Ringfencing Registry Activity

2 min. read | last update: 07.11.2025

Malware often hides in the registry. Ringfencing allows you to block an application from making any changes to your registry, preventing the possibility that something malicious could be written to it. When you toggle on 'Restrict this application from changing the registry?', no registry access will be permitted unless it is listed in ‘Registry Access Exceptions’. 


Many legitimate programs, such as 'Notepad++', require access to the registry. To observe which programs need to access the registry, you can enable registry restrictions and then set the policy to 'Monitor Only'. This will log all interactions with the registry without blocking them. 


The Unified Audit will show you the exact path of the registry key that was created or changed. You can filter by 'Policy Name' using 'Advanced Search' and enter the name of the policy whose registry interaction you wish to view. Then, under 'Action Type', select 'Registry' from the dropdown to view only registry interactions.

You will see the exact path to the registry key in the 'Details' column.


You can permit any denied registry activity by expanding the entry in the Unified Audit and selecting the 'Add to Policy' button.   


You can use wildcards in the path if desired. As you can see in the Unified Audit excerpt above, ‘Notepad++’ makes many different registry entries when executing, and many follow the same path. In the screenshot below, you can see how we permitted these using wildcards in the path. 

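Before committing a wildcard exception, it helps to check which of the registry paths logged in Monitor Only mode it would permit, and whether it permits more than intended. The following is an added example, not part of the original article or the product's own tooling. It assumes `*` matches any run of characters (including `\`) and that matching is case-insensitive; the paths, function names and breadth threshold are constructed for illustration, so confirm the wildcard semantics against the product documentation.

```python
import re

# Constructed sample: registry paths as they might appear in the 'Details'
# column of Monitor Only audit entries (not taken from a real audit).
OBSERVED = [
    r"HKEY_CURRENT_USER\Software\ExampleEditor\Settings\Theme",
    r"HKEY_CURRENT_USER\Software\ExampleEditor\Settings\Font",
    r"HKEY_CURRENT_USER\Software\ExampleEditor\Recent\File1",
    r"HKEY_CURRENT_USER\Software\Classes\.txt\OpenWithList",
    # Autostart location: an application should rarely need write access here.
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
]

def to_regex(pattern):
    """Compile an exception path; assumed semantics: '*' = any characters."""
    parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile(".*".join(parts) + r"\Z", re.IGNORECASE)

def coverage(exceptions, observed):
    """Return ({exception: paths it permits}, [paths no exception permits])."""
    hits = {e: [p for p in observed if to_regex(e).match(p)] for e in exceptions}
    covered = {p for paths in hits.values() for p in paths}
    uncovered = [p for p in observed if p not in covered]
    return hits, uncovered

def too_broad(pattern, min_fixed_keys=3):
    """Heuristic (assumption): flag a wildcard that begins fewer than
    min_fixed_keys path separators into the path, e.g. directly under Software."""
    fixed = pattern.split("*", 1)[0]
    return "*" in pattern and fixed.count("\\") < min_fixed_keys

if __name__ == "__main__":
    candidates = [
        r"HKEY_CURRENT_USER\Software\ExampleEditor\*",  # scoped to the application
        r"HKEY_CURRENT_USER\Software\*",                # also permits the Run key
    ]
    for candidate in candidates:
        hits, uncovered = coverage([candidate], OBSERVED)
        print(candidate, "| broad:", too_broad(candidate))
        for path in hits[candidate]:
            print("   permits:", path)
        for path in uncovered:
            print("   still denied:", path)
```

Paths that remain uncovered after the scoped wildcard are the ones to review individually in the audit before deciding whether to permit them.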

When you apply Ringfencing to an application that has not previously had it applied, it is important to place that specific policy into a 'Monitor Only' status for about a week.   

Failure to place a new Ringfencing policy into a Monitor Only status for a week may impact your day-to-day business operations.
