Creating and configuring a registry access monitoring rule

Registry access monitoring rules are applied in the order in which they are listed in the Registry access monitoring rules block.

To create and configure a registry access monitoring rule using the Administration Plug-in:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.
2. Select the administration group for which you want to configure application settings.
3. Perform one of the following actions in the details pane of the selected administration group:
   • To configure application settings for a group of protected devices, select the Policies tab and open the Properties: <Policy name> window.
   • To configure the settings of a task or application for an individual protected device, select the Devices tab and go to local task settings or application settings.
4. Do one of the following:
   • If you are creating a registry access monitoring rule in a policy, in the System inspection section, in the Registry Access Monitor block, click the Settings button.

     The Registry Access Monitor opens on the Registry Access Monitor settings tab.

   • If you are creating a registry access monitoring rule for a local task, in the Properties: Registry Access Monitor window, go to the Settings section.
5. In the Registry access monitoring rules block, click the Add button.

   The Registry Access Monitoring rule window appears.

6. In the Set rule triggering criteria for the specified scope field, enter the path using a supported mask.

   You can use ? and * as a mask when entering a path.

   If you enter the path to a root registry key, make sure to specify full path without a mask, such as HKEY_USERS. Following is a list of valid root registry keys:

   • HKEY_LOCAL_MACHINE
   • HKLM
   • HKEY_CURRENT_USER
   • HKCU
   • HKEY_USERS
   • HKUS
   • HKU
   • HKEY_CURRENT_CONFIG
   • HKEY_CLASSES_ROOT
   • HKCR

   Avoid using supported masks for the root keys when creating the rules.
   If you specify only a root key, such as HKEY_CURRENT_USER, or a root key with a mask for all child keys, such as HKEY_CURRENT_USER\*, a vast number of notifications about addressing the specified child keys is generated, which results in the system performance issues. If you specify a root key, such as HKEY_CURRENT_USER, or a root key with a mask for all child keys, such as HKEY_CURRENT_USER\*, and select the Block operations according to the rules mode, the system is not able to read or change the keys required for OS functioning and fails to respond.

7. On the Add tab, configure the list of actions as needed.
8. Specify the registry values that the rule will monitor:
   1. On the Registry Values tab, click the Add button.

      The Registry value rule window opens.

   2. In the corresponding field, enter a registry value mask.
   3. In the Controlled operations block, select which actions taken on the registry value will be monitored by the rule.
   4. Click the OK button to save the changes.
9. If necessary, specify trusted users:
   1. On the Trusted users tab, in the context menu of the Add button, select the method for adding trusted users.

      The User or user group selection window opens.

   2. Select a user or user group that is allowed to perform the selected actions.
   3. Click the OK button to save the changes.

   By default, Kaspersky Embedded Systems Security for Windows treats all users not on the trusted user list as untrusted, and generates Critical events for them. For trusted users, statistics are compiled.

10. In the Registry Access Monitoring rule window, click the OK button.

The configured registry access monitoring rule is displayed in the Registry Access Monitor / Properties: Registry Access Monitor window in the Registry access monitoring rules block.