JSI Tip 5231. How do I determine the Windows 2000 Audit Policy using the registry?

In tip 1915, we determined the Windows NT 4.0 Audit Policy.

Windows 2000 stores the Audit Policy at:

HKEY_LOCAL_MACHINESecurityPolicyPolAdtEv

Administrators do no have access to this key, but the SYSTEM account does.

Use the Task Scheduler, running in the SYSTEM context, tip 3215, to export the Audit Policy settings to a FileName.reg file:

AT [\ComputerName] HH:MM CMD /c "regedit /a HKEY_LOCAL_MACHINESecurityPolicyPoladtev"

The file contains an entry similar to:

[HKEY_LOCAL_MACHINESecurityPolicyPoladtev]@=hex(0):ZZ,ii,ii,00,AA,00,00,00,BB,00,00,00,CC,00,00,00,DD,00,00,00,EE,00,00, 00,FF,00,00,00,GG,00,00,00,HH,00,00,00,II,00,00,00,ii,00,00,00

where:

ii      Ignore these values.ZZ      01 indicates auditing is enabled, 00 means disabled.AAAudit System EventsBBAudit Logon EventsCCAudit Object AccessDDAudit Privilege UseEEAudit Process TrackingFFAudit Policy ChangeGGAudit Account ManagementHHAudit Directory Service AccessIIAudit Account Logon EventsIf the value of the AA / II letter is 01, success auditing is enabled.If the value of the AA / II letter is 02, failure auditing is enabled.If the value of the AA / II letter is 03, success and failure auditing is enabled.