
I need your Windows audit policy output


bjornk


Could you post your audit policy output using the following command please (along with the version of Windows you use)? I need that as a reference.
 
1. Go to Start Menu and type CMD, right-click and select "Run as Administrator"
2. Run the following command: auditpol /get /category:"Logon/Logoff"
 
Here's my output on Windows 7 Home Premium:
 

System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success and Failure
  Account Lockout                         Success and Failure
  IPsec Main Mode                         Success and Failure
  IPsec Quick Mode                        Success and Failure
  IPsec Extended Mode                     Success and Failure
  Special Logon                           Success and Failure
  Other Logon/Logoff Events               Success and Failure
  Network Policy Server                   Success and Failure

 
Here's the output of Windows 7 & 8 Professional (which is probably the default):
 

System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   Success
  Logoff                                  Success
  Account Lockout                         Success
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           Success
  Other Logon/Logoff Events               No Auditing
  Network Policy Server                   Success and Failure

The lists above simply show whether or not your system keeps track of certain Logon/Logoff activities. "No Auditing" means none of these events are being monitored, "Success" means only successful events are monitored (same for "Failure"), "Success and Failure" means both are being monitored.

 

The reason I need this is because I've been seeing 4802 & 4803 event pairs (screensaver invoked and dismissed) since I changed the screensaver a few days ago. They show up every time the screensaver triggers (which I never saw before) and it seems a bit weird as neither of the other two Windows I have has that.

 

 

Link to comment

Mine are the same as default. Win7


System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   Success
  Logoff                                  Success
  Account Lockout                         Success
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           Success
  Other Logon/Logoff Events               No Auditing
  Network Policy Server                   Success and Failure

Raw

 

 


Systemowe zasady inspekcji
Kategoria/podkategoria                    Ustawienie
Logowanie/wylogowywanie
  Logowanie                               Sukces
  Wylogowanie                             Sukces
  Blokada konta                           Sukces
  Tryb główny protokołu IPsec             Brak inspekcji
  Tryb szybki protokołu IPsec             Brak inspekcji
  Tryb rozszerzony protokołu IPsec        Brak inspekcji
  Logowanie specjalne                     Sukces
  Inne zdarzenia logowania/wylogowywania  Brak inspekcji
  Serwer zasad sieciowych                 Sukces i niepowodzenie

 

 

 

Link to comment

Thanks a lot. I don't know why I've been seeing these two events since a few days ago, but there are two possibilities I can think of: either my audit policy settings have changed recently (which isn't very likely) or my screensaver has never worked before and now works (which is also weird). But if the setting tells the system to audit the screensaver events then this should be the expected behavior, I mean, you are indeed supposed to see the events 4802 & 4803 when auditing is enabled, but damn, I've never seen them before... Bet this also has something to do with goddamn Chrome... :dodgy:

Link to comment
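An added example, not part of any post in this thread: a Python sketch that parses two pasted `auditpol /get /category:"Logon/Logoff"` outputs and reports where one machine audits more than a baseline. The two sample outputs are the English ones from the first post; the function names are illustrative, and localized output (such as the Polish paste above) would need its own setting strings.

```python
import re
# Both outputs are copied from the first post in this thread (English-locale auditpol).
HOME_PREMIUM = """\
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success and Failure
  Account Lockout                         Success and Failure
  IPsec Main Mode                         Success and Failure
  IPsec Quick Mode                        Success and Failure
  IPsec Extended Mode                     Success and Failure
  Special Logon                           Success and Failure
  Other Logon/Logoff Events               Success and Failure
  Network Policy Server                   Success and Failure
"""
PROFESSIONAL = """\
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   Success
  Logoff                                  Success
  Account Lockout                         Success
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           Success
  Other Logon/Logoff Events               No Auditing
  Network Policy Server                   Success and Failure
"""

def parse_auditpol(text):
    """Map each indented '<name>  <setting>' row to the set of outcomes it audits."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"\s+(\S.*?)\s{2,}(\S.*?)\s*$", line)  # headers are not indented
        if m:
            name, setting = m.groups()
            policy[name] = set() if setting == "No Auditing" else set(setting.split(" and "))
    return policy

def extra_auditing(baseline, observed):
    """Subcategories where `observed` audits outcomes that `baseline` does not."""
    return {n: e for n, o in observed.items() if (e := o - baseline.get(n, set()))}

if __name__ == "__main__":
    for name, added in extra_auditing(parse_auditpol(PROFESSIONAL), parse_auditpol(HOME_PREMIUM)).items():
        print(f"{name}: also audits {', '.join(sorted(added))}")
```

Events 4802 and 4803 are logged under the "Other Logon/Logoff Events" subcategory, so that row of the diff is the one that separates a machine that records screensaver events from one that does not.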

Archived

This topic is now archived and is closed to further replies.
