Sysmon's RegistryEvent (Value Set)
Last Updated: 2022-04-18 18:47:40 UTC
by Didier Stevens (Version: 1)
A colleague asked me about Sysmon's event ID 13 RegistryEvent (Value Set). They wanted to know if binary data could be recorded in event 13.
Sysmon can record changes to the registry by configuring setting RegistryEvent. This is an example of a simple config to record all registry changes (don't use this in production):
<Sysmon schemaversion="4.30"> <EventFiltering> <RegistryEvent onmatch="exclude"> </RegistryEvent> </EventFiltering> </Sysmon>
Changes to a registry value are then recorded with event ID 13.
My colleague wanted to know if it is possible to record the actual changes to binary data. When you look at such an event, you just see "Binary Data", and not the actual data itself.
If you look at the documentation, you would think it's only DWORD and QWORD data that are recorded:
So I did some tests and decompiled Sysmon's driver Sysmondrv.sys (version 13.33).
Here are the results of my research:
For the different registry value types, you can see in column Event Details what is actually recorded in the event log. Italic text depends on the value, non-italic text is literal.
ActualStringValue* means that the actual string value is recorded, except when the string is empty.
So if a string value is "ISC" for example, then the event details will be: "ISC".
If the string is empty, then the event details will be: "(Empty)".
DWORD and QWORD values are recorded in hexadecimal.
Binary data is not recorded, the details are always: "Binary Data". Remark that a multi-string is also considered as binary data.
Here are some screenshots of the decompiled code: