First you must turn on auditing.
Use Control Panel / Services to Stop the Schedule service. Configure Startup to use the System account and check the Allow Service to Interact with Desktop checkbox. Start the Schedule service.
At a CMD prompt, type:
at HH:MM /interactive "regedt32.exe"
where HH:MM is 2 minutes from now. Close the CMD window.
Regedt32 will open at HH:MM, running under the System context.
Select the HKEY_LOCAL_MACHINE\SAM key.
On the Security menu, click Auditing.
Click the Add button.
Click Show Users.
Add any users or groups (plus SYSTEM, Domain Admins, and Backup Operators) that have the following user rights:
- Take ownership of files or other objects - Back up files and directories - Manage auditing and security log - Restore files and directories - Add workstations to domain - Replace a process level tokenand click OK.
Check Audit Permission on Existing Subkeys.
Check the Success and Failure checkboxes for:
- Query Value - Set Value - Write DAC - Read Controland click OK.
If you want to audit other registry related security events, you may perform the above procedure on the SECURITY key.
If you altered the Startup of the Schedule service, you may wish to revert to your previous settings.
The above procedure will cause any successful or failed access to password information to be logged in the Security Even log. Don't forget to periodically review the log.