Row | Data Source | Sub-Data Source | Data Object | Relationship | Data Object | Event ID | Description | Provider Name | Event Channel | Data Category | Data Sub-Category | Minimum Operating System | GPO | Enable Commands | Client Default | Server Default |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2 | File monitoring | drivers load | driver | loaded | driver | 6 | The driver loaded event provides information about a driver being loaded on the system | Microsoft-Windows-Sysmon | Microsoft-windows-sysmon/operational | Driver Loaded | N/A | Windows 7, Windows 2008 R2 | N/A | Sysmon64.exe -i -l / Sysmon64.exe -c -l / <DriverLoad onmatch="exclude"> | No auditing | No auditing | ||||||||||||||||||
3 | File monitoring | drive raw access | process | raw_access_read | drive | 9 | The RawAccessRead event detects when a process conducts reading operations from the drive using the \\.\ denotation | Microsoft-Windows-Sysmon | Microsoft-windows-sysmon/operational | Drive Access | Raw Access Read | Windows 7, Windows 2008 R2 | N/A | <RawAccessRead onmatch="exclude" /> | No auditing | No auditing | ||||||||||||||||||
4 | File monitoring | file creation | process | created | file | 11 | File create operations are logged when a file is created or overwritten. | Microsoft-Windows-Sysmon | Microsoft-windows-sysmon/operational | File Monitoring | File Created | Windows 7, Windows 2008 R2 | N/A | <FileCreate onmatch="exclude" /> | No auditing | No auditing | ||||||||||||||||||
5 | File monitoring | file timestamp modification | process | modified | file | 2 | A process changed a file creation time | Microsoft-Windows-Sysmon | Microsoft-windows-sysmon/operational | File Creation Time Changed | File Creation Time Changed | Windows 7, Windows 2008 R2 | N/A | Sysmon64.exe -i -l / <FileCreateTime onmatch="exclude" /> | No auditing | No auditing | ||||||||||||||||||
6 | File monitoring | file modification | process | modified | file | 11 | File create operations are logged when a file is created or overwritten. | Microsoft-Windows-Sysmon | Microsoft-windows-sysmon/operational | File Monitoring | File Modified | Windows 7, Windows 2008 R2 | N/A | <FileCreate onmatch="exclude" /> | No auditing | No auditing | ||||||||||||||||||
7 | File monitoring | file modification | process | renamed | file | 11 | File create operations are logged when a file is created or overwritten. | Microsoft-Windows-Sysmon | Microsoft-windows-sysmon/operational | File Monitoring | File Renamed | Windows 7, Windows 2008 R2 | N/A | <FileCreate onmatch="exclude" /> | No auditing | No auditing | ||||||||||||||||||
8 | File monitoring | file download | process | downloaded | file | 11 | File create operations are logged when a file is created or overwritten. | Microsoft-Windows-Sysmon | Microsoft-windows-sysmon/operational | File Monitoring | File Downloaded | Windows 7, Windows 2008 R2 | N/A | <FileCreate onmatch="exclude" /> | No auditing | No auditing | ||||||||||||||||||
9 | File monitoring | file access | user | accessed | file | 5145 | A network share object was checked to see whether client can be granted desired access | Microsoft-Windows-Security-Auditing | Security | Audit Object Access | Audit Detailed File Share | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Logon | auditpol.exe /set /subcategory:"Detailed File Share" /success:enable | No auditing | No auditing | ||||||||||||||||||
10 | File monitoring | file access request | user | requested_a_handle | file | 4656 | A handle to an object was requested. | Microsoft-Windows-Security-Auditing | Security | Audit Object Access | Audit File System | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Handle Manipulation | auditpol.exe /set /subcategory:"File System" /success:enable | No auditing | No auditing | ||||||||||||||||||
11 | File monitoring | file deletion request | user | requested_a_handle | file | 4656 | A handle to an object was requested. | Microsoft-Windows-Security-Auditing | Security | Audit Object Access | Audit File System | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Handle Manipulation | auditpol.exe /set /subcategory:"File System" /success:enable | No auditing | No auditing | ||||||||||||||||||
12 | File monitoring | file access | user | accessed | file | 4663 | An attempt was made to access an object. | Microsoft-Windows-Security-Auditing | Security | Audit Object Access | Audit File System | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Handle Manipulation | auditpol.exe /set /subcategory:"File System" /success:enable | No auditing | No auditing | ||||||||||||||||||
13 | File monitoring | file deletion | user | deleted | file | 4663 | An attempt was made to access an object. | Microsoft-Windows-Security-Auditing | Security | Audit Object Access | Audit File System | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Handle Manipulation | auditpol.exe /set /subcategory:"File System" /success:enable | No auditing | No auditing | ||||||||||||||||||
14 | File monitoring | file permissions change | user | changed_permissions | file | 4670 | Permissions on an object were changed. | Microsoft-Windows-Security-Auditing | Security | Audit Object Access | Audit File System | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Handle Manipulation | auditpol.exe /set /subcategory:"File System" /success:enable | No auditing | No auditing | ||||||||||||||||||
