Event Details
EventID 4657 - A registry value was modified.
 Sample:
A registry value was modified.

Subject:
	Security ID:		%1
	Account Name:		%2
	Account Domain:		%3
	Logon ID:		%4

Object:
	Object Name:		%5
	Object Value Name:	%6
	Handle ID:		%7
	Operation Type:		%8

Process Information:
	Process ID:		%13
	Process Name:		%14

Change Information:
	Old Value Type:		%9
	Old Value:		%10
	New Value Type:		%11
	New Value:		%12
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
| Filtering Field | Equals to Value |
|---|---|
| OSVersion | Windows Vista (2008); Windows 7 (2008 R2); Windows 8 (2012); Windows 8.1 (2012 R2); Windows 10 (2016) |
| Category | Object Access |
| Source | Microsoft-Windows-Security-Auditing |
| TaskCategory | Registry |
| EventId | 4657 |

Field Matching
| Field | Description | Stored in | Sample Value |
|---|---|---|---|
| When | At what date and time a user activity originated in the system. | DateTime | 10.10.2000 19:00:00 |
| Who | Account or user name under which the activity occurred. | Account Name | DCC1$ |
| What | The type of activity that occurred (e.g. Logon, Password Changed, etc.) | "Registry Value Modified" | Registry Value Modified |
| Where | The name of the workstation/server where the activity was logged. | Computer | DC1 |
| Where From | The name of the workstation/server where the activity was initiated from. | - | 10.10.10.10 |
| Severity | Specify the seriousness of the event. | "Medium" | Medium |
| WhoDomain | | Account Domain | LOGISTICS |
| WhereDomain | | - | |
| Result | Successful or Failed | "Successful" | Successful |
| Object Name | | Object Name | |
| Object Type | | - | |
| Whom | | - | |