Change audit policy through the Registry


I'm not sure if the Home edition has auditpol.exe, but if it does, this command will enable success and failure auditing for all logon-related activity:

auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable

If you really want to whack the Registry, you can take advantage of that excellent document you found. (The Microsoft one is outdated - it's for Windows NT, which didn't have audit subcategories.) You'll first need system-level access to the Registry. It looks like you've already accomplished that, but for everyone else, it can be done with PsExec:

psexec -s -i regedit

(That creates an instance of the Registry Editor running as SYSTEM.) As you've done, open the default value of HKLM\SECURITY\Policy\PolAdtEv. The second page of the document gives the locations that control each subcategory. For instance, Logon starts at the 22nd byte, or, in hex (used by the Registry Editor's sidebar), 16. In this screenshot, I've highlighted the part that controls Logon:

[Screenshot: the Logon control]

These are all 16-bit (two-byte) values. 00 00 means no auditing, 01 00 means success auditing, 02 00 means failure auditing, and 03 00 means all auditing.

So, if you wanted to audit Logon and Logoff successes, you would replace the data starting at location 0x16 with 01 00 01 00. In the above screenshot, I turned on all auditing for those. If you want the entire Logon/Logoff category, you'll need nine 01 00s because there are nine subcategories.

You'll need to reboot to have the changes take effect.
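As an added example (not part of the answer above, and not a Microsoft tool), the following Python decodes and patches the Logon/Logoff region of a PolAdtEv blob using only what the answer states: the category starts at offset 0x16 (22), it holds nine little-endian 16-bit words, and 0/1/2/3 mean none/success/failure/both. The subcategory names other than Logon (index 0) and Logoff (index 1) are not given on the page, so the code refers to the rest by index. It works on bytes you have already read out of the value (for instance as SYSTEM, per the answer); the sample blob is constructed here and the header bytes before 0x16 are filler, not a real layout.

```python
import struct

# Per the answer: the Logon/Logoff category starts at byte 0x16 of the
# PolAdtEv default value and contains nine two-byte (16-bit LE) entries.
LOGON_LOGOFF_OFFSET = 0x16
LOGON_LOGOFF_COUNT = 9

# Flag meanings from the answer. Only the first two subcategory names are
# given on the page; the remaining seven are referred to by index.
AUDIT_FLAGS = {0: "none", 1: "success", 2: "failure", 3: "success+failure"}
SUBCATEGORY_NAMES = {0: "Logon", 1: "Logoff"}


def decode_category(blob, offset=LOGON_LOGOFF_OFFSET, count=LOGON_LOGOFF_COUNT):
    """Return the audit setting of each subcategory as a list of strings.

    Raises ValueError on a blob that is too short or that carries a flag
    outside 0..3, so a truncated or unexpected value is not misread silently.
    """
    end = offset + 2 * count
    if len(blob) < end:
        raise ValueError(f"value is {len(blob)} bytes, need at least {end}")
    words = struct.unpack_from(f"<{count}H", blob, offset)
    unknown = [w for w in words if w not in AUDIT_FLAGS]
    if unknown:
        raise ValueError(f"unexpected audit flag(s) in value: {unknown}")
    return [AUDIT_FLAGS[w] for w in words]


def describe_category(blob):
    """Map index (and name, where the page gives one) to its setting."""
    return {
        f"{i} ({SUBCATEGORY_NAMES.get(i, 'subcategory')})": setting
        for i, setting in enumerate(decode_category(blob))
    }


def set_subcategories(blob, settings, offset=LOGON_LOGOFF_OFFSET, count=LOGON_LOGOFF_COUNT):
    """Return a copy of blob with the given {index: flag} entries rewritten.

    Every byte outside the requested two-byte slots is left untouched, which
    is the property you want before writing the result back with regedit.
    """
    buf = bytearray(blob)
    for idx, flag in settings.items():
        if not 0 <= idx < count:
            raise IndexError(f"subcategory index {idx} outside 0..{count - 1}")
        if flag not in AUDIT_FLAGS:
            raise ValueError(f"flag {flag} is not one of {sorted(AUDIT_FLAGS)}")
        struct.pack_into("<H", buf, offset + 2 * idx, flag)
    return bytes(buf)


def logon_success_audited(blob):
    """Quick check: will successful logons (index 0) produce audit events?"""
    return decode_category(blob)[0] in ("success", "success+failure")


def hex_region(blob, offset=LOGON_LOGOFF_OFFSET, count=LOGON_LOGOFF_COUNT):
    """Render the category bytes the way the Registry Editor pane shows them."""
    region = blob[offset:offset + 2 * count]
    return " ".join(f"{b:02x}" for b in region)


# Constructed sample: 0x16 filler bytes standing in for whatever precedes the
# category (layout not on the page), nine 00 00 words (no auditing), then a
# few trailing bytes so we can confirm they survive a patch unchanged.
SAMPLE_NO_AUDIT = bytes(range(LOGON_LOGOFF_OFFSET)) + b"\x00\x00" * LOGON_LOGOFF_COUNT + b"\xee" * 4


if __name__ == "__main__":
    print("before:", hex_region(SAMPLE_NO_AUDIT))
    # The answer's recipe: 01 00 01 00 at 0x16 audits Logon and Logoff successes.
    patched = set_subcategories(SAMPLE_NO_AUDIT, {0: 1, 1: 1})
    print("after: ", hex_region(patched))
    print(describe_category(patched))
```

Running it prints the nine-word region before and after the patch; compare the "after" line with the highlighted bytes in the screenshot to see the correspondence. The decoder refuses flags outside 0..3 rather than guessing, since an unexpected word usually means the offset or the assumed layout is wrong for that machine.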


Author: grmbl

Updated on September 18, 2022

Comments

  • grmbl
    grmbl over 1 year

    I'm developing an application to read audit event log entries. But I'm stuck on my home notebook with Windows 10 Home and I can't start gpedit.msc or secpol.msc. Thus I have to enable logon audit events through the Registry. I came up with this location:

    HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv

    These are the resources I've found:

    This is my current setting:

    [Screenshot: contents of that Registry value]

    How should I change the setting to have logon successes logged to the Event Log?

    • DavidPostill
      DavidPostill about 8 years
      "But I'm stuck on my home notebook with Windows 10 Home because I can't start gpedit.msc" - not true, see my Q&A Windows Starter Edition, Home and Home Premium do not include gpedit, how do I install it?
    • DavidPostill
      DavidPostill about 8 years
      See also another answer of mine Can not set audit policy settings in windows 8.1, no matter what I do which shows with screenshots how to set the audit policy for logon.
    • grmbl
      grmbl about 8 years
      Strange that the tool is hosted on deviantart.. And I'm not sure if the tool (supposedly for windows xp) will not break my registry setting... So I'll wait for a more trustful answer.
    • DavidPostill
      DavidPostill about 8 years
      <shrug> It has been tested on Windows 10 by a high rep user Moab and confirmed as working.
    • DavidPostill
      DavidPostill about 8 years
      Read also comments on askvg.com/… (the source link). Lots of confirmations that it works.
    • grmbl
      grmbl about 8 years
      I know I might sound a bit paranoid, but the source is not trustworthy IMO. No matter what, I stay clear of unofficial patches. Thanks anyway.
    • Konrads
      Konrads almost 4 years
      This tool looks incredibly handy for making sense of those values kazamiya.net/en/PolAdtEvParser
  • browly
    browly about 4 years
    The auditpol command worked fine on Windows 10 Home for me.
  • galaxis
    galaxis over 3 years
    FYI, above link is broken: all I could find is what appears to be Rev2 ver: kazamiya.net/files/PolAdtEv_Structure_en_rev2.pdf