Windows Legacy Collection: Configure Remote Registry Access

Document created by RSA Information Design and Development on Jul 23, 2016
Last modified by RSA Information Design and Development on Sep 14, 2016
Version 4

This topic describes how to enable the Remote Registry Access method for collecting data from event sources.


Windows Legacy Collector performs an initial verification of the event source before collecting data. By default, it uses the Windows Management Instrumentation (WMI) method to perform this verification. If you enable the Remote Registry Access method, Windows Legacy Collector performs a remote registry query to verify the event source instead.

Note: Customers who have upgraded from RSA enVision can select the Remote Registry Access method to keep using the existing domain collection user without having to enable WMI permission.


  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services grid, select a Windows Legacy Log Collector service.
  3. In the toolbar, select View > Config > Event Sources.
  4. In the Event Sources tab, select Windows Legacy/Windows from the drop-down menu.
  5. Configure the alias:
    1. Click the Add icon in the Event Categories panel toolbar.
      The Add Source dialog is displayed.
    2. Make sure that the Use Remote Registry Initialization checkbox is checked (it is checked by default) and click OK.


The Remote Registry Access method is now enabled.
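
Because the initial verification is a remote registry query, it is worth confirming that the domain collection user can read the registry of each event source over the network. The PowerShell below is an added example, not part of the RSA documentation or product. The host names are constructed placeholders, and the key it reads (`SYSTEM\CurrentControlSet\Services\EventLog`) is an assumption chosen as a test target, since this topic does not state which key the collector queries.

```powershell
# Added example: run on a Windows host as the domain collection user.
# Host names are constructed placeholders; replace with real event sources.
$EventSources = @('eventsource01.example.local', 'eventsource02.example.local')

# Assumption: the EventLog service key is used only as a readable test target.
$TestKeyPath = 'SYSTEM\CurrentControlSet\Services\EventLog'

function Test-RemoteRegistryRead {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$KeyPath
    )
    $hive = $null
    $key  = $null
    try {
        # Connects through the Remote Registry service on the target.
        $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
        $key = $hive.OpenSubKey($KeyPath)   # read-only open
        if ($null -eq $key) { throw "Key not found: HKLM\$KeyPath" }
        [pscustomobject]@{
            ComputerName = $ComputerName
            Readable     = $true
            SubKeys      = ($key.GetSubKeyNames() -join ', ')
            Error        = $null
        }
    }
    catch {
        # Typical causes: service stopped or host unreachable (IOException),
        # or the account lacks remote registry rights (SecurityException /
        # UnauthorizedAccessException).
        $base = $_.Exception.GetBaseException()
        [pscustomobject]@{
            ComputerName = $ComputerName
            Readable     = $false
            SubKeys      = $null
            Error        = "$($base.GetType().Name): $($base.Message)"
        }
    }
    finally {
        if ($key)  { $key.Close() }
        if ($hive) { $hive.Close() }
    }
}

$EventSources |
    ForEach-Object { Test-RemoteRegistryRead -ComputerName $_ -KeyPath $TestKeyPath } |
    Format-Table -AutoSize -Wrap
```

A row with `Readable` set to `False` identifies an event source where the Remote Registry service or the account's registry permissions need attention before the collector's verification can succeed.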