[No000017F] How to Monitor Registry Modifications

Time: 2023-03-10 06:11:20
How to See Which Registry Settings a Group Policy Object Modifies

Today we are going to show you how to use one of our favorite tools, Proc Mon, to see which registry keys are edited when you change a Group Policy setting on your PC.

Using Proc Mon to See Which Registry Settings a Group Policy Object Modifies

The first thing you will want to do is go and get yourself a copy of Proc Mon from the Sysinternals website.

Then you will need to extract the folder and run the Procmon.exe file.

When Proc Mon opens, you will need to add a condition as follows:

Process Name is mmc.exe then Include

Then click the Add button.

To get only the registry keys that are changed, we need to add another one:

Operation is RegSetValue then Include

Then click the Add button again.

Once the two rules have been added, you can go ahead and click OK.

Now go and open the Group Policy setting that you wish to edit.

Before you actually change the setting, switch back over to Proc Mon and clear the log.

Then go and change the GPO and click apply.

If you switch over to Proc Mon you will see one or more registry entries listed there. Right-click on one and select the Jump To… option from the context menu.

That will fire up Regedit and take you to the exact key which was modified.
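The same two filter conditions can be applied outside the GUI, for example to a trace you saved from Proc Mon as CSV, which is handy when a policy writes more keys than you want to Jump To one by one. The following Python script is an added example, not code from the original article: it reads a Procmon CSV export, keeps only RegSetValue operations by mmc.exe, and groups the written value names under their parent key. The column headers are Procmon's default CSV export headers; the rows themselves are constructed for this example.

```python
"""Apply the article's Proc Mon filter (Process Name is mmc.exe, Operation is
RegSetValue) to a Procmon CSV export and group the writes by registry key."""
import csv
import io
from collections import defaultdict

# Constructed sample of a Procmon CSV export; headers match Procmon's default
# column set, the rows are made up to mirror a Local Group Policy edit.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","mmc.exe","4120","RegOpenKey","HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System","SUCCESS","Desired Access: Read"
"10:01:02.2234567 AM","mmc.exe","4120","RegSetValue","HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\DisableCMD","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:01:02.3234567 AM","explorer.exe","2200","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
"10:01:02.4234567 AM","mmc.exe","4120","RegSetValue","HKCU\\Software\\Policies\\Microsoft\\Windows\\Explorer\\NoRun","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:01:02.5234567 AM","mmc.exe","4120","RegQueryValue","HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\DisableCMD","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"""


def gpo_registry_writes(csv_text, process="mmc.exe", operation="RegSetValue"):
    """Return the rows that satisfy both filter conditions from the article.
    Process names are compared case-insensitively, as Procmon's filter does."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [
        row for row in rows
        if row["Process Name"].lower() == process.lower()
        and row["Operation"] == operation
    ]


def split_path(path):
    """Split 'HIVE\\key\\...\\valuename' into (key, value name), i.e. the key
    Regedit's Jump To would open and the value that was written inside it."""
    key, _, value = path.rpartition("\\")
    return key, value


def summarize(csv_text):
    """Group written values by key: {key: [(value name, detail, result), ...]}.
    The Result column is kept so a write that did not succeed (e.g. ACCESS
    DENIED) is not mistaken for a policy that actually landed in the registry."""
    by_key = defaultdict(list)
    for row in gpo_registry_writes(csv_text):
        key, value = split_path(row["Path"])
        by_key[key].append((value, row["Detail"], row["Result"]))
    return dict(by_key)


if __name__ == "__main__":
    for key, values in summarize(SAMPLE_CSV).items():
        print(key)
        for name, detail, result in values:
            print(f"    {name}: {detail} [{result}]")
```

Save the trace with File > Save as CSV, pass the file's contents to summarize(), and each printed key is one Jump To target.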

That's all there is to it guys.