15 | Loaded DLLs | module load | process | loaded | module | 7 | The image loaded event logs when a module is loaded in a specific process. | Microsoft-Windows-Sysmon | Microsoft-windows-sysmon/operational | Image Loaded | Module loaded in Process | Windows 7, Windows 2008 R2 | N/A | <ImageLoad onmatch="exclude" /> | No auditing | No auditing | ||||||||||||||||||
16 | Named Pipes | win pipe creation | process | created | pipe | 17 | This event generates when a named pipe is created. | Microsoft-Windows-Sysmon | Microsoft-windows-sysmon/operational | Pipe Creation | N/A | Windows 7, Windows 2008 R2 | N/A | <TargetFilename onmatch="exclude" /> | No auditing | No auditing | ||||||||||||||||||
17 | Named Pipes | win pipe connection | process | connected_to | pipe | 18 | This event logs when a named pipe connection is made between a client and a server. | Microsoft-Windows-Sysmon | Microsoft-windows-sysmon/operational | Pipe Connection | N/A | Windows 7, Windows 2008 R2 | N/A | <TargetFilename onmatch="exclude" /> | No auditing | No auditing | ||||||||||||||||||
18 | Process monitoring | process creation | process | created | process | 4688 | A new process has been created | Microsoft-Windows-Security-Auditing | Security | Audit Detailed Tracking | Audit Process Creation | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process Creation | auditpol.exe /set /subcategory:"Process Creation" /success:enable | No auditing | No auditing | ||||||||||||||||||
19 | Process monitoring | process creation | process | created | process | 1 | Process creation | Microsoft-Windows-Sysmon | Microsoft-windows-sysmon/operational | Process Creation | N/A | Windows 7, Windows 2008 R2 | N/A | Sysmon64.exe -i / Sysmon64.exe -i -l / Sysmon64.exe -c -l / <ProcessCreate onmatch="exclude"/> | No auditing | No auditing | ||||||||||||||||||
20 | Process monitoring | process termination | user | terminated | process | 4689 | A process has exited | Microsoft-Windows-Security-Auditing | Security | Audit Detailed Tracking | Audit Process Termination | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process Termination | auditpol.exe /set /subcategory:"Process Termination" /success:enable | No auditing | No auditing | ||||||||||||||||||
21 | Process monitoring | process termination | process | terminated | | 5 | The process terminate event reports when a process terminates. | Microsoft-Windows-Sysmon | Microsoft-windows-sysmon/operational | Process Termination | N/A | Windows 7, Windows 2008 R2 | N/A | Sysmon64.exe -i / Sysmon64.exe -i -l / Sysmon64.exe -c -l / <ProcessTerminate onmatch="exclude" /> | No auditing | No auditing | ||||||||||||||||||
22 | Process monitoring | process write to process | process | wrote_to | process | 8 | The CreateRemoteThread event detects when a process creates a thread in another process. | Microsoft-Windows-Sysmon | Microsoft-windows-sysmon/operational | Process Write to Process | CreateRemoteThread | Windows 7, Windows 2008 R2 | N/A | <CreateRemoteThread onmatch="exclude" /> | No auditing | No auditing | ||||||||||||||||||
23 | Process monitoring | process access | process | opened | process | 10 | The process accessed event reports when a process opens another process. | Microsoft-Windows-Sysmon | Microsoft-windows-sysmon/operational | Process Access | Process Opens Another Process | Windows 7, Windows 2008 R2 | N/A | <ProcessAccess onmatch="exclude" /> | No auditing | No auditing | ||||||||||||||||||
24 | Process use of network | process network connection allow | process | connected_to | ip | 3 | The network connection event logs TCP/UDP connections on the machine. | Microsoft-Windows-Sysmon | Microsoft-windows-sysmon/operational | Process Network Connection | Process Connected To IP | Windows 7, Windows 2008 R2 | N/A | Sysmon64.exe -i -n / Sysmon64.exe -c -n / <NetworkConnect onmatch="exclude" /> | No auditing | No auditing | ||||||||||||||||||
25 | Process use of network | process network connection allow | process | connected_to | host | 3 | The network connection event logs TCP/UDP connections on the machine. | Microsoft-Windows-Sysmon | Microsoft-windows-sysmon/operational | Process Network Connection | Process Connected To Host | Windows 7, Windows 2008 R2 | N/A | Sysmon64.exe -i -n / Sysmon64.exe -c -n / <NetworkConnect onmatch="exclude" /> | No auditing | No auditing | ||||||||||||||||||
26 | Process use of network | process network connection allow | user | connected_to | host | 3 | The network connection event logs TCP/UDP connections on the machine. | Microsoft-Windows-Sysmon | Microsoft-windows-sysmon/operational | Process Network Connection | User Connected To Host | Windows 7, Windows 2008 R2 | N/A | Sysmon64.exe -i -n / Sysmon64.exe -c -n / <NetworkConnect onmatch="exclude" /> | No auditing | No auditing | ||||||||||||||||||
27 | Process use of network | process network connection allow | user | connected_to | ip | 3 | The network connection event logs TCP/UDP connections on the machine. | Microsoft-Windows-Sysmon | Microsoft-windows-sysmon/operational | Process Network Connection | User Connected To IP | Windows 7, Windows 2008 R2 | N/A | Sysmon64.exe -i -n / Sysmon64.exe -c -n / <NetworkConnect onmatch="exclude" /> | No auditing | No auditing | ||||||||||||||||||
