| ![[Warning]](stylesheet-images/warning.png) | 32bit vs. 64bit views | 
|---|---|
| On 64bit Windows, the same key name may get mapped to different keys, depending on whether the lookup is done by a 32bit or 64bit application. Currently samhain does not check the alternate view. | 
This option is available with samhain version 2.8.0 and higher, when compiled on Cygwin/Windows. It enables samhain to verify the integrity of individual keys, or complete trees/hierarchies of keys, in the Windows registry.
| ![[Note]](stylesheet-images/note.png) | Be careful what you ask for | 
|---|---|
| The Windows registry is huge, i.e. it may contain a very large number of keys, and baseline data for every one of them will be stored in the samhain baseline database if you choose to monitor all of them. There is the potential to blow up the size of the baseline database in a quite spectacular way. | 
All options for this module go into the section [Registry] .
- `RegistryCheckActive=boolean` switches this module on or off (default: off).
- `RegistryCheckInterval=seconds` defines the interval (in seconds) between consecutive checks. The default is 300 seconds.
- `SeverityChange=severity` defines the severity for reports on modifications to the registry.
- `IgnoreTimestampOnly=boolean` ignores changes where only the (write) timestamp has changed (default: off).
- `SingleKey=key` defines a key to be monitored (of course it is possible to use this command multiple times). Valid key names must start with one of: HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, or HKEY_USERS. The Windows path separator ('\') must be used.
- `Hierarchy=key` defines a key hierarchy in the registry, beginning at the specified key, to be monitored (of course it is possible to use this command multiple times). Valid key names must start with one of: HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, or HKEY_USERS. The Windows path separator ('\') must be used.
| ![[Note]](stylesheet-images/note.png) | Escaping the path separator | 
|---|---|
| The following two directives (StopAtKey, IgnoreKey) take a (POSIX) regular expression as argument. This implies that the path separator must be escaped by doubling it, i.e. you need to write '\\' instead of '\', because the '\' is a metacharacter in regular expressions (see example below). | 
- `StopAtKey=regex` means that the check of a hierarchy will stop at the specified key, i.e. nothing below this key will be checked or monitored (but the key itself where the check stops will). It is allowed to use a regular expression for the key. Valid key names must start with one of: HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, or HKEY_USERS. The Windows path separator ('\') must be used.
- `IgnoreKey=regex` differs from the StopAtKey option only insofar as the key where the check stops is not itself checked.
```ini
[Registry]
#
# Switch on the module
#
RegistryCheckActive = yes
#
# Check every 60 seconds
#
RegistryCheckInterval = 60
#
# Check this and everything below
#
Hierarchy = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
#
# Exclude this and anything below
# IgnoreKey and StopAtKey have a regex as argument, hence
# the path separator '\' must be escaped by doubling it.
#
IgnoreKey = HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion
#
# Check this key
#
SingleKey = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters
```
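To make the difference between `StopAtKey` and `IgnoreKey`, and the separator escaping the note above calls for, concrete, here is a small Python model of the key selection that the example configuration performs. It is an added illustration, not samhain's own code; the key list is constructed, and it assumes that a `StopAtKey`/`IgnoreKey` regex has to match the whole key path, which the manual does not state.

```python
import re
SEP = "\\"

# Constructed sample key paths (not a real registry export), in the order
# a walk of the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft hierarchy might visit them.
SAMPLE_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Vendor",  # outside the monitored hierarchy
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters",
]

def key_regex(key):
    """Literal key path -> regex for StopAtKey/IgnoreKey: each backslash doubled."""
    return key.replace(SEP, SEP + SEP)

def ancestors(key):
    """Yield the key itself, then each parent key up to the root hive."""
    parts = key.split(SEP)
    for i in range(len(parts), 0, -1):
        yield SEP.join(parts[:i])

def monitored_keys(keys, hierarchies, single_keys, stop_at=(), ignore=()):
    """Model which keys a [Registry] section selects for checking.
    Assumed (not stated by the manual): a regex must match the whole path.
    StopAtKey: matching key checked, nothing below it.  IgnoreKey: matching
    key and everything below it skipped.  SingleKey: always checked."""
    stop_re = [re.compile(r) for r in stop_at]
    ign_re = [re.compile(r) for r in ignore]
    hit = lambda pats, k: any(p.fullmatch(k) for p in pats)
    selected = []
    for key in keys:
        if key in single_keys:
            selected.append(key)
        elif any(key == h or key.startswith(h + SEP) for h in hierarchies):
            chain = list(ancestors(key))            # key first, then parents
            if any(hit(ign_re, a) for a in chain):
                continue                            # ignored key, or below one
            if any(hit(stop_re, a) for a in chain[1:]):
                continue                            # below a stop key
            selected.append(key)
    return selected

if __name__ == "__main__":   # the page's example: ignore Windows NT\CurrentVersion
    ign = [key_regex(r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion")]
    single = [r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters"]
    print("\n".join(monitored_keys(SAMPLE_KEYS, [r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft"], single, ignore=ign)))
```

Swapping the same regex from `ignore=` to `stop_at=` keeps `Windows NT\CurrentVersion` itself in the result but still drops `Winlogon` beneath it.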