4657 A registry value was modified
Written when a registry “value” is modified. Because it keeps the before and after values plus the process, it is effective for tracking persistence and configuration tampering.
Overview
The subcategory is Audit Registry. It is generated when a registry key’s value is modified (not when the key itself is modified). It is recorded only if the target key’s SACL has “Set Value” auditing set. The old value (OldValue), new value (NewValue), and executing process are kept, which helps investigation.
How it is triggered
- When the value of an audited registry key is created, modified, or deleted.
- Whether made through `regedit.exe`, `reg.exe`, or any of the registry APIs, the change is recorded as long as it matches the SACL.
Security review points
- Set SACLs on keys commonly targeted for persistence and defense evasion (the autostart `Run` keys, service definitions, `Image File Execution Options`, and the LSA `Authentication Packages` / `Notification Packages`), and catch value changes with 4657.
- Check whether `NewValue` contains a suspicious executable path or script, and whether `Process Name` is unexpected.
Notes for log review
- The registry sees a great deal of legitimate updating. Auditing every key is impractical; it only becomes usable once SACLs are narrowed to important keys.
- Since the before and after values are both recorded, read each event as a difference (what the value was, what it became). Distinguish legitimate configuration changes (patches, GPO application) from tampering.
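Putting the review points and the log-review notes above into practice, here is an added PowerShell example (not part of the original page): it enables the Registry audit subcategory, adds a "Set Value" audit entry on a short list of persistence-related keys, then reads 4657 events as OldValue/NewValue differences and flags the two conditions the page names (a suspicious path or script host in `NewValue`, an unexpected writing process). The key list, the regular expression for suspicious values, and the allowlist of expected writer processes are assumptions to be tuned per environment.

```powershell
# Added example (not from the original page). Run in an elevated session.
# Key list and triage heuristics below are assumptions, tune them per environment.
#Requires -RunAsAdministrator

# 1. The Object Access > Registry subcategory must be on; a SACL alone yields no 4657.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

# 2. Keys worth watching (assumed list). HKLM\SYSTEM\...\Services is deliberately
#    omitted here: an inherited SACL on it is very noisy and slow to apply.
$watchedKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
)

# Audit "Set Value" for Everyone, success and failure, on each key and its subkeys.
$auditFlags = [System.Security.AccessControl.AuditFlags]'Success, Failure'
foreach ($key in $watchedKeys) {
    $acl  = Get-Acl -Path $key -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        'Everyone',
        [System.Security.AccessControl.RegistryRights]::SetValue,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        $auditFlags)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $key -AclObject $acl
}

# 3. Read recent 4657 events and present each one as a before/after difference.
function Get-RegistryValueChanges {
    param([int]$MaxEvents = 200)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $d = @{}
        # EventData holds <Data Name="...">text</Data> pairs; index them by name.
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Key       = $d.ObjectName
            ValueName = $d.ObjectValueName
            Operation = $d.OperationType   # raw %%-resource id (created/modified/deleted)
            OldValue  = $d.OldValue
            NewValue  = $d.NewValue
            Process   = $d.ProcessName
        }
    }
}

# 4. Triage heuristics (assumptions): script hosts or user-writable paths in the new
#    value, or a writer that is not one of the usual installer/service processes.
$suspiciousValue = '(?i)(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|cmd\.exe)|\\(Temp|AppData|Users\\Public)\\'
$expectedWriters = @('msiexec.exe', 'TrustedInstaller.exe', 'svchost.exe', 'services.exe')

Get-RegistryValueChanges | ForEach-Object {
    $flags = @()
    if ($_.NewValue -match $suspiciousValue) { $flags += 'suspicious-new-value' }
    if ((Split-Path $_.Process -Leaf) -notin $expectedWriters) { $flags += 'unexpected-process' }
    $_ | Add-Member -NotePropertyName Flags -NotePropertyValue ($flags -join ',') -PassThru
} | Where-Object Flags |
    Format-Table Time, Account, ValueName, OldValue, NewValue, Process, Flags -AutoSize
```

Both halves are needed for 4657 to appear: the subcategory enables the audit category, the SACL selects the keys. Interactive edits with `regedit.exe` or `reg.exe` will show up as `unexpected-process` with this allowlist, which is usually what a reviewer wants to see first; a patch or GPO run will normally surface as `msiexec.exe` or `svchost.exe` and can be matched against the change window.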
Key fields
| Field | Meaning |
|---|---|
| Object Name / Object Value Name | The target key and value name |
| Old Value / New Value | The values before and after the change |
| Process Name | The process that made the change |
| Subject\Account Name | The executing account |