to use a script to monitor changes to a registry key? I\u2019d like to be notified any time someone makes changes to the HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run key.

— SB<\/P>\"Spacer\"\"Hey,\"Script<\/A> \n

Hey, SB. And by the way, thanks for wording the question the way you did: it\u2019s actually pretty easy to receive notification any time someone makes a change to a specific registry key. Had you gone on to ask, \u201cAnd then can you tell me who made the change and what change they made?\u201d well, in that case we\u2019d have a problem on our hands (and we\u2019ll explain why in a moment). But you didn\u2019t ask that, so for now we\u2019ll just forget we even mentioned it.<\/P>\n

Let\u2019s take a look at a script that monitors the HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run registry key and then echoes back a message any time that key is changed:<\/P>

strComputer = “.”<\/p>\n
Set objWMIService = GetObject(“winmgmts:\\\\” & strComputer & “\\root\\default”)<\/p>\n
Set colEvents = objWMIService.ExecNotificationQuery _\n    (“SELECT * FROM RegistryKeyChangeEvent WHERE Hive=’HKEY_LOCAL_MACHINE’ AND ” & _\n        “KeyPath=’SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run'”) <\/p>\n
Do\n    Set objLatestEvent = colEvents.NextEvent\n    Wscript.Echo Now & “: The registry has been modified.”\nLoop\n<\/PRE>\n
We begin by connecting to the WMI service; more specifically, we connect to the root\\default<\/B> namespace, which is where the registry event classes live. We then use the ExecNotificationQuery<\/B> method to issue the following query:<\/P>
(“SELECT * FROM RegistryKeyChangeEvent WHERE Hive=’HKEY_LOCAL_MACHINE’ AND ” & _\n        “KeyPath=’SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run'”)\n<\/PRE>\n
All we\u2019re doing here is requesting notification any time an instance of the RegistryKeyChangeEvent<\/B> class is created; as you might have guessed, an instance of this class is created any time a specified registry key is changed (for example a new value is added or an existing value is modified or deleted). <\/P>\n
Sounds good, but how do we specify the registry key? That\u2019s easy; we just need to configure the following two properties of the RegistryKeyChangeEvent class:<\/P>\n\n\n\n\n
\u2022<\/TD>\n\n
Hive<\/B>. This is the registry hive (location) where the key lives. We want to monitor a key that lives in HKEY_LOCAL_MACHINE, so we set the value of the Hive property to HKEY_LOCAL_MACHINE. If we wanted to monitor a registry key that lives in HKEY_CURRENT_USER, we\u2019d set the value accordingly. Note that we do not have to define and use constants when configuring the Hive property; just type in the actual name of the registry hive.<\/P><\/TD><\/TR>\n
\u2022<\/TD>\n\n
KeyPath<\/B>. This is the path within the hive that leads to our registry key. Because the \\ is a reserved character in WMI, notice that we need to escape each \\ with a second \\. Thus, a key path like Software\\Microsoft\\Windows\\CurrentVersion\\Run must be written out as Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run.<\/P><\/TD><\/TR><\/TBODY><\/TABLE>\n
After issuing the query we set up a Do Loop that will simply run forever, dutifully waiting for the next instance of the RegistryKeyChangeEvent class to appear. To make the script wait for such an appearance we use this line of code:<\/P>
Set objLatestEvent = colEvents.NextEvent\n<\/PRE>\n
This line of code causes the script to \u201cblock,\u201d which means the script will just sit there and wait for the next event to occur (as you well know, the event we are monitoring for is new instances of the RegistryKeyChangeEvent class). When such an event does<\/I> occur, we simply echo the current date and time and the fact that the registry has been modified in some way. We then loop around and wait for the next<\/I> such occurrence. (Press Ctrl+C to get out of the loop and end the script.)<\/P>\n
Why don\u2019t we do something a bit more specific than merely note that the registry has been modified in some way? Well, mainly because we can\u2019t<\/I> do anything more specific: details such as what was changed and who changed it are not captured by the registry event provider. We could determine some of this information by grabbing the initial state of the registry key and then, when an event occurs, comparing the new state to the initial state. We\u2019d then have to set up a procedure that allows us to continue comparing the latest state of the registry key to the most recent previous state. But that\u2019s something we\u2019ll have to let you work out for yourself. (Unless, of course, we hear otherwise. After all, we live to serve!)<\/P><\/p>\n","protected":false},"excerpt":{"rendered":"
Hey, Scripting Guy! Is it possible to use a script to monitor changes to a registry key? I\u2019d like to be notified any time someone makes changes to the HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run key.— SB Hey, SB. And by the way, thanks for wording the question the way you did: it\u2019s actually pretty easy to receive notification any […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[42,26,3,4,5],"class_list":["post-69423","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-events-and-monitoring","tag-registry","tag-scripting-guy","tag-scripting-techniques","tag-vbscript"],"acf":[],"blog_post_summary":"
Hey, Scripting Guy! Is it possible to use a script to monitor changes to a registry key? I\u2019d like to be notified any time someone makes changes to the HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run key.— SB Hey, SB. And by the way, thanks for wording the question the way you did: it\u2019s actually pretty easy to receive notification any […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/69423","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=69423"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/69423\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=69423"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=69423"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=69423"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}