How To Determine Audit Policies from the Registry (246120)

MORE INFORMATION

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

For troubleshooting purposes, it may be useful to be able to determine the audit policy on a computer without using User Manager. This information is stored in the registry under: NOTE: Administrators do not have access to this information by default. You must change the permissions on the registry keys.

This location contains a string of numbers, with the following format:

Value	Meaning
A	Restart, Shutdown, System
B	Logons and Logoffs
C	File and Object Access
D	Use of User Rights
E	Process Tracking
F	Security Policy Management
G	User and Group Management
Z	Determines if the policy is enabled or disabled.

If any of the values (A,B,C,D,E,F,G) are set to 1, success auditing is enabled on those areas.

If any of the values (A,B,C,D,E,F,G) are set to 2, failure auditing is enabled on those areas.

If any of the values (A,B,C,D,E,F,G) are set to 3, both success and failures are audited on those areas.

If the value of Z is 1, the policy is enabled; if it is 0, auditing is disabled.

NOTE: You can have an audit policy (such as Audit Successful and Failed Logon Attempts), but have it disabled. You may also have an enabled audit policy that audits nothing.

Examples:

Everything is Audited: Nothing is audited (but auditing is enabled):