The Registry Integrity Monitor (RIM) provides independent, real-time auditing of modifications to the Windows registry. When RIM detects a change, the System Monitor Agent generates a log and sends it to the Data Processor, which handles it like any other log. The logs can be forwarded to LogMart and to the Platform Manager so that alarms can be generated and included in reports.
To configure RIM for a Windows Agent, four steps must be completed:
- Create a Registry Integrity Monitor Policy.
- Configure Registry Integrity Monitor Policy Items.
- Associate Registry Integrity Monitor Policy Items to a Policy.
- Associate a Registry Integrity Monitor Policy to a Windows System Monitor Agent.
Note the following considerations regarding RIM:
- RIM is available for both Pro and Lite Desktop Windows Agents, but only for Pro Windows Server Agents. RIM is supported on Windows Vista/2008 and above.
- RIM requires the installation of the Realtime File Integrity Monitor driver. For more information, see System Monitor Agent Installation.
- Due to a known Windows limitation, the following may be observed with RENAME event handling: when a RENAME event is reported by RIM (for example, a key is renamed), it is reported properly, with the old name and new name populated with the correct values. Subsequent operations on the renamed key, however, may be reported with the old name.
- RIM events are not reported as HKEY_CURRENT_USER. They are always reported as HKEY_USERS\<User_SID>\. HKEY_CURRENT_USER is a symbolic link to the current user's branch in the \Registry\User hive. For this reason, events reported from \Registry\User\<User_SID>\ are translated to HKEY_USERS\<User_SID>\.
Recurse Subkeys and Registry Integrity Monitor: If you have not enabled the Recurse Subkeys option on a RIM Policy item, the key value is reported but no events are reported on parent keys. To avoid this issue, ensure that Recurse Subkeys is enabled when adding a RIM Policy item.
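As an added example (not LogRhythm's code), the following Python normalizes RIM-style events in the way the two notes above describe: it rewrites native \Registry\User\<SID>\ and \Registry\Machine\ paths to their HKEY_* names and keeps a rename map so that events still reported under a key's old name after a RENAME are attributed to the new name. The event field names and the sample events are assumptions.

```python
NATIVE_PREFIXES = [  # added example, not LogRhythm code: native prefix -> hive name RIM reports
    ("\\Registry\\User\\", "HKEY_USERS\\"),
    ("\\Registry\\Machine\\", "HKEY_LOCAL_MACHINE\\"),
]

def to_hive_name(path):
    """Rewrite a native \\Registry\\... path as HKEY_*; other paths pass through."""
    lower = path.lower()
    for native, hive in NATIVE_PREFIXES:
        if lower.startswith(native.lower()):
            return hive + path[len(native):]
    return path

class RimEventNormalizer:
    """Maps events still reported under a renamed key's old name to its new name."""
    def __init__(self):
        self.renames = {}  # lower-cased old key path -> current key path

    def _resolve(self, key):
        # Longest prefix first so subkeys of a renamed key resolve too; the walk is bounded.
        for _ in range(len(self.renames) + 1):
            lower = key.lower()
            hit = next((o for o in sorted(self.renames, key=len, reverse=True)
                        if lower == o or lower.startswith(o + "\\")), None)
            if hit is None:
                return key
            key = self.renames[hit] + key[len(hit):]
        return key

    def normalize(self, event):  # field names "op", "key", "new_key" are assumed
        key = self._resolve(to_hive_name(event["key"]))
        out = {"op": event["op"], "key": key}
        if event["op"] == "RENAME":
            new_key = to_hive_name(event["new_key"])
            self.renames[key.lower()] = new_key
            self.renames.pop(new_key.lower(), None)  # the new name is live again
            out["new_key"] = new_key
        return out

USER = "\\Registry\\User\\S-1-5-21-1111-2222-3333-1001\\Software\\"  # constructed SID
SAMPLE_EVENTS = [  # constructed sample events, not real RIM output
    {"op": "CREATE", "key": USER + "Acme"},
    {"op": "RENAME", "key": USER + "Acme", "new_key": USER + "AcmeOld"},
    {"op": "SETVALUE", "key": USER + "Acme\\Run"},  # old name reported after the rename
    {"op": "DELETE", "key": "\\Registry\\Machine\\Software\\Acme"},
]

def normalize_all(events):
    normalizer = RimEventNormalizer()
    return [normalizer.normalize(e) for e in events]
```

Feeding the sample events through `normalize_all` yields every key in HKEY_* form, with the SETVALUE event attributed to `...\Software\AcmeOld\Run` rather than the stale `...\Software\Acme\Run`.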