Hello
Thank you for posting in Q&A forum.
Here have two ways can find out which program change the regedit value.
1.Using process monitor tools
Open process monitors as administrator and then wait for regedit value change again, ctrl+E can enable or disable monitor.
After value is change, you can filter by regedit path find out which program change this value.
Process Monitor - Sysinternals | Microsoft Learn
2.Using Audit to monitor
Open group policy >>> find below path
Computer configuration >>> Policies >>> Windows Settings >>> Security Settings >>> Advanced Audit Policy Configuration >>> Object Access >>> Audit Registry
Double click Audit Registry and enable this policy
And then find your regedit path, right click changed value >>> Permissions >>> Advanced >>> Auditing >>> Add >>> Principal (everyone means audit everyone) >>> Type (all means audit no matter success or fail) >>> Applies to (this key and subkeys) >>> Basic permissions (Full Control means audit all action)
Now open event viewer >>> security >> you can find out below event list if anyone change this registry.
- 4663(S): An attempt was made to access an object.
- 4656(S, F): A handle to an object was requested.
- 4658(S): The handle to an object was closed.
- 4660(S): An object was deleted.
- 4657(S): A registry value was modified.
- 5039(-): A registry key was virtualized.
- 4670(S): Permissions on an object were changed.
Audit Registry - Windows 10 | Microsoft Learn
Best regards
Yanhong
=====================================
If the answer is helpful, please click "Accept answer" and upvote it.