Windows Security Log Events by ID


Event ID: 618
Title: Encrypted Data Recovery Policy Changed
Type: Success
OS: Windows 2000, XP, Windows 2003
Category: Policy Change

Example:

Encrypted Data Recovery Policy Changed:
Changed By:
User Name:W3DC$
Domain Name:ELM
Logon ID:(0x0,0x3E7)
Changes made:
('--' means no changes, otherwise each change is shown as:
<ParameterName>: <new value> (<old value>))
PolEfDat: <binary data> (none);

Randy's Comments:

This event gets logged when EFS data recovery agent information is changed. User name will usually correspond to the local computer's name because EFS is controlled through group policy. To find out who changed EFS policy you must determine who changed the relevant group policy object.

The encrypted data recovery agent policy is defined in group policy objects under Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypted File System.
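
Added example, not part of the original page: a Python sketch that parses the event 618 description shown above and separates the usual case described in the comments (a computer account applying group policy under the SYSTEM logon ID 0x3E7) from any other actor. The function names, the triage labels, and the second sample event are assumptions constructed for illustration.

```python
import re

# Event description exactly as shown in the example on this page.
SAMPLE_618 = """Encrypted Data Recovery Policy Changed:
Changed By:
User Name:W3DC$
Domain Name:ELM
Logon ID:(0x0,0x3E7)
Changes made:
('--' means no changes, otherwise each change is shown as:
<ParameterName>: <new value> (<old value>))
PolEfDat: <binary data> (none);
"""

# Constructed variant: the same event attributed to a named user account.
CONSTRUCTED_USER_618 = SAMPLE_618.replace("W3DC$", "jsmith").replace("0x3E7", "0x5A1C2")

FIELD = re.compile(r"^(User Name|Domain Name|Logon ID):\s*(.*)$")
CHANGE = re.compile(r"^(\w+):\s*(.+?)\s*\((.*)\);?\s*$")  # Name: new (old);
SYSTEM_LOGON_ID = "(0x0,0x3E7)"  # well-known LocalSystem logon session


def parse_618(text):
    """Return the 'Changed By' fields plus changes as {param: (new, old)}."""
    event, in_changes = {"changes": {}}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Changes made:"):
            in_changes = True
        elif not in_changes and (m := FIELD.match(line)):
            event[m.group(1)] = m.group(2).strip()
        elif in_changes and (m := CHANGE.match(line)):
            # The two legend lines start with "(" or "<", so they never match.
            event["changes"][m.group(1)] = (m.group(2), m.group(3))
    return event


def triage_618(event):
    """Assumed triage rule: machine account + SYSTEM session is the usual case."""
    machine = event.get("User Name", "").endswith("$")
    system = event.get("Logon ID", "").upper() == SYSTEM_LOGON_ID.upper()
    if machine and system:
        return "gpo-applied: check who changed the relevant group policy object"
    return "unexpected-actor: %s\\%s, review that logon session" % (
        event.get("Domain Name", "?"), event.get("User Name", "?"))


if __name__ == "__main__":
    for sample in (SAMPLE_618, CONSTRUCTED_USER_618):
        print(triage_618(parse_618(sample)))
```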
