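## Type (ignore/directory/global/notify). NOTE: the monitoring rows in this file use the keyword "watch", not "directory".
# <watch>,<directory>,realtime <yes/no>,check_all <yes/no>,check_sum <yes/no>,check_sha1sum <yes/no>,check_md5sum <yes/no>, check_size <yes/no>, check_owner <yes/no>, check_group <yes/no>, check_perm <yes/no>, report_changes <yes/no>, restrict <sregex>
# NOTE(review): the rows below appear to carry 15 comma-separated fields, two more than the 13 named above. The final field holds "both" on some registry rows and is not described here (presumably the 32-bit/64-bit registry view to scan) - confirm against the parser that consumes this file.
# An empty field presumably falls back to the consumer's default - TODO confirm.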
# Core Windows files plus administrative binaries under SysNative. Each row sets
# only check_all=yes (4th field); realtime is left empty, so changes presumably
# surface at the next scheduled scan rather than immediately - confirm.
# SysNative is an alias that exists only for 32-bit processes on 64-bit Windows
# and resolves to the real 64-bit System32; these rows should match nothing when
# the monitoring agent runs as a native 64-bit process.
# lsass.exe is listed only in this group, not in the System32 rows further down.
# sethc.exe is an accessibility binary reachable from the logon screen, so an
# unexpected change to it is a persistence indicator (MITRE ATT&CK T1546.008);
# no other accessibility binary appears in the rows shown here.
# NOTE(review): the powershell.exe row mixes "/" and "\" separators - verify the
# consumer normalises them.
watch,%WINDIR%/regedit.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/system.ini,,yes,,,,,,,,,,,
watch,%WINDIR%/win.ini,,yes,,,,,,,,,,,
watch,%WINDIR%/SysNative/at.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/SysNative/attrib.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/SysNative/cacls.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/SysNative/cmd.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/SysNative/drivers/etc,,yes,,,,,,,,,,,
watch,%WINDIR%/SysNative/eventcreate.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/SysNative/ftp.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/SysNative/lsass.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/SysNative/net.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/SysNative/net1.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/SysNative/netsh.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/SysNative/reg.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/SysNative/regedt32.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/SysNative/regsvr32.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/SysNative/runas.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/SysNative/sc.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/SysNative/schtasks.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/SysNative/sethc.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/SysNative/subst.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/SysNative/wbem/WMIC.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/SysNative/WindowsPowerShell\v1.0\powershell.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/SysNative/winrm.vbs,,yes,,,,,,,,,,,
# The same tool set under System32 (plus regedit.exe; there is no lsass.exe row
# in this group). For a 32-bit process on 64-bit Windows the file-system
# redirector maps most of System32 to SysWOW64, so these rows then cover the
# 32-bit copies while the SysNative rows cover the 64-bit ones.
# Only check_all=yes (4th field) is set; realtime is empty, so detection latency
# is presumably bounded by the global scan frequency - confirm.
# NOTE(review): the powershell.exe row mixes "/" and "\" separators - verify the
# consumer normalises them.
watch,%WINDIR%/System32/at.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/System32/attrib.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/System32/cacls.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/System32/cmd.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/System32/drivers/etc,,yes,,,,,,,,,,,
watch,%WINDIR%/System32/eventcreate.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/System32/ftp.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/System32/net.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/System32/net1.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/System32/netsh.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/System32/reg.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/System32/regedit.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/System32/regedt32.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/System32/regsvr32.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/System32/runas.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/System32/sc.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/System32/schtasks.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/System32/sethc.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/System32/subst.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/System32/wbem/WMIC.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/System32/WindowsPowerShell\v1.0\powershell.exe,,yes,,,,,,,,,,,
watch,%WINDIR%/System32/winrm.vbs,,yes,,,,,,,,,,,
# All-users Startup folder: the only row shown with realtime=yes (3rd field) in
# addition to check_all=yes. Items placed here are launched at logon, so an
# addition or change deserves prompt review.
# Per-user Startup folders are not covered by the rows shown here.
# NOTE(review): whether a newly created file raises an alert presumably depends
# on the alert_new_files global option, which this file leaves empty - confirm
# the default.
watch,%PROGRAMDATA%/Microsoft/Windows/Start Menu/Programs/Startup,yes,yes,,,,,,,,,,,
# Registry keys to monitor. Every option field is left empty; the only value set
# is the trailing "both" on some rows, which the header does not describe
# (presumably: scan both the 32-bit and 64-bit registry views - confirm).
# Coverage, by group: file-type handlers under Software\Classes, policy keys,
# the Security hive, services, KnownDLLs, remote-registry access (winreg) and the
# autostart keys (Run, RunOnce, RunOnceEx, Winlogon, Active Setup).
# NOTE(review): RunOnceEx has no "both" while Run and RunOnce do; if the field
# selects the registry view, the other view of RunOnceEx may go unmonitored on
# 64-bit Windows. The same applies to the Software\Classes handler rows.
# NOTE(review): only HKEY_LOCAL_MACHINE is listed; per-user autostart keys
# (HKEY_USERS / HKEY_CURRENT_USER) are not covered by the rows shown here.
watch,HKEY_LOCAL_MACHINE\Software\Classes\batfile,,,,,,,,,,,,,
watch,HKEY_LOCAL_MACHINE\Software\Classes\cmdfile,,,,,,,,,,,,,
watch,HKEY_LOCAL_MACHINE\Software\Classes\comfile,,,,,,,,,,,,,
watch,HKEY_LOCAL_MACHINE\Software\Classes\exefile,,,,,,,,,,,,,
watch,HKEY_LOCAL_MACHINE\Software\Classes\piffile,,,,,,,,,,,,,
watch,HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects,,,,,,,,,,,,,
watch,HKEY_LOCAL_MACHINE\Software\Classes\Directory,,,,,,,,,,,,,
watch,HKEY_LOCAL_MACHINE\Software\Classes\Folder,,,,,,,,,,,,,
watch,HKEY_LOCAL_MACHINE\Software\Classes\Protocols,,,,,,,,,,,,,both
watch,HKEY_LOCAL_MACHINE\Software\Policies,,,,,,,,,,,,,both
watch,HKEY_LOCAL_MACHINE\Security,,,,,,,,,,,,,
watch,HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer,,,,,,,,,,,,,both
watch,HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services,,,,,,,,,,,,,
watch,HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs,,,,,,,,,,,,,
watch,HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg,,,,,,,,,,,,,
watch,HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run,,,,,,,,,,,,,both
watch,HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce,,,,,,,,,,,,,both
watch,HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx,,,,,,,,,,,,,
watch,HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL,,,,,,,,,,,,,both
watch,HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies,,,,,,,,,,,,,both
watch,HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows,,,,,,,,,,,,,both
watch,HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon,,,,,,,,,,,,,both
watch,HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components,,,,,,,,,,,,,both

# <ignore>,<directory/type>, <sregex>
# Exclusions from the watch rows. A row gives either a pattern (3rd field) with
# an empty 2nd field, or a path (2nd field) with an empty pattern.
# The first two rows have no path, so they presumably apply to every watched
# location: names ending in the listed extensions, and names ending in \Enum.
# The last two rows carve subtrees out of the HKEY_LOCAL_MACHINE\Security watch.
# Every exclusion is a monitoring blind spot: a matching item is not reported
# even inside a watched directory, so keep this list as narrow as noise allows.
# With the SAM ...\Users subtree excluded, account changes need another
# telemetry source (for example the Windows Security event log).
# NOTE(review): whether "." in these patterns is a literal dot or "any
# character" depends on the sregex dialect - confirm, since the latter would
# make the extension patterns broader than intended.
ignore,,.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$
ignore,,\Enum$
ignore,HKEY_LOCAL_MACHINE\Security\Policy\Secrets,
ignore,HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users,

# Global options
# Only the scan frequency is set (43200; unit not stated here - presumably
# seconds, i.e. 12 hours - confirm). Rows without realtime=yes are presumably
# checked only at this interval, so a change can go unreported for up to one
# full interval.
# scan_time, scan_day, auto_ignore, alert_new_files and scan_on_start are left
# empty and presumably take the consumer's defaults - confirm each; auto_ignore
# and alert_new_files in particular decide what gets reported.
# NOTE(review): the row appears to carry one more field than the header names.

# <global>,frequency <0-9999999>, scan_time <time>, scan_day <day>, auto_ignore <yes/no>, alert_new_files <yes/no>, scan_on_start <yes/no>
global,43200,,,,,,

# <notify>,<directory>,<level>,<email>