Windows Security Log Event ID 612

Operating Systems: Windows Server 2000, Windows 2003 and XP
Category: Policy Change
Type: Success
Corresponding events in Windows 2008 and Vista: 4719

612: Audit Policy Change


This event indicates that the system's audit policy was modified. A plus indicates that auditing is enabled; a minus indicates it is disabled. Unfortunately, the Changed By fields don't always identify who actually changed the policy, because audit policy might not be configured directly by administrators. Instead, it might be edited in a group policy object, which then gets applied to the computer. In that case this event shows the local computer as the one that changed the policy, since the computer is the security principal under which gpupdate runs.

Different service packs of the OS handle this event differently. Windows XP SP2 may log this event every time the system starts up. Earlier implementations of Windows 2000 sometimes logged this event twice in quick succession every time the group policy was refreshed. In that case it indicated auditing was turned off and then back on. Thankfully these problems have now been resolved.


Description Fields in 612

Windows 2003: 

ID: 612 Description: Audit Policy Change:
New Policy:
 Success Failure
     %3     %4 Logon/Logoff
     %5     %6 Object Access
     %7     %8 Privilege Use
     %13    %14 Account Management
     %11    %12 Policy Change
     %1     %2 System
     %9     %10 Detailed Tracking
     %15    %16 Directory Service Access
     %17    %18 Account Logon
Changed By:
   User Name: %19
   Domain Name: %20
   Logon ID: %21


Examples of 612

Audit Policy Change:
 New Policy:
  Success Failure
      +     + Logon/Logoff
      +     + Object Access
      +     + Privilege Use
      +     + Account Management
      +     + Policy Change
      +     + System
      +     + Detailed Tracking
      +     + Directory Service Access
      +     + Account Logon

 Changed By:
    User Name: administrator
    Domain Name: ACME
    Logon ID: (0x0,0x3CF6B)

Changed by group policy:

Audit Policy Change:
 New Policy:
  Success Failure
      +     + Logon/Logoff
      +     + Object Access
      -     - Privilege Use
      +     + Account Management
      +     + Policy Change
      +     + System
      -     - Detailed Tracking
      -     - Directory Service Access
      +     + Account Logon

 Changed By:
  User Name: MS2-W2K$
  Domain Name: ACME
  Logon ID:  (0x0,0x3E7)
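
As an added example (not part of the original page), the Python below parses a 612 description in the layout shown above, lists the categories where neither success nor failure auditing remains enabled, and flags whether the change arrived via group policy. The function names are hypothetical, the sample text is constructed from the second example above, and the group-policy check assumes a computer account name ending in "$" together with the Local System logon ID 0x3E7.

```python
import re

# Constructed sample: a 612 description in the page's layout (group policy case).
SAMPLE = """Audit Policy Change:
 New Policy:
  Success Failure
      +     + Logon/Logoff
      +     + Object Access
      -     - Privilege Use
      +     + Account Management
      +     + Policy Change
      +     + System
      -     - Detailed Tracking
      -     - Directory Service Access
      +     + Account Logon

 Changed By:
  User Name: MS2-W2K$
  Domain Name: ACME
  Logon ID:  (0x0,0x3E7)
"""

# A policy row is "<+|-> <+|-> <category>"; the "Success Failure" header never matches.
POLICY_ROW = re.compile(r"^\s*([+-])\s+([+-])\s+(\S.*?)\s*$")
FIELD_ROW = re.compile(r"^\s*(User Name|Domain Name|Logon ID):\s*(.*?)\s*$")

def parse_612(description):
    """Return (policy, changed_by); policy maps category -> (success, failure)."""
    policy, changed_by = {}, {}
    for line in description.splitlines():
        m = POLICY_ROW.match(line)
        if m:
            policy[m.group(3)] = (m.group(1) == "+", m.group(2) == "+")
            continue
        m = FIELD_ROW.match(line)
        if m:
            changed_by[m.group(1)] = m.group(2)
    return policy, changed_by

def triage_612(description):
    """Summarise what a defender needs from one 612 event (hypothetical helper)."""
    policy, who = parse_612(description)
    # Categories left with no auditing at all are the ones worth alerting on.
    disabled = sorted(c for c, (s, f) in policy.items() if not (s or f))
    # Assumption: computer account ("$" suffix) + Local System logon ID 0x3E7 = GPO refresh.
    logon_id = who.get("Logon ID", "").strip("()").split(",")[-1].lower()
    via_gpo = who.get("User Name", "").endswith("$") and logon_id == "0x3e7"
    changed_by = who.get("Domain Name", "?") + "\\" + who.get("User Name", "?")
    return {"disabled": disabled, "via_group_policy": via_gpo, "changed_by": changed_by}
```

When `via_group_policy` is true, the Changed By fields name only the computer, so the person responsible has to be found by reviewing who edited the group policy object itself.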
