Auditor Help: Reporting Custom Registry Keys

To report custom registry keys:

Tips: Version 3.6 introduces XML format capability for greater control over registry key reporting (see example below).
Text files from previous versions will continue to function.

  1. Run the Ecora software.
  2. Proceed with creating a report.
  3. When you get to the Data Collection Additional Parameters dialog box, click the checkbox to Report Custom Registry Keys.
  4. Specify or Browse... to an existing file containing the registry key list.
    -OR-
    Click Edit... to create a new file or edit an existing one.
    • Click Add... to export registry keys from the Registry Browser (or Import... to add information from a specified .XML or .REG file for reporting).
    • Locate a key you wish to report and click OK.
    • Repeat for each key to report.
  5. For each line / key, you can set the subkey mask, the value mask, and/or the directory levels to be reported. Double-click in any of the fields or click Edit... to access the Edit Record dialog box:
    • Verify, enter, or Browse... to the registry key.
    • Enter a new Subkey Mask or select one from the drop-down list and click Add.
    • Select an existing Subkey Mask and click Edit... to change the value.
    • Enter a new Value Mask or select one from the drop-down list and click Add.
    • Select an existing Value Mask and click Edit... to change the value.
    • Use the Remove or Remove All buttons to clear a selected mask or all specified masks.
    • Choose Limited (and specify the directory levels) or Unlimited directory depth for reporting.
    • Click OK.

  6. If you wish, click the Duplicates... button to see (highlighted) any duplicate keys in your list.
  7. If you wish, click the Remove button to delete the selected key or Remove to delete all of the keys in the current list.
  8. Click in the Collect HKEY_CURRENT_User for all users checkbox to collect all subkeys / values of the HKCU hive for all users (except those with "_class" suffix).
  9. Click OK and continue with system discovery.

Tip: The Custom Registry Keys information can be accessed via the Fact-Finding Reports.

Notes: Selecting and exporting in the Registry tree automatically selects all subordinate / child settings for export. If you wish to include all settings, you need only select the top-level for that branch. You may, however, continue to expand the tree ("drill-down") for more granularity, selecting only the precise keys you want to report and track.
Keys must be exported using regedit.exe (vs. regedt32.exe) to be read correctly by Ecora software.