Windows Security Log Event ID 618

618: Encrypted Data Recovery Policy Changed

On this page

• Description of this event
• Field level details
• Examples
• Mini-seminars on this event

This event gets logged when EFS data recovery agent information is changed. User name will usually correspond to the local computer's name because EFS is controlled through group policy. To find out who changed EFS policy you must determine who changed the relevant group policy object.

The encrypted data recovery agent policy is defined in group policy objects under Computer Configuratoin\Windows Settings\Securirty Settings\Public Key Policies\Encrypted File System.

Free Security Log Resources by Randy

• Free Security Log Quick Reference Chart
• Windows Event Collection: Supercharger Free Edtion
• Free Active Directory Change Auditing Solution
• Free Course: Security Log Secrets

Description Fields in 618

• Encrypted Data Recovery Policy Changed:
• Changed By:
  • User Name: %1
  • Domain Name: %2
  • Logon ID: %3
• Changes made:('--' means no changes, otherwise each change is shown as: <ParameterName>: <new value> (<old value>)) %4

Setup PowerShell Audit Log Forwarding in 4 Minutes

 

 

Upcoming Webinars Unpacking a Linux Supply Chain Compromise Using the Recently Published XZ Utils Backdoor as the Example Assessing the Security of Your Active Directory: User Accounts Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

•	Event IDs
•	All Event IDs
•	Audit Policy