When files are being backed up, Windows NT checks to ensure that the user performing the backup has the Back Up Files and Directories special right each time the backup program attempts to copy a file to the backup media. In the same way, Windows NT checks for the Restore Files and Directories right for each file that is being restored from backup media. Obviously, if Windows NT were to record an audit event each time those rights were invoked, thousands of events would be recorded during a routine backup. Because this would flood the security log with event records that most often would be of little value for maintaining system security, Windows NT does not normally record audit events for the use of these rights, even when success auditing of Use of User Rights is enabled in the system user rights policy.
To audit the use of these rights, use the Registry Editor to create or assign the following Registry key value:
Hive: HKEY_LOCAL_MACHINE\System
Key: \CurrentControlSet\Control\Lsa
Name: FullPrivilegeAuditing
Type: REG_BINARY
Value: 1
The changes take effect the next time the computer is started. You might want to update the Emergency Repair Disk to reflect these changes.
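The following is an added example, not part of the original text: a PowerShell check that the value exists with the REG_BINARY type and a first byte of 1, with an optional repair step. It assumes a Windows system with PowerShell available and an elevated session; the function names are hypothetical.

```powershell
# Added example (not from the original page). Function names are hypothetical.
$LsaPath   = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$ValueName = 'FullPrivilegeAuditing'

function Get-FullPrivilegeAuditingState {
    # Report whether the value exists, which registry type it has, and
    # whether it is effectively set to 1.
    $key = Get-Item -LiteralPath $LsaPath -ErrorAction Stop
    if ($key.GetValueNames() -notcontains $ValueName) {
        return [pscustomobject]@{ Present = $false; Kind = $null; Enabled = $false }
    }
    $kind = $key.GetValueKind($ValueName)
    $data = $key.GetValue($ValueName)
    # A REG_BINARY value is returned as a byte array; a value created with
    # another type (for example a DWORD) does not match the documented setting.
    $enabled = ($kind -eq [Microsoft.Win32.RegistryValueKind]::Binary) -and
               ($data.Length -ge 1) -and ($data[0] -eq 1)
    [pscustomobject]@{ Present = $true; Kind = $kind; Enabled = $enabled }
}

function Enable-FullPrivilegeAuditing {
    # -Force replaces an existing value, including one stored with the wrong type.
    New-ItemProperty -LiteralPath $LsaPath -Name $ValueName `
        -PropertyType Binary -Value ([byte[]]@(1)) -Force | Out-Null
}

$state = Get-FullPrivilegeAuditingState
if ($state.Enabled) {
    Write-Output "$ValueName is set to 1 (REG_BINARY)."
} else {
    Write-Output "$ValueName is not set as documented (Present=$($state.Present), Kind=$($state.Kind))."
    # Uncomment to apply the setting; it takes effect after the next restart.
    # Enable-FullPrivilegeAuditing
}
```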
Note
The use of the following rights is never audited, even when the FullPrivilegeAuditing Registry entry is set to 1. However, the assignment of these rights, during logon, is audited.