Sorry for the late response. I was ill and not in the office.
One attempt was creating the registry file by a simple export via the command regedit /E.
Problem: The multiple lines in the file, that have to be checked for the search string - it works fine in regexr.com, but
not (as you figured out) in the logmon probe.
Another attempt was using a REG QUERY and parse the result for the search string - same problem.
Finally I chose your idea/alternative: I exported the needed registry key via the regedit /E command to file and used
a simple batch to search for the needed string. Depending on whether the string is found or not, the batch file generates
a "result" file with only one entry: FOUND or NOTFOUND.
Now logmon is able to parse the newly generated file in cat mode for NOTFOUND and generate an alarm.
Not a nice solution, but it works.
Thanks a lot for the hint.
-Drazen
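
The workaround described in the post above, sketched as an added example (this is not the poster's own batch file): export the key with regedit /E, search the export, and reduce the outcome to a one-line FOUND/NOTFOUND file for logmon. The registry key, search string and file paths are placeholders; the `type` pipe is there because regedit /E writes UTF-16, which findstr does not match when it reads the file directly.

```batch
@echo off
setlocal

rem Placeholders (assumptions, not values from the post): adjust to your environment.
set "KEY=HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\ExampleApp"
set "NEEDLE=ExampleSetting"
set "EXPORT=%TEMP%\regcheck_export.reg"
set "RESULT=C:\monitor\regcheck_result.txt"

rem Default to NOTFOUND so any failure below raises the alarm instead of hiding it.
set "STATE=NOTFOUND"

rem Delete the previous export so a stale file can never produce a false FOUND.
if exist "%EXPORT%" del "%EXPORT%"

rem Export the key to a file.
regedit /E "%EXPORT%" "%KEY%"

rem "type" converts the UTF-16 export to the console code page before findstr sees it.
rem /L = literal match (no regex), /I = case-insensitive, /C = treat the string as one phrase.
if exist "%EXPORT%" (
    type "%EXPORT%" | findstr /I /L /C:"%NEEDLE%" >nul && set "STATE=FOUND"
)

rem Write the single-line result to a temp file and swap it in,
rem so the probe never reads a half-written result file.
> "%RESULT%.tmp" echo %STATE%
move /Y "%RESULT%.tmp" "%RESULT%" >nul

endlocal
```

Because the state defaults to NOTFOUND, a missing export (key absent or not readable by the account running the job) produces the same alarm as a missing string.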