Auditing settings on object were changed
On this page
When you change the audit SACL of an object, such as a file or folder, Windows logs this event. In the example below, Administrator configured a new audit policy on C:\Users\Administrator\testfolder.
The user and logon session that performed the action.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
This is the object whose audit policy was changed.
- Object Server: always "Security"
- Object Type: "File" for file or folder but can be other types of objects such as Key, SAM, SERVICE OBJECT, etc.
- Object Name: The name of the object being accessed
- Handle ID: is a semi-unique (unique between reboots) number that identifies all subsequent audited events while the object is open. Handle ID allows you to correlate to other events logged (Open 4656, Access 4663, Close 4658)
- Process ID: The process ID specified when the executable started as logged in 4688.
- Process Name: Identifies the program executable that accessed the object.
- Original Security Descriptor: blank if no audit policy configured. Otherwise the old audit policy (SACL) of the object in SDDL format (Security Descriptor Definition Language). See http://msdn2.microsoft.com/en-us/library/aa379567.aspx
- New Security Descriptor: The new audit policy (SACL) of the object in SDDL format (Security Descriptor Definition Language)
Top 10 Windows Security Events to Monitor
Auditing settings on object were changed.
Security ID: WIN-R9H529RIO4Y\Administrator
Account Name: Administrator
Account Domain: WIN-R9H529RIO4Y
Logon ID: 0x1fd23
Object Server: Security
Object Type: File
Object Name: C:\Users\Administrator\testfolder
Handle ID: 0x1d0
Process ID: 0x8c0
Process Name: C:\Windows\explorer.exe
Original Security Descriptor:
New Security Descriptor: S:ARAI (AU;OIIOSAFA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Keep me up-to-date on the Windows Security Log.
*We will NOT share this