Windows Security Log Event ID 618

Operating Systems Windows Server 2000
Windows 2003 and XP
CategoryPolicy Change
Type Success
Corresponding events
in Windows 2008
and Vista
4714  

618: Encrypted Data Recovery Policy Changed

On this page

This event gets logged when EFS data recovery agent information is changed. User name will usually correspond to the local computer's name because EFS is controlled through group policy. To find out who changed EFS policy you must determine who changed the relevant group policy object.

The encrypted data recovery agent policy is defined in group policy objects under Computer Configuratoin\Windows Settings\Securirty Settings\Public Key Policies\Encrypted File System.

Free Security Log Resources by Randy

Description Fields in 618

  • Encrypted Data Recovery Policy Changed:
  • Changed By:
    • User Name: %1
    • Domain Name: %2
    • Logon ID: %3
  • Changes made:('--' means no changes, otherwise each change is shown as: <ParameterName>: <new value> (<old value>)) %4

Supercharger Free Edition


Centrally manage WEC subscriptions.

Free.

 

Examples of 618

Encrypted Data Recovery Policy Changed:
Changed By:
  User Name:W3DC$
  Domain Name:ELM
  Logon ID:(0x0,0x3E7)
Changes made:
('--' means no changes, otherwise each change is shown as:

: ( )) PolEfDat: (none);

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

 

Upcoming Webinars
    Additional Resources

      Go To Event ID:

      Security Log
      Quick Reference
      Chart
      Download now!