Windows registry subkey creation not generating logs (Windows event ID 4657)

I am experiencing an issue where I am trying to audit a specific registry key via Windows Event ID 4657.

TL;DR: I have tried to set up auditing on a registry key for when a new subkey is created under it, but it does not log when this action is performed. After creating the subkey, any changes to the key are then logged. My objective, however, is to log the initial creation of the “\Run” subkey so that I may catch this well-known ASEP (Auto-start Extension Point) for signs of malicious activity.

The registry key in question is:

before creation:

“HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer”

after creation:

“HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run”

As you can see in the screenshot below, this specific path does not exist yet (the “Run” subkey has yet to be created).

Figure 1 – registry before change

The auditing permissions (Right-click -> Permissions -> Advanced -> Auditing -> Add) set on this registry subkey are as follows:

Principal: Everyone

Type: All

Applies to: This key and subkeys

Advanced permissions: Full Control (Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Create link, Delete, Write DAC, Write Owner, and Read Control)

For the “Only these audit settings to objects and/or containers within this container” check box, I have tested with and without it checked, then OK -> Apply -> OK.

Figure 2 – Auditing Entry for “Explorer” subkey

Not sure if this is entirely necessary, but I am also running “gpupdate /force” from an admin-privileged cmd.exe.

Figure 3 – lack of logs

No logs appear to have been generated as a result of the registry change on the registry key (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run) which has inherited the auditing settings from its parent key “Explorer”.

GPO settings are as follows:

Figure 4 – Active Directory Users and Computers settings showing the host being tested has this GP applied

Figure 5 – Group Policy Management showing Link Enabled

Figure 6 – Group Policy Management Editor showing Audit Registry is set to log Success and Failure

Please note that further modifications appear to be logged as expected, e.g. creating additional values and modifying them (under the \Run subkey):

Figure 7 – further modifications are logged

Figure 8 – The only log is generated after the subkey creation

So as shown above, once the key is created and new values are added under the newly created key, this is logged, but the creation of the new key itself is not.

Am I missing something here? Any and all help is greatly appreciated in advance!

Additional info:

  • DC where GPO is managed is a Microsoft Windows Server 2012 R2 Standard – 6.3.9600 Build 9600 and is configured as the Primary Domain Controller. The machine I am testing these registry changes on is also a Microsoft Windows Server 2012 R2 Standard – 6.3.9600 Build 9600 configured as a Member Server.

  • Using Sysmon is not an option for my current situation.
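Event 4657 records value modifications only; creating a key is an object access, and with the “Create Subkey” audit right set it is reported under 4656 (handle requested) and 4663 (access exercised) with the 0x4 (KEY_CREATE_SUB_KEY) bit in the access mask. The following Python is an added example, not code from the question: it scans the XML that wevtutil qe Security /f:xml emits for 4663 events carrying that bit on or under the Explorer key. The two sample events are constructed, and the user and process names in them are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
KEY_CREATE_SUB_KEY = 0x4  # registry right exercised when a subkey is created
# Kernel-style path of the key audited in the question (watch target assumed here)
WATCHED_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# Constructed sample events, not real log data: a 4663 for a subkey creation and a
# 4657 value change, shaped like the consecutive <Event> elements wevtutil /f:xml emits.
SAMPLE = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><EventID>4663</EventID><Channel>Security</Channel></System>'
    '<EventData><Data Name="SubjectUserName">jdoe</Data>'
    '<Data Name="ObjectType">Key</Data>'
    '<Data Name="ObjectName">\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows'
    '\\CurrentVersion\\Policies\\Explorer\\Run</Data>'
    '<Data Name="AccessMask">0x4</Data>'
    '<Data Name="ProcessName">C:\\Windows\\regedit.exe</Data></EventData></Event>\n'
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><EventID>4657</EventID><Channel>Security</Channel></System>'
    '<EventData><Data Name="ObjectName">\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft'
    '\\Windows\\CurrentVersion\\Policies\\Explorer\\Run</Data>'
    '<Data Name="ObjectValueName">Updater</Data></EventData></Event>\n'
)

def event_data(event):
    """Flatten the <EventData><Data Name=...> children into a dict."""
    return {d.get("Name"): (d.text or "") for d in event.findall("e:EventData/e:Data", NS)}

def subkey_creations(xml_text, watched_key=WATCHED_KEY):
    """Return the 4663 registry events whose AccessMask includes Create sub-key
    on watched_key or any key beneath it."""
    hits = []
    # wevtutil emits consecutive <Event> elements with no document root; wrap them.
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4663":
            continue  # 4657 and other IDs never carry a key creation
        d = event_data(ev)
        if d.get("ObjectType") != "Key":
            continue
        if not d.get("ObjectName", "").upper().startswith(watched_key.upper()):
            continue
        if int(d.get("AccessMask", "0"), 16) & KEY_CREATE_SUB_KEY:
            hits.append({"key": d["ObjectName"], "user": d.get("SubjectUserName"),
                         "process": d.get("ProcessName"), "mask": d["AccessMask"]})
    return hits
```

Feed it the output of wevtutil qe Security /q:"*[System[EventID=4663]]" /f:xml to list only the accesses that created a key under the watched path.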

Recreate old aliases in bulk to reduce their file size, keeping their name and creation date

I noticed that in recent versions of macOS, aliases I create are smaller than they used to be. I have a folder full of old aliases whose sizes range from 50 KB to 6 MB, but new aliases seem to be always less than 1 KB.

I want to recreate all my large, old aliases to save disk space. I know I can update an individual alias by finding the file the alias points to, deleting the alias, and option-command-dragging the original to where the alias was. However, this loses the Date Created of the alias, and more steps are needed to preserve the name of the alias if it is different from the original file. Also, this would take too long to do for my hundreds of aliases. How can I shrink my aliases in bulk while preserving the name and Date Created?

There is another, very similar question Recreate an alias with the same name and timestamp programmatically. The difference is that that question requires an answer that doesn’t change the Date Modified of the alias. I am fine with the Date Modified being updated, as long as the Date Created is unchanged.

A new application has errors after the initial creation (I didn't write a single line yet)

I wanted to make a C# Android application in VS, so I downloaded the necessary parts and just fired up a new Android XAML App. It opened MainPage.xaml.cs and it already has an error on every line. The errors are just that it didn't find the namespaces that are given, like “using System”, just as if it's not declared at all. I am just so confused already.

CSOM: How to know if a Web has completed its creation?

I have a service that creates a Sharepoint Online site using CSOM.

    context.Web.Webs.Add(webCreationInformation);
    context.ExecuteQuery();

This site is created using a defined template stored in the solutions of the site collection. However, the creation of the site can take its time: from 5 minutes to 20 minutes for the site to be ready (all lists created, all views, etc.). Since my ExecuteQuery always returns at 5 minutes (generally with a 503 error), it is impossible for me to know when the site has finished the creation process.

Is there a way to know when the site is available?

I have tried loading the Web object, and even if it's not ready, I can load it without problems:

    Web sourceWeb = context.Site.OpenWeb(webRelativeUrl);
    context.Load(sourceWeb);
    context.ExecuteQuery();  // this returns the Web even if the site has not finished the creation process

I would like to have something like:

    while (!web.IsReady)
    {
        Thread.Sleep(60000); // 60 seconds
        context.Load(web, w => w.IsReady);
        context.ExecuteQuery();
    }

However, I can’t seem to find any flag or value that can help me for this.

Thank you.

Linux auditd filter only files creation in certain directory

I need to monitor file creation in a certain folder using auditd.

Files can be created using the syscalls creat or open with the flag O_CREAT.

In the Linux kernel for amd64, O_CREAT is 64, so here are my audit rules:

    -a exit,always -F path=/var/www/app/logs -F arch=b64 -S open -F a1&64 -k LOG_CREATE
    -a exit,always -F path=/var/www/app/logs -F arch=b64 -S creat -k LOG_CREATE

Unfortunately, the software uses the syscall open with the flag O_CREAT each time it writes something to the log file. So on each log record I get audit events like this:

    time->Sun Apr  7 13:30:06 2019
    node=host1 type=PROCTITLE msg=audit(1554633006.596:24752801): proctitle=2F7573722F62696E2F706870372E32002F7661722F7777772F6B617373612E636F6D2F72656C65617365732F32303139303430353139303934332F62696E2F636F6E736F6C65007061796F7574733A636865636B3A737461747573002D2D656E763D70726F64002D760031373932383532312C31373932383631312C31373932
    node=host1 type=PATH msg=audit(1554633006.596:24752801): item=1 name="/var/www/app/logs/my.log" inode=1194402 dev=103:03 mode=0100660 ouid=33 ogid=33 rdev=00:00 nametype=NORMAL
    node=host1 type=PATH msg=audit(1554633006.596:24752801): item=0 name="/var/www/app/logs/" inode=1028218 dev=103:03 mode=040770 ouid=33 ogid=33 rdev=00:00 nametype=PARENT
    node=host1 type=SYSCALL msg=audit(1554633006.596:24752801): arch=c000003e syscall=2 success=yes exit=14 a0=7ffdfcce0360 a1=441 a2=1b6 a3=9ee672c9b6d98932 items=2 ppid=32426 pid=432 auid=33 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=789261 comm="php7.2" exe="/usr/bin/php7.2" key="LOG_CREAT"

If the log file was actually created, not just written to, I get audit events like this:

    ----
    time->Sun Apr  7 18:31:00 2019
    node=host1 type=PROCTITLE msg=audit(1554651060.749:24895248): proctitle=746F75636800746573742E6C6F67
    node=host1 type=PATH msg=audit(1554651060.749:24895248): item=1 name="test.log" inode=1084142 dev=103:03 mode=0100660 ouid=33 ogid=33 rdev=00:00 nametype=CREATE
    node=host1 type=PATH msg=audit(1554651060.749:24895248): item=0 name="/var/www/app/logs" inode=1043808 dev=103:03 mode=040770 ouid=33 ogid=1006 rdev=00:00 nametype=PARENT
    node=host1 type=SYSCALL msg=audit(1554651060.749:24895248): arch=c000003e syscall=2 success=yes exit=3 a0=7ffc8d1e28d1 a1=941 a2=1b6 a3=69d items=2 ppid=22881 pid=22882 auid=1010 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=pts6 ses=795129 comm="touch" exe="/bin/touch" key="LOG_CREAT"

The difference is nametype=CREATE instead of nametype=NORMAL.

Is there any way to filter out events with nametype=NORMAL, leaving only nametype=CREATE?

P.S. Using -w /var/www/app/logs -p w doesn’t work either: I also get audit events for each write to the log file.
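The rule's -F fields match syscall arguments, so a1&64 fires for every O_CREAT open, including appends to a file that already exists; the NORMAL/CREATE distinction only exists in the PATH record, which is why the question's log lines all share the same key. The Python below is an added example, not code from the question: it reads ausearch --raw output, groups records by their audit timestamp:serial, keeps only events with a PATH record of nametype=CREATE, and decodes the hex PROCTITLE. The sample records are constructed, abbreviated from the two events quoted above.

```python
import re
from collections import defaultdict
# Constructed sample in `ausearch --raw` form, abbreviated from the question's two
# events: an O_CREAT append to an existing log (NORMAL), then a real creation (CREATE).
SAMPLE = """\
node=host1 type=PATH msg=audit(1554633006.596:24752801): item=1 name="/var/www/app/logs/my.log" inode=1194402 nametype=NORMAL
node=host1 type=PATH msg=audit(1554633006.596:24752801): item=0 name="/var/www/app/logs/" inode=1028218 nametype=PARENT
node=host1 type=SYSCALL msg=audit(1554633006.596:24752801): syscall=2 success=yes a1=441 auid=33 uid=33 comm="php7.2" exe="/usr/bin/php7.2" key="LOG_CREATE"
----
time->Sun Apr  7 18:31:00 2019
node=host1 type=PROCTITLE msg=audit(1554651060.749:24895248): proctitle=746F75636800746573742E6C6F67
node=host1 type=PATH msg=audit(1554651060.749:24895248): item=1 name="test.log" inode=1084142 nametype=CREATE
node=host1 type=PATH msg=audit(1554651060.749:24895248): item=0 name="/var/www/app/logs" inode=1043808 nametype=PARENT
node=host1 type=SYSCALL msg=audit(1554651060.749:24895248): syscall=2 success=yes a1=941 auid=1010 uid=33 comm="touch" exe="/bin/touch" key="LOG_CREATE"
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')    # key="quoted" or key=bare
EVENT_ID_RE = re.compile(r"msg=audit\(([\d.]+:\d+)\)")  # timestamp:serial ties records together

def parse_record(line):
    return {k: (bare or quoted) for k, quoted, bare in FIELD_RE.findall(line)}

def decode_proctitle(value):
    """PROCTITLE is hex-encoded argv with NUL separators; short titles stay plain text."""
    try:
        return bytes.fromhex(value).replace(b"\0", b" ").decode("utf-8", "replace")
    except ValueError:
        return value

def creations(raw):
    """Group records by audit serial; keep only events with a PATH nametype=CREATE."""
    events = defaultdict(list)
    for line in raw.splitlines():
        m = EVENT_ID_RE.search(line)  # "----" and time-> lines carry no serial and are skipped
        if m:
            events[m.group(1)].append(parse_record(line))
    out = []
    for serial, records in events.items():
        paths = [r for r in records if r.get("type") == "PATH"]
        created = [p for p in paths if p.get("nametype") == "CREATE"]
        if not created:
            continue  # open(O_CREAT) on an existing file shows up as nametype=NORMAL
        parent = next((p["name"] for p in paths if p.get("nametype") == "PARENT"), "")
        sc = next((r for r in records if r.get("type") == "SYSCALL"), {})
        title = next((r["proctitle"] for r in records if r.get("type") == "PROCTITLE"), None)
        for p in created:  # relative names are reported against the PARENT item
            path = p["name"] if p["name"].startswith("/") else parent.rstrip("/") + "/" + p["name"]
            out.append({"serial": serial, "path": path, "auid": sc.get("auid"), "uid": sc.get("uid"),
                        "comm": sc.get("comm"), "cmdline": decode_proctitle(title) if title else None})
    return out
```

Pipe ausearch -k LOG_CREATE --raw into it (for example creations(sys.stdin.read())) to get only true file creations, each with the creating command line decoded.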