JSI Tip 1915. How do I determine the Audit Policy of a computer without using User Manager?


Windows NT stores the Audit Policy in the Registry at:

HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv

Administrators do not have access to this key, but the SYSTEM account does.

Use the Scheduler, running in the SYSTEM context (See tip 0243):

AT [\\ComputerName] HH:MM CMD /c "regedit /e <FileName> HKEY_LOCAL_MACHINE\Security\Policy\Poladtev"

The <FileName> file contains an entry similar to:

[HKEY_LOCAL_MACHINE\Security\Policy\Poladtev]
@=hex(0):ZZ,ii,ii,00,AA,00,00,00,BB,00,00,00,CC,00,00,00,DD,00,00,00,EE,00,00,\
00,FF,00,00,00,GG,00,00,00,ii,00,00,00

where:

ii - Ignore these values.

ZZ - 01 indicates auditing is enabled, 00 means disabled.

AA - Restart, Shutdown, System.
BB - Logons and Logoffs.
CC - File and Object Access.
DD - Use of User Rights.
EE - Process Tracking.
FF - Security Policy Management.
GG - User and Group Management.

If the value of any of the AA through GG bytes is 01, success auditing is enabled for that category.
If the value of any of the AA through GG bytes is 02, failure auditing is enabled for that category.
If the value of any of the AA through GG bytes is 03, both success and failure auditing are enabled for that category.
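The following script, added here as an example and not part of the original tip, reads a regedit /e export of the Poladtev key, joins the backslash-continued hex lines, and applies the byte layout above to print each audit category's setting. The sample export embedded in it is constructed; the byte offsets and the 01/02/03 meanings come from the tip, while treating 00 as "not audited" is an assumption.

```python
import re

# Audit categories AA..GG in order; each is a DWORD starting at byte offset 4.
CATEGORIES = ["Restart, Shutdown, System", "Logons and Logoffs",
              "File and Object Access", "Use of User Rights", "Process Tracking",
              "Security Policy Management", "User and Group Management"]
# 01/02/03 per the tip; 00 (neither bit set) is assumed here to mean not audited.
SETTINGS = {0: "none", 1: "success", 2: "failure", 3: "success and failure"}


def extract_hex_bytes(reg_text):
    """Return the bytes of the '@=hex(0):' value in a regedit /e export.

    regedit wraps long values with a trailing backslash; join those lines first.
    """
    joined = reg_text.replace("\\\r\n", "").replace("\\\n", "")
    m = re.search(r"@=hex\(0\):([0-9a-fA-F, \t]+)", joined)
    if not m:
        raise ValueError("no @=hex(0) value found")
    return bytes(int(h, 16) for h in m.group(1).split(",") if h.strip())


def decode_audit_policy(data):
    """Map the PolAdtEv layout (ZZ at byte 0, AA..GG as DWORDs from byte 4) to names."""
    if len(data) < 4 + 4 * len(CATEGORIES):
        raise ValueError("PolAdtEv value too short: %d bytes" % len(data))
    policy = {"auditing_enabled": data[0] == 1}
    for i, name in enumerate(CATEGORIES):
        word = int.from_bytes(data[4 + 4 * i:8 + 4 * i], "little")
        policy[name] = SETTINGS.get(word, "unknown (0x%x)" % word)
    return policy


# Constructed sample export (not from a real machine): auditing on, logon/logoff
# success and failure, user-rights failures, security-policy-change successes.
SAMPLE_REG = (
    "REGEDIT4\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\Security\\Policy\\Poladtev]\r\n"
    "@=hex(0):01,00,00,00,00,00,00,00,03,00,00,00,00,00,00,00,02,00,00,00,00,00,00,\\\r\n"
    "  00,01,00,00,00,00,00,00,00,07,00,00,00\r\n"
)

if __name__ == "__main__":
    for key, setting in decode_audit_policy(extract_hex_bytes(SAMPLE_REG)).items():
        print("%-28s %s" % (key, setting))
```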
