In tip 1915, we determined the Windows NT 4.0 Audit Policy.

Windows 2000 stores the Audit Policy at:

HKEY_LOCAL_MACHINE\Security\Policy\Poladtev

Administrators do not have access to this key, but the SYSTEM account does.

Use the Task Scheduler, running in the SYSTEM context, tip 3215, to export the Audit Policy settings to a <Folder_Path>\FileName.reg file:

AT [\\ComputerName] HH:MM CMD /c "regedit /a <Folder_Path\FileName.reg> HKEY_LOCAL_MACHINE\Security\Policy\Poladtev"

The <Folder_Path\FileName.reg> file contains an entry similar to:

[HKEY_LOCAL_MACHINE\Security\Policy\Poladtev]
@=hex(0):ZZ,ii,ii,00,AA,00,00,00,BB,00,00,00,CC,00,00,00,DD,00,00,00,EE,00,00,00,FF,00,00,00,GG,00,00,00,HH,00,00,00,II,00,00,00,ii,00,00,00


<b>ii</b>      Ignore these values.

<b>ZZ</b>      01 indicates auditing is enabled, 00 means disabled.

<b>AA</b>       Audit System Events
<b>BB</b>       Audit Logon Events
<b>CC</b>       Audit Object Access
<b>DD</b>       Audit Privilege Use
<b>EE</b>       Audit Process Tracking
<b>FF</b>       Audit Policy Change
<b>GG</b>       Audit Account Management
<b>HH</b>       Audit Directory Service Access
<b>II</b>       Audit Account Logon Events

If the value of any of the <b>AA</b> through <b>II</b> bytes is 01, success auditing is enabled for that category.
If the value is 02, failure auditing is enabled.
If the value is 03, both success and failure auditing are enabled.
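The exported .reg file can be decoded with a short script that follows the byte layout described above. The Python below is an added example, not part of the original tip; the REGEDIT4 sample it parses is constructed (auditing enabled, logon success and failure, object-access failure, policy-change success) and mimics regedit's backslash line wrapping.

```python
import re

# Category order as laid out in the PolAdtEv value (AA .. II in the tip).
CATEGORIES = [
    "System Events", "Logon Events", "Object Access", "Privilege Use",
    "Process Tracking", "Policy Change", "Account Management",
    "Directory Service Access", "Account Logon Events",
]

# Meaning of each per-category byte, as the tip describes it.
SETTING = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success and Failure"}

# Constructed sample export (not a real machine's policy).
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Security\Policy\Poladtev]
@=hex(0):01,00,00,00,00,00,00,00,03,00,00,00,02,00,00,00,00,00,00,00,00,00,00,\
  00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,09,00,00,00
"""


def reg_hex_to_bytes(reg_text):
    """Return the bytes of the '@=hex(0):' default value in a .reg export.

    regedit wraps long hex data with a trailing backslash, so continuation
    lines are joined before the comma-separated hex pairs are parsed.
    """
    collecting, parts = False, []
    for line in reg_text.splitlines():
        line = line.strip()
        if not collecting:
            if not line.startswith("@=hex(0):"):
                continue
            line, collecting = line[len("@=hex(0):"):], True
        parts.append(line.rstrip("\\"))
        if not line.endswith("\\"):
            break
    if not collecting:
        raise ValueError("no @=hex(0): entry found")
    joined = re.sub(r"\s+", "", "".join(parts))
    return bytes(int(h, 16) for h in joined.split(",") if h)


def decode_poladtev(data):
    """Return (auditing_enabled, {category: setting}) from the raw value."""
    if len(data) < 4 + 4 * len(CATEGORIES):
        raise ValueError("PolAdtEv value too short: %d bytes" % len(data))
    enabled = data[0] == 1                     # ZZ byte
    policy = {}
    for i, name in enumerate(CATEGORIES):      # one DWORD per category
        code = data[4 + 4 * i]
        policy[name] = SETTING.get(code, "Unknown (0x%02x)" % code)
    return enabled, policy
```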