scipag / HardeningKitty

HardeningKitty - Checks and hardens your Windows configuration


Registry type needed to be REG_SZ, not REG_DWORD

dloughland87 opened this issue · comments

The Retention registry setting in "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security", "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application", "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup", and "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System" needs to be REG_SZ. The script creates these as REG_DWORD, which do configure the setting correctly.

Not sure if there are other examples here, but I only noticed this when Windows alerted me to the fact that the security log was full; however, I knew we enforced the retention setting to prevent this.

Where are you seeing that it should be REG_SZ? While it's for Server 2008, this seems to indicate that REG_DWORD is correct

That's for the MaxSize which is correct, however I'm talking about retention.

https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.EventLogs::Channel_Log_Retention_1

Ah, okay. I applied finding_list_0x6d69636b_machine.csv and finding_list_0x6d69636b_user.csv recently and just looked through those and only see it referencing MaxSize and no mention of Retention. I checked a few DoD lists in master and didn't see it mentioning Retention either. Where are you seeing it set Retention values?

Really appreciate the prompt responses - legend!

I mainly use the CIS lists. Specifically, I was using this one when I noticed: finding_list_cis_microsoft_windows_server_2016_1607_1.2.0_machine.csv

ID's:
18.9.26.1.1
18.9.26.2.1
18.9.26.3.1
18.9.26.4.1

Good call - I just applied that list to a fresh VM not joined to a domain and verified that I also see it creating the Retention item as REG_DWORD rather than REG_SZ @0x6d69636b

@thetechgy: Thank you for helping! :)

@dloughland87: You're right. However, I find it strange that Microsoft requires REG_SZ for a key that can be 0 or 1. Well, I added an exception for retention and in the future the key will be created correctly (Commit 72462bb)
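An added audit snippet (not part of this thread or of HardeningKitty) that reports the stored value kind of Retention under the four EventLog policy keys named above and, with -Fix, recreates a REG_DWORD entry as REG_SZ with the same 0/1 content; the function name and the -Fix switch are my own naming.

```powershell
# Added example, not HardeningKitty code: audit the Retention value type under the
# EventLog policy keys discussed in this issue and optionally recreate it as REG_SZ.
$Channels = 'Application', 'Security', 'Setup', 'System'
$BasePath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog'

function Test-EventLogRetentionType {
    param([switch]$Fix)   # hypothetical switch: recreate mismatched values as REG_SZ
    foreach ($Channel in $Channels) {
        $KeyPath = Join-Path $BasePath $Channel
        if (-not (Test-Path $KeyPath)) {
            Write-Output "$Channel`: key not present (policy not configured)"
            continue
        }
        $Key = Get-Item -Path $KeyPath
        if ($Key.GetValueNames() -notcontains 'Retention') {
            Write-Output "$Channel`: Retention value not set"
            continue
        }
        $Kind  = $Key.GetValueKind('Retention')   # e.g. DWord or String
        $Value = $Key.GetValue('Retention')
        if ($Kind -eq 'String') {
            Write-Output "$Channel`: Retention='$Value' (REG_SZ) - OK"
            continue
        }
        Write-Output "$Channel`: Retention=$Value stored as $Kind - expected REG_SZ"
        if ($Fix) {
            # Remove the wrongly typed value and recreate it as REG_SZ with the same content.
            Remove-ItemProperty -Path $KeyPath -Name 'Retention'
            New-ItemProperty -Path $KeyPath -Name 'Retention' -PropertyType String `
                -Value ([string]$Value) | Out-Null
            Write-Output "$Channel`: Retention recreated as REG_SZ"
        }
    }
}

Test-EventLogRetentionType          # audit only
# Test-EventLogRetentionType -Fix   # recreate mismatched values (run from an elevated shell)
```

After a fix, run gpupdate or re-apply the policy so the Event Log service picks up the corrected value.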

Thank you @0x6d69636b and @thetechgy, the latest works a treat.

Yes, agreed, very odd. I'll add it to my list of mysteries by Microsoft.