Event ID 4657 – A Registry Value Was Modified
Description: A registry value was successfully modified.

Event ID 4657 is logged when a value under a registry key is modified. A subtle but important point is that it is triggered only for changes to a key's values (a value created, changed, or deleted), not for changes to the key itself such as creating or deleting a subkey; those are reported by other Object Access events. Further, this event is generated only if the Registry subcategory of Object Access auditing is enabled in the audit policy and the key's SACL contains an audit entry covering the relevant access (Set Value).
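Both prerequisites described above can be put in place from an elevated PowerShell session. The following is an added example, not code from the original page or from ADAudit Plus; the key path, the audited principal (Everyone) and the audited rights are illustrative choices.

```powershell
# Added example (not from the original page): enable the two prerequisites for
# event 4657 on a single registry key. Run in an elevated PowerShell session on
# the audited host. The key path and audited principal are illustrative.

# 1. Enable the "Registry" subcategory of Object Access auditing.
#    Without this, a SACL on the key produces no 4657 events at all.
auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable

# 2. Add a SACL entry to the key. SetValue is the access right that produces 4657;
#    Delete/CreateSubKey are included so changes to the key itself are audited too
#    (those surface as other Object Access events, not 4657).
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   # illustrative key
$acl     = Get-Acl -Path $keyPath -Audit                              # -Audit reads the SACL

$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    [System.Security.Principal.SecurityIdentifier]'S-1-1-0',          # Everyone
    [System.Security.AccessControl.RegistryRights]'SetValue, Delete, CreateSubKey',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
    [System.Security.AccessControl.PropagationFlags]'None',
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 3. Verify the SACL now carries the rule, then make a test change to the key
#    and confirm a 4657 event appears in the Security log.
(Get-Acl -Path $keyPath -Audit).Audit |
    Format-Table IdentityReference, RegistryRights, AuditFlags, InheritanceFlags

Set-ItemProperty -Path $keyPath -Name 'AuditTest' -Value 'test'      # triggers 4657
Remove-ItemProperty -Path $keyPath -Name 'AuditTest'                 # also triggers 4657
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } -MaxEvents 2 |
    Format-List TimeCreated, Message
```

Writing the SACL requires the Manage auditing and security log privilege (SeSecurityPrivilege), which is why the session must be elevated; if Set-Acl succeeds but no 4657 appears, check `auditpol /get /subcategory:"Registry"` first, since a SACL with auditing disabled is the most common reason the event is missing.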
This log data provides the following information:
- Security ID
- Account Name
- Account Domain
- Object Name
- Object Value Name
- Handle ID
- Operation Type
- Process ID
- Process Name
- Old Value Type
- Old Value
- New Value Type
- New Value
Why does event ID 4657 need to be monitored?
- To monitor unauthorized and restricted processes that change registry key values
- To ensure that no critical or sensitive registry key is being modified
- To monitor actions of high-value accounts
- To detect anomalies and malicious actions
- To ensure inactive, external, and restricted accounts are not used
- To ensure that only allow-listed accounts perform certain specific actions
- To enforce conventions and compliance requirements
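The monitoring goals above (sensitive keys, unexpected processes, non-allow-listed accounts) can be checked directly against the Security log. The following is an added example, not code from the original page or from ADAudit Plus; the watch list of keys, the allow-list of expected accounts and processes, and the 24-hour window are illustrative assumptions.

```powershell
# Added example (not from the original page): review recent 4657 events and flag
# value changes under keys commonly abused for persistence that were made by an
# account or process outside an allow-list. Watch list, allow-lists and time
# window are illustrative.

$watchList = @(                                   # matched as substrings of ObjectName
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'SYSTEM\CurrentControlSet\Services'
)
$allowedAccounts  = @('CORP\svc-config')           # illustrative configuration-management account
$allowedProcesses = @('C:\Windows\System32\svchost.exe')   # illustrative expected process

# OperationType arrives in the raw XML as a message-table code; map the three
# values documented for this event so the report is readable.
$opType = @{
    '%%1904' = 'New registry value created'
    '%%1905' = 'Existing registry value modified'
    '%%1906' = 'Registry value deleted'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4657
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

foreach ($evt in $events) {
    # Read EventData fields by their Name attribute rather than by position.
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $objectName = $data['ObjectName']            # e.g. \REGISTRY\MACHINE\SOFTWARE\...
    $hit = $watchList | Where-Object { $objectName -like "*$_*" }
    if (-not $hit) { continue }

    $account = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
    $process = $data['ProcessName']
    $suspicious = ($allowedAccounts -notcontains $account) -or
                  ($allowedProcesses -notcontains $process)

    [pscustomobject]@{
        Time       = $evt.TimeCreated
        Account    = $account
        Process    = $process
        Key        = $objectName
        ValueName  = $data['ObjectValueName']
        Operation  = if ($opType.ContainsKey($data['OperationType'])) { $opType[$data['OperationType']] } else { $data['OperationType'] }
        OldValue   = $data['OldValue']
        NewValue   = $data['NewValue']
        Suspicious = $suspicious
    }
}
```

Because 4657 carries both the old and the new value, the report shows exactly what changed, which is what makes this event more useful for registry-based persistence detection than the generic 4663 access event; remember, though, that only keys with a matching SACL entry will ever appear here, so the watch list is only as good as the SACLs configured on those keys.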
ADAudit Plus helps audit all Windows File Server and file share events, thus helping you meet your security, operational, and compliance needs with absolute ease.
Event 4657 applies to the following operating systems:
- Windows 2008 R2 and 7
- Windows 2012 R2 and 8.1
- Windows 2016 and 10
Corresponding event in Windows 2003 and before: 567.