How can I use Process Monitor to detect register changes made by GPEdit modifications?

All we need is an easy explanation of the problem, so here it is.

It is supposed that Process Monitor can capture the registry changes made by any program. This thread explains it fine (thanks you, James T).

But it seems things are not so easy when talking about Group Policies Editor (gpedit.msc), because I am getting more than 738 register events when trying to change just one entry:

User Configuration -> Administrative Templates -> Code signing for drivers

Lots of captured data

How can I isolate the specific registry change for my GPEdit change performed?

New data:

As suggested by Frank Thomas (thanks), there was only one RegSetValue entry, named HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{7C9BF3F4-1B9E-476F-871D-D20B09E6DA5A}User\Software\Policies\Microsoft\Windows NT\Driver Signing\BehaviorOnFailedVerify.
This BehaviorOnFailedVerify key was what I was changing, but such key has been changed in multiple places at the register:

  • At HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{7C9BF3F4-1B9E-476F-871D-D20B09E6DA5A}User\Software\Policies\Microsoft\Windows NT\Driver Signing as stated.
  • At HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\Driver Signing.
  • At HKEY_USERS\S-1-5-21-1389804526-12218611-1726603683-1004\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{7C9BF3F4-1B9E-476F-871D-D20B09E6DA5A}User\Software\Policies\Microsoft\Windows NT\Driver Signing.
  • At HKEY_USERS\S-1-5-21-1389804526-12218611-1726603683-1004\Software\Policies\Microsoft\Windows NT\Driver Signing.

This is: four changes, and only one of them has been detected by Process Monitor.
Is this correct? Why?
If pretending to perform the same change via the reg command (without using gpedit.msc, which one should I change? All the four?

Note: I did not explain, as long as I did not think it was necessary, but my original idea was to be capable to change the key BehaviorOnFailedVerify via remote shell, like SSH or telnet).
Note-2: For those wondering what does this change: it disables driver signature verification request so nothing prompts no the screen to the GUI user when installing some unsigned drivers like TAP-driver (network) for OpenVPN unattended installation.

How to solve :

I know you bored from this bug, So we are here to help you! Take a deep breath and look at the explanation of your problem. We have many solutions to this problem, But we recommend you to use the first method because it is tested & true method that will 100% work for you.

Method 1

Use RegFromApp instead. Attach it to the MMC.exe that runs gpedit, and click on the green arrow to start logging. If you change the entries, the tool generates a .reg file that you can save and use later again.

Note: Use and implement method 1 because this method fully tested our system.
Thank you 🙂

All methods was sourced from or, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply