ERROR: Unable to open registry key


Jerry Right

Jun 24, 2015, 5:26:44 AM
to ossec...@googlegroups.com
Hello, we have OSSEC deployed across our environment and have been encountering a couple of issues with registry keys lately. We are running the agents on Windows and using version 8.1. We monitor some custom registry keys, but we have been seeing an error occur and it doesn't track any of the changes. It is also having issues with some generic Windows registry keys, as follows:

2015/06/24 08:07:02 ossec-agent(1758): ERROR: Unable to open registry key: 'SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP'.
2015/06/24 08:07:02 ossec-agent(1758): ERROR: Unable to open registry key: 'SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\IPTLSIn'.
2015/06/24 08:07:02 ossec-agent(1758): ERROR: Unable to open registry key: 'SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\IPTLSOut'.
2015/06/24 08:07:02 ossec-agent(1758): ERROR: Unable to open registry key: 'SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\RPC-EPMap'.
2015/06/24 08:07:02 ossec-agent(1758): ERROR: Unable to open registry key: 'SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\Teredo'.

We are seeing the exact same error on our custom keys. I turned debugging on but it just says attempting to read the registry key and then the above error. I have checked the permissions and SYSTEM has full control so I am at a loss for why it can't open the registry key.

Any help would be appreciated.

Thanks

SoulAuctioneer

Jun 24, 2015, 6:03:11 PM
to ossec...@googlegroups.com, jerry...@hotmail.com
Looks like you might be hitting the limitation of the OSSEC agent on Windows where it has trouble seeing the registry on x64 machines. This is a known issue and will hopefully be addressed in future versions. For now you might find this workaround useful:
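
Added example, not part of either post and not the workaround the reply refers to: a PowerShell check that reports, for the 32-bit and the 64-bit registry view, whether a key from the log lines above opens, is missing, or is denied. It assumes PowerShell 3.0 or later and that it is run under the same account as the agent service; Test-RegistryKeyView is a name made up for this example.

```powershell
# Added diagnostic example; not OSSEC code. Requires PowerShell 3.0+ (.NET 4).
# Assumption: run under the account the agent service uses, so that the
# access checks match what the agent itself would get.
$keys = @(
    # Key paths copied from the agent log lines above (under HKEY_LOCAL_MACHINE).
    'SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP',
    'SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\Teredo'
)
$views = [Microsoft.Win32.RegistryView]::Registry32,
         [Microsoft.Win32.RegistryView]::Registry64

# Hypothetical helper: open one HKLM subkey read-only in the given view.
function Test-RegistryKeyView {
    param(
        [Parameter(Mandatory)] [string] $SubKey,
        [Parameter(Mandatory)] [Microsoft.Win32.RegistryView] $View
    )
    $status = 'Opened'
    $base = $null
    $key = $null
    try {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
        # OpenSubKey returns $null for a missing key and throws when denied.
        $key = $base.OpenSubKey($SubKey, $false)
        if ($null -eq $key) { $status = 'NotFound' }
    }
    catch {
        $e = $_.Exception.GetBaseException()
        if ($e -is [System.Security.SecurityException] -or
            $e -is [System.UnauthorizedAccessException]) {
            $status = 'AccessDenied'
        } else {
            $status = "Error: $($e.Message)"
        }
    }
    finally {
        if ($key)  { $key.Close() }
        if ($base) { $base.Close() }
    }
    [pscustomobject]@{ SubKey = $SubKey; View = $View; Status = $status }
}

"Process is 64-bit: $([Environment]::Is64BitProcess); " +
    "OS is 64-bit: $([Environment]::Is64BitOperatingSystem)"

$results = foreach ($k in $keys) {
    foreach ($v in $views) { Test-RegistryKeyView -SubKey $k -View $v }
}
$results | Format-Table -AutoSize -Wrap
```

A key that shows Opened in one view and NotFound in the other points at a registry-view difference; AccessDenied in both views points at the key's ACL instead.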
