Computer Hacking Forensic Investigator (CHFI v10) — Question 382
Maria has executed a suspicious executable file in a controlled environment and wants to use Windows Event Viewer to see if the file adds/modifies any registry value after execution. Which of the following event IDs should she look for in this scenario?
Answer options
- A. Event ID 4657
- B. Event ID 4688
- C. Event ID 7040
- D. Event ID 4624
Correct answer: A
Explanation
Event ID 4657 indicates a registry value has been changed, making it the correct choice for tracking modifications. Event ID 4688 relates to process creation, Event ID 7040 pertains to service changes, and Event ID 4624 indicates successful logon attempts, none of which directly address registry modifications.