GIM Category: registry
The Registry category represents events related to activity within the Windows Registry, a hierarchical database that stores configuration data for the operating system and installed applications. These events include the creation, modification, deletion, or renaming of registry keys and values. Monitoring registry activity is critical for detecting configuration changes, policy enforcement modifications, and potential persistence or privilege escalation techniques used by attackers. This category provides visibility into both administrative and programmatic interactions with the registry to support detection, investigation, and change auditing.
value_change
The Value Change subcategory represents events where a registry value within a key is created, modified, deleted, or overwritten. These events provide insight into configuration and policy changes made by the operating system, administrators, or software. Monitoring value-level changes helps identify both legitimate activity (such as software installation or updates) and suspicious behavior that may indicate persistence mechanisms, tampering, or security control evasion.
Required Fields
registry_path
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 250000 | registry | registry | registry.value_change | registry value set | A Windows registry value was set or overwritten. This event occurs when an existing value's data is updated or replaced, often as part of configuration changes or software updates. |
| 250001 | registry | registry | registry.value_change | registry value added | A new Windows registry value was created within a key. This typically occurs when new configuration data is written by an installer, application, or script. |
| 250002 | registry | registry | registry.value_change | registry value deleted | A Windows registry value was deleted from a key. This can result from normal cleanup processes, software removal, or an attempt to conceal traces of persistence or modification. |
| 250003 | registry | registry | registry.value_change | registry value modified | An existing Windows registry value was modified. This may represent a legitimate configuration change or malicious tampering with system or application settings. |
key_change
The Key Change subcategory represents events where a registry key is created, deleted, or renamed. Keys are the structural components of the Windows Registry that organize configuration data into logical paths. Monitoring key-level changes helps detect administrative operations, software installation activity, or attempts by attackers to establish persistence through new or modified registry locations.
Required Fields
registry_path
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 250500 | registry | registry | registry.key_change | registry key added | A new Windows registry key was created. This can occur during software installation, system configuration changes, or as part of malicious persistence setup. |
| 250501 | registry | registry | registry.key_change | registry key deleted | A Windows registry key was deleted. This may indicate legitimate cleanup activity, removal of configuration data, or attempts to conceal evidence of persistence or modification. |
| 250502 | registry | registry | registry.key_change | registry key renamed | A Windows registry key was renamed. Renaming keys is uncommon in normal system activity and may indicate attempts to modify configuration paths or evade detection mechanisms. |
object_renamed
The Object Renamed subcategory represents events where a registry object—either a key or a value—has been renamed. These events are relatively uncommon and typically occur when an application reorganizes configuration data or during system updates. From a security perspective, registry renames may also indicate attempts to conceal persistence mechanisms, rename autostart entries, or obfuscate known registry paths used by malware.
Required Fields
registry_path
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 251000 | registry | registry | registry.object_renamed | registry object renamed | A Windows registry key or value was renamed. Renames are uncommon during normal operation and can occur when configuration data is updated, or when malicious software attempts to hide persistence by renaming known registry paths or entries. |
default
The Default subcategory is used for registry-related events that do not fit within more specific categories such as key changes, value modifications, or object renames. This ensures that all registry activity can be captured and normalized, even when the event details do not clearly specify the nature of the registry operation. These events often originate from vendor-specific or generic audit sources with limited context.
Required Fields
registry_path
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 259999 | registry | registry | registry.default | registry event | A generic Windows registry event that does not fit within more specific registry subcategories. These events may provide limited detail about the registry operation but are retained to maintain visibility into all registry-related activity. |
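The following is an added example and is not part of this page or of Graylog's own normalization code. It takes a handful of constructed Sysmon-style registry records (Sysmon event IDs 12, 13 and 14 are the real registry events; the field names TargetObject, Details, Image and NewName are Sysmon's), maps each one onto the value_change, key_change and default subcategories and the gim_event_type_code values tabulated above, enforces the registry_path required field, and then runs a small persistence check over the normalized records. Which Sysmon operation lands on which GIM code, the extra fields registry_value_data, registry_path_new and process_path, and the autostart path list are all assumptions made for this example.

```python
"""Added example, not part of the GIM page or of Graylog's own code: map
constructed Sysmon-style registry events onto the registry subcategories and
gim_event_type_code values listed on this page, then run a persistence check
over the normalized records."""
import re

# Codes, subcategories and type names exactly as the tables above list them.
GIM_REGISTRY_TYPES = {
    250000: ("registry.value_change", "registry value set"),
    250001: ("registry.value_change", "registry value added"),
    250002: ("registry.value_change", "registry value deleted"),
    250003: ("registry.value_change", "registry value modified"),
    250500: ("registry.key_change", "registry key added"),
    250501: ("registry.key_change", "registry key deleted"),
    250502: ("registry.key_change", "registry key renamed"),
    251000: ("registry.object_renamed", "registry object renamed"),
    259999: ("registry.default", "registry event"),
}

# ASSUMPTION: how Sysmon (EventID, EventType) pairs land on GIM codes.
# Sysmon IDs 12 (key/value create or delete), 13 (value set) and 14 (rename)
# are real; which code each maps to is a choice made for this example.
SYSMON_TO_GIM = {
    (12, "CreateKey"): 250500,
    (12, "DeleteKey"): 250501,
    (12, "DeleteValue"): 250002,
    (13, "SetValue"): 250000,
    (14, "RenameKey"): 250502,
}

# Constructed sample telemetry, not real logs. Raw records use Sysmon's
# field names (TargetObject, Details, Image, NewName).
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\update.exe", "Image": r"C:\Users\Public\update.exe"},
    {"EventID": 12, "EventType": "CreateKey",
     "TargetObject": r"HKLM\SOFTWARE\Vendor\App\Settings",
     "Image": r"C:\Program Files\Vendor\setup.exe"},
    {"EventID": 14, "EventType": "RenameKey",
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "NewName": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run_old",
     "Image": r"C:\Windows\System32\reg.exe"},
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKCU\SOFTWARE\Vendor\App\LastOpened",
     "Details": "2024-05-01", "Image": r"C:\Program Files\Vendor\app.exe"},
    # A record from a source that does not say which operation happened:
    # it still carries a path, so it lands in registry.default (259999).
    {"EventID": 4657,
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Start"},
]


def normalize(event):
    """Return one GIM registry record; unknown operation shapes fall to 259999."""
    code = SYSMON_TO_GIM.get((event.get("EventID"), event.get("EventType")), 259999)
    subcategory, event_type = GIM_REGISTRY_TYPES[code]
    path = event.get("TargetObject")
    if not path:
        # registry_path is the required field for every subcategory on this page.
        raise ValueError("registry_path is required for every registry event")
    return {
        "gim_event_type_code": code,
        "gim_event_class": "registry",
        "gim_event_category": "registry",
        "gim_event_subcategory": subcategory,
        "gim_event_type": event_type,
        "registry_path": path,
        # ASSUMPTION: the three field names below are this example's, not GIM's.
        "registry_value_data": event.get("Details"),
        "registry_path_new": event.get("NewName"),
        "process_path": event.get("Image"),
    }


def normalize_all(events):
    return [normalize(e) for e in events]


# Autostart and hijack locations worth alerting on when a value changes there.
AUTOSTART_RE = re.compile(
    r"\\CurrentVersion\\(Run|RunOnce|Winlogon|Image File Execution Options)\\",
    re.IGNORECASE,
)


def find_suspicious(records):
    """Flag value changes under autostart paths, plus any key or object rename."""
    hits = []
    for rec in records:
        is_value_change = rec["gim_event_subcategory"] == "registry.value_change"
        if is_value_change and AUTOSTART_RE.search(rec["registry_path"]):
            hits.append(rec)
        elif rec["gim_event_type_code"] in (250502, 251000):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(normalize_all(SAMPLE_EVENTS)):
        print(hit["gim_event_type_code"], hit["gim_event_type"], hit["registry_path"])
```

Run as written, the check flags the Run-key value set (250000) and the rename of the Run key (250502) and ignores the vendor key creation, the vendor value write and the untyped record, which is the split the subcategories are meant to give a detection rule: alert on where a value_change landed, alert on every key_change or object_renamed rename because they are rare in normal operation, and keep default events for visibility without alerting on them.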
