1. Log on with administrative authority.
  2. Start User Manager. Select Policies, Audit, and the Audit These Events check box.
  3. Choose the items to audit for Success or Failure--at a minimum, enable auditing logon and logoff attempts. Close the dialog box to enable basic system auditing.
  4. Open the Services applet in Control Panel, set the NT Scheduler service to run under the SYSTEM account, and start (or restart) the service.
  5. Open a DOS command window, and check the current system time.
  6. Add 1 or 2 minutes to the time (e.g., if it's 11:30, use 11:32), and issue the following command at the DOS prompt:
    at 11:32 /interactive "regedt32.exe"

    This command establishes a scheduled event that launches regedt32 on the desktop at 11:32 running under the security context of the SYSTEM account.

  7. Wait until 11:32, at which time NT Scheduler launches the Registry editor. At this point, you have access to the entire Registry, including the SAM database. Be careful when you edit the Registry; mistakes can render a system unbootable.
  8. Select HKEY_LOCAL_MACHINE, locate the SAM tree, and select it in the left pane.
  9. Choose Security, Auditing.
  10. In the Auditing dialog box, click Add, Show Users.
  11. Add the SYSTEM account, the Domain Admins group, all of your trusted administrator accounts, and any other account that has the following User Rights:
    • Take ownership of files or other objects
    • Back up files and directories
    • Manage auditing and security log
    • Restore files and directories
    • Add workstations to domain
    • Replace a process-level token
  12. Select the Audit Permission on Existing Subkeys check box.
  13. Select the Success and Failure check boxes for the following entries:
    • Query Value
    • Set Value
    • Write DAC
    • Read Control
  14. Click OK, Yes.
  15. Repeat steps 10 through 14 for the SECURITY key, if necessary. This step isn't required if you want to audit only the keys containing passwords.
  16. Exit the Registry editor.
  17. Stop NT Scheduler, and reconfigure the service account to run under the same account it was running under before step 4. If you don't use NT Scheduler, simply leave it stopped, or better yet, disabled.