Creating and configuring a registry access monitoring rule

Registry access monitoring rules are applied in the order in which they are listed in the Registry access monitoring rules block.

To create and configure a registry access monitoring rule using the Application Console:

  1. In the Application Console tree, expand the System Inspection node.
  2. Select the Registry Access Monitor child node.
  3. Click the Registry Access Monitor link in the results pane of the Registry Access Monitoring Rules node.

    The Registry Access Monitoring window appears.

  4. In the Add system registry key to monitor field, enter the path to the registry key using a supported mask.

    Avoid using supported masks for the root keys, when creating the rules.
    If you specify only a root key, such as HKEY_CURRENT_USER, or a root key with a mask for all child keys, such as HKEY_CURRENT_USER\*, a vast number of notifications about addressing the specified child keys is generated, which results in the system performance issues.
    If you specify a root key, such as HKEY_CURRENT_USER, or a root key with a mask for all child keys, such as HKEY_CURRENT_USER\*, and select the Block operations according to the rules mode, the system is not able to read or change the keys required for OS functioning and fails to respond.

  5. Click the Add button.
  6. On the Actions tab for the selected monitoring scope, configure the list of actions as needed.
  7. Specify the registry values that the rule will monitor:
    1. On the Controlled values tab, click the Add button.

      The Registry value rule window opens.

    2. In the corresponding field, enter the registry value or registry value mask.
    3. In the Controlled operations block, select which actions taken on the registry value will be monitored by the rule.
    4. Click the OK button to save the changes.
  8. If necessary, specify trusted users:
    1. On the Trusted users tab, click the Add button.
    2. In the Select Users or Groups window, select the users or groups of users authorized to perform the selected actions.
    3. Click the OK button to save the changes.

    By default, Kaspersky Embedded Systems Security for Windows treats all users not on the trusted user list as untrusted, and generates Critical events for them. For trusted users, statistics are compiled.

  9. In the Registry Access Monitoring window, click the Save button.

The configured registry access monitoring rule is displayed in the Registry Access Monitoring block of the Registry access monitoring rules window.

See also

Export and import of registry access monitoring rules
Page top