How do I enable auditing on the SAM?

First ensure auditing is enabled on the system using User Manager -Policies menu - Audit. Select the "Audit These Events". Choose theobjects to audit and click OK.

Next make sure the Scheduler service is running on the machine either viathe Services Control Panel applet (Start - Settings - Control Panel - Services)or type "net start" and look for "Scheduler". If it is notrunning you can start by typing
C:> net start schedule

At the command prompt (cmd.exe) type
C:> at /interactive "regedt32.exe"
where is a minute in the future.

At the time entered Regedt32.exe will be started but running under theinternal System account. This allows access to areas normally inaccessible.

Select the HKEY_LOCAL_MACHINE window

Select the SAM key and from the Security menu select Auditing
Click here to view image

Click the Add button and on the displayed dialog (which will show groups)click the 'Show Users' button.

Add the following:
- SYSTEM
- Domain Admins
- Administrator
- Backup Operators
and any other accounts with the following:
- Take ownership of files or other objects
- Back up files and directories
- Manage auditing and security log
- Restore files and directories
- Add workstations to domain
- Replace a process level token
Click OK

Check the "Audit Permissions on Existing Subkeys" box

Set Success and Failure for
- Query Value
- Set Value
- Write DAC
- Read Control
Click here to view image

Click OK. Click Yes to the dialog that asks if you want to audit allexisting subkeys in the SAM.

You should now repeat but on the Security key steps 6 to 11.

Close the registry editor

Stop the schedule service is you only started it for this task
C:> net stop schedule