Windows Event ID 5138 – Microsoft-Windows-Security-Auditing: Registry Value Deleted

Event ID 5138 records when a registry value is deleted on Windows systems with audit policies enabled. This security audit event helps track registry modifications for compliance and security monitoring.

Emanuel DE ALMEIDA, 18 March 2026, 9 min read

What This Event Means

Event ID 5138 represents a security audit event generated by the Windows Security Reference Monitor when registry values are deleted from the system registry. This event is part of the Object Access audit category and requires explicit configuration through audit policies to function properly.

The registry serves as Windows' central configuration database, storing critical system settings, application configurations, and user preferences. When applications, services, or administrative tools delete registry values, Windows can track these modifications through the auditing subsystem. Event ID 5138 specifically captures value deletions, providing a complete audit trail of what was removed from the registry.

Each Event ID 5138 entry contains comprehensive information including the registry key path, the specific value name that was deleted, the security identifier (SID) of the account performing the action, the process name and ID responsible for the deletion, and precise timestamps. This detailed logging enables administrators to track configuration changes, investigate security incidents, and maintain compliance with regulatory requirements.

The event fires regardless of whether the deletion was performed through Registry Editor, PowerShell commands, Group Policy changes, application installations or uninstallations, or programmatic registry modifications. This comprehensive coverage ensures that all registry value deletions are captured when auditing is properly configured.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025

Possible Causes

  • Application uninstallation removing registry entries during cleanup
  • Administrative tools like Registry Editor deleting values manually
  • PowerShell scripts or batch files removing registry configurations
  • Group Policy changes that result in registry value removal
  • System maintenance tools cleaning obsolete registry entries
  • Malware or unauthorized software modifying system configurations
  • Windows Update processes removing deprecated registry values
  • Service installations overwriting existing registry configurations
Resolution Methods

Method 1: Review Event Details in Event Viewer

Start by examining the specific Event ID 5138 entries to understand what registry values were deleted and by whom.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs > Security
  3. Filter the log by clicking Filter Current Log in the Actions pane
  4. Enter 5138 in the Event IDs field and click OK
  5. Double-click on Event ID 5138 entries to view detailed information
  6. Review the General tab for registry key path, value name, and account information
  7. Check the Details tab for additional XML data including process information

Use PowerShell to query multiple events efficiently:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5138} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap

Method 2: Enable Registry Auditing if Events Are Missing

If Event ID 5138 entries are not appearing despite registry changes, verify and configure registry auditing policies.

  1. Open Local Group Policy Editor by running gpedit.msc
  2. Navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object Access
  3. Double-click Audit Registry
  4. Check Configure the following audit events
  5. Enable both Success and Failure checkboxes
  6. Click OK and close Group Policy Editor
  7. Run gpupdate /force to apply changes immediately

Verify the audit policy is active:

auditpol /get /subcategory:"Registry" /r

Pro tip: Use auditpol /set /subcategory:"Registry" /success:enable /failure:enable to configure auditing via command line.
Method 3: Analyze Registry Deletion Patterns with PowerShell

Use PowerShell to analyze Event ID 5138 patterns and identify suspicious or unexpected registry deletions.

  1. Query events from the last 24 hours and parse the fields of interest from each event's XML:

$StartTime = (Get-Date).AddDays(-1)
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5138; StartTime=$StartTime}
# Keep the parsed records in $Deletions; the raw EventLogRecord objects have no User property,
# so the grouping and export steps below must run against the parsed objects, not $Events
$Deletions = $Events | ForEach-Object {
    $XML = [xml]$_.ToXml()
    [PSCustomObject]@{
        TimeCreated     = $_.TimeCreated
        User            = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
        ProcessName     = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'ProcessName'} | Select-Object -ExpandProperty '#text'
        ObjectName      = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'ObjectName'} | Select-Object -ExpandProperty '#text'
        ObjectValueName = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'ObjectValueName'} | Select-Object -ExpandProperty '#text'
    }
} | Sort-Object TimeCreated -Descending

  2. Group deletions by user account to identify patterns:

$Deletions | Group-Object User | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize

  3. Export results for further analysis:

$Deletions | Export-Csv -Path "C:\Temp\RegistryDeletions.csv" -NoTypeInformation

Method 4: Configure Advanced Registry Monitoring with SACL

Set up System Access Control Lists (SACL) on specific registry keys for granular monitoring of critical registry locations.

  1. Open Registry Editor as Administrator
  2. Navigate to the registry key you want to monitor (e.g., HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run)
  3. Right-click the key and select Permissions
  4. Click Advanced button
  5. Select the Auditing tab
  6. Click Add to create a new audit entry
  7. Click Select a principal and choose Everyone
  8. Under Type, select All
  9. Check Delete subkeys and values and Set value
  10. Click OK to apply the SACL

Verify SACL configuration using PowerShell:

Get-Acl -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Audit | Select-Object -ExpandProperty Audit

Warning: Excessive registry auditing can impact system performance. Monitor only critical keys in production environments.
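The same audit entry can be applied from PowerShell, which is easier to repeat across servers than the Registry Editor dialog. This is an added example, not code from the original article; it assumes an elevated session (writing a SACL needs SeSecurityPrivilege) and uses the Run key and the Everyone principal from the steps above as defaults.

```powershell
# Added example (not from the original article): apply the Method 4 audit entry from PowerShell
# and read the SACL back to confirm it took effect. Assumes an elevated session.
function Set-RegistryDeletionAudit {
    param(
        [Parameter(Mandatory)][string]$Path,   # e.g. HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        [string]$Principal = 'Everyone'        # principal whose access to the key is audited
    )
    # Delete (the key and its values) plus SetValue, audited on success and failure,
    # inherited by subkeys so entries created beneath the key are covered as well
    $rights = [System.Security.AccessControl.RegistryRights]'Delete, SetValue'
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        $Principal, $rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')

    # -Audit is required: without it the SACL section is not loaded and Set-Acl would not write it
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Read the SACL back; an empty result means the rule was not applied (typically: not elevated)
    (Get-Acl -Path $Path -Audit).Audit |
        Where-Object { $_.IdentityReference.Value -eq $Principal } |
        Select-Object IdentityReference, RegistryRights, AuditFlags, InheritanceFlags
}

Set-RegistryDeletionAudit -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
```

Run it once per key on the watch list; the returned rows are the same entries the Auditing tab shows in Registry Editor.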
Method 5: Implement Centralized Registry Monitoring with Windows Event Forwarding

Configure Windows Event Forwarding (WEF) to centralize Event ID 5138 collection across multiple systems for enterprise monitoring.

  1. On the collector server, configure the Windows Event Collector service:
wecutil qc /q
Set-Service -Name Wecsvc -StartupType Automatic
Start-Service -Name Wecsvc

  2. Create a subscription configuration file:
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>RegistryDeletions</SubscriptionId>
    <SubscriptionType>SourceInitiated</SubscriptionType>
    <Description>Registry Value Deletions</Description>
    <Enabled>true</Enabled>
    <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
    <ConfigurationMode>Normal</ConfigurationMode>
    <Query>
        <![CDATA[
            <QueryList>
                <Query Id="0">
                    <Select Path="Security">*[System[EventID=5138]]</Select>
                </Query>
            </QueryList>
        ]]>
    </Query>
</Subscription>

  3. Import the subscription:
wecutil cs C:\Path\To\RegistryDeletions.xml

  4. On source computers, configure the Windows Remote Management service and add the collector to the Event Log Readers group

Overview

Event ID 5138 fires whenever a registry value gets deleted on a Windows system that has registry auditing enabled through Group Policy or local security settings. This event belongs to the Object Access audit category and provides detailed information about what registry value was removed, who performed the action, and when it occurred.

The event appears in the Security log and requires specific audit policies to be configured before it will generate entries. Without proper auditing configuration, registry deletions occur silently without creating Event ID 5138 entries. This makes it crucial for environments requiring compliance tracking or security monitoring to enable registry auditing.

Windows generates this event through the Security Reference Monitor (SRM) component when applications, services, or users delete registry values. The event captures the full registry path, the deleted value name, and security context information including the user account and process responsible for the deletion. This granular tracking capability makes Event ID 5138 valuable for forensic analysis and change management in enterprise environments.

Frequently Asked Questions

What does Event ID 5138 mean and when does it appear?
Event ID 5138 indicates that a registry value has been deleted from the Windows registry. This security audit event appears in the Security log when registry auditing is enabled and captures detailed information about what value was removed, who performed the deletion, and which process was responsible. The event requires the 'Audit Registry' policy to be configured under Object Access auditing to generate entries.
Why am I not seeing Event ID 5138 even though registry changes are occurring?
Event ID 5138 only appears when registry auditing is explicitly enabled through Group Policy or local security settings. By default, Windows does not audit registry changes to avoid performance impact and log volume issues. You must configure the 'Audit Registry' policy under Advanced Audit Policy Configuration → Object Access to enable this event. Additionally, specific registry keys may need System Access Control Lists (SACL) configured for granular monitoring.
Can Event ID 5138 help detect malware or unauthorized registry modifications?
Yes, Event ID 5138 is valuable for detecting suspicious registry activity when properly configured. Malware often deletes security-related registry values, removes startup entries, or clears evidence of their presence. By monitoring Event ID 5138 entries for unexpected deletions in critical registry locations like HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or security policy keys, administrators can identify potential security incidents. However, this requires baseline knowledge of normal registry activity in your environment.
How can I filter Event ID 5138 to focus on specific registry keys or users?
Use PowerShell with XML parsing to filter Event ID 5138 entries by specific criteria. You can filter by registry key path using the ObjectName field, by user account using SubjectUserName, or by process using ProcessName. For example: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5138} | Where-Object {$_.Message -like '*HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*'} will show only deletions from the startup registry key. Custom PowerShell scripts can parse the XML event data for more granular filtering.
What performance impact does enabling Event ID 5138 auditing have on Windows systems?
Registry auditing can have significant performance impact if configured too broadly, as the Windows registry is accessed constantly by applications and services. The impact depends on which registry keys are audited and system activity levels. Auditing high-traffic keys like HKLM\SOFTWARE\Classes can generate thousands of events and slow system performance. Best practice is to audit only critical registry locations using SACL configuration on specific keys rather than enabling global registry auditing. Monitor system performance after enabling auditing and adjust scope as needed.
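The filtering and detection described in the FAQ above (deletions under critical keys, grouped by user and process) can be done against the event XML rather than the rendered message. This is an added example, not code from the original article: the watch list is an assumption to adapt to your environment, and the two events are constructed records in the Security log's XML layout so the script runs offline; for live data feed in the output of Get-WinEvent as noted in the comments.

```powershell
# Added example (not from the original article): parse Event ID 5138 XML records, flag deletions
# under critical keys and summarise the rest by user and process. For live data replace
# $SampleEvents with: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5138} | ForEach-Object { $_.ToXml() }

# Assumed watch list. ObjectName uses the kernel form \REGISTRY\MACHINE\... rather than HKLM\...
$CriticalKeys = @(
    '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function ConvertFrom-RegistryDeletionXml {
    param([Parameter(Mandatory)][string]$EventXml)
    $xml = [xml]$EventXml
    $data = @{}   # name -> value map, so EventData is scanned once rather than once per field
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [PSCustomObject]@{
        TimeCreated = [datetime]$xml.Event.System.TimeCreated.SystemTime
        User        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        ProcessName = $data['ProcessName']
        ObjectName  = $data['ObjectName']
        ValueName   = $data['ObjectValueName']
        Critical    = [bool]($CriticalKeys | Where-Object { $data['ObjectName'] -like "$_*" })
    }
}

# Constructed sample records (not captured from a real host): one routine uninstall, one Run key deletion
$SampleEvents = @(
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>5138</EventID>
     <TimeCreated SystemTime="2026-03-18T09:12:44Z"/></System><EventData>
     <Data Name="SubjectUserName">svc_install</Data><Data Name="SubjectDomainName">CORP</Data>
     <Data Name="ObjectName">\REGISTRY\MACHINE\SOFTWARE\Contoso\App</Data>
     <Data Name="ObjectValueName">InstallPath</Data>
     <Data Name="ProcessName">C:\Windows\System32\msiexec.exe</Data></EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>5138</EventID>
     <TimeCreated SystemTime="2026-03-18T09:15:02Z"/></System><EventData>
     <Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CORP</Data>
     <Data Name="ObjectName">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</Data>
     <Data Name="ObjectValueName">SecurityHealth</Data>
     <Data Name="ProcessName">C:\Windows\regedit.exe</Data></EventData></Event>'
)

$Deletions = $SampleEvents | ForEach-Object { ConvertFrom-RegistryDeletionXml -EventXml $_ }
# Deletions under watched keys deserve an alert; everything else goes into a per-user/process summary
$Deletions | Where-Object Critical | Format-Table TimeCreated, User, ProcessName, ObjectName, ValueName -Wrap
$Deletions | Group-Object User, ProcessName | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize
```

Only the second sample is reported as critical; the first, an installer removing its own value, only appears in the summary, which is the baseline view the FAQ recommends building before alerting.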