Registry Filtering
DioIPS registers a kernel callback with CmRegisterCallback to monitor registry key and value operations in real time.
Event Types
| Event | Description |
|---|---|
| CreateKey | New registry key created |
| OpenKey | Registry key opened |
| SetValue | Registry value set/modified |
| DeleteKey | Registry key deleted |
| DeleteValue | Registry value deleted |
| RenameKey | Registry key renamed |
| QueryValue | Registry value queried |
Captured Information
- Process — PID and name of the process
- Key path — Full registry key path
- Value name — Name of the value (if applicable)
- Operation — Type of registry operation
- Status — Success or failure
Autorun Keys Monitored
DioIPS includes default rules for common persistence locations:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- HKLM\SYSTEM\CurrentControlSet\Services
UI Features
- Registry tab — View all registry events
- Filter by key — Focus on specific registry paths
- Filter by operation — Show only SetValue, DeleteKey, etc.
- Process filter — See registry activity by process
IPS Rule Examples
```
Registry: *\Run\* | Operation: SetValue | Action: Alert
Registry: *\Services\* | Operation: CreateKey | Action: Log
```
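The following is an added example, not DioIPS's own code, showing how the two rules above can be evaluated against a captured registry event in user-mode C: a case-insensitive wildcard matcher plus a first-match rule table. The enum and struct names, the decision to append the value name to the key path for value operations, and the rule table contents are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Operations from the event table above (names are assumed). */
typedef enum { OP_CreateKey, OP_OpenKey, OP_SetValue, OP_DeleteKey,
               OP_DeleteValue, OP_RenameKey, OP_QueryValue } RegOp;
typedef enum { ACTION_NONE = 0, ACTION_LOG, ACTION_ALERT } RuleAction;

typedef struct {
    const char *pattern;   /* path pattern; '*' matches any run of characters */
    RegOp       op;        /* operation the rule applies to */
    RuleAction  action;    /* what to do on a match */
} RegRule;

/* Case-insensitive wildcard match (registry paths are case-insensitive). */
static bool glob_match(const char *pat, const char *s)
{
    while (*pat != '\0') {
        if (*pat == '*') {
            while (*pat == '*') pat++;            /* collapse "**" */
            if (*pat == '\0') return true;        /* trailing '*' matches the rest */
            for (; *s != '\0'; s++)
                if (glob_match(pat, s)) return true;
            return false;
        }
        if (*s == '\0' ||
            tolower((unsigned char)*pat) != tolower((unsigned char)*s))
            return false;
        pat++; s++;
    }
    return *s == '\0';
}

/* Constructed rule table: the two rules listed under "IPS Rule Examples". */
static const RegRule kRules[] = {
    { "*\\Run\\*",      OP_SetValue,  ACTION_ALERT },
    { "*\\Services\\*", OP_CreateKey, ACTION_LOG   },
};

/* First matching rule wins. For value operations the value name is appended to
 * the key path so that "*\Run\*" covers values written under a Run key. */
RuleAction evaluate_registry_event(const char *key_path, const char *value_name, RegOp op)
{
    char full[512];
    if (value_name != NULL)
        snprintf(full, sizeof full, "%s\\%s", key_path, value_name);
    else
        snprintf(full, sizeof full, "%s", key_path);

    for (size_t i = 0; i < sizeof kRules / sizeof kRules[0]; i++)
        if (kRules[i].op == op && glob_match(kRules[i].pattern, full))
            return kRules[i].action;
    return ACTION_NONE;
}
```

Note that `*\Run\*` does not match a value under `RunOnce`, so that key needs its own rule if it should alert too.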