FIM Registry trouble App version: 4.14.1

[Dmitry Mikheev]

FIM Registry worked until the last update!

Agent Ossec.config
<syscheck>
<disabled>no</disabled>
<frequency>86400</frequency>
<windows_registry check_mtime="no" arch="both">HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Id\System\ClientServices\Email\CITest</windows_registry>

Dashboard
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Id\System\ClientServices\Email
Last modify
Jan 9, 2026 @ 13:11:30.000

But I changed this key yesterday and again today!

Jan 9, 2026 @ 13:11:30.000
This is the approximate time the agent was updated to the new version...

Tested on Windows Server 2019 & 2022. 

Where to look?

[tomas....@wazuh.com]

Hello,

To help determine whether the registry changes are being detected correctly, please perform the following tests:

1. Force a new syscheck scan

   • Restart the Wazuh agent service, or temporarily reduce the scan interval:

     <frequency>60</frequency>

   • After the scan runs, modify the registry key again and check if a new event is generated.

2. Enable registry modification time checks

   • Update the configuration as follows:

     <windows_registry check_mtime="yes" arch="both">

   • Restart the agent and modify the registry key once more.

3. Ensure the value actually changes

   • Writing the same value again will not trigger a FIM event.

   • Please modify the data to a different value for testing purposes.

4. Review agent logs

   • Check ossec.log for syscheck-related entries after making the change.

These steps should help clarify whether the behavior is related to scan timing, configuration, or change detection. Please let us know the results so we can continue assisting.

Best regards,

Tomás Turina

[Dmitry Mikheev]

After setting check_mtime="yes" everything worked. 

Thanks.