Windows NT stores the Audit Policy in the Registry at:
HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv
Administrators do not have access to this key, but the SYSTEM account does.
Use the Scheduler, running in the SYSTEM context (See tip 0243):
AT [\\ComputerName] HH:MM CMD /c "regedit /e <FileName> HKEY_LOCAL_MACHINE\Security\Policy\Poladtev"
The <FileName> file contains an entry similar to:
[HKEY_LOCAL_MACHINE\Security\Policy\Poladtev]
@=hex(0):ZZ,ii,ii,00,AA,00,00,00,BB,00,00,00,CC,00,00,00,DD,00,00,00,EE,00,00,\
00,FF,00,00,00,GG,00,00,00,ii,00,00,00
where:
ii - Ignore these values.
ZZ - 01 indicates auditing is enabled, 00 means disabled.
AA - Restart, Shutdown, System.
BB - Logons and Logoffs.
CC - File and Object Access.
DD - Use of User Rights.
EE - Process Tracking.
FF - Security Policy Management.
GG - User and Group Management.
If the value of any of the AA through GG bytes is 01, success auditing is enabled for that category.
If the value is 02, failure auditing is enabled.
If the value is 03, both success and failure auditing are enabled.
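The following Python script is an added example, not part of the original tip: it reads a regedit /e export of the Poladtev key (rejoining the backslash-continued hex line) and decodes the bytes using the layout above. The export text embedded in it is constructed sample data, not a real machine's policy.

```python
import re

# Audit categories in the order their DWORDs appear in the blob (offsets 4, 8, ..., 28).
CATEGORIES = [
    "Restart, Shutdown, System",
    "Logons and Logoffs",
    "File and Object Access",
    "Use of User Rights",
    "Process Tracking",
    "Security Policy Management",
    "User and Group Management",
]
FLAGS = {0: "none", 1: "success", 2: "failure", 3: "success and failure"}

def parse_reg_hex(reg_text):
    """Return the bytes of the '@=hex(0):' default value from a regedit /e export.
    regedit wraps long values with a trailing backslash; fragments are rejoined here."""
    lines = reg_text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("@=hex(0):"):
            data = line[len("@=hex(0):"):].strip()
            while data.endswith("\\"):          # continuation onto the next line
                i += 1
                data = data[:-1] + lines[i].strip()
            return bytes(int(h, 16) for h in re.split(r"\s*,\s*", data) if h)
    raise ValueError("no default value found in export")

def decode_audit_policy(blob):
    """Map the PolAdtEv blob to the per-category audit settings described in the tip.
    Byte 0 is the master enable flag; bytes 1-3 and the final DWORD are ignored."""
    if len(blob) < 32:
        raise ValueError("PolAdtEv blob too short: %d bytes" % len(blob))
    policy = {"auditing_enabled": blob[0] == 1}
    for n, name in enumerate(CATEGORIES):
        value = int.from_bytes(blob[4 + 4 * n:8 + 4 * n], "little")
        policy[name] = FLAGS.get(value, "unknown (0x%x)" % value)
    return policy

# Constructed sample export (not from a real system): auditing on, system and
# logon events audited for success+failure, privilege use for failure only.
SAMPLE_EXPORT = """REGEDIT4

[HKEY_LOCAL_MACHINE\\Security\\Policy\\Poladtev]
@=hex(0):01,00,00,00,03,00,00,00,03,00,00,00,00,00,00,00,02,00,00,00,00,00,00,\\
  00,01,00,00,00,03,00,00,00,07,00,00,00
"""

if __name__ == "__main__":
    for key, setting in decode_audit_policy(parse_reg_hex(SAMPLE_EXPORT)).items():
        print("%-28s %s" % (key, setting))
```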