JSI Tip 5231. How do I determine the Windows 2000 Audit Policy using the registry?

In tip 1915, we determined the Windows NT 4.0 Audit Policy.

Windows 2000 stores the Audit Policy at:

HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv

Administrators do not have access to this key, but the SYSTEM account does.

Use the Task Scheduler, running in the SYSTEM context, tip 3215, to export the Audit Policy settings to a <Folder_Path>\FileName.reg file:

AT [\\ComputerName] HH:MM CMD /c "regedit /a <Folder_Path\FileName.reg> HKEY_LOCAL_MACHINE\Security\Policy\Poladtev"

The <Folder_Path\FileName.reg> file contains an entry similar to:

[HKEY_LOCAL_MACHINE\Security\Policy\Poladtev]
@=hex(0):ZZ,ii,ii,00,AA,00,00,00,BB,00,00,00,CC,00,00,00,DD,00,00,00,EE,00,00,00,FF,00,00,00,GG,00,00,00,HH,00,00,00,II,00,00,00,ii,00,00,00

where:

ii      Ignore these values.

ZZ      01 indicates auditing is enabled, 00 means disabled.

AA      Audit System Events
BB      Audit Logon Events
CC      Audit Object Access
DD      Audit Privilege Use
EE      Audit Process Tracking
FF      Audit Policy Change
GG      Audit Account Management
HH      Audit Directory Service Access
II      Audit Account Logon Events

For each of the AA through II bytes, the value tells you what is audited for that category:
If the byte is 01, success auditing is enabled.
If the byte is 02, failure auditing is enabled.
If the byte is 03, both success and failure auditing are enabled.
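As an added worked example (not part of the original tip), the following Python decodes the exported .reg text into a per-category audit report using the byte layout above. The sample export is constructed, and the REGEDIT4 header plus backslash line continuation are assumptions about regedit's ANSI export format.

```python
import re

# Category order as laid out in the PolAdtEv blob (AA..II on the page).
CATEGORIES = [
    "System Events", "Logon Events", "Object Access", "Privilege Use",
    "Process Tracking", "Policy Change", "Account Management",
    "Directory Service Access", "Account Logon Events",
]
# Per-category byte: 01 success, 02 failure, 03 both (00 = not audited).
SETTING = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}

# Constructed sample of what `regedit /a` writes (REGEDIT4 format assumed).
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Security\Policy\Poladtev]
@=hex(0):01,00,00,00,03,00,00,00,03,00,00,00,00,00,00,00,02,00,00,00,00,00,00,\
  00,01,00,00,00,03,00,00,00,00,00,00,00,03,00,00,00,09,00,00,00
"""

def parse_reg_hex(reg_text):
    """Return the raw bytes of the @=hex(0): value in a .reg export.
    regedit wraps long values with a trailing backslash, so join lines first."""
    joined = "".join(line.rstrip("\\").strip() for line in reg_text.splitlines())
    m = re.search(r"@=hex\(0\):([0-9a-fA-F,]+)", joined)
    if not m:
        raise ValueError("no @=hex(0) value in export")
    return bytes(int(h, 16) for h in m.group(1).split(",") if h)

def decode_poladtev(blob):
    """Return (auditing_enabled, {category: setting}).
    Byte 0 is ZZ; categories start at offset 4, one 4-byte slot each."""
    if len(blob) < 4 + 4 * len(CATEGORIES):
        raise ValueError("blob too short: %d bytes" % len(blob))
    enabled = blob[0] == 1
    policy = {}
    for i, name in enumerate(CATEGORIES):
        flag = blob[4 + 4 * i]
        policy[name] = SETTING.get(flag, "Unknown (0x%02x)" % flag)
    return enabled, policy

def unaudited(policy):
    """Categories with no auditing at all, a quick gap check for reviewers."""
    return [name for name, setting in policy.items() if setting == "No auditing"]

if __name__ == "__main__":
    on, pol = decode_poladtev(parse_reg_hex(SAMPLE_REG))
    print("Auditing enabled:", on)
    for name, setting in pol.items():
        print("%-26s %s" % (name, setting))
    print("Gaps:", unaudited(pol))
```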
