Most of the time, whenever you make a change to a group policy object, Windows actually creates and/or modifies registry values. If you ever want to find out what registry settings are being changed in the background when you modify a policy object, you can do so pretty easily. Let’s learn how.
Note: for this article it’s assumed you already know what the Windows Registry is and its different components, like keys, values, value types, and value data.
1. Use Group Policy Search Website
Microsoft has a dedicated website to search and find information about group policy objects. This website not only gives a variety of details about each and every available group policy object but also shows what registry changes are made when you modify a policy object.
1. First, head over to the group policy search website, and use the search bar to find the policy you want to modify.
2. For instance, I want to modify the biometric usage policy. I searched and selected that policy. As soon as you select the policy, you will see a bunch of information about that particular object on the right panel.
3. Under the Details section, you will see the registry key that is being modified right next to the “Registry Key” heading. The registry value name is specified right next to the “Value” heading. For the value data, you will find it at the bottom of the “Explanation” section.
4. When you put all three together, you get a full picture of what registry keys and values are being modified. In my case, a DWORD or QWORD value called “Enabled” is created under the “HKLM\SOFTWARE\Policies\Microsoft\Biometrics” key, and its value data is set to “1” if the policy object is enabled and “0” if the policy object is disabled.
It’s as simple as that.
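Once the website has told you which key and value a policy maps to, you can confirm it on a live machine. The following PowerShell function is an added example (not code from the original article): it reads the key and value name found above and reports whether the policy is enabled, disabled, or not configured. The key path and value name are the ones the article found for the biometrics policy; the function works for any other policy-backed key/value pair as well. Both absences (no key, or key without the value) are treated as “Not Configured”, because unconfiguring a policy in the editor removes the value again.

```powershell
# Added example (not from the original article): check on a live machine the registry
# value that the Group Policy Search website reports for a policy.
function Get-PolicyRegistryState {
    param(
        [Parameter(Mandatory)] [string] $Key,        # e.g. 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'
        [Parameter(Mandatory)] [string] $ValueName   # e.g. 'Enabled'
    )

    # A policy that was never configured leaves no key at all, and setting it back to
    # "Not Configured" deletes the value again, so both absences mean the same thing.
    if (-not (Test-Path -LiteralPath $Key)) {
        return [pscustomobject]@{ Key = $Key; Value = $ValueName; Type = $null; Data = $null; State = 'Not Configured (key absent)' }
    }

    $item = Get-Item -LiteralPath $Key    # a Microsoft.Win32.RegistryKey object
    if ($item.GetValueNames() -notcontains $ValueName) {
        return [pscustomobject]@{ Key = $Key; Value = $ValueName; Type = $null; Data = $null; State = 'Not Configured (value absent)' }
    }

    $data = $item.GetValue($ValueName)
    $kind = $item.GetValueKind($ValueName)   # REG_DWORD shows as 'DWord', REG_QWORD as 'QWord'

    # The article's policy uses 1 = enabled and 0 = disabled; other policies may use
    # different data, so anything else is reported as-is rather than guessed at.
    $state = switch ($data) {
        1       { 'Enabled' }
        0       { 'Disabled' }
        default { "Unknown ($data)" }
    }
    [pscustomobject]@{ Key = $Key; Value = $ValueName; Type = $kind; Data = $data; State = $state }
}

# Usage: the key and value the article found for the biometrics policy.
Get-PolicyRegistryState -Key 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics' -ValueName 'Enabled'
```

Run it from an elevated prompt if the key is under HKLM and you also want to compare against a change you have just made in the editor; reading alone needs no elevation. The `HKLM:` drive is a built-in PowerShell provider path, so user-scoped policies can be checked the same way with `HKCU:\SOFTWARE\Policies\...`.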
2. Use Process Monitor to Find Registry Changes
Sometimes you won’t find the registry details or the target policy object on the Group Policy Search website. In those cases you can use the Sysinternals Process Monitor to get the job done. This small tool will monitor and show the changes made to the registry.
1. First, download Process Monitor, extract it to your desktop, right-click on it and select “Run as administrator.”
2. By default, Process Monitor will show all processes. Since we only need to monitor Group Policy, we need to filter out everything else. To do that, select the “Filter” option from the “Filter” menu.
3. Under the “Display entries matching these conditions” section you will see a bunch of drop-down menus. Select “Process Name” from the first drop-down menu, “is” from the second drop-down menu, type “mmc.exe” into the third drop-down menu (the Group Policy Editor runs as a snap-in inside mmc.exe), and select “Include” from the fourth drop-down menu. Click on the “Add” button to add the filter.
4. We need to create another filter. Select “Operation” from the first drop-down menu, “is” from the second drop-down menu, select “RegSetValue” from the third drop-down menu and “Include” from the fourth drop-down menu. Click on the add button to add the filter.
5. Once you are done, this is how it should look in the Filter window. Click on the “OK” button to apply the filter.
6. After applying the filter, open Group Policy Editor, find the policy you want to change and double-click on it.
7. Don’t make any changes to the policy yet. If you look at Process Monitor, you will see that it has already tracked a huge list of events related to Group Policy. Since we are only interested in the registry change made by a policy modification, this is nothing but noise. Clear the list by going to “Edit” and then selecting the “Clear Display” option.
8. Now, go ahead and make changes to the policy, and click on the “OK” button to save policy changes. In my case, I’m enabling the policy.
9. As soon as you save the policy, the event is tracked in the Process Monitor. Right-click on the event, and select the “Jump to” option.
10. You will be instantly taken to the modified registry value within the Windows Registry.
It is that simple to see which registry settings or values are changed when you modify a group policy object.
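If you would rather keep a record than click through the GUI, Process Monitor can save a capture as CSV (File > Save, CSV format), and the same two filters the article sets (Process Name is mmc.exe, Operation is RegSetValue) can be applied to that file. The PowerShell below is an added example, not code from the original article or from Sysinternals: it reads an exported capture, keeps only the policy writes, and splits each event into the key, value name, type and data, which is what the “Jump to” step shows you in the Registry Editor. The column names are Process Monitor’s default CSV header; the sample rows are constructed for this example and are not a real capture.

```powershell
# Added example (not from the original article): apply the article's Process Monitor
# filters (mmc.exe + RegSetValue) to a CSV export and list the registry values written.

# Constructed sample rows in Process Monitor's default CSV layout (not a real capture).
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:01.1234567 AM","mmc.exe","4120","RegOpenKey","HKLM\SOFTWARE\Policies\Microsoft\Biometrics","SUCCESS","Desired Access: Read"
"10:15:01.1234890 AM","mmc.exe","4120","RegSetValue","HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Enabled","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:15:01.2000000 AM","svchost.exe","1288","RegSetValue","HKLM\SYSTEM\CurrentControlSet\Services\Example\Start","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
"10:15:01.3000000 AM","mmc.exe","4120","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Enabled","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
'@

function Get-PolicyRegistryWrites {
    param(
        [Parameter(Mandatory)] [string[]] $CsvLines,   # lines of a Procmon CSV export
        [string] $ProcessName = 'mmc.exe'              # the Group Policy Editor host process
    )
    $events = $CsvLines | ConvertFrom-Csv
    foreach ($e in $events) {
        # Same two conditions as the GUI filter: process name and RegSetValue operation.
        if ($e.'Process Name' -ne $ProcessName -or $e.Operation -ne 'RegSetValue') { continue }

        # Procmon's Path is "key\valuename"; split it the way the Registry Editor shows it.
        $key   = Split-Path -Path $e.Path -Parent
        $value = Split-Path -Path $e.Path -Leaf

        # The Detail column carries "Type: REG_DWORD, Length: 4, Data: 1".
        $type = $null; $data = $null
        if ($e.Detail -match 'Type:\s*([A-Z_]+)') { $type = $Matches[1] }
        if ($e.Detail -match 'Data:\s*(.*)$')     { $data = $Matches[1] }

        [pscustomobject]@{ Key = $key; Value = $value; Type = $type; Data = $data; Result = $e.Result }
    }
}

# Usage with the constructed sample; only the mmc.exe RegSetValue row survives the filter.
Get-PolicyRegistryWrites -CsvLines ($sampleCsv -split "`r?`n") | Format-Table -AutoSize

# With a real export saved from Process Monitor:
# Get-PolicyRegistryWrites -CsvLines (Get-Content .\Logfile.csv) | Format-Table -AutoSize
```

Because the filter is applied after the fact, you can capture without any filter at all, save the full log, and still reduce it to the policy writes later; that also keeps the surrounding RegOpenKey and RegQueryValue events available if a policy turns out to touch more than one value.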