RegistryKeySet

The Integrity Monitoring module scans for unexpected changes to directories, registry values, registry keys, services, processes, installed software, ports, groups, users, files, and the WQL query statement on agents.

To enable and configure Integrity Monitoring, see Set up integrity monitoring.

The RegistryKeySet tag describes a set of keys in the registry. Available on Windows only.

Tag attributes

The following table provides a list and descriptions of the XML attributes of the tag itself, as opposed to the attributes of the Entity monitored by Integrity Monitoring Rules.

Attribute: base
Description: Sets the base key of the RegistryKeySet. Everything else in the tag is relative to this key. The base must begin with one of the following registry branch names:
  • HKEY_CLASSES_ROOT (or HKCR)
  • HKEY_LOCAL_MACHINE (or HKLM)
  • HKEY_USERS (or HKU)
  • HKEY_CURRENT_CONFIG (or HKCC)
Required: Yes
Default Value: N/A
Allowed Values: String values resolving to a syntactically valid registry key path

The agent runs as a service under the Local System account, so HKEY_CURRENT_USER is meaningless to it. The HKCU branch of the registry is only valid for an interactively logged-on user, and it is specific to that user. In a Windows terminal server environment, or on Windows XP and Vista with fast user switching enabled, several different users can be logged on simultaneously, so there is no single "current user" to resolve. Because of this, the agent treats any rule whose base uses HKEY_CURRENT_USER as a compile error.

There are several subkeys under HKEY_USERS named with the user's security identifier (SID), the numeric form of the Windows user account ID. When a user logs on, that user's subkey is mapped to HKCU for the duration of the logon session.

Rules are allowed to use HKEY_USERS in their base to monitor per-user registry items. Be aware that such rules can match many entries, once for every loaded user hive. The ...\Software\Classes branch is very large, especially under HKLM, so avoid rules that need to traverse all of Software\Classes.

Entity set attributes

The following are the attributes of the Entity that can be monitored by Integrity Monitoring Rules:

  • Owner
  • Group
  • Permissions
  • LastModified (LastWriteTime in Windows registry terminology)
  • Class
  • SecurityDescriptorSize

Shorthand attributes

  • STANDARD: Group, Owner, Permissions, LastModified

Meaning of key

Registry keys are stored hierarchically in the registry, much like directories in a file system. For the purpose of this language the key path to a key is treated like the path to a directory. For example, the key path to the agent's own Deep Security Agent key would be:

HKEY_LOCAL_MACHINE\SOFTWARE\Trend Micro\Deep Security Agent

The key value of the Include and Exclude subelements of a RegistryKeySet is matched against the key path. This is a hierarchical pattern: sections of the pattern, separated by "/", are matched against sections of the key path, separated by "\". The pattern is relative to the base, so it never repeats the base key.
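The following is an added example, not code from the original page or from the Deep Security rule set, showing how the base attribute, the relative Include/Exclude key patterns with "/" separators, and the HKEY_USERS guidance above fit together. The base attribute and the key attribute of Include and Exclude come from this page; the wildcard syntax ("*" for one path section, "**" for zero or more sections) is assumed from the general Integrity monitoring rules language page, and the enclosing rule document that these tags sit inside is omitted because this page does not describe it.

```xml
<!-- Added example, not from the original page. Assumes "*" matches one path
     section and "**" matches zero or more sections, as in the general rules
     language; the enclosing rule root element is omitted. -->

<!-- Machine-wide autostart keys. The base is an absolute registry key using
     "\" separators; every key pattern is relative to it and uses "/". -->
<RegistryKeySet base="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion">
  <!-- matches HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -->
  <Include key="Run" />
  <Include key="RunOnce" />
  <!-- a two-section pattern: Explorer/Shell Folders -> Explorer\Shell Folders -->
  <Include key="Explorer/Shell Folders" />
</RegistryKeySet>

<!-- Per-user keys. HKEY_CURRENT_USER is a compile error for the agent (it runs
     as Local System), so enumerate HKEY_USERS instead. "*" stands for each
     loaded user hive, whose subkey is named by the user's SID. The Exclude
     stops the rule from walking the very large Software\Classes branch of
     every hive; the rest of each user's Software branch is still monitored. -->
<RegistryKeySet base="HKEY_USERS">
  <Include key="*/Software/**" />
  <Exclude key="*/Software/Classes/**" />
</RegistryKeySet>

<!-- Invalid: the agent rejects this base at rule compile time.
<RegistryKeySet base="HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion">
  <Include key="Run" />
</RegistryKeySet>
-->
```

The second set is deliberately broad to show the exclusion pattern; in practice, prefer narrow Include patterns (for example `*/Software/Microsoft/Windows/CurrentVersion/Run`) over a wide Include plus Excludes, since the agent still has to evaluate every key the Include reaches.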

Subelements

  • Include
  • Exclude

See Integrity monitoring rules language for a general description of the Include and Exclude subelements and their allowed attributes and subelements.