At least once a day, the integrated camera on my laptop stops working for meetings. I can disable and re-enable my camera to get it working again, which makes me think that something is using my camera so I can't initialize it for my meeting. I've looked at all my apps and nothing appears to be using my camera, so I'm trying to investigate this. I'm trying to monitor edits to my system registry using the advice in this post. With this I should be able to detect when my camera gets turned on/off or used by something.

For the life of me, I can't get registry modifications to show up in the event log. I turned my camera on/off and I can see the DWORD for "camera last used" update. I've also modified other registry values manually and I've added and removed attributes, but nothing shows up in the Event Viewer.

I've downloaded and installed Sysmon. I can see it running and can view the event logs. To reduce noise, I modified the config file to exclude all ProcessCreate, ProcessTerminate, NetworkConnect, and DriverLoad events and include all RegistryEvents. I've tried doing this various ways, leaving each include/exclude as its own command, which resulted in a config file like this:

Rule configuration (version 4.90):
 - ProcessCreate                      onmatch: exclude   combine rules using 'And'
 - NetworkConnect                     onmatch: exclude   combine rules using 'And'
 - ProcessTerminate                   onmatch: exclude   combine rules using 'And'
 - DriverLoad                         onmatch: exclude   combine rules using 'And'
 - RegistryEvent                      onmatch: include   combine rules using 'And'

I also put all of the excludes in a rule group with an "or" rule and left the include outside the rule group which resulted in a rule config like this:

Rule configuration (version 4.90):
 - ProcessCreate                      onmatch: exclude   combine rules using 'Or'
 - NetworkConnect                     onmatch: exclude   combine rules using 'Or'
 - ProcessTerminate                   onmatch: exclude   combine rules using 'Or'
 - DriverLoad                         onmatch: exclude   combine rules using 'Or'
 - RegistryEvent                      onmatch: include   combine rules using 'And'

Finally, in case the And/Or things were getting in the way, I removed all the excludes, leaving this rule config:

Rule configuration (version 4.90):
 - RegistryEvent                      onmatch: include   combine rules using 'And'

I can see the Sysmon property changes in the Event Viewer, but I can't find any RegistryEvents in my Event Viewer. Any advice on how to get registry events to show up in my event log? I could share my config files if that helps, but since I'm able to modify the rule configuration, I don't think that's the issue. Thanks in advance.
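As an added example (not part of the original question), here is a Sysmon configuration that does what the rule summaries above are aiming for, together with a PowerShell query to read the resulting events back. The relevant Sysmon filter semantics, as documented by Sysinternals: an event type with `onmatch="include"` and no rules logs nothing of that type (the idiom for switching a type off), while `onmatch="exclude"` with no rules logs every event of that type. A bare `RegistryEvent onmatch: include` therefore needs at least one rule before any registry event is written, and the `And`/`Or` relation is irrelevant while the rule count is zero. This example assumes `Sysmon64.exe` is on `PATH`, the shell is elevated, and that Windows records per-app camera use under `HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam` (the `LastUsedTimeStart` / `LastUsedTimeStop` values); the config filename and the `Get-WebcamRegistryEvents` function are mine, not the page's.

```powershell
# Added example, not code from the original post.
# Assumptions: Sysmon64.exe is on PATH, this runs elevated, and the webcam
# consent store lives under ...\CapabilityAccessManager\ConsentStore\webcam.

$configPath = Join-Path $env:TEMP 'sysmon-webcam.xml'   # hypothetical filename

$config = @'
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <!-- onmatch="include" with NO rules logs nothing for that type.
         This is how the noisy types are silenced; an empty "exclude"
         would do the opposite and log all of them. -->
    <ProcessCreate onmatch="include" />
    <ProcessTerminate onmatch="include" />
    <NetworkConnect onmatch="include" />
    <DriverLoad onmatch="include" />
    <!-- An include needs at least one rule to match anything. This one keeps
         only registry activity under the webcam consent store (assumed path). -->
    <RegistryEvent onmatch="include">
      <TargetObject condition="contains">CapabilityAccessManager\ConsentStore\webcam</TargetObject>
    </RegistryEvent>
  </EventFiltering>
</Sysmon>
'@

Set-Content -Path $configPath -Value $config -Encoding ASCII

# Load the new filter set into the running driver, then print the active
# configuration so the "Rule configuration" summary can be checked.
& sysmon64.exe -c $configPath
& sysmon64.exe -c

function Get-WebcamRegistryEvents {
    param([int]$MaxEvents = 200)

    # Sysmon registry event IDs: 12 = key/value create or delete,
    # 13 = value set, 14 = key/value rename.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'
        Id      = 12, 13, 14
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read EventData fields by name; the numeric Properties index
        # shifts between Sysmon versions.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        if ($data['TargetObject'] -like '*ConsentStore\webcam*') {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                EventId = $e.Id
                Image   = $data['Image']         # process that wrote the key
                Target  = $data['TargetObject']  # subkey names the consuming app
                Details = $data['Details']       # value data, present on ID 13
            }
        }
    }
}

Get-WebcamRegistryEvents | Sort-Object Time | Format-Table -AutoSize
```

After applying the config, toggle the camera once and run the query again; ID 13 events on `LastUsedTimeStart` / `LastUsedTimeStop` should appear. Note that the consent store is maintained by a Windows service, so the `Image` column may show a system process rather than the application itself; the application is identified by the subkey in `Target` (packaged apps under their package name, classic executables under `NonPackaged`). To log every registry change instead of just this key, replace the `RegistryEvent` block with `<RegistryEvent onmatch="exclude" />`, at the cost of a great deal of noise.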

