How to Detect Modifications to Startup Items in the Windows Registry

Native Auditing

  1. Run gpedit.msc → Create a new GPO → Edit it: Go to "Computer Configuration" → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy:
    • Audit object access → Define → "Success" and "Failure".
  2. Go to Event Log → Define:
    • Maximum security log size to 4 GB
    • Retention method for security log to "Overwrite events as needed".
  3. Link the new GPO to OU with Windows servers: Go to "Group Policy Management" → Right-click the defined OU → Choose "Link an Existing GPO" → Choose the GPO that you’ve created.
  4. Force the group policy update: In "Group Policy Management" right-click on the defined OU → Click "Group Policy Update".
  5. Run "regedit" → Navigate to "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" → Right-click the "Run" key and select "Permissions" → Click "Advanced" → Select the "Auditing" tab → Click the "Add" button:
    • Select Principal: "Everyone"
    • Select Type: "All"
    • Select Applies to: "This key and subkeys"
    • Select Advanced Permissions: "Create Subkey", "Set Value", "Create Link", "Write DAC", and "Delete".
  6. Take the same steps with the following registry keys:
    • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
    • HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
    • HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components
  7. Open Event Viewer → Search security log for event ID 4657 (a registry value was modified).
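The native-auditing steps above, applied to a single host with PowerShell, as an added example that is not part of the Netwrix guide. It assumes an elevated, interactive session (so HKCU: is the hive of the user running it) and that on a domain member the GPO from step 1 supersedes the local audit policy at the next refresh; the function names Enable-StartupKeyAudit and Get-StartupKeyChange are the example's own.

```powershell
#Requires -RunAsAdministrator
# Added example; not part of the Netwrix guide. Local equivalents of steps 1-2 and 5-7
# above for one host. Assumes an elevated, interactive session (HKCU: is the hive of the
# user running the script). Function names are this example's own.

# Steps 1-2: audit policy and Security log settings. Event 4657 belongs to the "Registry"
# subcategory of Object Access, so enabling that subcategory is enough; the GPO in step 1
# turns on the whole Object Access category.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null
wevtutil set-log Security /maxsize:4294967296 /retention:false   # 4 GB, overwrite as needed

# Steps 5-6: the startup locations the guide audits.
$startupKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
)

# Principal Everyone, type All (Success + Failure), applies to this key and subkeys
# (ContainerInherit), and the five advanced permissions from step 5. "Write DAC" is
# called ChangePermissions in .NET.
$ruleArgs = 'Everyone',
            'CreateSubKey, SetValue, CreateLink, ChangePermissions, Delete',
            'ContainerInherit', 'None', 'Success, Failure'
$auditRule = New-Object -TypeName System.Security.AccessControl.RegistryAuditRule -ArgumentList $ruleArgs

function Enable-StartupKeyAudit {
    [CmdletBinding()]
    param([string[]]$Keys = $startupKeys)
    $done = 0
    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) { Write-Warning "Skipping missing key $key"; continue }
        try {
            $acl = Get-Acl -Path $key -Audit        # reading the SACL needs an elevated session
            $acl.AddAuditRule($auditRule)           # merge with any existing audit entries
            Set-Acl -Path $key -AclObject $acl
            $done++
        } catch {
            # Usually the key's owner cannot be rewritten by this account; apply the
            # regedit steps above to that key instead.
            Write-Warning "Could not set audit rule on ${key}: $($_.Exception.Message)"
        }
    }
    return $done   # number of keys now carrying the audit rule
}

function Get-StartupKeyChange {
    [CmdletBinding()]
    param([datetime]$Since = (Get-Date).AddDays(-1))
    # Step 7: 4657 "A registry value was modified", limited to the keys audited above.
    $filter = @{ LogName = 'Security'; Id = 4657; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($item in $xml.Event.EventData.Data) {
            $data[$item.GetAttribute('Name')] = $item.InnerText
        }
        # ObjectName is the kernel path, e.g. \REGISTRY\MACHINE\SOFTWARE\...\CurrentVersion\Run
        if ($data.ObjectName -notmatch '\\CurrentVersion\\Run(\\|$)|\\Active Setup\\Installed Components(\\|$)') { return }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Subject   = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            Process   = $data.ProcessName
            Key       = $data.ObjectName
            ValueName = $data.ObjectValueName
            OldValue  = $data.OldValue
            NewValue  = $data.NewValue
        }
    }
}

# Usage in an elevated console:
#   Enable-StartupKeyAudit
#   Get-StartupKeyChange | Format-Table -AutoSize
```

Get-StartupKeyChange reports the same fields the Event Viewer search in step 7 shows (who changed which value under which key, from which process, and the old and new data), which is what you need to decide whether a new Run entry or Active Setup component is expected software or an unauthorised persistence change.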

Netwrix Auditor for Windows Server

  1. Run Netwrix Auditor → Navigate to "Search" → Click on "Advanced mode" if not selected → Set up the following filters:
    • Filter = "When"
      Operator = "Equals"
      Value = "Today"
    • Filter = "Object type"
      Operator = "Equals"
      Value = "Registry Key"
    • Filter = "What"
      Operator = "Contains"
      Value = "Run"
    • Filter = "What"
      Operator = "Contains"
      Value = "Installed"
  2. Click the "Search" button and review which registry keys were modified and who modified them.

To create an alert that is triggered each time a registry key is modified:

  1. From the search results, navigate to "Tools" → Click "Create alert" → Specify the new alert’s name.
  2. Switch to the "Recipients" tab → Click "Add Recipient" → Specify the email address where you want the alert to be delivered.
  3. Click "Add" to save the alert.
