bjornk Posted May 3, 2017

Could you post your audit policy output using the following command please (along with the version of Windows you use)? I need that as a reference.

1. Go to Start Menu and type CMD, right-click and select "Run as Administrator"
2. Run the following command:

    auditpol /get /category:"Logon/Logoff"

Here's my output on Windows 7 Home Premium:

    System audit policy
    Category/Subcategory                      Setting
    Logon/Logoff
      Logon                                   Success and Failure
      Logoff                                  Success and Failure
      Account Lockout                         Success and Failure
      IPsec Main Mode                         Success and Failure
      IPsec Quick Mode                        Success and Failure
      IPsec Extended Mode                     Success and Failure
      Special Logon                           Success and Failure
      Other Logon/Logoff Events               Success and Failure
      Network Policy Server                   Success and Failure

Here's the output of Windows 7 & 8 Professional (which is probably the default):

    System audit policy
    Category/Subcategory                      Setting
    Logon/Logoff
      Logon                                   Success
      Logoff                                  Success
      Account Lockout                         Success
      IPsec Main Mode                         No Auditing
      IPsec Quick Mode                        No Auditing
      IPsec Extended Mode                     No Auditing
      Special Logon                           Success
      Other Logon/Logoff Events               No Auditing
      Network Policy Server                   Success and Failure

The lists above simply show whether or not your system keeps track of certain Logon/Logoff activities. "No Auditing" means none of these events are being monitored, "Success" means only successful events are monitored (same for "Failure"), "Success and Failure" means both are being monitored.

The reason I need this is because I've been seeing 4802 & 4803 event pairs (screensaver invoked and dismissed) since I changed the screensaver a few days ago. They show up every time when the screensaver triggers (which I never saw before) and it seems a bit weird as neither of the other two Windows I have has that.
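An added example, not part of the original post: a small parser for `auditpol /get` output that diffs the two policies posted above and reports, per subcategory, which outcomes one machine audits that the other does not. It assumes English-locale setting strings; the function names and the column spacing of the sample text are constructed for illustration.

```python
import re
# English-locale setting strings; localized builds print different text.
SETTINGS = ("Success and Failure", "Success", "Failure", "No Auditing")
ROW = re.compile(r"^\s+(\S.*?)\s{2,}(%s)\s*$" % "|".join(SETTINGS))

def parse_auditpol(text):
    """Return {subcategory: setting}; header and category lines are skipped."""
    return {m[1]: m[2] for m in map(ROW.match, text.splitlines()) if m}

def covers(setting):  # outcomes a setting audits: subset of Success/Failure
    return {o for o in ("Success", "Failure") if o in setting}

def diff_policy(baseline, observed):
    """(subcategory, outcomes gained, outcomes lost) where settings differ."""
    rows = []
    for sub in sorted(set(baseline) | set(observed)):
        b, o = baseline.get(sub, "No Auditing"), observed.get(sub, "No Auditing")
        if b != o:
            rows.append((sub, sorted(covers(o) - covers(b)), sorted(covers(b) - covers(o))))
    return rows

# Values are the two outputs posted above; column spacing is reconstructed.
PRO_DEFAULT = """System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   Success
  Logoff                                  Success
  Account Lockout                         Success
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           Success
  Other Logon/Logoff Events               No Auditing
  Network Policy Server                   Success and Failure
"""
HOME_PREMIUM = """System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success and Failure
  Account Lockout                         Success and Failure
  IPsec Main Mode                         Success and Failure
  IPsec Quick Mode                        Success and Failure
  IPsec Extended Mode                     Success and Failure
  Special Logon                           Success and Failure
  Other Logon/Logoff Events               Success and Failure
  Network Policy Server                   Success and Failure
"""
print(*diff_policy(parse_auditpol(PRO_DEFAULT), parse_auditpol(HOME_PREMIUM)), sep="\n")
```

In the resulting diff, Other Logon/Logoff Events is the subcategory under which Microsoft documents events 4802 and 4803.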
windpl Posted May 3, 2017

Mine are the same as default. win7

    System audit policy
    Category/Subcategory                      Setting
    Logon/Logoff
      Logon                                   Success
      Logoff                                  Success
      Account Lockout                         Success
      IPsec Main Mode                         No Auditing
      IPsec Quick Mode                        No Auditing
      IPsec Extended Mode                     No Auditing
      Special Logon                           Success
      Other Logon/Logoff Events               No Auditing
      Network Policy Server                   Success and Failure

Raw

    Systemowe zasady inspekcji
    Kategoria/podkategoria                    Ustawienie
    Logowanie/wylogowywanie
      Logowanie                               Sukces
      Wylogowanie                             Sukces
      Blokada konta                           Sukces
      Tryb główny protokołu IPsec             Brak inspekcji
      Tryb szybki protokołu IPsec             Brak inspekcji
      Tryb rozszerzony protokołu IPsec        Brak inspekcji
      Logowanie specjalne                     Sukces
      Inne zdarzenia logowania/wylogowywania  Brak inspekcji
      Serwer zasad sieciowych                 Sukces i niepowodzenie
bjornk Posted May 3, 2017

Thanks a lot. I don't know why I've been seeing these two events since a few days ago, but there are two possibilities I can think of, either my audit policy settings have changed recently (which isn't very likely) or my screensaver has never worked before and now works (which is also weird). But if the setting tells the system to audit the screensaver events then this should be the expected behavior, I mean, you are indeed supposed to see the events 4802 & 4803 when auditing is enabled, but damn, I've never seen them before... Bet this also has something to do with goddamn Chrome...