
Windows Event ID 4657 – Microsoft-Windows-Security-Auditing: Registry Value Modified

Event ID 4657 logs when a registry value is modified on Windows systems with object access auditing enabled. Critical for security monitoring and compliance tracking.

Emanuel DE ALMEIDA
18 March 2026, 12 min read
Event Reference

What This Event Means

Event ID 4657 is generated by the Windows Security Auditing subsystem when a registry value is successfully modified. This event requires the 'Audit Object Access' policy (Registry subcategory) to be enabled and specific registry keys to have auditing configured through their System Access Control Lists (SACLs).

The event captures comprehensive details including the security identifier (SID) of the user or process making the change, the full registry path, the value name, the old and new values (when applicable), and the process information. This granular logging makes it invaluable for security investigations and compliance reporting.

In Windows Server 2025 and later versions, Microsoft enhanced this event with additional context fields including parent process information and improved value change tracking. The event integrates with Microsoft Defender for Endpoint (formerly Windows Defender Advanced Threat Protection, ATP) and Microsoft Sentinel for advanced security analytics.

Registry auditing can generate significant log volume in busy environments, so careful planning of which registry keys to audit is essential. Critical system areas like HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and security-related keys are commonly monitored to detect persistence mechanisms and configuration tampering.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025
Analysis

Possible Causes

  • User or administrator manually editing registry values through Registry Editor (regedit.exe)
  • Software installation or uninstallation processes modifying registry entries
  • Group Policy changes updating registry-based configuration settings
  • System services or Windows components updating their configuration values
  • Malware or unauthorized software creating persistence mechanisms
  • PowerShell scripts or batch files executing registry modification commands
  • Third-party management tools performing system configuration changes
  • Windows Update processes modifying system registry entries
  • Application startup or shutdown routines updating registry state
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific Event ID 4657 entry to understand what registry modification occurred.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs > Security
  3. Filter for Event ID 4657 by right-clicking the Security log and selecting Filter Current Log
  4. Enter 4657 in the Event IDs field and click OK
  5. Double-click on a 4657 event to view detailed information including:
    • Subject: User account that made the change
    • Object: Registry key and value name
    • Process Information: Executable that performed the modification
    • Change Information: Old and new values
  6. Note the Process Name and Process ID to correlate with other security events
  7. Check the timestamp to establish a timeline of registry modifications
Pro tip: Use the Details tab in XML view to see all available fields, including some not displayed in the General tab.
02

Query Registry Audit Events with PowerShell

Use PowerShell to efficiently query and analyze registry modification events across multiple systems.

  1. Open PowerShell as Administrator
  2. Query recent registry modification events:
    # 4657 EventData order: SubjectUserName is Properties[1], ObjectName is [4], ObjectValueName is [5], ProcessId is [12], ProcessName is [13]
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4657} -MaxEvents 50 | Select-Object TimeCreated, Id, @{Name='User';Expression={$_.Properties[1].Value}}, @{Name='ProcessName';Expression={$_.Properties[13].Value}}, @{Name='ObjectName';Expression={$_.Properties[4].Value}}
  3. Filter for specific registry keys of interest:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4657} | Where-Object {$_.Message -like '*CurrentVersion\Run*'} | Format-Table TimeCreated, @{Name='User';Expression={$_.Properties[1].Value}}, @{Name='KeyPath';Expression={$_.Properties[4].Value}} -AutoSize
  4. Export results for analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4657} -MaxEvents 1000 | Export-Csv -Path "C:\Temp\RegistryAudit.csv" -NoTypeInformation
  5. Query specific time ranges:
    $StartTime = (Get-Date).AddDays(-7)
    $EndTime = Get-Date
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4657; StartTime=$StartTime; EndTime=$EndTime}
Warning: Large environments may generate thousands of 4657 events. Use time filters and specific key patterns to avoid overwhelming results.
03

Configure Registry Auditing Policies

Ensure proper audit policy configuration to capture registry modifications for security monitoring.

  1. Open Local Security Policy by running secpol.msc
  2. Navigate to Local Policies > Audit Policy
  3. Double-click Audit object access and enable both Success and Failure
  4. Configure advanced audit policy via command line:
    auditpol /set /subcategory:"Registry" /success:enable /failure:enable
  5. Set up auditing on specific registry keys using PowerShell:
    $RegPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $Acl = Get-Acl $RegPath
    $AccessRule = New-Object System.Security.AccessControl.RegistryAuditRule("Everyone", "SetValue,CreateSubKey,Delete", "None", "None", "Success,Failure")
    $Acl.SetAuditRule($AccessRule)
    Set-Acl -Path $RegPath -AclObject $Acl
  6. Verify auditing is configured:
    Get-Acl "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" | Select-Object -ExpandProperty Audit
  7. Test the configuration by making a registry change and checking for Event ID 4657
Pro tip: Focus auditing on critical registry locations like Run keys, service configurations, and security settings to reduce log noise while maintaining security coverage.
04

Investigate Suspicious Registry Modifications

Analyze Event ID 4657 entries to identify potentially malicious registry changes and security incidents.

  1. Identify high-risk registry modifications by querying persistence locations:
    $SuspiciousKeys = @(
        '*\Run*',
        '*\RunOnce*',
        '*\Winlogon*',
        '*\Services*',
        '*\AppInit_DLLs*'
    )
    
    foreach ($Key in $SuspiciousKeys) {
        Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4657} | Where-Object {$_.Message -like $Key} | Select-Object TimeCreated, @{Name='User';Expression={$_.Properties[1].Value}}, @{Name='Process';Expression={$_.Properties[13].Value}}
    }
  2. Cross-reference with process creation events (Event ID 4688):
    $ProcessId = "0x4d2"  # ProcessId as shown in the 4657 event (a hex string, Properties[12])
    # Properties[4] of 4688 is NewProcessId, also a hex string; PIDs are reused, so confirm the 4688 timestamp precedes the 4657 event
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object {$_.Properties[4].Value -eq $ProcessId}
  3. Check for unsigned or suspicious executables making registry changes:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4657} | ForEach-Object {
        $ProcessPath = $_.Properties[13].Value   # ProcessName field of 4657
        if ($ProcessPath -and (Test-Path $ProcessPath)) {
            $Signature = Get-AuthenticodeSignature $ProcessPath
            if ($Signature.Status -ne "Valid") {
                Write-Output "Unsigned process: $ProcessPath modified registry at $($_.TimeCreated)"
            }
        }
    }
  4. Generate timeline analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4657} -MaxEvents 500 | Group-Object @{Expression={$_.Properties[13].Value}} | Sort-Object Count -Descending | Select-Object Name, Count
  5. Export detailed forensic report:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4657} | Select-Object TimeCreated, @{Name='User';Expression={$_.Properties[1].Value}}, @{Name='ProcessName';Expression={$_.Properties[13].Value}}, @{Name='RegistryKey';Expression={$_.Properties[4].Value}}, @{Name='ValueName';Expression={$_.Properties[5].Value}} | Export-Csv "C:\Forensics\RegistryChanges.csv" -NoTypeInformation
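The queries in steps 02 and 04 address fields by positional Properties[] index, which is easy to get wrong and can shift between Windows versions. The following function, added here as an example and not part of the original article, reads each 4657 event's XML and selects fields by name, decodes the operation type, and flags changes under the persistence keys listed above; the watch-key list and the OperationType code mapping are assumptions taken from the documented 4657 field values.

```powershell
# Added example (not from the original article). Reads each 4657 event's XML and
# selects fields by <Data Name="..."> instead of positional Properties[] indexes,
# then flags changes under common persistence keys. Assumes a local Security log
# with registry auditing enabled; the watch-key list and OperationType mapping
# below are assumptions taken from the documented 4657 field values.
function Get-RegistryChange {
    param(
        [int]$MaxEvents = 200,
        [string[]]$WatchKeys = @('\CurrentVersion\Run', '\CurrentVersion\RunOnce',
                                 '\CurrentVersion\Winlogon', '\CurrentControlSet\Services',
                                 '\AppInit_DLLs')
    )
    # 4657 reports the operation as a resource string id, not a word
    $OpNames = @{ '%%1904' = 'Created'; '%%1905' = 'Modified'; '%%1906' = 'Deleted' }

    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4657} -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Build a name -> value map so an index shift between OS versions cannot mislabel fields
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

        # ObjectName looks like \REGISTRY\MACHINE\SOFTWARE\...\CurrentVersion\Run
        $fullPath = "$($data.ObjectName)\$($data.ObjectValueName)"
        $watched  = @($WatchKeys | Where-Object { $fullPath -like "*$_*" }).Count -gt 0
        $op = $data.OperationType
        if ($op -and $OpNames.ContainsKey($op)) { $op = $OpNames[$op] }

        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Operation   = $op
            Key         = $data.ObjectName
            ValueName   = $data.ObjectValueName
            OldValue    = $data.OldValue
            NewValue    = $data.NewValue
            Process     = $data.ProcessName
            Persistence = $watched
        }
    }
}

# Persistence-key changes only, newest first, with the before/after values visible
Get-RegistryChange -MaxEvents 1000 |
    Where-Object Persistence |
    Sort-Object Time -Descending |
    Format-Table Time, User, Operation, Key, ValueName, NewValue, Process -AutoSize
```

Because OldValue and NewValue are read by name, a Run-key entry that changed from a Program Files path to something under a user profile or temp directory is visible in a single row rather than requiring a second query.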
05

Advanced Monitoring with Windows Event Forwarding

Implement centralized registry audit monitoring across multiple systems using Windows Event Forwarding (WEF).

  1. Configure the collector server by enabling WinRM:
    winrm quickconfig
    wecutil qc
  2. Create a custom subscription for Event ID 4657:
    <?xml version="1.0" encoding="UTF-8"?>
    <Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
        <SubscriptionId>RegistryAudit</SubscriptionId>
        <SubscriptionType>SourceInitiated</SubscriptionType>
        <Description>Registry modification monitoring</Description>
        <Enabled>true</Enabled>
        <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
        <ConfigurationMode>Normal</ConfigurationMode>
        <Query>
            <![CDATA[
            <QueryList>
                <Query Id="0">
                    <Select Path="Security">*[System[EventID=4657]]</Select>
                </Query>
            </QueryList>
            ]]>
        </Query>
    </Subscription>
  3. Deploy the subscription:
    wecutil cs C:\Subscriptions\RegistryAudit.xml
  4. Configure source computers via Group Policy or PowerShell:
    winrm set winrm/config/client @{TrustedHosts="CollectorServer"}
    wecutil ss RegistryAudit /cm:Normal
  5. Monitor forwarded events on the collector:
    Get-WinEvent -LogName "ForwardedEvents" | Where-Object {$_.Id -eq 4657} | Select-Object TimeCreated, MachineName, @{Name='RegistryPath';Expression={$_.Properties[4].Value}}
  6. Set up automated alerting for critical registry changes:
    Register-WmiEvent -Query "SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.EventCode = 4657" -Action {
        # Use a distinct name rather than overwriting the automatic $Event variable inside the action block
        $LogEvent = $Event.SourceEventArgs.NewEvent.TargetInstance
        if ($LogEvent.Message -like '*\Run*') {
            Send-MailMessage -To "admin@company.com" -Subject "Critical Registry Change" -Body $LogEvent.Message -SmtpServer "mail.company.com"
        }
    }
Warning: Event forwarding can generate significant network traffic and storage requirements. Implement proper filtering and retention policies.

Overview

Event ID 4657 fires whenever a registry value is modified on a Windows system with object access auditing configured. This security audit event captures detailed information about registry modifications, including the user account, process, and specific registry path affected. The event appears in the Security log and requires proper audit policy configuration to generate.

This event is essential for security monitoring, compliance auditing, and forensic investigations. It helps administrators track unauthorized registry changes, monitor system configuration modifications, and maintain audit trails for regulatory compliance. The event provides granular details about what changed, who made the change, and when it occurred.

Registry modifications can indicate legitimate system administration, software installations, malware activity, or unauthorized configuration changes. Understanding this event helps distinguish between normal operations and potential security incidents. Modern threat detection systems rely heavily on Event ID 4657 for behavioral analysis and anomaly detection in enterprise environments.

Frequently Asked Questions

What does Event ID 4657 mean and why is it important?
Event ID 4657 indicates that a registry value has been modified on a Windows system with object access auditing enabled. This event is crucial for security monitoring because the Windows registry contains critical system configuration, application settings, and security policies. Malware often modifies registry entries to establish persistence, disable security features, or alter system behavior. By monitoring Event ID 4657, administrators can detect unauthorized changes, track configuration modifications for compliance, and identify potential security incidents. The event provides detailed information including who made the change, what process was responsible, and the specific registry path affected.
How do I enable auditing to generate Event ID 4657?
To generate Event ID 4657, you must enable both the audit policy and configure specific registry keys for auditing. First, enable the 'Audit Object Access' policy through Local Security Policy (secpol.msc) or use the command 'auditpol /set /subcategory:"Registry" /success:enable /failure:enable'. Then, configure auditing on specific registry keys by modifying their System Access Control Lists (SACLs). Use PowerShell with Get-Acl and Set-Acl cmdlets to add audit rules for the 'Everyone' group with 'SetValue,CreateSubKey,Delete' permissions. Focus on critical locations like HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run for maximum security value while minimizing log volume.
Which registry keys should I monitor with Event ID 4657 for security purposes?
For security monitoring, focus on registry locations commonly used by malware for persistence and system manipulation. Key areas include: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and RunOnce (startup programs), HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (logon processes), HKLM\SYSTEM\CurrentControlSet\Services (system services), HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (DLL injection), and HKLM\SOFTWARE\Policies (Group Policy settings). Also monitor HKCU equivalents for user-specific persistence. These locations are frequently targeted by malware, unauthorized software, and attackers seeking to maintain access or modify system behavior.
How can I reduce the volume of Event ID 4657 logs while maintaining security coverage?
To manage Event ID 4657 log volume effectively, implement selective auditing strategies. Configure auditing only on high-value registry keys rather than entire registry hives. Use specific SACL configurations that target 'SetValue' and 'Delete' operations while excluding 'QueryValue' to reduce read-related noise. Implement log filtering at the collection level using Windows Event Forwarding with custom XPath queries that focus on suspicious patterns. Consider using PowerShell scheduled tasks to periodically clean up older audit logs while preserving recent entries. For enterprise environments, leverage SIEM solutions with intelligent filtering rules that correlate registry changes with process behavior and user context to identify truly suspicious activities.
What should I do if I find suspicious Event ID 4657 entries indicating potential malware?
When suspicious Event ID 4657 entries are detected, immediately begin incident response procedures. First, isolate the affected system from the network to prevent lateral movement. Document all registry modifications including timestamps, user accounts, and process information. Cross-reference the modifying process with Event ID 4688 (process creation) to understand the attack chain. Check if the process executable is digitally signed and scan it with updated antivirus tools. Examine the specific registry values that were modified to understand the malware's intended persistence mechanism. Create forensic images before making any changes. Use PowerShell to export detailed audit logs for analysis. Implement additional monitoring on similar systems and consider threat hunting activities to identify potential compromise across the environment.
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