28 | Process use of network | process network service connection block | host | blocked_service_connection_to | process | 5031 | The Windows Firewall Service blocked an application from accepting incoming connections on the network. | Microsoft-Windows-Security-Auditing | Security | Audit Object Access | Audit Filtering Platform Connection | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Filtering Platform Connection | auditpol.exe /set /subcategory:"Filtering Platform Connection" /success:enable | No auditing | No auditing | ||||||||||||||||||
29 | Process use of network | process network listener allow | host | permitted_listener_on | process | 5154 | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. | Microsoft-Windows-Security-Auditing | Security | Audit Object Access | Audit Filtering Platform Connection | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Filtering Platform Connection | auditpol.exe /set /subcategory:"Filtering Platform Connection" /success:enable | No auditing | No auditing | ||||||||||||||||||
30 | Process use of network | process network listener block | host | blocked_listener_on | process | 5155 | The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. | Microsoft-Windows-Security-Auditing | Security | Audit Object Access | Audit Filtering Platform Connection | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Filtering Platform Connection | auditpol.exe /set /subcategory:"Filtering Platform Connection" /success:enable | No auditing | No auditing | ||||||||||||||||||
31 | Process use of network | process network connection allow | host | permitted_inbound_connection_on | process | 5156 | The Windows Filtering Platform has permitted a connection. | Microsoft-Windows-Security-Auditing | Security | Audit Object Access | Audit Filtering Platform Connection | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Filtering Platform Connection | auditpol.exe /set /subcategory:"Filtering Platform Connection" /success:enable | No auditing | No auditing | ||||||||||||||||||
32 | Process use of network | process network connection allow | process | connected_from | ip | 5156 | The Windows Filtering Platform has permitted a connection. | Microsoft-Windows-Security-Auditing | Security | Audit Object Access | Audit Filtering Platform Connection | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Filtering Platform Connection | auditpol.exe /set /subcategory:"Filtering Platform Connection" /success:enable | No auditing | No auditing | ||||||||||||||||||
33 | Process use of network | process network connection allow | host | permitted_outbound_connection_on | process | 5156 | The Windows Filtering Platform has permitted a connection. | Microsoft-Windows-Security-Auditing | Security | Audit Object Access | Audit Filtering Platform Connection | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Filtering Platform Connection | auditpol.exe /set /subcategory:"Filtering Platform Connection" /success:enable | No auditing | No auditing | ||||||||||||||||||
34 | Process use of network | process network connection allow | process | connected_to | ip | 5156 | The Windows Filtering Platform has permitted a connection. | Microsoft-Windows-Security-Auditing | Security | Audit Object Access | Audit Filtering Platform Connection | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Filtering Platform Connection | auditpol.exe /set /subcategory:"Filtering Platform Connection" /success:enable | No auditing | No auditing | ||||||||||||||||||
35 | Process use of network | process network connection block | host | blocked_inbound_connection_on | process | 5157 | The Windows Filtering Platform has blocked a connection. | Microsoft-Windows-Security-Auditing | Security | Audit Object Access | Audit Filtering Platform Connection | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Filtering Platform Connection | auditpol.exe /set /subcategory:"Filtering Platform Connection" /success:enable | No auditing | No auditing | ||||||||||||||||||
36 | Process use of network | process network connection block | host | blocked_outbound_connection_on | process | 5157 | The Windows Filtering Platform has blocked a connection. | Microsoft-Windows-Security-Auditing | Security | Audit Object Access | Audit Filtering Platform Connection | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Filtering Platform Connection | auditpol.exe /set /subcategory:"Filtering Platform Connection" /success:enable | No auditing | No auditing | ||||||||||||||||||
37 | Process use of network | process network local port bind allow | host | permitted_local_port_bind_on | process | 5158 | The Windows Filtering Platform has permitted a bind to a local port. | Microsoft-Windows-Security-Auditing | Security | Audit Object Access | Audit Filtering Platform Connection | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Filtering Platform Connection | auditpol.exe /set /subcategory:"Filtering Platform Connection" /success:enable | No auditing | No auditing | ||||||||||||||||||
38 | Process use of network | process network local port bind allow | process | bound_to | port | 5158 | The Windows Filtering Platform has permitted a bind to a local port. | Microsoft-Windows-Security-Auditing | Security | Audit Object Access | Audit Filtering Platform Connection | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Filtering Platform Connection | auditpol.exe /set /subcategory:"Filtering Platform Connection" /success:enable | No auditing | No auditing | ||||||||||||||||||
