EventPeeker
Event ID 4657 · Audit Success · Security · T1547.001

Windows Event ID 4657: Registry Value Modified

Logged on the system where the change occurs when a registry value is created, modified, or deleted on a key that has a System Access Control List (SACL) configured for auditing. Requires the 'Audit Registry' policy to be enabled — without it, no 4657 events appear regardless of the change. 4657 is the primary detection signal for registry-based persistence, defense evasion, and privilege escalation attacks.

MITRE ATT&CK

Technique

T1547.001 · Registry Run Keys / Startup Folder

Tactic

Persistence

Why It Matters

The Windows registry is an attack surface for multiple technique families: persistence via Run keys and services, defense evasion by disabling security tools or altering audit policy, UAC bypass via HKCU class hijacking, and credential access by modifying LSA settings. 4657 gives you the exact value written, who wrote it, and which process wrote it — making it one of the highest-fidelity registry attack indicators available. The key limitation: auditing must be pre-configured on the specific key path you care about. Broad registry auditing generates extreme volume; targeted SACLs on high-value paths (Run keys, Services, LSA, security tool configuration) are the practical approach.

Key Fields

Object Name: Full registry path modified — the most important triage field; check against known high-value paths (Run, Services, LSA, Defender)
Object Value Name: The specific value name changed — attackers often use legitimate-looking names (WindowsUpdate, AdobeUpdater) to blend in
New Value / Old Value: What was written — New Value shows the payload path or configuration change; Old Value shows what it replaced
Operation Type: %%1904 = new value created; %%1905 = existing value modified; %%1906 = value deleted — deletions during cleanup are also relevant
Process Name: The process that wrote the value — reg.exe, powershell.exe, or an unexpected binary writing to Run keys is a strong IOC
Account Name: The account context — SYSTEM writes to HKLM are expected from installers; user-context writes to HKLM Run keys require admin rights and warrant review

Investigation Tips

  1. Priority paths to monitor: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run, \RunOnce, \SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run — any write from a non-installer process is suspicious.
  2. Defense evasion paths: \SYSTEM\CurrentControlSet\Services\WinDefend, \SOFTWARE\Policies\Microsoft\Windows Defender — modifications here disable Defender or its components.
  3. UAC bypass path: HKCU\SOFTWARE\Classes\ms-settings or \SOFTWARE\Classes\mscfile — these are the auto-elevate hijack targets used by fodhelper and eventvwr UAC bypasses (Event ID 4657 in the HKCU hive, no admin rights required).
  4. LSA path: \SYSTEM\CurrentControlSet\Control\Lsa — modifications to RunAsPPL or Authentication Packages can disable LSA protection to enable credential dumping.
  5. Compare Process Name to the expected writer: reg.exe, msiexec.exe, or a known software installer is expected; svchost.exe from AppData or an encoded PowerShell process is not.
  6. Correlate with Event 4688 (process creation) using the same Logon ID — identify the process chain that led to the registry write.
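Triage logic that applies the key fields and the tips above to raw 4657 records, as an added example written here rather than EventPeeker's own code. The high-value paths and operation-type codes are the ones this guide lists; the EXPECTED_WRITERS set, the two severity levels, and the sample events are assumptions constructed for the example.

```python
HIGH_VALUE_PATHS = {  # added example (not EventPeeker code): the guide's priority paths, hive prefix omitted
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": "persistence (Run key)",
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce": "persistence (RunOnce key)",
    r"\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run": "persistence (32-bit Run key)",
    r"\SYSTEM\CurrentControlSet\Services\WinDefend": "defense evasion (Defender service)",
    r"\SOFTWARE\Policies\Microsoft\Windows Defender": "defense evasion (Defender policy)",
    r"\SOFTWARE\Classes\ms-settings": "UAC bypass (ms-settings hijack)",
    r"\SOFTWARE\Classes\mscfile": "UAC bypass (mscfile hijack)",
    r"\SYSTEM\CurrentControlSet\Control\Lsa": "credential access (LSA settings)",
}
OPERATION_TYPES = {"%%1904": "created", "%%1905": "modified", "%%1906": "deleted"}
EXPECTED_WRITERS = {"reg.exe", "msiexec.exe"}  # assumed baseline per the guide; add your own installers

def triage_4657(event):
    """Return (severity, operation, reasons) for one 4657 event dict; matches the key or any subkey beneath it."""
    path = event["ObjectName"].lower()
    operation = OPERATION_TYPES.get(event["OperationType"], "unknown")
    category = next((why for hv, why in HIGH_VALUE_PATHS.items()  # separator check keeps Run from eating RunOnce
                     if path.endswith(hv.lower()) or (hv.lower() + "\\") in path), None)
    if category is None:
        return "info", operation, []
    reasons = [f"high-value path: {category}"]
    proc_full = event["ProcessName"].lower()
    proc = proc_full.rsplit("\\", 1)[-1]
    if proc not in EXPECTED_WRITERS or "\\appdata\\" in proc_full:  # tip 5: compare to expected writers
        reasons.append(f"unexpected writer: {proc}")
    if "\\appdata\\" in event.get("NewValue", "").lower():  # New Value carries the payload path
        reasons.append("new value points into AppData")
    if path.startswith("\\registry\\machine") and event["SubjectUserName"].lower() != "system":
        reasons.append(f"HKLM write by user account {event['SubjectUserName']}")  # Account Name field
    if category.startswith("UAC bypass") and path.startswith("\\registry\\user"):  # tip 3: HKCU hive
        reasons.append("HKCU class hijack target written (no admin rights needed)")
    return ("high" if len(reasons) > 1 else "low"), operation, reasons

# Constructed sample events (not captured logs), keyed by the 4657 event's XML field names.
SAMPLE_EVENTS = [
    {"ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ObjectValueName": "WindowsUpdate",
     "OperationType": "%%1904", "SubjectUserName": "alice", "NewValue": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "ObjectValueName": "VendorAgent", "OperationType": "%%1905", "SubjectUserName": "SYSTEM",
     "NewValue": r"C:\Program Files\Vendor\agent.exe", "ProcessName": r"C:\Windows\System32\msiexec.exe"},
    {"ObjectName": r"\REGISTRY\USER\S-1-5-21-1-2-3-1001\SOFTWARE\Classes\ms-settings",
     "ObjectValueName": "(Default)", "OperationType": "%%1904", "SubjectUserName": "alice",
     "NewValue": "", "ProcessName": r"C:\Windows\System32\reg.exe"},
    {"ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Contoso\App", "ObjectValueName": "Theme", "NewValue": "dark",
     "OperationType": "%%1905", "SubjectUserName": "alice", "ProcessName": r"C:\Program Files\Contoso\app.exe"},
]
for ev in SAMPLE_EVENTS:
    print(ev["ObjectValueName"], triage_4657(ev))
```

The installer write to the Run key comes back "low" because msiexec.exe is an expected writer, while the user-hive ms-settings write is "high" even though reg.exe wrote it, which is the point of tip 3.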

Related Event IDs

4688: Process creation — identify the process that wrote the registry value
4104: PowerShell script block — Set-ItemProperty / New-ItemProperty targeting registry
4907: Auditing settings changed — SACL removal to suppress future 4657 events
4670: Permissions on object changed — DACL modification to allow unauthorized registry writes
4624: Logon event — Run keys fire at logon; correlate to trace execution chain

Full Detection Guide Available

This event ID has a full detection guide with investigation steps, remediation advice, and example log entries.

See Event ID 4657 in your logs

Upload a Windows Event Log (.evtx) file — EventPeeker automatically detects registry value modified patterns, maps findings to MITRE ATT&CK, and generates an AI triage report.