Ultimately everything is a file regardless of your platform or operating system. So, it naturally follows that monitoring file system changes is crucial to multiple defense scenarios and security requirements. In terms of compliance, PCI-DSS (which I find the most prescriptive in terms of specific security techniques) specifically calls out file integrity monitoring but all the frameworks call for detecting unauthorized changes and no one disputes FIM is an integral part of that.
Don’t think of FIM as just a tool for catching configuration drift or trojan file replacement. As important as those are, monitoring file system changes is so valuable for monitoring things that are arcane to your particular environment and business.
Here are 2 examples from our own operations. We have file auditing set up on the static file folders of our website and are instantly notified whenever files are added, deleted or modified. In our case we chose to get the notification whether it was a planned change or not because the innocuous notifications provide some positive confirmation that our monitoring and notification pipeline is working end-to-end. Another side of our company maintains a commercial software product. Monitoring changes to the source code repo and other key folders on the build server is part of a comprehensive defense-in-depth strategy to prevent us being the medium for a supply-chain compromise against our customers. So look for locations and systems specific to your environment where high value files are subject to well-defined modification patterns – these are great candidates for FIM above and beyond the generic OS.
In Windows, file auditing is covered by the aptly named “File System” category. In this real training for free webinar, I’ll explain the 2-level file system audit policy in Windows, where it’s necessary to turn it on at the system level and then on specific folders. I’ll show you how folder audit policy is based on specifying which permissions to audit. We’ll look at some of the more complex issues in Windows file auditing such as detecting file creations, duplicate events, and the limits of file auditing in terms of detecting what changed about a given file. In particular we will cover Event IDs:
In Windows though, you also need to audit the registry because so much of the operating system security and application configuration is stored there. Ultimately the registry is a few monolithic “hive” files, but file auditing isn’t effective for the registry since each hive file holds thousands of settings. Thankfully there’s another audit category, “Registry”, which allows us to monitor registry keys and the values within them – even including the before and after data value. Registry auditing uses the same events as above except for 4657 which explicitly reports registry value changes. I’ll demonstrate how Registry auditing works in this session as well.
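As an added illustration of the two levels described above (not code from the webinar or from Netwrix), the script below turns on the “File System” and “Registry” audit subcategories system-wide, then adds success-audit entries for change-type permissions on one folder and one registry key, and finally pulls the resulting 4663 and 4657 events. The folder path and registry key are assumptions; substitute your own. Run it in an elevated PowerShell session.

```powershell
# Added example, not part of the original newsletter. Paths and key are assumptions.
$folder = 'C:\inetpub\wwwroot\static'          # assumed: static web content folder
$regKey = 'HKLM:\SOFTWARE\Contoso\BuildServer' # assumed: application settings key

# Level 1: enable the audit subcategories in the system-wide Advanced Audit Policy.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable
auditpol.exe /set /subcategory:"Registry"    /success:enable /failure:enable

# Level 2: add a SACL entry on the folder. Only the permissions listed here are audited,
# so choose ones that represent a change (write, delete, attribute/ACL changes), not reads.
$rights  = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, WriteAttributes, WriteExtendedAttributes, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$ace = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone', $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl = Get-Acl -Path $folder -Audit      # -Audit is required to read/write the SACL
$acl.AddAuditRule($ace)
Set-Acl -Path $folder -AclObject $acl

# Same idea for the registry key: audit value writes, subkey creation and deletion.
$regRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$regAce = [System.Security.AccessControl.RegistryAuditRule]::new(
    'Everyone', $regRights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$regAcl = Get-Acl -Path $regKey -Audit
$regAcl.AddAuditRule($regAce)
Set-Acl -Path $regKey -AclObject $regAcl

# Review what the policy produces: 4663 (object access, one event per audited handle use,
# hence the duplicates mentioned above) and 4657 (registry value modified, with old/new data).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4657 } -MaxEvents 200 |
  Where-Object { $_.Message -match [regex]::Escape($folder) -or $_.Message -match 'Contoso\\BuildServer' } |
  Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } }
```

Setting a SACL needs the Manage auditing and security log right (SeSecurityPrivilege), which an elevated administrator session has by default.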
Windows auditing is a powerful tool that I rely on in our security efforts, but I have to acknowledge that along with that raw power comes some challenges. My sponsor for this real training for free session is Netwrix and Dirk Schrader, VP of Security Research at Netwrix, will briefly show you how Netwrix Change Tracker solves those challenges and brings true integrity monitoring discipline to Windows environments. Netwrix Change Tracker continuously records all changes to files, folders, and registry keys — planned or unplanned — and correlates each change with its originating user, process, and configuration state. It eliminates the noise and ambiguity of raw event logs by providing clear, authoritative change intelligence: what changed, when, by whom, whether it was authorized, and whether it introduced risk.
Change Tracker also baselines system and application configurations, highlights drift from your approved golden state and automatically reconciles planned changes so your teams can focus on real unauthorized activity instead of combing through duplicate or low-value audit events. Its ability to track and validate change trails across Windows servers, workstations, and hybrid infrastructure makes it an ideal complement to native file and registry auditing — giving you full PCI-aligned file integrity monitoring, simplified compliance reporting, and immediate insight into any unexpected modifications across your environment.
Please join us for this real training for free session.
CAN'T MAKE THE LIVE EVENT? REGISTER ANYWAY TO GET THE RECORDED VERSION.
Title: File and Registry Integrity Monitoring with the Windows Security Log
Date: Thursday, December 11, 2025 12:00 - 1:30 PM ET
This is real training.
Space is limited.
Reserve your Webinar seat now at:
https://www.ultimatewindowssecurity.com/webinars/register.aspx?id=3785
Need CPE credit for this live webinar or any other live webinar you've attended in the past? Just visit www.UltimateWindowsSecurity.com, click on the Webinars section, and then the link for CPE credit transcript. If your email address has changed due to a job change or any other reason, click here to update it.
Thanks as always for reading and best wishes on security,
Randy Franklin Smith
Ultimate Windows Security is a division of Monterey Technology Group, Inc. ©2006-2025 Monterey Technology Group, All rights reserved. You may forward this email in its entirety but all other rights reserved.
9450 SW Gemini Drive #53822, Beaverton, OR 97008
Note: We do our best to provide quality information and expert commentary but use all information at your own risk.