39 | Process use of network | process network local port bind blocked | host | blocked_local_port_bind_on | process | 5159 | The Windows Filtering Platform has blocked a bind to a local port. | Microsoft-Windows-Security-Auditing | Security | Audit Object Access | Audit Filtering Platform Connection | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Filtering Platform Connection | auditpol.exe /set /subcategory:"Filtering Platform Connection" /success:enable | No auditing | No auditing | ||||||||||||||||||
40 | Windows event logs | kerberos TGT request | user | requested | ticket granting ticket | 4768 | A Kerberos authentication ticket (TGT) was requested | Microsoft-Windows-Security-Auditing | Security | Audit Account Logon | Audit Kerberos Authentication Service | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Logon -> Audit Kerberos Authentication Service | auditpol.exe /set /subcategory:"Kerberos Authentication Service" /success:enable | No auditing | Success | ||||||||||||||||||
41 | Windows event logs | kerberos service ticket request | user | requested | service ticket | 4769 | A Kerberos service ticket was requested | Microsoft-Windows-Security-Auditing | Security | Audit Account Logon | Audit Kerberos Service Ticket Operations | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Logon -> Audit Kerberos Service Ticket Operations | auditpol.exe /set /subcategory:"Kerberos Service Ticket Operations" /success:enable | No auditing | Success | ||||||||||||||||||
42 | Windows event logs | kerberos service ticket renewal | user | renewed | service ticket | 4770 | A Kerberos service ticket was renewed | Microsoft-Windows-Security-Auditing | Security | Audit Account Logon | Audit Kerberos Service Ticket Operations | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Logon -> Audit Kerberos Service Ticket Operations | auditpol.exe /set /subcategory:"Kerberos Service Ticket Operations" /success:enable | No auditing | Success | ||||||||||||||||||
43 | Windows event logs | kerberos service ticket failure | user | requested | service ticket | 4773 | A Kerberos service ticket request failed | Microsoft-Windows-Security-Auditing | Security | Audit Account Logon | Audit Kerberos Service Ticket Operations | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Logon -> Audit Kerberos Service Ticket Operations | auditpol.exe /set /subcategory:"Kerberos Service Ticket Operations" /success:enable | Success | Success | ||||||||||||||||||
44 | Windows event logs | user rdp session | user | disconnected_from | host | 4779 | A session was disconnected from a Window Station | Microsoft-Windows-Security-Auditing | Security | Audit Account Logon | Audit Other Logon/Logoff Events | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Other Logon/Logoff Events | auditpol.exe /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable | No auditing | No auditing | ||||||||||||||||||
45 | Windows event logs | user rdp session | user | connected_to | host | 4778 | A session was reconnected to a Window Station | Microsoft-Windows-Security-Auditing | Security | Audit Account Logon | Audit Other Logon/Logoff Events | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Other Logon/Logoff Events | auditpol.exe /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable | No auditing | No auditing | ||||||||||||||||||
46 | Windows event logs | user lock operation | user | locked | host | 4800 | The workstation was locked | Microsoft-Windows-Security-Auditing | Security | Audit Account Logon | Audit Other Logon/Logoff Events | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Other Logon/Logoff Events | auditpol.exe /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable | No auditing | No auditing | ||||||||||||||||||
47 | Windows event logs | user unlock operation | user | unlocked | host | 4801 | The workstation was unlocked | Microsoft-Windows-Security-Auditing | Security | Audit Account Logon | Audit Other Logon/Logoff Events | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Other Logon/Logoff Events | auditpol.exe /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable | No auditing | No auditing | ||||||||||||||||||
48 | Windows event logs | computer account creation | user | created | computer | 4741 | A computer account was created | Microsoft-Windows-Security-Auditing | Security | Audit Account Management | Audit Computer Account Management | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit Computer Account Management | auditpol.exe /set /subcategory:"Computer Account Management" /success:enable /failure:enable | No auditing | Success | ||||||||||||||||||
49 | Windows event logs | computer account change | user | changed | computer | 4742 | A computer account was changed | Microsoft-Windows-Security-Auditing | Security | Audit Account Management | Audit Computer Account Management | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit Computer Account Management | auditpol.exe /set /subcategory:"Computer Account Management" /success:enable /failure:enable | No auditing | Success | ||||||||||||||||||
50 | Windows event logs | computer account deletion | user | deleted | computer | 4743 | A computer account was deleted | Microsoft-Windows-Security-Auditing | Security | Audit Account Management | Audit Computer Account Management | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit Computer Account Management | auditpol.exe /set /subcategory:"Computer Account Management" /success:enable /failure:enable | No auditing | Success | ||||||||||||||||||
