Monitoring the Registry
Microsoft® Windows® 2000 Scripting Guide
The registry contains a great deal of sensitive data, so it is worth the effort to ensure that it is secure. You secure the registry by setting appropriate access rights on the various subkeys and entries in much the same way that you secure files and folders.
You cannot, however, completely lock down the registry. After all, users and programs must be allowed access to certain areas. Because you must allow at least limited access to the registry, it is sometimes useful to be able to monitor what users are doing when they exercise this access. In certain situations, this might enable you to immediately spot potential problems.
This is especially true in light of the fact that settings in the registry can directly affect the security of your computers. WSH, for example, uses the registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\TrustPolicy to decide whether to verify that a script is digitally signed before running it. Clearly, the value of this entry needs to be secured against unauthorized modification. On certain servers, you might not want anyone, including administrators, to have the ability to run remote WSH scripts.
Because of this, you might want to periodically run a script that checks the value of the entry. If you find that the value of the entry is being changed, you can write a script that monitors the subkey and, upon detecting activity, logs information that might be useful in identifying who made the unauthorized change.
Monitoring the registry is also useful when troubleshooting computer problems. For example, a user might complain that the settings of an application are not being saved. If you know those settings are supposed to be saved in the registry, you can troubleshoot the problem by writing a script that monitors the appropriate subkey. Such a script can help you determine whether the registry is actually being changed any time the user reconfigures the application.
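The monitoring script described above, written as an added PowerShell example rather than code from the Scripting Guide: it subscribes to WMI's RegistryValueChangeEvent for one entry and appends a line to a log file each time that entry changes, so the same function serves both the TrustPolicy check and the application-settings troubleshooting case. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with rights to read the key; the function name, the log path and the example call at the bottom are constructed.

```powershell
# Added example, not from the Scripting Guide. Watches a single registry
# entry through WMI's RegistryValueChangeEvent (namespace root\default) and
# logs each change. The WMI registry event provider does not support
# HKEY_CURRENT_USER; watch a user hive through HKEY_USERS\<SID> instead.
function Start-RegistryValueWatch {
    param(
        [string]$Hive = 'HKEY_LOCAL_MACHINE',
        [Parameter(Mandatory)][string]$KeyPath,     # e.g. SOFTWARE\Vendor\App
        [Parameter(Mandatory)][string]$ValueName,
        [string]$LogPath = "$env:TEMP\RegistryWatch.log"   # constructed default
    )
    # WQL string literals need doubled backslashes.
    $wqlKey = $KeyPath.Replace('\', '\\')
    $query  = "SELECT * FROM RegistryValueChangeEvent WHERE Hive='$Hive' " +
              "AND KeyPath='$wqlKey' AND ValueName='$ValueName'"

    # The event carries only hive, key and value names, so the handler
    # re-reads the entry to record the data it now holds.
    $regPath  = "Registry::$Hive\$KeyPath"
    $data     = [pscustomobject]@{ Path = $regPath; Name = $ValueName; Log = $LogPath }
    $sourceId = "RegWatch:$Hive\$KeyPath\$ValueName"

    Register-CimIndicationEvent -Namespace 'root\default' -Query $query `
        -SourceIdentifier $sourceId -MessageData $data -Action {
        $d   = $Event.MessageData
        $e   = $Event.SourceEventArgs.NewEvent
        $now = (Get-ItemProperty -Path $d.Path -Name $d.Name -ErrorAction SilentlyContinue).($d.Name)
        if ($null -eq $now) { $now = '<deleted or unreadable>' }
        # The event does not identify the account that wrote the value; pair
        # this log with object-access auditing on the key when that matters.
        '{0:s} {1}\{2}\{3} changed; current data = {4}' -f (Get-Date), $e.Hive, $e.KeyPath, $e.ValueName, $now |
            Add-Content -Path $d.Log
    } | Out-Null

    # Record the starting data so the log shows what a change moved away from.
    $start = (Get-ItemProperty -Path $regPath -Name $ValueName -ErrorAction SilentlyContinue).($ValueName)
    '{0:s} watching {1}\{2}\{3}; starting data = {4}' -f (Get-Date), $Hive, $KeyPath, $ValueName, $start |
        Add-Content -Path $LogPath
    return $sourceId
}

# Watch the WSH trust-policy entry discussed in the text (log path constructed).
$id = Start-RegistryValueWatch -KeyPath 'SOFTWARE\Microsoft\Windows Script Host\Settings' `
                               -ValueName 'TrustPolicy' -LogPath 'C:\Logs\TrustPolicyWatch.log'
# The subscription lives as long as this session; stop it with:
# Unregister-Event -SourceIdentifier $id
```

To watch an application's whole settings subkey for the troubleshooting case, query RegistryKeyChangeEvent with the same Hive and KeyPath filter and drop the ValueName clause.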