Looking to use Splunk to monitor new programs being added to "Startup" on Desktops and Servers.
Here are my stanzas:
[WinRegMon://Startup1]
baseline = 1
disabled = 0
hive = HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*\\?.*
index = winregistry
proc = C:\\.*
type = rename|query|open|set|close|delete|create
[WinRegMon://Startup2]
baseline = 1
disabled = 0
hive = HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*\\?.*
index = winregistry
proc = C:\\.*
type = rename|query|open|set|close|delete|create
[WinRegMon://Startup3]
baseline = 1
disabled = 0
hive = HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*\\?.*
index = winregistry
proc = C:\\.*
type = rename|query|open|set|close|delete|create
[WinRegMon://Startup4]
baseline = 1
disabled = 0
hive = HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*\\?.*
index = winregistry
type = rename|query|open|set|close|delete|create
I'm expecting to get results back of what programs are already in Startup. Unfortunately all I'm getting are
11/07/2016 16:17:32.918
event_status="(0)The operation completed successfully."
pid=1484
process_image="c:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
registry_type="QueryKey"
key_path="HKU\s-1-5-21-1757981266-1390067357-682003330-65129\software\microsoft\windows\currentversion\runonce"
data_type="REG_NONE"
data=""
11/07/2016 16:17:32.898
event_status="(0)The operation completed successfully."
pid=1484
process_image="c:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
registry_type="QueryKey"
key_path="HKLM\software\microsoft\windows\currentversion\run"
data_type="REG_NONE"
data=""
So how do I get the stanza right so I get the subkeys of Run and RunOnce?
NOTE: I've also tried adjusting the stanza to end with:
\Run\\
\Run\\\\?.*
\Run\\*\\?.*
and get the same results each time.