51 | Windows event logs | distribution group creation | user | created | group | 4749 | A security-disabled global group was created | Microsoft-Windows-Security-Auditing | Security | Audit Account Management | Audit Distribution Group Management | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit Distribution Group Management | auditpol.exe /set /subcategory:"Distribution Group Management" /success:enable /failure:enable | No auditing | No auditing | ||||||||||||||||||
52 | Windows event logs | distribution group change | user | changed | group | 4750 | A security-disabled global group was changed | Microsoft-Windows-Security-Auditing | Security | Audit Account Management | Audit Distribution Group Management | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit Distribution Group Management | auditpol.exe /set /subcategory:"Distribution Group Management" /success:enable /failure:enable | No auditing | No auditing | ||||||||||||||||||
53 | Windows event logs | distribution group member addition | user | added | user | 4751 | A member was added to a security-disabled global group | Microsoft-Windows-Security-Auditing | Security | Audit Account Management | Audit Distribution Group Management | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit Distribution Group Management | auditpol.exe /set /subcategory:"Distribution Group Management" /success:enable /failure:enable | No auditing | No auditing | ||||||||||||||||||
54 | Windows event logs | distribution group member removal | user | removed | user | 4752 | A member was removed from a security-disabled global group | Microsoft-Windows-Security-Auditing | Security | Audit Account Management | Audit Distribution Group Management | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit Distribution Group Management | auditpol.exe /set /subcategory:"Distribution Group Management" /success:enable /failure:enable | No auditing | No auditing | ||||||||||||||||||
55 | Windows event logs | distribution group deletion | user | deleted | group | 4753 | A security-disabled global group was deleted | Microsoft-Windows-Security-Auditing | Security | Audit Account Management | Audit Distribution Group Management | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit Distribution Group Management | auditpol.exe /set /subcategory:"Distribution Group Management" /success:enable /failure:enable | No auditing | No auditing | ||||||||||||||||||
56 | Windows event logs | security group creation | user | created | group | 4731 | A security-enabled local group was created | Microsoft-Windows-Security-Auditing | Security | Audit Account Management | Audit Security Group Management | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit Security Group Management | auditpol.exe /set /subcategory:"Security Group Management" /success:enable /failure:enable | Success | Success | ||||||||||||||||||
57 | Windows event logs | security group member addition | user | added | user | 4732 | A member was added to a security-enabled local group. | Microsoft-Windows-Security-Auditing | Security | Audit Account Management | Audit Security Group Management | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit Security Group Management | auditpol.exe /set /subcategory:"Security Group Management" /success:enable /failure:enable | Success | Success | ||||||||||||||||||
58 | Windows event logs | security group member removal | user | removed | user | 4733 | A member was removed from a security-enabled local group. | Microsoft-Windows-Security-Auditing | Security | Audit Account Management | Audit Security Group Management | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit Security Group Management | auditpol.exe /set /subcategory:"Security Group Management" /success:enable /failure:enable | Success | Success | ||||||||||||||||||
59 | Windows event logs | security group deletion | user | deleted | group | 4734 | A security-enabled local group was deleted. | Microsoft-Windows-Security-Auditing | Security | Audit Account Management | Audit Security Group Management | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit Security Group Management | auditpol.exe /set /subcategory:"Security Group Management" /success:enable /failure:enable | Success | Success | ||||||||||||||||||
60 | Windows event logs | security group change | user | changed | group | 4735 | A security-enabled local group was changed. | Microsoft-Windows-Security-Auditing | Security | Audit Account Management | Audit Security Group Management | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit Security Group Management | auditpol.exe /set /subcategory:"Security Group Management" /success:enable /failure:enable | Success | Success | ||||||||||||||||||
61 | Windows event logs | security group type change | user | changed_type | group | 4764 | A group’s type was changed | Microsoft-Windows-Security-Auditing | Security | Audit Account Management | Audit Security Group Management | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit Security Group Management | auditpol.exe /set /subcategory:"Security Group Management" /success:enable /failure:enable | Success | Success | ||||||||||||||||||
