Submit a ticketCall us

Cloud Workloads: Meet Your New Hybrid IT Reality
Have you found yourself in that evolving, hybrid IT grey area and wondering if cloud workloads are now part of your purview? And if so, will monitoring cloud workloads require a new set of dedicated cloud monitoring tools? Your answers: yes, they should be, and no, they don’t.

Find out how SolarWinds® Server & Application Monitor (SAM) can help you monitor your cloud workloads side by side with your on-premises workloads. Register Now.

Home > Success Center > Log & Event Manager (LEM) > FIM Does Not Support Specifying Registry Aliases

FIM Does Not Support Specifying Registry Aliases

Table of contents
No headers
Created by Interspire Import, last modified by MindTouch on Jun 23, 2016

Views: 11 Votes: 0 Revisions: 10

FIM does not support specifying aliases due to the fact  that the registry has many aliased regions where the same key appears in multiple locations.  For example, when a  foo.ttt file is created and the association is set , it creates the .ttt key.  This key shows up in all the following locations in regedit:



The first location listed below is an actual location where the key is created with others being its aliases. This actual path goes through at the kernel level. You can capture the action by setting the driver to watch HKEY_USERS key recursively with a pattern of *ttt*, however in this case monitoring other 3 locations will not capture event.




RegKey Read (RegNotifyClass = RegNtQueryKey)
         Time: 2014-03-21 17:02:22.365
      Reg Key: \REGISTRY\USER\S-1-5-21-138434890-818224588-799959843-500_CLASSES\.ttt
    WEDirName: HKU
    WEPattern: *TTT*
     User SID: S-1-5-21-138434890-818224588-799959843-500
     WE Flags: 0x0
   WE Op Mask: 0xff
       Status: 0x0
        Flags: 0x0



Note: The example above is tied to the way Windows processes the “add new file association” scenario. Monitoring aliases can still prove useful in case Registry actions are performed manually via regedit or command line.

Additionally the entire HKEY_CURRENT_USER Windows key is an alias whose definition is constantly changing depending on the context. This is why FIM works with complete, fully resolved names instead. You should avoid using aliases (e.g. HKEY_CURRENT_USER key) explicitly in your FIM Connector Configuration and select the actual keys.  Instead of using HKEY_CURRENT_USER choose the key for a specific user from USERS Registry Key (e.g. HKEY_USER\<user_sid>).</user_sid>

In a 64-bit Windows configuration, the WOW64 subsystem plays additional remapping and aliasing depending on whether an app is 32-bit or 64-bit.  For more information, see

Last modified