JSI Tip 5231. How do I determine the Windows 2000 Audit Policy using the registry?
Jerold Schulman
April 28, 2002
In tip 1915, we determined the Windows NT 4.0 Audit Policy.
Windows 2000 stores the Audit Policy at:
HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv
Administrators do not have access to this key, but the SYSTEM account does.
Use the Task Scheduler, running in the SYSTEM context, tip 3215, to export the Audit Policy settings to a FileName.reg file:
AT [\\ComputerName] HH:MM CMD /c "regedit /a FileName.reg HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv"
The file contains an entry similar to:
[HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv]
@=hex(0):ZZ,ii,ii,00,AA,00,00,00,BB,00,00,00,CC,00,00,00,DD,00,00,00,EE,00,00,00,FF,00,00,00,GG,00,00,00,HH,00,00,00,II,00,00,00,ii,00,00,00
where:
ii  Ignore these values.
ZZ  01 indicates auditing is enabled, 00 means disabled.
AA  Audit System Events
BB  Audit Logon Events
CC  Audit Object Access
DD  Audit Privilege Use
EE  Audit Process Tracking
FF  Audit Policy Change
GG  Audit Account Management
HH  Audit Directory Service Access
II  Audit Account Logon Events
If the value at any of the AA through II positions is 01, success auditing is enabled for that category.
If the value is 02, failure auditing is enabled.
If the value is 03, both success and failure auditing are enabled.
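The following is an added example, not part of the original tip: it parses the exported FileName.reg text and decodes the PolAdtEv byte layout described above into per-category success/failure settings. The .reg content is a constructed sample, and the function names, the treatment of 01/02/03 as two bit flags, and the trailing DWORD being skipped are this example's assumptions.

```python
import re

# Category order documented in the tip: AA (System Events) through II (Account Logon Events).
CATEGORIES = ["Audit System Events", "Audit Logon Events", "Audit Object Access",
              "Audit Privilege Use", "Audit Process Tracking", "Audit Policy Change",
              "Audit Account Management", "Audit Directory Service Access",
              "Audit Account Logon Events"]
KEY_PATH = r"HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv"

# Constructed sample of an exported FileName.reg (not a real export): auditing on, Logon Events =
# success+failure (03), Object Access = failure (02), Account Logon Events = success (01), rest off.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv]
@=hex(0):01,00,00,00,00,00,00,00,03,00,00,00,02,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,09,00,00,00
"""

def extract_default_value(reg_text: str, key_path: str) -> bytes:
    """Return the bytes of the default value (@=hex(0):...) under key_path in a REGEDIT4 export."""
    header = "[" + key_path + "]"
    if header not in reg_text:
        raise ValueError("key not found in export: " + key_path)
    section = reg_text.split(header, 1)[1]
    m = re.search(r"@=hex\(0\):(.*?)(?:\n\s*\n|\Z)", section, re.S)
    if not m:
        raise ValueError("no hex(0) default value found under " + key_path)
    joined = re.sub(r"\\\r?\n\s*", "", m.group(1))  # join .reg backslash line continuations
    return bytes(int(tok, 16) for tok in joined.strip().rstrip(",").split(","))

def decode_poladtev(data: bytes) -> dict:
    """Decode the blob: ZZ,ii,ii,00 then one little-endian DWORD per category AA..II."""
    if len(data) < 4 + 4 * len(CATEGORIES):
        raise ValueError(f"PolAdtEv value too short: {len(data)} bytes")
    policy = {"AuditingEnabled": data[0] == 0x01, "Categories": {}}  # ZZ: 01 on, 00 off
    for i, name in enumerate(CATEGORIES):
        flags = int.from_bytes(data[4 + 4 * i:8 + 4 * i], "little")
        # 01 = success, 02 = failure, 03 = both: read as two bit flags (assumption)
        policy["Categories"][name] = {"Success": bool(flags & 1), "Failure": bool(flags & 2)}
    return policy

def audit_policy_from_reg(reg_text: str) -> dict:
    return decode_poladtev(extract_default_value(reg_text, KEY_PATH))

if __name__ == "__main__":
    pol = audit_policy_from_reg(SAMPLE_REG)
    print("Auditing enabled:", pol["AuditingEnabled"])
    for name, f in pol["Categories"].items():
        print(f"{name:32} success={f['Success']} failure={f['Failure']}")
```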