62 | Windows event logs | security group enumeration | user | enumerated | group members | 4799 | A security-enabled local group membership was enumerated | Microsoft-Windows-Security-Auditing | Security | Audit Account Management | Audit Security Group Management | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit Security Group Management | auditpol.exe /set /subcategory:"Security Group Management" /success:enable /failure:enable | Success | Success | ||||||||||||||||||
63 | Windows event logs | user account creation | user | created | user | 4720 | A user account was created. | Microsoft-Windows-Security-Auditing | Security | Audit Account Management | Audit User Account Management | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management | auditpol.exe /set /subcategory:"User Account Management" /success:enable /failure:enable | Success | Success | ||||||||||||||||||
64 | Windows event logs | user account enable | user | enabled | user | 4722 | A user account was enabled. | Microsoft-Windows-Security-Auditing | Security | Audit Account Management | Audit User Account Management | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management | auditpol.exe /set /subcategory:"User Account Management" /success:enable /failure:enable | Success | Success | ||||||||||||||||||
65 | Windows event logs | user account password change | user | changed_password | user | 4723 | An attempt was made to change an account's password. | Microsoft-Windows-Security-Auditing | Security | Audit Account Management | Audit User Account Management | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management | auditpol.exe /set /subcategory:"User Account Management" /success:enable /failure:enable | Success | Success | ||||||||||||||||||
66 | Windows event logs | user account password reset | user | reset_password | user | 4724 | An attempt was made to reset an account's password. | Microsoft-Windows-Security-Auditing | Security | Audit Account Management | Audit User Account Management | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management | auditpol.exe /set /subcategory:"User Account Management" /success:enable /failure:enable | Success | Success | ||||||||||||||||||
67 | Windows event logs | user account disable | user | disabled | user | 4725 | A user account was disabled. | Microsoft-Windows-Security-Auditing | Security | Audit Account Management | Audit User Account Management | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management | auditpol.exe /set /subcategory:"User Account Management" /success:enable /failure:enable | Success | Success | ||||||||||||||||||
68 | Windows event logs | user account deletion | user | deleted | user | 4726 | A user account was deleted. | Microsoft-Windows-Security-Auditing | Security | Audit Account Management | Audit User Account Management | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management | auditpol.exe /set /subcategory:"User Account Management" /success:enable /failure:enable | Success | Success | ||||||||||||||||||
69 | Windows event logs | user account change | user | changed | user | 4738 | A user account was changed. | Microsoft-Windows-Security-Auditing | Security | Audit Account Management | Audit User Account Management | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management | auditpol.exe /set /subcategory:"User Account Management" /success:enable /failure:enable | Success | Success | ||||||||||||||||||
70 | Windows event logs | user account lock | user | locked | user | 4740 | A user account was locked out. | Microsoft-Windows-Security-Auditing | Security | Audit Account Management | Audit User Account Management | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management | auditpol.exe /set /subcategory:"User Account Management" /success:enable /failure:enable | Success | Success | ||||||||||||||||||
71 | Windows event logs | user account unlock | user | unlocked | user | 4767 | A user account was unlocked. | Microsoft-Windows-Security-Auditing | Security | Audit Account Management | Audit User Account Management | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management | auditpol.exe /set /subcategory:"User Account Management" /success:enable /failure:enable | Success | Success | ||||||||||||||||||
72 | Windows event logs | user account name change | user | changed_name | user | 4781 | The name of an account was changed: | Microsoft-Windows-Security-Auditing | Security | Audit Account Management | Audit User Account Management | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management | auditpol.exe /set /subcategory:"User Account Management" /success:enable /failure:enable | No auditing | Success | ||||||||||||||||||
73 | Windows event logs | user account group enumeration | user | enumerated | user | 4798 | A user's local group membership was enumerated. | Microsoft-Windows-Security-Auditing | Security | Audit Account Management | Audit User Account Management | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management | auditpol.exe /set /subcategory:"User Account Management" /success:enable /failure:enable | Success | Success | ||||||||||||||||||
74 | Windows event logs | user account group enumeration | user | enumerated | group | 4799 | A security-enabled local group membership was enumerated | Microsoft-Windows-Security-Auditing | Security | Audit Account Management | Audit Security Group Management | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management | auditpol.exe /set /subcategory:"Security Group Management" /success:enable /failure:enable | Success | Success | ||||||||||||||||||
