Configure Windows Registry Scanner

Configure AgentX to monitor Windows registry keys for changes.

Prerequisites

  • Template created or selected for editing (Operating System must be Windows)

  • Understanding of which registry keys require monitoring

  • Knowledge of Windows registry structure and critical keys

Procedure

  1. In the template configuration, locate Windows Registry Scanner.

  2. Select Add New to add a registry monitoring configuration.

  3. Enter a Name for the monitored registry key.

  4. In Include Reg Value, select the registry root key from the dropdown and enter the registry path.

  5. Select + to add additional registry paths to include. You can specify multiple paths for monitoring.

  6. In Exclude Reg Value, select the registry root key and enter registry paths to exclude from monitoring (optional). Select + to add multiple exclusions.

  7. In Schedule, enter the scan frequency in seconds. This determines how often AgentX checks for registry changes.

  8. In Recursion, select the depth level for registry scanning:

    • 1 - Monitor only the specified key (no subkeys)

    • 2 - Monitor the key and one level of subkeys

    • Higher values enable deeper recursion but increase resource usage

  9. To monitor the registry on 32-bit Windows systems, select 32-Bit System.

  10. Select Save to save the template configuration.

To add multiple registry monitoring configurations, select Add New and repeat the procedure.

To remove a configuration, select Delete next to the configuration.

Expected outcome

AgentX Client monitors the specified registry keys according to the scan schedule. When changes are detected, AgentX generates registry integrity events and forwards them to Logpoint.

Verification

After assigning the template to a device:

  1. Make a change to a monitored registry key (create a value, modify data, or change permissions).

  2. Wait for the next scheduled scan to complete.

  3. Go to the Logpoint search interface.

  4. Run the following query:

Replace <hostname> with your endpoint hostname.

Verify that registry integrity events appear showing the detected changes.

Configuration guidelines

Use multiple specific paths instead of broad scanning

Rather than monitoring entire registry hives with high recursion, specify targeted registry paths relevant to security. This reduces resource usage and alert noise.

Limit recursion depth

Keep recursion to 1 or 2 levels to maintain performance. Broad registry scans with high recursion can significantly impact endpoint performance.

Balance scan frequency with change rate

Set the schedule based on how frequently the monitored keys change. For keys that rarely change, 15-30 minute scans are sufficient.

Exclude volatile registry areas

Use Exclude Reg Value to skip registry locations that change frequently due to normal system operations (performance counters, recently used lists, etc.).

Registry root keys:

  • HKEY_LOCAL_MACHINE (HKLM) - System-wide settings

  • HKEY_CURRENT_USER (HKCU) - Current user settings

  • HKEY_USERS (HKU) - All user profiles

  • HKEY_CLASSES_ROOT (HKCR) - File associations and COM objects

  • HKEY_CURRENT_CONFIG (HKCC) - Current hardware profile

Critical registry paths to monitor:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run (system startup programs)

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run (user startup programs)

  • HKLM\System\CurrentControlSet\Services (system services)

  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (logon settings)

  • HKLM\System\CurrentControlSet\Control\Lsa (security settings)

Example configurations

Monitor system startup registry keys:

  • Name: System Startup

  • Include Reg Value:

    • HKLM: \Software\Microsoft\Windows\CurrentVersion\Run

    • HKLM: \Software\Microsoft\Windows\CurrentVersion\RunOnce

  • Exclude Reg Value: (empty)

  • Schedule: 900 (15 minutes)

  • Recursion: 1

  • 32-Bit System: Not selected

Monitor user startup programs:

  • Name: User Startup

  • Include Reg Value:

    • HKCU: \Software\Microsoft\Windows\CurrentVersion\Run

  • Exclude Reg Value: (empty)

  • Schedule: 1200 (20 minutes)

  • Recursion: 1

  • 32-Bit System: Not selected

Monitor Windows services:

  • Name: System Services

  • Include Reg Value:

    • HKLM: \System\CurrentControlSet\Services

  • Exclude Reg Value:

    • HKLM: \System\CurrentControlSet\Services\EventLog (high change rate)

  • Schedule: 1800 (30 minutes)

  • Recursion: 1

  • 32-Bit System: Not selected
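To check what an Include/Exclude/Recursion combination actually covers before assigning the template, and to see the kind of change a scan reports, the following PowerShell is an added example (not AgentX or Logpoint code) that applies the recursion semantics described above to the "System Services" and "System Startup" configurations. The baseline file name under $env:TEMP is an assumption made for this example.

```powershell
# Added example, not AgentX/Logpoint code: snapshot registry values under the Include paths
# to the page's Recursion depth (1 = key only, 2 = key + one level), skip Exclude subtrees, diff.
function Get-RegistrySnapshot {
    param(
        [string[]]$Include,            # PowerShell provider paths, e.g. HKLM:\Software\...
        [string[]]$Exclude = @(),      # subtrees skipped together with everything below them
        [int]$Recursion = 1
    )
    $snapshot = @{}                    # "key\valuename" -> "kind=data"
    function Walk([string]$Path, [int]$Depth) {
        if ($Depth -lt 1) { return }
        foreach ($ex in $Exclude) {
            if ($Path -eq $ex -or $Path.StartsWith("$ex\", 'OrdinalIgnoreCase')) { return }
        }
        $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue   # unreadable keys are skipped
        if (-not $key) { return }
        foreach ($name in $key.GetValueNames()) {
            $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            $label = if ($name) { $name } else { '(Default)' }
            $snapshot["$Path\$label"] = "$($key.GetValueKind($name))=$data"
        }
        foreach ($sub in $key.GetSubKeyNames()) { Walk "$Path\$sub" ($Depth - 1) }
    }
    foreach ($p in $Include) { Walk $p $Recursion }
    return $snapshot
}

function Compare-RegistrySnapshot([hashtable]$Baseline, [hashtable]$Current) {
    foreach ($k in $Current.Keys) {
        $change = if (-not $Baseline.ContainsKey($k)) { 'Created' } elseif ($Baseline[$k] -ne $Current[$k]) { 'Modified' }
        if ($change) { [pscustomobject]@{ Change = $change; Value = $k; Data = $Current[$k] } }
    }
    foreach ($k in $Baseline.Keys) {
        if (-not $Current.ContainsKey($k)) { [pscustomobject]@{ Change = 'Deleted'; Value = $k; Data = $Baseline[$k] } }
    }
}

# Scope check for the "System Services" example: how many values each Recursion depth covers.
$svc = 'HKLM:\System\CurrentControlSet\Services'
1, 2 | ForEach-Object {
    "Recursion $_ covers $((Get-RegistrySnapshot -Include $svc -Exclude "$svc\EventLog" -Recursion $_).Count) values"
}
# Baseline/diff for the "System Startup" example; the baseline file name is constructed for this example.
$run = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run', 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$baselineFile = Join-Path $env:TEMP 'agentx-run-baseline.xml'
if (Test-Path $baselineFile) {
    Compare-RegistrySnapshot (Import-Clixml $baselineFile) (Get-RegistrySnapshot -Include $run) | Format-Table -AutoSize
}
Get-RegistrySnapshot -Include $run | Export-Clixml $baselineFile
```

Run the script once to write the baseline and again after the configured schedule interval; the second run lists the created, modified and deleted values a scan over the same scope would report.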
