JSI Tip 1915. How do I determine the Audit Policy of a computer without using User Manager?
December 20, 1999
Windows NT stores the Audit Policy in the Registry at:
HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv
Administrators do not have access to this key by default, but the SYSTEM account does.
Use the Scheduler, running in the SYSTEM context (see tip 0243), to export the key to a .REG file. Note that the command runs, and the file is written, on the computer named in the AT command, not on the computer you type it from:
AT [\\ComputerName] HH:MM CMD /c "regedit /e Drive:\Folder\FileName.reg HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv"
The file contains an entry similar to:
[HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv]
@=hex(0):ZZ,ii,ii,00,AA,00,00,00,BB,00,00,00,CC,00,00,00,DD,00,00,00,EE,00,00,\
  00,FF,00,00,00,GG,00,00,00,ii,00,00,00
where:
ii - Ignore these values.
ZZ - 01 indicates auditing is enabled, 00 means disabled.
AA - Restart, Shutdown, System.
BB - Logons and Logoffs.
CC - File and Object Access.
DD - Use of User Rights.
EE - Process Tracking.
FF - Security Policy Management.
GG - User and Group Management.
For each of the AA through GG bytes:
If the value is 00, that category is not audited.
If the value is 01, success auditing is enabled for that category.
If the value is 02, failure auditing is enabled for that category.
If the value is 03, both success and failure auditing are enabled for that category.
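Once the .REG file is in hand, the hex string can be decoded by script rather than by eye. The following Python program is an added example and is not part of this tip: it parses a REGEDIT4 export (the sample export embedded in it is constructed to match the layout above, not captured from a machine), pulls out the default value under PolAdtEv, and reports each category the way User Manager's Audit Policy dialog labels it. The category order and the 01/02 flag meanings are taken from the tip; the function and variable names are the example's own.

```python
r"""Decode an NT audit policy from a regedit /e export of
HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv.

Added example (not part of the original tip).  The export text below is
constructed by hand to match the layout the tip describes; it was not
captured from a real machine.
"""
import re

# Audit categories in the order their DWORDs appear after the first DWORD
# (the AA..GG bytes in the tip).
CATEGORIES = [
    "Restart, Shutdown, System",
    "Logons and Logoffs",
    "File and Object Access",
    "Use of User Rights",
    "Process Tracking",
    "Security Policy Management",
    "User and Group Management",
]

# Low two bits of each category DWORD: 01 = success, 02 = failure.
FLAG_SUCCESS = 0x1
FLAG_FAILURE = 0x2

KEY_PATH = r"HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv"

# Constructed sample export: auditing on; System and Logon audited for
# success and failure, Policy Management for failure only, Account
# Management for success only, everything else off.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv]
@=hex(0):01,00,00,00,03,00,00,00,03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,02,00,00,00,01,00,00,00,07,00,00,00
"""


def extract_default_value(export_text, key_path):
    """Return the bytes of the default (@) hex value under key_path.

    Handles the REGEDIT4 convention of splitting long hex values across
    lines with a trailing backslash.  Key names are matched
    case-insensitively, as the registry itself does.
    """
    want = ("[" + key_path + "]").lower()
    in_key = False
    parts = []
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            if parts:
                break                      # value ended at the previous key
            in_key = line.lower() == want
            continue
        if not in_key:
            continue
        if not parts:
            m = re.match(r"@=hex(?:\(\d+\))?:(.*)$", line)
            if not m:
                continue                   # some other value in this key
            line = m.group(1)
        continued = line.endswith("\\")
        parts.append(line.rstrip("\\"))
        if not continued:
            break
    if not parts:
        raise ValueError("no default hex value found under " + key_path)
    return bytes.fromhex("".join(parts).replace(",", ""))


def decode_poladtev(blob):
    """Parse the blob into (auditing_enabled, {category: flags})."""
    need = 4 + 4 * len(CATEGORIES)
    if len(blob) < need:
        raise ValueError("PolAdtEv value too short: %d bytes" % len(blob))
    enabled = blob[0] == 0x01              # the ZZ byte
    policy = {}
    for i, name in enumerate(CATEGORIES):
        off = 4 + 4 * i
        dword = int.from_bytes(blob[off:off + 4], "little")
        policy[name] = dword & (FLAG_SUCCESS | FLAG_FAILURE)
    return enabled, policy


def describe(flags):
    """Render a category's flags the way the Audit Policy dialog does."""
    if flags == 0:
        return "No auditing"
    names = []
    if flags & FLAG_SUCCESS:
        names.append("Success")
    if flags & FLAG_FAILURE:
        names.append("Failure")
    return ", ".join(names)


def audit_policy_report(export_text, key_path=KEY_PATH):
    """Return the audit policy as a list of lines, one per category."""
    enabled, policy = decode_poladtev(extract_default_value(export_text, key_path))
    lines = ["Audit These Events: " + ("Yes" if enabled else "No")]
    for name in CATEGORIES:
        lines.append("%-28s %s" % (name, describe(policy[name])))
    return lines


if __name__ == "__main__":
    print("\n".join(audit_policy_report(SAMPLE_EXPORT)))
```

Copy the exported .REG file off the NT computer and feed its contents to audit_policy_report in place of the constructed sample. The decoder reads only the first four DWORDs' worth of layout the tip documents (the ZZ byte and the seven category DWORDs) and refuses a value shorter than that rather than guessing.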