75 | Windows event logs | directory service object access | user | accessed | ad object | 4662 | An operation was performed on an object | Microsoft-Windows-Security-Auditing | Security | Audit DS Access | Audit Directory Service Access | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Directory Service Access | auditpol.exe /set /subcategory:"Directory Service Access" /success:enable /failure:enable | No auditing | Success | ||||||||||||||||||
76 | Windows event logs | directory service object handle request | user | requested_a_handle | ad object | 4661 | A handle to an object was requested | Microsoft-Windows-Security-Auditing | Security | Audit DS Access | Audit Directory Service Access | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Directory Service Access | auditpol.exe /set /subcategory:"Directory Service Access" /success:enable /failure:enable | No auditing | Success | ||||||||||||||||||
77 | Windows event logs | directory service object modification | user | modified | ad object | 5136 | A directory service object was modified | Microsoft-Windows-Security-Auditing | Security | Audit DS Access | Audit Directory Service Changes | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Directory Service Access | auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable /failure:enable | No auditing | No auditing | ||||||||||||||||||
78 | Windows event logs | directory service object creation | user | created | ad object | 5137 | A directory service object was created | Microsoft-Windows-Security-Auditing | Security | Audit DS Access | Audit Directory Service Changes | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Directory Service Access | auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable /failure:enable | No auditing | No auditing | ||||||||||||||||||
79 | Windows event logs | directory service object restoration | user | restored | ad object | 5138 | A directory service object was undeleted | Microsoft-Windows-Security-Auditing | Security | Audit DS Access | Audit Directory Service Changes | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Directory Service Access | auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable /failure:enable | No auditing | No auditing | ||||||||||||||||||
80 | Windows event logs | directory service object move | user | moved | ad object | 5139 | A directory service object was moved | Microsoft-Windows-Security-Auditing | Security | Audit DS Access | Audit Directory Service Changes | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Directory Service Access | auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable /failure:enable | No auditing | No auditing | ||||||||||||||||||
81 | Windows event logs | directory service object deletion | user | deleted | ad object | 5141 | A directory service object was deleted | Microsoft-Windows-Security-Auditing | Security | Audit DS Access | Audit Directory Service Changes | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Directory Service Access | auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable /failure:enable | No auditing | No auditing | ||||||||||||||||||
82 | Windows event logs | user account lockout | user | failed | host | 4625 | An account failed to log on | Microsoft-Windows-Security-Auditing | Security | Audit Logon/Logoff | Audit Account Lockout | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Account Lockout | auditpol.exe /set /subcategory:"Account Lockout" /success:enable | Success | Success | ||||||||||||||||||
83 | Windows event logs | network share access | user | accessed | network share | 5140 | A network share object was accessed. | Microsoft-Windows-Security-Auditing | Security | Audit Object Access | Audit File Share | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File Share | auditpol.exe /set /subcategory:"File Share" /success:enable | No auditing | No auditing | ||||||||||||||||||
84 | Windows event logs | network share addition | user | added | network share | 5142 | A network share object was added. | Microsoft-Windows-Security-Auditing | Security | Audit Object Access | Audit File Share | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File Share | auditpol.exe /set /subcategory:"File Share" /success:enable | No auditing | No auditing | ||||||||||||||||||
85 | Windows event logs | network share modification | user | modified | network share | 5143 | A network share object was modified. | Microsoft-Windows-Security-Auditing | Security | Audit Object Access | Audit File Share | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File Share | auditpol.exe /set /subcategory:"File Share" /success:enable | No auditing | No auditing | ||||||||||||||||||
86 | Windows event logs | network share deletion | user | deleted | network share | 5144 | A network share object was deleted. | Microsoft-Windows-Security-Auditing | Security | Audit Object Access | Audit File Share | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File Share | auditpol.exe /set /subcategory:"File Share" /success:enable | No auditing | No auditing | ||||||||||||||||||
87 | Windows event logs | win registry access request | process | requested_a_handle | win registry key | 4656 | A handle to an object was requested. | Microsoft-Windows-Security-Auditing | Security | Audit Object Access | Audit Registry | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Handle Manipulation | auditpol.exe /set /subcategory:"Registry" /success:enable | No auditing | No auditing | ||||||||||||||||||
