Start by examining the specific details of Event ID 5139 to understand what registry value was deleted and by whom.

1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
2. Navigate to Windows Logs → Security
3. Filter for Event ID 5139 by right-clicking the Security log and selecting Filter Current Log
4. Enter 5139 in the Event IDs field and click OK
5. Double-click on a 5139 event to view detailed information including:
   • Subject (user account that performed the deletion)
   • Object Name (full registry path of deleted value)
   • Process Information (executable and process ID)
   • Access Request Information (requested access rights)
6. Note the Logon ID to correlate with logon events (4624/4625) for additional context

Use PowerShell for more efficient filtering:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5139} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap

Cross-reference Event ID 5139 with related security events to build a complete picture of the deletion activity.

1. Extract the Process ID and Logon ID from the 5139 event details
2. Search for process creation events (4688) with matching Process ID:

$ProcessId = "0x1234"  # Replace with actual Process ID from 5139 event
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object {$_.Message -like "*$ProcessId*"} | Select-Object TimeCreated, Message

3. Identify the logon session using the Logon ID:

$LogonId = "0x5678"  # Replace with actual Logon ID from 5139 event
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625} | Where-Object {$_.Message -like "*$LogonId*"} | Select-Object TimeCreated, Id, Message

4. Check for related registry events around the same timeframe:

$StartTime = (Get-Date).AddHours(-1)
$EndTime = Get-Date
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136,5137,5138,5139,5140,5141; StartTime=$StartTime; EndTime=$EndTime} | Sort-Object TimeCreated

5. Document the timeline and context for further investigation or reporting

Configure comprehensive registry auditing to capture more detailed information about registry modifications.

1. Open Group Policy Management Console or Local Group Policy Editor (gpedit.msc)
2. Navigate to Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Object Access
3. Configure Audit Registry policy:
   • Enable Success and Failure auditing
   • Apply the policy using gpupdate /force
4. For specific registry key monitoring, configure SACL (System Access Control List) entries:

# Example: Monitor HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
$RegistryPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
$Acl = Get-Acl $RegistryPath
$AccessRule = New-Object System.Security.AccessControl.RegistryAuditRule("Everyone", "Delete,SetValue,CreateSubKey", "None", "None", "Success,Failure")
$Acl.SetAuditRule($AccessRule)
Set-Acl $RegistryPath $Acl

5. Verify auditing is active by checking the audit policy:

auditpol /get /subcategory:"Registry"

6. Test the configuration by deleting a test registry value and confirming Event ID 5139 generation

Set up automated detection and response for suspicious registry value deletions using PowerShell and Windows Task Scheduler.

1. Create a PowerShell monitoring script:

# Save as Monitor-RegistryDeletions.ps1
param(
    [string]$LogName = "Security",
    [int]$EventId = 5139,
    [int]$MaxEvents = 100
)

$Events = Get-WinEvent -FilterHashtable @{LogName=$LogName; Id=$EventId; StartTime=(Get-Date).AddMinutes(-5)} -ErrorAction SilentlyContinue

foreach ($Event in $Events) {
    $EventXML = [xml]$Event.ToXml()
    $SubjectUserName = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq "SubjectUserName"} | Select-Object -ExpandProperty "#text"
    $ObjectName = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq "ObjectName"} | Select-Object -ExpandProperty "#text"
    $ProcessName = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq "ProcessName"} | Select-Object -ExpandProperty "#text"
    
    # Define suspicious patterns
    $SuspiciousKeys = @(
        "*\\Run*",
        "*\\RunOnce*",
        "*\\Winlogon*",
        "*\\Services*",
        "*\\Policies*"
    )
    
    foreach ($Pattern in $SuspiciousKeys) {
        if ($ObjectName -like $Pattern) {
            $AlertMessage = "ALERT: Suspicious registry deletion detected`nUser: $SubjectUserName`nRegistry: $ObjectName`nProcess: $ProcessName`nTime: $($Event.TimeCreated)"
            Write-EventLog -LogName "Application" -Source "Registry Monitor" -EventId 1001 -EntryType Warning -Message $AlertMessage
            # Send email or trigger additional response actions here
        }
    }
}

2. Register the script as a scheduled task:

$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-ExecutionPolicy Bypass -File C:\Scripts\Monitor-RegistryDeletions.ps1"
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 5) -RepetitionDuration (New-TimeSpan -Days 365)
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable
Register-ScheduledTask -TaskName "Registry Deletion Monitor" -Action $Action -Trigger $Trigger -Settings $Settings -User "SYSTEM"

3. Create a custom event source for alerts:

New-EventLog -LogName "Application" -Source "Registry Monitor"

4. Configure Windows Event Forwarding (WEF) for centralized monitoring in enterprise environments
5. Integrate with SIEM solutions using Windows Event Collector or third-party agents

Perform comprehensive forensic analysis when Event ID 5139 indicates potential security incidents or unauthorized modifications.

1. Collect comprehensive event data for analysis:

# Export security events for forensic analysis
$StartDate = (Get-Date).AddDays(-7)
$EndDate = Get-Date
$ExportPath = "C:\Forensics\SecurityEvents_$(Get-Date -Format 'yyyyMMdd_HHmmss').evtx"

wevtutil epl Security $ExportPath /q:"*[System[TimeCreated[@SystemTime>='$($StartDate.ToString('yyyy-MM-ddTHH:mm:ss.fffZ'))' and @SystemTime<='$($EndDate.ToString('yyyy-MM-ddTHH:mm:ss.fffZ'))']]]"

2. Analyze registry deletion patterns and correlate with system changes:

# Analyze Event ID 5139 patterns
$RegistryDeletions = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5139; StartTime=$StartDate; EndTime=$EndDate}

$Analysis = $RegistryDeletions | ForEach-Object {
    $EventXML = [xml]$_.ToXml()
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        User = ($EventXML.Event.EventData.Data | Where-Object {$_.Name -eq "SubjectUserName"})."#text"
        RegistryPath = ($EventXML.Event.EventData.Data | Where-Object {$_.Name -eq "ObjectName"})."#text"
        Process = ($EventXML.Event.EventData.Data | Where-Object {$_.Name -eq "ProcessName"})."#text"
        ProcessId = ($EventXML.Event.EventData.Data | Where-Object {$_.Name -eq "ProcessId"})."#text"
    }
}

$Analysis | Group-Object User, Process | Sort-Object Count -Descending | Format-Table Name, Count

3. Check for registry backup and recovery options:

# Check for System Restore points
Get-ComputerRestorePoint | Sort-Object CreationTime -Descending | Select-Object -First 10

# Examine registry transaction logs
Get-ChildItem "C:\Windows\System32\config\" -Filter "*.LOG*" | Sort-Object LastWriteTime -Descending

4. Document findings and create incident timeline:

# Generate incident report
$ReportPath = "C:\Forensics\RegistryDeletionReport_$(Get-Date -Format 'yyyyMMdd_HHmmss').html"
$Analysis | ConvertTo-Html -Title "Registry Deletion Analysis" -PreContent "
Registry Deletion Incident Analysis
Generated: $(Get-Date)
" | Out-File $ReportPath

5. Implement containment measures if malicious activity is suspected:
   • Isolate affected systems from network
   • Preserve evidence using disk imaging tools
   • Reset compromised user credentials
   • Apply additional monitoring and access controls