How can I monitor changes to IIS when neither FileSystemWatcher nor IIS-Configuration event log will report on System32 changes?

We have to monitor changes to IIS 8.5 on 2012 R2

The FileSystemWatcher Windows service I wrote works on anything except System32 subdirectories,
 despite System having permissions on the inetsrv\config folder (cannot get Read permission on anything higher), and
 The OOTB IIS-Configuration event log won't report manual changes to inetsrv\config\applicationHost.config 
      (e.g. via Notepad++).

Doesn't make a difference where the FSW Windows service is installed. And IIS takes applicationHost.config changes immediately, without restart.

The business case is that Security said so. Any ideas?

You can Monitor IIS Configuration Changes using SAM via event logs by ensuring that you enable the EVENT LOGS first for IIS Configuration changes:

Enable the IIS configuration change to be written on Event Logs

  1. Go to Start > Event Viewer.

  2. Expand Applications and Services Logs > Microsoft > Windows > IIS-Configuration > Operational > Enable Log.

  3. Close Event Viewer to Finish.

Then you may now IMPORT the attached SAM Templates and create a component monitor alert so you will know which IIS Configuration has been changed.

How to Monitor IIS Configuration change using Event Logs in SAM.