JSI Tip 5231. How do I determine the Windows 2000 Audit Policy using the registry?

Jerold Schulman

April 28, 2002


In tip 1915, we determined the Windows NT 4.0 Audit Policy.

Windows 2000 stores the Audit Policy at:

HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv

Administrators do not have access to this key, but the SYSTEM account does.

Use the Task Scheduler, which runs in the SYSTEM context (see tip 3215), to export the Audit Policy settings to a FileName.reg file:

AT [\\ComputerName] HH:MM CMD /c "regedit /a FileName.reg HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv"

The file contains an entry similar to:

[HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv]
@=hex(0):ZZ,ii,ii,00,AA,00,00,00,BB,00,00,00,CC,00,00,00,DD,00,00,00,EE,00,00,00,FF,00,00,00,GG,00,00,00,HH,00,00,00,II,00,00,00,ii,00,00,00

where:

ii      Ignore these values.
ZZ      01 indicates auditing is enabled, 00 means disabled.
AA      Audit System Events
BB      Audit Logon Events
CC      Audit Object Access
DD      Audit Privilege Use
EE      Audit Process Tracking
FF      Audit Policy Change
GG      Audit Account Management
HH      Audit Directory Service Access
II      Audit Account Logon Events

For each of the letters AA through II:

If the value is 01, success auditing is enabled.
If the value is 02, failure auditing is enabled.
If the value is 03, success and failure auditing is enabled.
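As an added example (not part of the original tip), the following Python script reads the exported FileName.reg text, reassembles the wrapped hex(0) value, and decodes the PolAdtEv bytes according to the table above. The .reg content embedded in it is constructed for illustration, not captured from a real system.

```python
import re

# Order of the nine DWORDs that follow the 4-byte header in PolAdtEv
# (the letters AA through II in the tip).
CATEGORIES = [
    "System Events", "Logon Events", "Object Access", "Privilege Use",
    "Process Tracking", "Policy Change", "Account Management",
    "Directory Service Access", "Account Logon Events",
]
# Per-category DWORD values documented in the tip.
SETTINGS = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success and Failure"}


def extract_poladtev_bytes(reg_text):
    """Return the raw bytes of the PolAdtEv default value from a regedit /a export.

    regedit wraps long hex(0) values: a continued line ends with a backslash and
    the next line is indented, so the pieces are joined before parsing.
    """
    joined = re.sub(r",\\\r?\n\s*", ",", reg_text)
    m = re.search(r"\[HKEY_LOCAL_MACHINE\\Security\\Policy\\PolAdtEv\]\s*"
                  r"@=hex\(0\):([0-9a-fA-F,]+)", joined, re.IGNORECASE)
    if not m:
        raise ValueError("PolAdtEv value not found in .reg text")
    return bytes(int(b, 16) for b in m.group(1).split(",") if b)


def decode_audit_policy(data):
    """Map the PolAdtEv blob to the tip's fields: ZZ first, then AA..II as DWORDs."""
    if len(data) < 4 + 9 * 4:
        raise ValueError("PolAdtEv blob too short: %d bytes" % len(data))
    policy = {"Auditing enabled": data[0] == 1}  # ZZ: 01 enabled, 00 disabled
    for i, name in enumerate(CATEGORIES):
        value = int.from_bytes(data[4 + 4 * i:8 + 4 * i], "little")
        policy[name] = SETTINGS.get(value, "Unknown (0x%X)" % value)
    return policy


# Constructed sample of an exported FileName.reg (not a capture from a real system).
SAMPLE_REG = """REGEDIT4

[HKEY_LOCAL_MACHINE\\Security\\Policy\\PolAdtEv]
@=hex(0):01,00,00,00,03,00,00,00,03,00,00,00,00,00,00,00,02,00,00,00,00,00,00,\\
  00,01,00,00,00,03,00,00,00,00,00,00,00,02,00,00,00,09,00,00,00
"""

if __name__ == "__main__":
    for field, setting in decode_audit_policy(extract_poladtev_bytes(SAMPLE_REG)).items():
        print("%-26s %s" % (field, setting))
```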
