jaclaz wrote:
That will tell you which user was logged in at the time the key was changed, but not necessarily which user changed the key at that time.
Let's say that I set an AT or SCHTASK scheduled task, just as an example. [Rolling Eyes]
On Windows systems, there is enough detail in data recorded in the Registry such that if someone logged in via the console, or remotely via RDP, and opened RegEdit, modified the key, and closed RegEdit, you would be able to determine which user account was used.
For Vista+ systems, there is enough detail in logging that if someone created a Scheduled Task, even remotely, you'd still be able to determine the user account used.
Without a video camera or witness to observe the actions, you won't be able to tell who did it, but you can still determine when and which user account was used.