Something changed the regedit longpathenable value to 0

黎科正 0 Reputation points
2024-09-29T16:50:55.9+00:00

I am learning to use sd webui. This tool needs long path support to be enabled. I have enabled long paths in both the policy group and the registry, but after a while (maybe after restarting 2 to 3 times) I found that the value of longpathenable in the registry has been changed to 0.

Here is my computer OS info:

Windows 11 Pro

OS version 24H2

Installed on 2024/9/18

Operating system version number 26100.1742

Now I want to know how to find out which program or system function automatically modified the registry value to 0, and how to prevent this from happening again.


1 answer

  1. Yanhong Liu 9,455 Reputation points Microsoft Vendor
    2024-09-30T07:27:06.4433333+00:00

    Hello

    Thank you for posting in the Q&A forum.

    Here are two ways to find out which program changed the regedit value.

    1. Using the Process Monitor tool

    Open Process Monitor as administrator and then wait for the regedit value to change again; Ctrl+E enables or disables monitoring.

    After the value has changed, you can filter by the regedit path to find out which program changed this value.

    Process Monitor - Sysinternals | Microsoft Learn

    2. Using auditing to monitor

    Open Group Policy >>> find the path below

    Computer configuration >>> Policies >>> Windows Settings >>> Security Settings >>> Advanced Audit Policy Configuration >>> Object Access >>> Audit Registry

    Double-click Audit Registry and enable this policy.

    Then find your regedit path, right-click the changed value >>> Permissions >>> Advanced >>> Auditing >>> Add >>> Principal (Everyone means audit everyone) >>> Type (All means audit both success and failure) >>> Applies to (This key and subkeys) >>> Basic permissions (Full Control means audit all actions)

    Now open Event Viewer >>> Security >>> you can find the events listed below if anyone changes this registry.

    • 4663(S): An attempt was made to access an object.
    • 4656(S, F): A handle to an object was requested.
    • 4658(S): The handle to an object was closed.
    • 4660(S): An object was deleted.
    • 4657(S): A registry value was modified.
    • 5039(-): A registry key was virtualized.
    • 4670(S): Permissions on an object were changed.

    Audit Registry - Windows 10 | Microsoft Learn

    Best regards

    Yanhong

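Method 2 from the answer above as a PowerShell script, added here as an example and not part of the original thread. It assumes an elevated session and the standard location of the long-path setting (`HKLM\SYSTEM\CurrentControlSet\Control\FileSystem`, value `LongPathsEnabled`), which the thread does not spell out. It audits only successful value writes on that one key, a narrower rule than Full Control on the key and subkeys, so the Security log stays small.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Function names are illustrative.
# Assumed location of the setting (the thread does not give the path):
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$ValueName = 'LongPathsEnabled'

function Enable-LongPathAudit {
    # Step 1: enable the "Audit Registry" subcategory (Object Access), success only.
    # The GUID form works regardless of the Windows display language.
    auditpol.exe /set /subcategory:"{0CCE921E-69AE-11D9-BED3-505054503030}" /success:enable | Out-Null

    # Step 2: add an audit (SACL) entry on the key: Everyone, successful SetValue.
    $acl  = Get-Acl -Path $KeyPath -Audit
    $rule = [System.Security.AccessControl.RegistryAuditRule]::new(
        [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0'),  # Everyone
        [System.Security.AccessControl.RegistryRights]::SetValue,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
}

function Get-LongPathChange {
    # Step 3: read event 4657 (registry value modified) and keep only this value.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt  = $_
            $data = @{}
            foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
                $data[$node.Name] = $node.'#text'
            }
            if ($data['ObjectValueName'] -eq $ValueName -and
                $data['ObjectName'] -like '*\Control\FileSystem') {
                [pscustomobject]@{
                    Time      = $evt.TimeCreated
                    Process   = $data['ProcessName']   # full path of the writing process
                    ProcessId = $data['ProcessId']
                    User      = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                    OldValue  = $data['OldValue']
                    NewValue  = $data['NewValue']
                }
            }
        }
}

# Enable-LongPathAudit                              # run once, before the next reboot
# Get-LongPathChange | Format-Table -AutoSize       # run after the value has flipped to 0
```

Event 4657 is written only for changes made after both the audit policy and the key's audit entry are in place, so set them up first and then wait for the value to flip again.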