Change audit policy through the Registry
I'm not sure if the Home edition has auditpol.exe, but if it does, this command will enable success and failure auditing for all logon-related activity:
auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
If you really want to whack the Registry, you can take advantage of that excellent document you found. (The Microsoft one is outdated - it's for Windows NT, which didn't have audit subcategories.) You'll first need system-level access to the Registry. It looks like you've already accomplished that, but for everyone else, it can be done with PsExec:
psexec -s -i regedit
(That creates an instance of the Registry Editor running as SYSTEM.) As you've done, open the default value of HKLM\SECURITY\Policy\PolAdtEv. The second page of the document gives the locations that control each subcategory. For instance, Logon starts at the 22nd byte, or, in hex (used by the Registry Editor's sidebar), 16. In this screenshot, I've highlighted the part that controls Logon:
These are all 16-bit (two-byte) values. 00 00 means no auditing, 01 00 means success auditing, 02 00 means failure auditing, and 03 00 means all auditing.
So, if you wanted to audit Logon and Logoff successes, you would replace the data starting at location 0x16 with 01 00 01 00. In the above screenshot, I turned on all auditing for those. If you want the entire Logon/Logoff category, you'll need nine 01 00s because there are nine subcategories.
You'll need to reboot to have the changes take effect.
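The byte layout described in the answer above, as an added example that is not part of the original answer: a Python sketch that decodes and patches the nine Logon/Logoff slots in a copy of the PolAdtEv default value. It assumes little-endian 16-bit slots (as the 01 00 notation implies), uses a constructed sample blob, and ORs the new flag in rather than overwriting so an existing failure setting survives; only the first two slots are named on the page (Logon, Logoff), so the rest are addressed by index.

```python
import struct

LOGON_OFFSET = 0x16          # from the answer: Logon starts at byte 22
LOGON_LOGOFF_COUNT = 9       # from the answer: nine subcategories in the category
SUCCESS, FAILURE = 0x1, 0x2  # 01 00 = success, 02 00 = failure, 03 00 = both
LABELS = {0: "none", 1: "success", 2: "failure", 3: "success+failure"}


def _check(blob):
    """Reject a blob too short to hold all nine slots; return the end offset."""
    end = LOGON_OFFSET + 2 * LOGON_LOGOFF_COUNT
    if len(blob) < end:
        raise ValueError(f"blob is {len(blob)} bytes, need at least {end}")
    return end


def read_logon_logoff(blob):
    """Return the nine 16-bit settings starting at 0x16 (little-endian assumed)."""
    _check(blob)
    return list(struct.unpack_from(f"<{LOGON_LOGOFF_COUNT}H", blob, LOGON_OFFSET))


def enable(blob, flags, first=0, count=LOGON_LOGOFF_COUNT):
    """OR `flags` into `count` slots from slot `first`; other bytes are untouched."""
    _check(blob)
    if first < 0 or count < 0 or first + count > LOGON_LOGOFF_COUNT:
        raise ValueError("slot range is outside the Logon/Logoff category")
    out = bytearray(blob)
    for slot in range(first, first + count):
        pos = LOGON_OFFSET + 2 * slot
        (old,) = struct.unpack_from("<H", out, pos)
        struct.pack_into("<H", out, pos, old | flags)
    return bytes(out)


def describe(blob):
    """Human-readable setting per slot; unexpected values are flagged, not hidden."""
    return [LABELS.get(v, f"unknown({v:#06x})") for v in read_logon_logoff(blob)]


def hex_at_logon(blob):
    """The 18 bytes from 0x16, spaced like the Registry Editor hex pane."""
    end = _check(blob)
    return blob[LOGON_OFFSET:end].hex(" ").upper()


# Constructed sample, not a real export: zero filler, slot 1 (Logoff) set to failure.
SAMPLE = bytes(LOGON_OFFSET) + bytes.fromhex("0000 0200" + "0000" * 7) + bytes(8)

if __name__ == "__main__":
    patched = enable(SAMPLE, SUCCESS, first=0, count=2)  # Logon and Logoff successes
    print(describe(SAMPLE), describe(patched), hex_at_logon(patched), sep="\n")
```

The functions only transform bytes; writing the result back still needs the SYSTEM-level Registry Editor and the reboot described above.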
grmbl
Updated on September 18, 2022
Comments
-
grmbl over 1 year
I'm developing an application to read audit event log entries. But I'm stuck on my home notebook with Windows 10 Home and I can't start gpedit.msc or secpol.msc. Thus I have to enable logon audit events through the Registry. I came up with this location: HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv
These are the resources I've found:
- How To Determine Audit Policies from the Registry
- Audit Other Logon/Logoff Events
- Audit Policy Registry Format
This is my current setting:
How should I change the setting to have logon successes logged to the Event Log?
-
DavidPostill about 8 years
"But I'm stuck on my home notebook with Windows 10 Home because I can't start gpedit.msc" - not true see my Q&A Windows Starter Edition, Home and Home Premium do not include gpedit, how do I install it?
-
DavidPostill about 8 years
See also another answer of mine Can not set audit policy settings in windows 8.1, no matter what I do which shows with screenshots how to set the audit policy for logon.
-
grmbl about 8 years
Strange that the tool is hosted on deviantart.. And I'm not sure if the tool (supposedly for windows xp) will not break my registry setting... So I'll wait for a more trustful answer.
-
DavidPostill about 8 years
<shrug> It has been tested on Windows 10 by a high rep user Moab and confirmed as working.
-
DavidPostill about 8 years
Read also comments on askvg.com/… (the source link). Lots of confirmations that it works.
-
grmbl about 8 years
I know I might sound a bit paranoid but the source is not trustworthy IMO no matter what I stay clear from unofficial patches.. Thanks anyway
-
Konrads almost 4 years
This tool looks incredibly handy for making sense of those values kazamiya.net/en/PolAdtEvParser
-
browly about 4 years
The auditpol command worked fine on Windows 10 Home for me.
-
galaxis over 3 years
FYI, above link is broken: all I could find is what appears to be Rev2 ver: kazamiya.net/files/PolAdtEv_Structure_en_rev2.pdf