The RegistryKeySet tag describes a set keys in the registry (Windows only).
These are XML attributes of the tag itself, as opposed to the attributes of the Entity monitored by Integrity Monitoring Rules.
|Attribute||Description||Required||Default Value||Allowed Values|
|base||Sets the base key of the RegistryKeySet. Everything else in the tag is relative to this key. The base must begin with one of the following registry branch names:
HKEY_CLASSES_ROOT (or HKCR),
HKEY_LOCAL_MACHINE (or HKLM),
HKEY_USERS (or HKU),
HKEY_CURRENT_CONFIG (or HKCC)
|Yes||N/A||String values resolving to syntactically valid registry key path|
Entity Set Attributes
These are the attributes of the Entity that can be monitored by Integrity Monitoring Rules.
- LastModified ("LastWriteTime" in Windows registry terminology)
Short Hand Attributes
- STANDARD: Group, Owner, Permissions, LastModified
Meaning of "Key"
Registry Keys are stored hierarchically in the registry, much like directories in a file system. For the purpose of this language the "key path" to a key is considered to look like the path to a directory. For example the "key path" to the "Deep Security Agent" key of the Agent would be:
HKEY_LOCAL_MACHINE\SOFTWARE\Trend Micro\Deep Security Agent
The "key" value for includes and excludes for the RegistryValueSet is matched against the key path. This is a hierarchical pattern, with sections of the pattern separated by "/" matched against sections of the key path separated by "\".
See About the Integrity Monitoring rules language for a general description of include for their allowed attributes and sub elements.