5039 A registry key was virtualized

Logged when a registry key is virtualized. It indicates that the UAC compatibility feature redirected a write to a protected area into the user’s area.

Overview

The audit subcategory is Audit Registry. The event is generated when registry virtualization takes effect. Registry virtualization is a compatibility feature in which UAC transparently redirects writes to areas such as HKLM, which require administrator rights, into a per-user area. It exists so that old apps can run without administrator rights.

How it is triggered

  • When an old app that assumes administrator rights tries to write to a protected registry area and the write is virtualized (redirected).

Security review points

  • It is mostly normal compatibility behavior, with low security priority. It is useful only for understanding which app tried to write to a protected area.
  • Being virtualized means the protected area was not actually changed, so do not confuse this event with registry-change auditing (4657).

Notes for log review

  • It occurs in environments using old apps. Its priority as a monitoring target is normally low.
  • It is often enough to be aware of the virtualized apps and keys.

Key fields

Field | Meaning
Object Name | The virtualized registry key
Process Name | The process that attempted the write
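
The inventory suggested under "Notes for log review", as an added example that is not part of the original page: it groups 5039 records by process and key and reports pairs missing from a known baseline, while leaving 4657 records out. The record layout (a flat export keyed by the field labels above plus `EventID`), the function names and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records, shaped like a flat export of Security log events.
# Keys follow the "Key fields" labels; every value is made up for illustration.
SAMPLE_EVENTS = [
    {"EventID": 5039, "Object Name": r"\REGISTRY\MACHINE\SOFTWARE\LegacyApp\Settings",
     "Process Name": r"C:\Program Files (x86)\LegacyApp\legacy.exe"},
    {"EventID": 5039, "Object Name": r"\REGISTRY\MACHINE\SOFTWARE\legacyapp\settings",
     "Process Name": r"C:\Program Files (x86)\LegacyApp\LEGACY.EXE"},
    {"EventID": 4657, "Object Name": r"\REGISTRY\MACHINE\SOFTWARE\Other\Key",
     "Process Name": r"C:\Windows\regedit.exe"},  # a real change, not virtualization
    {"EventID": 5039, "Object Name": r"\REGISTRY\MACHINE\SOFTWARE\OldTool\License",
     "Process Name": r"C:\Tools\oldtool.exe"},
    {"EventID": 5039, "Process Name": r"C:\Tools\oldtool.exe"},  # Object Name missing
]


def _norm(value):
    """Registry paths and Windows file paths are case-insensitive."""
    return value.strip().lower()


def virtualized_inventory(events):
    """Map each process to the sorted list of keys it had virtualized (5039 only)."""
    inv = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 5039:
            continue  # 4657 records describe actual changes and are not mixed in
        proc, key = ev.get("Process Name"), ev.get("Object Name")
        if not proc or not key:
            continue  # incomplete record: nothing to inventory
        inv[_norm(proc)].add(_norm(key))
    return {proc: sorted(keys) for proc, keys in inv.items()}


def new_pairs(events, baseline):
    """Return sorted (process, key) pairs that are absent from the baseline."""
    current = virtualized_inventory(events)
    return sorted((p, k) for p, keys in current.items()
                  for k in keys if k not in baseline.get(p, []))


if __name__ == "__main__":
    known = {r"c:\program files (x86)\legacyapp\legacy.exe":
             [r"\registry\machine\software\legacyapp\settings"]}
    for proc, key in new_pairs(SAMPLE_EVENTS, known):
        print(f"new virtualized write: {proc} -> {key}")
```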

Glossary

  • Registry virtualization — a UAC feature that, for old-app compatibility, transparently redirects writes to protected registry areas into the user area.