Q: What's the best way to retrieve the audit policy in effect for a Windows machine?

A: You can configure and check Windows auditing settings with several management tools. The Group Policy Management Console (gpmc.msc) manages auditing settings through a domain-based Group Policy Object (GPO). The Local Group Policy Editor (gpedit.msc) manages audit settings through a local security policy. Or you can simply use auditpol.exe to manage auditing settings from the command line.

The most reliable tool for retrieving the effective audit policy from a Windows machine is the auditpol.exe command-line tool, because only this tool reads the settings directly from the system registry location that holds the audit policy currently in effect on the machine. A Windows box's local security authority (i.e., the lsass.exe process) reads the audit policy from the exact same registry location when it applies the audit policy to the machine.

To retrieve the complete effective audit policy on a Windows machine using auditpol.exe, enter the following at the command line:

auditpol.exe /get /category:*

Make sure you run the command from an elevated command prompt; if necessary, use the Run as administrator option on the command prompt shortcut's context menu to elevate your privileges.
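
To work with the effective policy as data rather than as text, this added PowerShell example (not part of the original answer) runs the same auditpol.exe query with the /r CSV report switch and compares the result with a baseline. The function names and the baseline values are assumptions made for illustration, and the setting strings assume an English-language system.

```powershell
# Added example: requires Windows and an elevated PowerShell session.
function Get-EffectiveAuditPolicy {
    # auditpol.exe needs elevation; fail early with a clear message.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }

    # /r switches auditpol.exe to CSV report output; drop blank lines before parsing.
    $csv = & auditpol.exe /get /category:* /r | Where-Object { $_.Trim() }
    if ($LASTEXITCODE -ne 0) { throw "auditpol.exe exited with code $LASTEXITCODE" }

    $csv | ConvertFrom-Csv | ForEach-Object {
        [pscustomobject]@{
            Subcategory = $_.Subcategory
            Guid        = $_.'Subcategory GUID'
            Setting     = $_.'Inclusion Setting'
        }
    }
}

# Hypothetical baseline (an assumption, not from the article): subcategory -> required setting.
$baseline = @{
    'Logon'               = 'Success and Failure'
    'Process Creation'    = 'Success'
    'Audit Policy Change' = 'Success'
}

function Compare-AuditBaseline {
    param([object[]]$Policy, [hashtable]$Baseline)
    foreach ($name in $Baseline.Keys) {
        $entry  = $Policy | Where-Object Subcategory -eq $name
        $actual = if ($entry) { $entry.Setting } else { 'Missing' }
        # "Success and Failure" also satisfies a baseline of "Success" or "Failure".
        $ok = ($actual -eq $Baseline[$name]) -or ($actual -eq 'Success and Failure')
        [pscustomobject]@{
            Subcategory = $name
            Expected    = $Baseline[$name]
            Actual      = $actual
            Compliant   = $ok
        }
    }
}

Compare-AuditBaseline -Policy (Get-EffectiveAuditPolicy) -Baseline $baseline |
    Format-Table -AutoSize
```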
