Agent Foskett Academy • Lesson 36 • Investigating DeviceRegistryEvents

Investigating DeviceRegistryEvents in Microsoft Defender XDR

DeviceRegistryEvents records Windows registry activity from devices protected by Microsoft Defender for Endpoint.

This table helps defenders investigate registry keys, value names, value data, persistence attempts, startup locations and suspicious endpoint configuration changes.

In this lesson, you will learn how to use DeviceRegistryEvents to follow registry evidence, review value changes and support Microsoft Defender XDR investigations.

Lesson overview

Learn how DeviceRegistryEvents helps defenders investigate registry keys, value changes and persistence activity.

Review registry changes
Analyse value data
Find persistence locations
🎯 DeviceRegistryEvents helps reveal what changed in the registry.
Use it when an investigation needs registry keys, value names, value data, persistence clues or endpoint configuration changes.

Why DeviceRegistryEvents matters

Many endpoint investigations eventually ask a different question: what changed on the device?

Attackers may modify registry keys to establish persistence, weaken protections, change startup behaviour or hide activity inside normal Windows configuration areas.

DeviceRegistryEvents helps defenders investigate registry activity and connect suspicious changes back to the device, user, process and timeline.
Registry evidence: Investigate which registry keys and values changed, when they changed and on which devices.
Value evidence: Review RegistryValueName and RegistryValueData to understand what was written or modified.
Initiating process evidence: Use the initiating process fields to understand what caused the registry change.

Investigation scenario

Agent Foskett is investigating a device where suspicious execution activity may have created persistence.

DeviceProcessEvents showed what ran, but the next question is just as important: did the process change the registry?

By querying DeviceRegistryEvents, the analyst can review registry keys, value names, value data, action types and the initiating process behind the change.

Step 1 — Review recent registry activity

Start with recent DeviceRegistryEvents activity and focus on fields that explain what changed.
deviceregistryevents-recent-changes.kql
DeviceRegistryEvents
| where Timestamp > ago(24h)
| project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName
| order by Timestamp desc

Step 2 — Review common persistence locations

Registry persistence often appears in startup and run locations. Start by reviewing common keys that are frequently abused for persistence.
deviceregistryevents-run-keys.kql
DeviceRegistryEvents
| where Timestamp > ago(7d)
| where RegistryKey has_any ("\\Run", "\\RunOnce", "CurrentVersion\\Run")
| project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName
| order by Timestamp desc

Step 3 — Review the initiating process

Initiating process evidence helps defenders understand which executable or script made the registry change.
deviceregistryevents-initiating-process.kql
DeviceRegistryEvents
| where Timestamp > ago(7d)
| project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

Examples of registry changes to review

Startup persistence: Run and RunOnce keys can indicate software startup behaviour or attacker persistence.
Security setting changes: Unexpected changes to security or policy-related registry paths deserve investigation.
Suspicious value data: Registry values that reference unusual paths, scripts, encoded content or user-writable folders need review.

Step 4 — Look for suspicious value data

Suspicious registry value data can reveal persistence commands, unusual script paths or hidden execution behaviour.
deviceregistryevents-suspicious-values.kql
DeviceRegistryEvents
| where Timestamp > ago(7d)
| where RegistryValueData has_any ("powershell", "cmd.exe", "wscript", "mshta", "AppData")
| project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName
| order by Timestamp desc

How DeviceRegistryEvents supports investigations

DeviceRegistryEvents does not just show that something changed.

It can show the key, value name, value data, action type, device, user and initiating process behind the change.
Change evidence: Identify which registry item changed and when it changed during the investigation timeline.
Persistence evidence: Use RegistryKey and RegistryValueData to identify startup, run key and configuration changes.
Cause evidence: Use InitiatingProcessFileName to understand which process made the registry change.

Step 5 — Summarise registry activity

Summarising by registry key can help identify noisy changes, repeated modifications and suspicious persistence patterns across devices.
deviceregistryevents-summarise-keys.kql
DeviceRegistryEvents
| where Timestamp > ago(7d)
| summarize ChangeCount = count() by DeviceName, RegistryKey
| order by ChangeCount desc

Step 6 — Correlate with process activity

Join registry evidence to process evidence when you need to understand what ran before or around a suspicious registry change.
deviceregistryevents-join-process-events.kql
let RegistryChanges = DeviceRegistryEvents
| where Timestamp > ago(7d)
| where RegistryKey has_any ("\\Run", "\\RunOnce")
| project DeviceName, RegistryTimestamp = Timestamp, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName;
DeviceProcessEvents
| where Timestamp > ago(7d)
| join kind=inner RegistryChanges on DeviceName
// Keep only processes created within an hour either side of the registry change;
// without this window every process on the device is paired with every change.
| where Timestamp between ((RegistryTimestamp - 1h) .. (RegistryTimestamp + 1h))
| project RegistryTimestamp, Timestamp, DeviceName, FileName, ProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData
| order by RegistryTimestamp desc
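Putting Steps 2 to 6 together, here is an added hunting query that is not part of the lesson: it scopes to value writes under Run and RunOnce, flags value data that points at script interpreters, user-writable folders or encoded arguments, ranks each value by how many devices set it, and then lists the processes created on the same device in the minutes before each rare, flagged write. Column names are the documented DeviceRegistryEvents and DeviceProcessEvents schema; the 30-day lookback, the rarity threshold of three devices and the 10-minute window are assumptions to tune for your environment.

```kusto
// Added example, not from the lesson. Assumed tunables: lookback, rarity threshold, look-back window.
let Lookback = 30d;
let RareThreshold = 3;
let Window = 10m;
// Steps 2 and 4: Run/RunOnce value writes with content flags on the value data.
let RunKeyWrites = DeviceRegistryEvents
| where Timestamp > ago(Lookback)
| where ActionType == "RegistryValueSet"
| where RegistryKey has_any ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")
| extend Interpreter  = RegistryValueData has_any ("powershell", "pwsh", "wscript", "cscript", "mshta", "rundll32", "regsvr32", "cmd.exe")
| extend UserWritable = RegistryValueData has_any ("AppData", "\\Temp\\", "\\Users\\Public\\", "ProgramData")
| extend EncodedArg   = RegistryValueData has_any ("-enc", "-encodedcommand", "FromBase64String")
| extend RiskScore = iff(Interpreter, 1, 0) + iff(UserWritable, 1, 0) + iff(EncodedArg, 1, 0);
// Step 5: fleet prevalence of the identical key/name/data triple. Rare values deserve a closer look.
let Prevalence = RunKeyWrites
| summarize DeviceCount = dcount(DeviceId) by RegistryKey, RegistryValueName, RegistryValueData;
let RareWrites = RunKeyWrites
| join kind=inner Prevalence on RegistryKey, RegistryValueName, RegistryValueData
| where DeviceCount <= RareThreshold and RiskScore >= 1
| project DeviceId, DeviceName, RegistryTimestamp = Timestamp, RegistryKey, RegistryValueName, RegistryValueData,
          RiskScore, DeviceCount,
          // Step 3: who wrote the value, with what command line, under which account.
          WriterProcess = InitiatingProcessFileName, WriterCommandLine = InitiatingProcessCommandLine,
          WriterAccount = InitiatingProcessAccountName;
// Step 6: processes created on the same device in the window leading up to the write.
DeviceProcessEvents
| where Timestamp > ago(Lookback)
| join kind=inner RareWrites on DeviceId
| where Timestamp between ((RegistryTimestamp - Window) .. RegistryTimestamp)
| extend SecondsBeforeWrite = datetime_diff("second", RegistryTimestamp, Timestamp)
| project RegistryTimestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, RiskScore, DeviceCount,
          WriterProcess, WriterCommandLine, WriterAccount,
          SecondsBeforeWrite, PrecedingProcess = FileName, PrecedingCommandLine = ProcessCommandLine
| order by RegistryTimestamp desc, SecondsBeforeWrite asc
```

A value that many devices set with the same data is usually deployed software, so a low DeviceCount together with a non-zero RiskScore is the combination worth opening first.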

Common investigation uses

Persistence hunting: Review Run, RunOnce and startup-related registry paths that may launch activity after sign-in or reboot.
Configuration tampering: Investigate unexpected registry changes that weaken security controls or change endpoint behaviour.
Malware investigation: Follow registry changes made before and after suspicious process, file or network activity.

Common mistakes

Looking only at RegistryKey: Always review RegistryValueName and RegistryValueData, because the value often reveals the real intent.
Ignoring initiating processes: Understanding which process made the change can explain how the activity started.
Not correlating evidence: Registry evidence becomes much stronger when connected to process, file, network and identity activity.

What you learned

Registry changes matter: You learned how DeviceRegistryEvents reveals key, value and data changes across protected endpoints.
Value data reveals intent: You learned how RegistryValueData can expose startup commands, script paths and suspicious persistence behaviour.
Initiating processes matter: You learned how the initiating process fields help defenders trace what caused the registry change.
Next lesson: Investigating IdentityLogonEvents in Microsoft Defender XDR
Now that you can investigate registry changes, the next step is following identity authentication activity, logon events and account access evidence across your environment.

Related Agent Foskett Academy lessons

Investigating DeviceProcessEvents Review how defenders investigate process execution, command lines and parent-child process evidence.
Connecting Tables with join Review how defenders connect registry, process, network, email and identity evidence.

Continue learning with Building Investigation Timelines, KQL Threat Hunting Guide and Microsoft Security.

Develop IT. Protect IT. GEMXIT PTY LTD | GEMXIT UK LTD
