
We have a requirement in our environment wherein we want to restrict users from modifying certain registry keys/hives. We want to know:

  1. Whether we can enforce this using EPM policies, or whether we need to use group policies for this?
  2. Will EPM Policy be able to block users from modifying registry values within their respective endpoints?
  3. Can Avecto Defendpoint Service identify such events related to registry modifications, i.e. will we see event logs (in Event Viewer and the BT EPM cloud console) related to every unique registry key/hive?

The EPM client as such can't prevent users from tampering with the registry settings unless we block the apps that allow them to do so. This is of course only valid for HKCU, where admin rights are not required.

Then it becomes more complicated, as many apps query the registry in the context of a user, so as an exception we now have to distinguish between the legit action and the non-legit one for our rules.

Once we have that information it becomes possible to some extent, but it is not flawless.

Think of the tools for tampering with the registry:
Command line tools: reg.exe, regedit.exe etc.
Reg files: *.reg

These can all be controlled, but it becomes complicated very fast.

Jens


We don’t have to worry about the locations that require Admin rights.
Then I see two options: you can audit anything that has the possibility to write, change or alter the registry.

sample for reg.exe
reg add "HKCU\Software\MyApp" /v "Data" /t REG_BINARY /d "01020304" /f

  REG QUERY /?
  REG ADD /?
  REG DELETE /?
  REG COPY /?
  REG SAVE /?
  REG RESTORE /?
  REG LOAD /?
  REG UNLOAD /?
  REG COMPARE /?
  REG EXPORT /?
  REG IMPORT /?
  REG FLAGS /?


Regedit 
regedit /s "C:\path\to\your\file.reg"

Or block users from running regedit.exe, as they can always load it and make changes that are not visible when altering things directly in the registry.

I suggest using Audit rule scripts (PowerShell, JS) for when a Reg file is executed, and copying it to a share for analysing it.


Please note the Quickstart Policy does have some default issues with HostedFile types, which render you unable to pick up the metadata on a Reg file; it comes through to analytics as reg.exe and the command line instead.

This can be fixed with a few changes in the policy.
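The audit approach described in the reply above (watch reg.exe/regedit invocations, and copy any launched .reg file to a share for analysis), as an added PowerShell example that is not part of the original thread or of any BeyondTrust policy. It assumes the Audit rule passes the launched .reg path as the script's first argument; the share path, the sensitive-key list, the sample .reg content and the reg.exe command line it parses are all constructed for illustration.

```powershell
<#
  Added example, not from the original thread or from BeyondTrust: a script an EPM
  Audit rule could run when a user launches a *.reg file, plus a helper for the
  reg.exe command lines that show up in analytics. It lists every key the file
  would create, delete or set, flags writes outside HKCU (those need admin rights,
  so EPM is not the control there) and writes to a few assumed sensitive HKCU keys,
  and copies the file to a share for later analysis.
  Assumptions: the rule passes the .reg path as the first argument; $ShareRoot and
  $SensitiveKeyPatterns are placeholders to adapt to your environment.
#>
param([string]$RegFilePath)

$ShareRoot = '\\fileserver\regaudit$'                  # assumed collection share
$SensitiveKeyPatterns = @(                              # assumed list, extend as needed
    'Software\\Microsoft\\Windows\\CurrentVersion\\Run',
    'Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce',
    'Software\\Classes\\'
)

# Parse .reg text into one record per key/value operation.
function Get-RegFileChanges {
    param([Parameter(Mandatory)][string[]]$Lines)
    $changes = @()
    $currentKey = $null
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(-?)(HKEY_[^\]]+)\]$') {                     # [HKEY...] creates, [-HKEY...] deletes
            $currentKey = $Matches[2]
            $action = if ($Matches[1] -eq '-') { 'DeleteKey' } else { 'CreateKey' }
            $changes += [pscustomobject]@{ Key = $currentKey; Value = $null; Action = $action }
        }
        elseif ($currentKey -and $t -match '^("(?:[^"\\]|\\.)*"|@)=(.*)$') {   # "name"=data or @=data
            $name   = if ($Matches[1] -eq '@') { '(Default)' } else { $Matches[1].Trim('"') }
            $action = if ($Matches[2] -eq '-') { 'DeleteValue' } else { 'SetValue' }  # "name"=- removes a value
            $changes += [pscustomobject]@{ Key = $currentKey; Value = $name; Action = $action }
        }
    }
    return $changes
}

# Classify each change: does it need admin rights (outside HKCU), does it hit a sensitive key?
function Test-RegFileChanges {
    param([object[]]$Changes)
    foreach ($c in $Changes) {
        $hive = ($c.Key -split '\\')[0]
        [pscustomobject]@{
            Key        = $c.Key
            Value      = $c.Value
            Action     = $c.Action
            NeedsAdmin = ($hive -ne 'HKEY_CURRENT_USER')
            Sensitive  = [bool]($SensitiveKeyPatterns | Where-Object { $c.Key -match $_ })
        }
    }
}

# For the reg.exe command lines analytics shows: which subcommand, which key, and is it a write?
function Test-RegCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    $writeOps = 'add','delete','copy','restore','load','unload','import','flags'
    $fileOps  = 'import','restore'                       # third token is a file, not a key
    $tokens = @([regex]::Matches($CommandLine, '"[^"]*"|\S+') | ForEach-Object { $_.Value.Trim('"') })
    $op   = if ($tokens.Count -ge 2) { $tokens[1].ToLower() } else { '' }
    $key  = if ($tokens.Count -ge 3 -and $op -notin $fileOps) { $tokens[2] } else { '' }
    $hive = ($key -split '\\')[0].ToUpper()
    $needsAdmin = if ($key) { $hive -notin 'HKCU','HKEY_CURRENT_USER' } else { $null }  # unknown for file ops
    [pscustomobject]@{ Operation = $op; Key = $key; IsWrite = ($writeOps -contains $op); NeedsAdmin = $needsAdmin }
}

# Constructed sample .reg content so the script runs offline when no path is supplied.
if ($RegFilePath -and (Test-Path -LiteralPath $RegFilePath)) {
    $lines = Get-Content -LiteralPath $RegFilePath
} else {
    $lines = @(
        'Windows Registry Editor Version 5.00',
        '',
        '[HKEY_CURRENT_USER\Software\MyApp]',
        '"Data"=hex:01,02,03,04',
        '',
        '[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]',
        '"Updater"="C:\\Users\\Public\\updater.exe"',
        '',
        '[-HKEY_CURRENT_USER\Software\OldApp]',
        '',
        '[HKEY_LOCAL_MACHINE\SOFTWARE\MyApp]',
        '"Setting"=dword:00000001'
    )
}

$report = Test-RegFileChanges -Changes (Get-RegFileChanges -Lines $lines)
$report | Format-Table -AutoSize
if ($report | Where-Object { $_.NeedsAdmin -or $_.Sensitive }) {
    Write-Warning 'Reg file touches keys outside HKCU or sensitive HKCU keys; review it.'
}

# The reg.exe command line from the thread, as analytics would show it.
Test-RegCommandLine 'reg add "HKCU\Software\MyApp" /v "Data" /t REG_BINARY /d "01020304" /f' | Format-List

# Keep a copy of the real file on the share, named so it is unique per machine and time.
if ($RegFilePath -and (Test-Path -LiteralPath $RegFilePath)) {
    $name = '{0}_{1}_{2}' -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd-HHmmss'), (Split-Path $RegFilePath -Leaf)
    Copy-Item -LiteralPath $RegFilePath -Destination (Join-Path $ShareRoot $name) -ErrorAction Stop
}
```

With the built-in sample, the report marks the Run key entry as Sensitive, the HKLM entry as NeedsAdmin, and the [-HKEY_CURRENT_USER\Software\OldApp] line as a DeleteKey; the parsed reg.exe line comes out as Operation add, IsWrite True, NeedsAdmin False. The script only audits: blocking still has to be done by the EPM rule that matches reg.exe, regedit.exe or the .reg file type, as the reply above says.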