How To Determine Audit Policies from the Registry

ID: Q246120


The information in this article applies to:
  • Microsoft Windows NT Server version 4.0

IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.

SUMMARY

This article describes how to determine audit settings by checking the registry.


MORE INFORMATION

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT, you should also update your Emergency Repair Disk (ERD).

For troubleshooting purposes, it may be useful to determine the audit policy on a computer without using User Manager. The policy is stored in the registry in the unnamed (default) value of the following key:

HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv

NOTE: By default, the SECURITY hive is readable only by the SYSTEM account. Administrators cannot open or read this key until they change the permissions on it (Security menu, Permissions command in Regedt32.exe) to grant themselves read access. Restore the original permissions when you are finished: leaving the SECURITY hive readable by Administrators weakens the protection of the LSA policy database, which also holds account-policy and secrets information.

The value holds binary data, which Regedt32.exe displays as a string of hexadecimal digits. The data is a sequence of 4-byte DWORDs stored least-significant byte first, laid out as follows (each letter stands for the significant hex digit of one field):

0Z2114000A0000000B0000000C0000000D0000000E0000000F0000000G00000007000000

Z is the first byte of the first DWORD; the three bytes that follow it (21 14 00 in these examples) are padding and carry no policy information. Each of the next seven DWORDs (A through G) holds the setting for one audit category, and the final DWORD (07000000) is the number of category entries, 7 on Windows NT 4.0.

Value   Meaning
-----   -------
A       Restart, Shutdown, System
B       Logons and Logoffs
C       File and Object Access
D       Use of User Rights
E       Process Tracking
F       Security Policy Management
G       User and Group Management
Z       Whether auditing as a whole is enabled (1) or disabled (0)


Each of the category values (A through G) is interpreted as follows:

0   Nothing is audited for that area.
1   Success auditing is enabled for that area.
2   Failure auditing is enabled for that area.
3   Both success and failure auditing are enabled for that area.

If Z is 1, auditing is enabled. If Z is 0, auditing is disabled and no events are recorded, regardless of the category values.

NOTE: A computer can have an audit policy defined (for example, Audit Successful and Failed Logon Attempts) while auditing itself is disabled (Z = 0), and it can have auditing enabled (Z = 1) while every category is set to 0, so that nothing is audited. Check both Z and the category values before concluding what is being recorded.

Examples:

Everything is Audited:
012114000300000003000000030000000300000003000000030000000300000007000000
Nothing is audited (but auditing is enabled):
012114000000000000000000000000000000000000000000000000000000000007000000
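The following Python script decodes a PolAdtEv value, either the hex string as Regedt32.exe displays it or the raw bytes, into the enabled flag and the per-category settings described above, and reports what is actually recorded when Z = 0. It is an added example written for this article, not code from Microsoft or from any Windows tool. It reads the category count from the trailing DWORD rather than assuming 7, so that longer values from later Windows versions also decode; only the seven Windows NT 4.0 categories are named, and that generalization is an assumption beyond this article. The first two inputs are the article's examples; the third is a constructed sample.

```python
"""Decode the binary audit-policy value stored under
HKEY_LOCAL_MACHINE\\Security\\Policy\\PolAdtEv on Windows NT 4.0.

Added example for this article; not a Microsoft tool. The input is the hex
string that Regedt32.exe displays (or the raw bytes read from the value).
"""
import struct

# Category order within the value, as documented in the article (A..G).
CATEGORIES = (
    "Restart, Shutdown, System",
    "Logons and Logoffs",
    "File and Object Access",
    "Use of User Rights",
    "Process Tracking",
    "Security Policy Management",
    "User and Group Management",
)

# Per-category DWORD: 0 = nothing, 1 = success, 2 = failure, 3 = both.
OPTION_NAMES = {0: "Not audited", 1: "Success", 2: "Failure", 3: "Success and Failure"}

# The two examples from the article.
EVERYTHING_AUDITED = "012114000300000003000000030000000300000003000000030000000300000007000000"
NOTHING_AUDITED = "012114000000000000000000000000000000000000000000000000000000000007000000"
# Constructed sample (not from the article): logons set to success and failure,
# use of user rights set to failure, but Z = 0 so auditing is disabled.
POLICY_DISABLED = "002114000000000003000000000000000200000000000000000000000000000007000000"


def decode_poladtev(data: bytes) -> dict:
    """Decode the raw PolAdtEv bytes.

    Layout (multi-byte fields little-endian):
      byte 0         Z: 1 = auditing enabled, 0 = disabled
      bytes 1-3      padding, no policy information
      N x 4 bytes    one DWORD per audit category (A..G)
      last 4 bytes   N, the number of category entries (7 on NT 4.0)

    N is taken from the trailing DWORD instead of being hard-coded; that is an
    assumption beyond the article, which only covers the 7-category NT 4.0 form.
    """
    if len(data) < 8 or len(data) % 4:
        raise ValueError(f"PolAdtEv value has unexpected length {len(data)}")
    (count,) = struct.unpack_from("<I", data, len(data) - 4)
    if 4 + 4 * count + 4 != len(data):
        raise ValueError(f"trailing count {count} does not match length {len(data)}")
    options = struct.unpack_from(f"<{count}I", data, 4)
    categories = {}
    for index, option in enumerate(options):
        if index < len(CATEGORIES):
            name = CATEGORIES[index]
        else:
            name = f"Category {index} (not defined for Windows NT 4.0)"
        categories[name] = OPTION_NAMES.get(option, f"Unknown value 0x{option:X}")
    return {"enabled": data[0] == 1, "categories": categories}


def decode_poladtev_hex(hex_string: str) -> dict:
    """Decode the value as Regedt32.exe shows it: hex digits, optionally space-separated."""
    return decode_poladtev(bytes.fromhex(hex_string.replace(" ", "")))


def effective_auditing(policy: dict) -> dict:
    """What is actually recorded: when Z = 0 nothing is audited regardless of A..G."""
    if not policy["enabled"]:
        return {name: "Not audited (auditing disabled)" for name in policy["categories"]}
    return dict(policy["categories"])


def main() -> None:
    for label, value in (
        ("Everything audited", EVERYTHING_AUDITED),
        ("Nothing audited, auditing enabled", NOTHING_AUDITED),
        ("Policy set but auditing disabled", POLICY_DISABLED),
    ):
        policy = decode_poladtev_hex(value)
        print(f"{label}: enabled={policy['enabled']}")
        for category, setting in effective_auditing(policy).items():
            print(f"  {category:<28} {setting}")


if __name__ == "__main__":
    main()
```

Paste the hex digits exactly as Regedt32.exe shows them (spaces between bytes are accepted). The length check against the trailing count catches a value that was copied incompletely, which otherwise would silently shift every category by one.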

Additional query words:

Keywords : kbenv
Version : winnt:4.0
Platform : winnt
Issue type : kbhowto


Last Reviewed: December 2, 1999
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.