88 | Windows event logs | win registry access request | user | requested_a_handle | win registry key | 4656 | A handle to an object was requested. | Microsoft-Windows-Security-Auditing | Security | Audit Object Access | Audit Registry | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Handle Manipulation | auditpol.exe /set /subcategory:"Registry" /success:enable | No auditing | No auditing | ||||||||||||||||||
89 | Windows event logs | win registry deletion request | process | requested_a_handle | win registry key | 4656 | A handle to an object was requested. | Microsoft-Windows-Security-Auditing | Security | Audit Object Access | Audit Registry | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Handle Manipulation | auditpol.exe /set /subcategory:"Registry" /success:enable | No auditing | No auditing | ||||||||||||||||||
90 | Windows event logs | win registry deletion request | user | requested_a_handle | win registry key | 4656 | A handle to an object was requested. | Microsoft-Windows-Security-Auditing | Security | Audit Object Access | Audit Registry | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Handle Manipulation | auditpol.exe /set /subcategory:"Registry" /success:enable | No auditing | No auditing | ||||||||||||||||||
91 | Windows event logs | symbolic link creation | user | created | symbolic link | 4664 | An attempt was made to create a hard link. | Microsoft-Windows-Security-Auditing | Security | Audit Object Access | Audit File System | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Handle Manipulation | auditpol.exe /set /subcategory:"File System" /success:enable | No auditing | No auditing | ||||||||||||||||||
92 | Windows event logs | scheduled task creation | user | created | scheduled task | 4698 | A scheduled task was created. | Microsoft-Windows-Security-Auditing | Security | Audit Object Access | Audit Other Object Access Events | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Other Object Access Events | auditpol.exe /set /subcategory:"Other Object Access Events" /success:enable | No auditing | No auditing | ||||||||||||||||||
93 | Windows event logs | scheduled task deletion | user | deleted | scheduled task | 4699 | A scheduled task was deleted. | Microsoft-Windows-Security-Auditing | Security | Audit Object Access | Audit Other Object Access Events | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Other Object Access Events | auditpol.exe /set /subcategory:"Other Object Access Events" /success:enable | No auditing | No auditing | ||||||||||||||||||
94 | Windows event logs | scheduled task enable | user | enabled | scheduled task | 4700 | A scheduled task was enabled. | Microsoft-Windows-Security-Auditing | Security | Audit Object Access | Audit Other Object Access Events | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Other Object Access Events | auditpol.exe /set /subcategory:"Other Object Access Events" /success:enable | No auditing | No auditing | ||||||||||||||||||
95 | Windows event logs | scheduled task disable | user | disabled | scheduled task | 4701 | A scheduled task was disabled. | Microsoft-Windows-Security-Auditing | Security | Audit Object Access | Audit Other Object Access Events | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Other Object Access Events | auditpol.exe /set /subcategory:"Other Object Access Events" /success:enable | No auditing | No auditing | ||||||||||||||||||
96 | Windows event logs | scheduled task update | user | updated | scheduled task | 4702 | A scheduled task was updated. | Microsoft-Windows-Security-Auditing | Security | Audit Object Access | Audit Other Object Access Events | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Other Object Access Events | auditpol.exe /set /subcategory:"Other Object Access Events" /success:enable | No auditing | No auditing | ||||||||||||||||||
97 | Windows event logs | win registry key deletion | process | deleted | | 4660 | An object was deleted | Microsoft-Windows-Security-Auditing | Security | Audit Object Access | Audit Registry | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Registry | auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | No auditing | No auditing | ||||||||||||||||||
98 | File monitoring | file deletion | process | deleted | | 4660 | An object was deleted | Microsoft-Windows-Security-Auditing | Security | Audit Object Access | Audit File System | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit File System | auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | No auditing | No auditing | ||||||||||||||||||
99 | Windows event logs | win registry key access | process | accessed | win registry key | 4663 | An attempt was made to access an object. | Microsoft-Windows-Security-Auditing | Security | Audit Object Access | Audit Registry | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Registry | auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | No auditing | No auditing | ||||||||||||||||||
100 | Windows event logs | win registry key access | user | accessed | win registry key | 4663 | An attempt was made to access an object. | Microsoft-Windows-Security-Auditing | Security | Audit Object Access | Audit Registry | Windows Vista, Windows 2008 | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Registry | auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | No auditing | No auditing |