Here are the steps to audit a Windows registry value:
https://4sysops.com/archives/audit-changes-in-the-windows-registry/
- Activate registry auditing
  1. Open Regedit (Start > Run > type Regedit and press Enter).
  2. Select the registry key that you want to enable auditing on.
  3. Right-click the key and select Permissions.
  4. In the dialog box that opens, click the Advanced button.
  5. Go to the Auditing tab and click the Add button.
  6. Enter the users/groups you want to configure auditing for and click OK. To enable auditing for all users, select the "Everyone" group.
  7. Select the kind of access you want to audit and click OK.
  8. Repeat steps 2 to 7 to add other users/groups.
  Note that the SACL set this way only produces events once the Object Access > Audit Registry policy is enabled (locally or via GPO, see below).
- Setting permissions for registry keys
- Configuring SACL via GPO
- Evaluating the event log
Enabling auditing for a registry key in PowerShell:
https://giuoco.org/security/configure-file-and-registry-auditing-with-powershell/
https://learn.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.registryauditrule
Example PowerShell script:

```powershell
# Audit successful SetValue and Delete operations by Authenticated Users on one key.
# Get-Acl/Set-Acl with -Audit read and write the SACL, which needs SeSecurityPrivilege: run elevated.
$path = 'HKCU:\Control Panel\Personalization\Desktop'
$user = 'Authenticated Users'
$auditRules = 'SetValue,Delete'        # RegistryRights flags to audit
$inheritType = 'None'                  # InheritanceFlags: this key only, not its subkeys
$propagationFlags = 'None'             # PropagationFlags
$auditType = 'Success'                 # AuditFlags: Success, Failure or both
$rule = New-Object System.Security.AccessControl.RegistryAuditRule($user,$auditRules,$inheritType,$propagationFlags,$auditType)
$acl = Get-Acl $path -Audit            # security descriptor of the key, SACL included
$acl.AddAuditRule($rule)
Set-Acl -AclObject $acl -Path $path    # write the updated SACL back to the key
```
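As an added example that is not from the linked articles, the whole procedure in PowerShell for the sections above (enable the audit policy, set a SACL that also covers subkeys, verify it, evaluate the Security log). The key path and the `ExampleVendor` name are placeholders, and the auditpol subcategory name assumes an English Windows install.

```powershell
#Requires -RunAsAdministrator
# Placeholder key; replace with the key you want to watch.
$path = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'

# 1. A SACL produces nothing until the Object Access > Registry subcategory is enabled
#    (subcategory name is localized; "Registry" is the English one).
auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

# 2. Audit value writes, subkey creation and deletes by anyone; ContainerInherit
#    pushes the entry down to subkeys as well.
$rule = [System.Security.AccessControl.RegistryAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.RegistryRights]'SetValue,CreateSubKey,Delete',
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success,Failure')
$acl = Get-Acl -Path $path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# 3. Read the SACL back; no rows here means the rule did not land.
(Get-Acl -Path $path -Audit).Audit |
    Select-Object IdentityReference, RegistryRights, AuditFlags, InheritanceFlags

# 4. Evaluate the Security log: 4657 = a registry value was modified,
#    4663 = an attempt was made to access an object. ObjectName is in kernel
#    form (\REGISTRY\MACHINE\...), so match on the tail of the path, not on HKLM:.
$since = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657, 4663; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            User    = $d['SubjectUserName']
            Key     = $d['ObjectName']
            Value   = $d['ObjectValueName']   # present on 4657 only
            NewData = $d['NewValue']          # present on 4657 only
            Process = $d['ProcessName']
        }
    } |
    Where-Object { $_.Key -like '*\SOFTWARE\ExampleVendor\ExampleApp*' } |
    Format-Table -AutoSize
```

Step 3 is the check worth keeping in any deployment script: Set-Acl can succeed while a typo in the rights string leaves the SACL unchanged.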