

Additional Registry Keys

You can also add or modify the following keys and values to change the way CA ControlMinder performs:

Registry Entry

Type

Description

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\drveng\Parameters\DisableFileInterception

REG_DWORD

Specifies whether the file interception hooking is disabled (relevant functions are not initialized at boot time).

Value: 1 (disabled)

Note: If this registry entry does not exist (the default), or is set to any value other than 1, file interception is initialized at boot time.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\drveng\Parameters\DisableNetworkInterception

REG_DWORD

Specifies whether network interception hooking is disabled (relevant functions are not initialized at boot time).

Value: 1 (disabled)

Note: If this registry entry does not exist (the default), or is set to any value other than 1, network interception is initialized at boot time.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\drveng\Parameters\DisableProcessInterception

REG_DWORD

Specifies whether process interception hooking is disabled (relevant functions are not initialized at boot time).

Value: 1 (disabled)

Note: If this registry entry does not exist (the default), or is set to any value other than 1, process interception is initialized at boot time.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\drveng\Parameters\DisableRegistryInterception

REG_DWORD

Specifies whether the registry interception hooking is disabled (relevant functions are not initialized at boot time).

Value: 1 (disabled)

Note: If this registry entry does not exist (the default), or is set to any value other than 1, registry interception is initialized at boot time.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SeosDrv\Parameters\KernelBuffersSize

REG_DWORD

When the CA ControlMinder kernel driver (seosdrv.sys) starts, it allocates, by default, memory for its internal use, according to the following formula:

number_of_buffers = amount_of_RAM

For example, 256 buffers are allocated for 256 MB of RAM. Each buffer is 4096 bytes long.

If you want to control the number of buffers that seosdrv.sys allocates, create this registry key and set the value to the number of buffers to allocate.

Note: 32 is the minimum number of buffers.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\SeosDrv\EventMessageFile

REG_EXPAND_SZ

Defines the pathname to the seosdrv.sys driver.

Default: %SystemRoot%\System32\drivers\seosdrv.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\SeosDrv\TypesSupported

REG_DWORD

A standard Windows entry that defines the bitmask of supported event types.

Default: 7

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cainstrm\parameters\DllScanList

REG_SZ

Defines a list of comma-separated DLLs (by name) that trigger injection by cainstrm.sys.

Default: No default

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cainstrm\parameters\DllScanListRefreshPeriod

REG_DWORD

Defines the interval, in seconds, for scanning the cainstrm registry entry.

Default: 600

HKEY_LOCAL_MACHINE\System\CCS\Services\Cainstrm\parameters\ExcludeProcess

REG_MULTI_SZ

Specifies processes by name to be excluded from native instrumentation by the driver.

Default: none

HKEY_LOCAL_MACHINE\SYSTEM\CCS\Services\Cainstrm\Parameters

REG_DWORD

Specifies the CA ControlMinder low-level instrumentation policy towards .Net assemblies.

Default: 1 (1 implies that the instrumentation of .Net assemblies is enabled).

HKLM\SYSTEM\CurrentControlSet\Services\cainstrm\Parameters\DotNetOperationMode

REG_DWORD

Defines the CA ControlMinder low-level instrumentation policy toward .Net assemblies.

Default: 1 (1 enables the instrumentation of .Net assemblies. Any value different from 1 disables the instrumentation of .Net assemblies).
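
The following PowerShell audits the four Disable*Interception entries listed above, using the rule from their notes: only the value 1 disables a hook, and a missing entry or any other value leaves interception initialized at boot. It is an added example, not part of the CA ControlMinder documentation; the function names Get-InterceptionState and Read-DrvEngValues are hypothetical and the sample snapshot is constructed.

```powershell
# Added example (not CA code): report which interception hooks are disabled.
$DrvEngKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\drveng\Parameters'
$Hooks     = 'File', 'Network', 'Process', 'Registry'

function Get-InterceptionState {
    param([hashtable]$Values)   # value name -> data, as read from drveng\Parameters
    foreach ($hook in $Hooks) {
        $name    = "Disable${hook}Interception"
        $present = $Values.ContainsKey($name)
        $data    = if ($present) { $Values[$name] } else { $null }
        [pscustomobject]@{
            Hook     = $hook
            Present  = $present
            Data     = $data
            # Per the notes in the table: only the value 1 disables the hook.
            Disabled = ($present -and $data -eq 1)
        }
    }
}

function Read-DrvEngValues {
    # Reads the live key on a Windows host; returns an empty table if the key is absent.
    $table = @{}
    $item  = Get-ItemProperty -Path $DrvEngKey -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -like 'Disable*Interception') { $table[$p.Name] = $p.Value }
        }
    }
    return $table
}

# Constructed sample snapshot (not taken from a real host).
$sample = @{
    DisableFileInterception    = 1   # disabled
    DisableNetworkInterception = 0   # still enabled: only 1 disables
    DisableProcessInterception = 2   # still enabled: only 1 disables
    # DisableRegistryInterception is absent: the default, enabled
}

Get-InterceptionState -Values $sample | Format-Table -AutoSize

# On a live system:
# Get-InterceptionState -Values (Read-DrvEngValues) | Where-Object Disabled
```

Any row with Disabled set to True means that hook is not initialized at boot, so the corresponding ControlMinder interception is off until the value is removed or changed.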