Sysmon Event ID 13


13: RegistryEvent (Value Set)

This is an event from Sysmon.

On this page

This Registry event type identifies Registry value modifications. The event records the value written for Registry values of type DWORD and QWORD.

Free Security Log Resources by Randy

Description Fields in 13

  • Log Name
  • Source
  • Date
  • Event ID
  • Task Category
  • Level
  • Keywords
  • User
  • Computer
  • Description
  • EventType
  • UtcTime
  • ProcessGuid
  • ProcessId
  • Image
  • TargetObject
  • Details

Supercharger Free Edition

Supercharger's built-in Xpath filters leave the noise behind.



Examples of 13

Registry value set:
EventType: SetValue
UtcTime: 2017-05-11 04:31:19.613
ProcessGuid: {a23eae89-e8bf-5913-0000-0010db9f7109}
ProcessId: 25228
Image: C:\Windows\regedit.exe
TargetObject: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BadWolf
Details: run


Event XML:
<Event xmlns="">
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
    <TimeCreated SystemTime="2017-05-11T04:31:19.619361100Z" />
    <Correlation />
    <Execution ProcessID="3188" ThreadID="3836" />
    <Security UserID="S-1-5-18" />
    <Data Name="EventType">SetValue</Data>
    <Data Name="UtcTime">2017-05-11 04:31:19.613</Data>
    <Data Name="ProcessGuid">{A23EAE89-E8BF-5913-0000-0010DB9F7109}</Data>
    <Data Name="ProcessId">25228</Data>
    <Data Name="Image">C:\Windows\regedit.exe</Data>
    <Data Name="TargetObject">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BadWolf</Data>
    <Data Name="Details">run</Data>

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection


Additional Resources