When you want to change the settings for a registry key, you first need to identify the key’s name. This is done by reading the registry key’s description and looking for the string “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” (without the quotes). If this string is present, then you can identify the registry key by its name. If you don’t find the string “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” in the registry key’s description, then you can’t change its settings. You must use another method to change its settings.


Today we are going to show you how to use one of our favorite tools, Proc Mon, to see which registry keys are edited when you change a Group Policy setting on your PC.

Using Proc Mon to See Which Registry Settings a Group Policy Object Modifies

The first thing you will want to do is go and get yourself a copy of Proc Mon from the Sys Internals website.

Then you will need to extract the folder and run  the Procmon.exe file.

When Proc Mon opens, you will need to add a condition as follows:

Then click the add button.

To get only the registry keys that are changed, we need add another one:

Then again click the add button.

Once the two rules have been added, you can go ahead and click ok.

Now go and open the Group Policy setting that you wish to edit.

Before you actually change the setting, switch back over to Proc Mon and clear the log.

Then go and change the GPO and click apply.

If you switch over to Proc Mon you will see that you have a registry key(s) there. Right-click on it and select the Jump To… option from the context menu.

That will fire up Regedit and take you to the exact key which was modified

That’s all there is to it guys.