How do I enable auditing on the SAM?

John Savill

December 21, 1999


A. It is possible to enable auditing of every failed or successful access to your sensitive information by the only accounts that are able to access it at all, e.g. Administrators. This can be done as follows:

  1. First ensure auditing is enabled on the system using User Manager - Policies menu - Audit. Select "Audit These Events", choose the objects to audit and click OK.

  2. Next make sure the Scheduler service is running on the machine, either via the Services Control Panel applet (Start - Settings - Control Panel - Services) or by typing "net start" and looking for "Scheduler". If it is not running you can start it by typing
    C:> net start schedule

  3. At the command prompt (cmd.exe) type
    C:> at <time> /interactive "regedt32.exe"
    where <time> is a minute in the future.

  4. At the time entered, Regedt32.exe will be started, but running under the internal System account. This allows access to areas normally inaccessible.

  5. Select the HKEY_LOCAL_MACHINE window

  6. Select the SAM key and from the Security menu select Auditing

  7. Click the Add button and on the displayed dialog (which will show groups) click the 'Show Users' button.

  8. Add the following:
    - SYSTEM
    - Domain Admins
    - Administrator
    - Backup Operators
    and any other accounts that hold any of the following user rights:
    - Take ownership of files or other objects
    - Back up files and directories
    - Manage auditing and security log
    - Restore files and directories
    - Add workstations to domain
    - Replace a process level token
    Click OK.

  9. Check the "Audit Permissions on Existing Subkeys" box

  10. Set Success and Failure for
    - Query Value
    - Set Value
    - Write DAC
    - Read Control

  11. Click OK. Click Yes to the dialog that asks if you want to audit all existing subkeys in the SAM.

  12. Now repeat steps 6 to 11, this time on the Security key.

  13. Close the registry editor.

  14. Stop the Schedule service if you only started it for this task:
    C:> net stop schedule

Auditing the Security key is optional, but without it only the password keys will be audited. Setting auditing on the Security key also lets you track other security-relevant changes to the system.

You will now see the corresponding entries in the Security log in Event Viewer.
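Once the audit entries start arriving, picking out the SAM and Security accesses and decoding the access mask into the four rights audited above is the useful part. The following PowerShell is an added example, not part of the original FAQ; it assumes the modern Security-log event 4663 and its XML layout (NT 4 used a different event ID and layout), and the sample event is constructed so it runs offline.

```powershell
# Added example, not from the original FAQ. Assumes the modern Security-log event 4663
# ("An attempt was made to access an object") and its XML layout; NT 4 logged the same
# kind of record under a different event ID and layout.
# Registry access-mask bits for the four rights the FAQ sets auditing on.
$AuditedRights = [ordered]@{ 0x00001 = 'Query Value'; 0x00002 = 'Set Value'
                            0x20000 = 'Read Control'; 0x40000 = 'Write DAC' }

function ConvertTo-AuditedRightName([int]$Mask) {
    # Names of the audited rights present in a 4663 AccessMask value.
    $AuditedRights.Keys | Where-Object { $Mask -band $_ } | ForEach-Object { $AuditedRights[$_] }
}

function Get-SamAccessEvent {
    # Emits one record per event whose ObjectName lies under the SAM or SECURITY hive.
    param(
        [Parameter(Mandatory, ValueFromPipeline)][xml]$EventXml,
        [string[]]$HivePrefix = @('\REGISTRY\MACHINE\SAM', '\REGISTRY\MACHINE\SECURITY')
    )
    process {
        $data = @{}
        foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $obj = [string]$data['ObjectName']
        if (-not ($HivePrefix | Where-Object { $obj.StartsWith($_, 'OrdinalIgnoreCase') })) { return }
        [pscustomobject]@{
            Time       = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
            Subject    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Process    = $data['ProcessName']
            ObjectName = $obj
            Rights     = @(ConvertTo-AuditedRightName ([int]$data['AccessMask'])) -join ', '
        }
    }
}

# Constructed sample (an admin reading a SAM key in regedit) so the script runs offline.
$sample = [xml]@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4663</EventID><TimeCreated SystemTime="2024-01-01T12:00:00.000Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">admin</Data><Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectName">\REGISTRY\MACHINE\SAM\SAM\Domains\Account\Users</Data>
    <Data Name="ProcessName">C:\Windows\regedit.exe</Data>
    <Data Name="AccessMask">0x20001</Data>
  </EventData>
</Event>
"@
$sample | Get-SamAccessEvent | Format-List

# Live use: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663} -MaxEvents 1000 |
#           ForEach-Object { [xml]$_.ToXml() } | Get-SamAccessEvent
```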
