KBI 311195 Argent Registry Auditing Service

Version

Argent Advanced Technology 3.1A-1504-A or above

Date

Thursday, 23 April 2015

Summary

Registry changes can be incredibly dangerous, and Argent, like other software companies, has had its fair share of support issues triggered by registry changes that customers made without consulting Argent.

Argent’s free registry auditing service improves support from Argent by notifying Argent of ALL Argent-related registry changes.

This feature is enabled by default, and can be disabled via a registry setting.

Technical Background

How Does It Work?

Each Argent AT product keeps a snapshot of the current registry settings for its own registry folder.

For example, Argent Guardian Ultra keeps a snapshot of HKLM\SOFTWARE\Wow6432Node\Argent\ARGENT_GUARDIAN_ULTRA

Whenever a registry key within this folder is manually changed via REGEDIT or other means, an email is sent to Config@Argent.com with the following information:

  • Date/Timestamp
  • Server and Domain where the change occurred
  • Type of Component — Argent Main Engine, Daughter Engine, Trusted Agent, etc.
  • Company name and Contact name extracted from the Argent AT license key
  • List of registry key changes with values (before and after)
  • Registry Dump of the Argent product-specific registry folder

All information is Argent-specific and is used purely as a change log for Argent-specific registry changes.

Note: Fresh installations of products will always trigger emails to Config@Argent.com from each installed product, as the snapshot is initially {empty}.
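The snapshot comparison described above can be reproduced locally to keep your own change log of the same folder. The following is an added example, not Argent's code: it parses two constructed snapshots in .reg export syntax, lists before/after values, and checks the disable value. Value names other than REPORT_CONFIG_INTERVAL_IN_MINUTES are made up, and multi-line hex values are not handled.

```python
import re

# Constructed sample data in .reg export syntax; only the COMMON path and
# REPORT_CONFIG_INTERVAL_IN_MINUTES come from the article, the rest is made up.
BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Argent\COMMON]
"REPORT_CONFIG_INTERVAL_IN_MINUTES"=dword:00000001
"EXAMPLE_LOG_DIR"="C:\\Logs"
'''
AFTER = BEFORE.replace("dword:00000001", "dword:ffffffff") + '"EXAMPLE_NEW_VALUE"=dword:00000005\n'

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Return {(key_path, value_name): raw_data} from .reg-style text."""
    snapshot, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            snapshot[(key, m.group(1))] = m.group(2)
    return snapshot

def diff_snapshots(old, new):
    """List (change, key, name, before, after) for every differing value."""
    changes = []
    for ident in sorted(old.keys() | new.keys()):
        before, after = old.get(ident), new.get(ident)
        if before != after:
            kind = "added" if before is None else "removed" if after is None else "modified"
            changes.append((kind, *ident, before, after))
    return changes

def reporting_disabled(snapshot):
    """True if the article's disable value (hex FFFFFFFF) is set under the Argent COMMON key."""
    for (key, name), data in snapshot.items():
        if key.upper().endswith(r"\ARGENT\COMMON") and name == "REPORT_CONFIG_INTERVAL_IN_MINUTES":
            return data.lower() == "dword:ffffffff"
    return False

if __name__ == "__main__":
    for change in diff_snapshots(parse_reg(BEFORE), parse_reg(AFTER)):
        print(change)
    # An empty snapshot (fresh install) reports every value as added.
    print(len(diff_snapshots({}, parse_reg(AFTER))), "values reported on first run")
```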

Who Sees This Information?

Config@Argent.com is a mailbox that is only accessible by Argent’s senior technical managers.

Information is only retrieved from the mailbox when Argent support issues are escalated to senior management, and when possible registry changes are suspected as the root cause.

Can I Disable This Feature?

Yes. Make the following registry change on each Argent engine where the feature should be disabled:

HKLM\SOFTWARE\Wow6432Node\Argent\COMMON\REPORT_CONFIG_INTERVAL_IN_MINUTES

Change the value from 1 to the hex value FFFFFFFF.

Resolution

N/A