WinSecWiki > Security Settings > Local Policies > Audit Policy > System Events

Audit System Events

The Audit system events policy logs several miscellaneous security events.

The following is an exerpt from my book, The Windows Security Log Revealed :

System Events are an eclectic mix of system events relevant to security including system startup and shutdown. The Windows security infrastructure is designed to be modular and to facilitate new, plug-in security functionality from Microsoft and third-party vendors. These plug-ins can be authentication packages, trusted logon processes, or notification packages. Because these plug-ins are completely trusted modules of code that augment the operating system, Windows logs each plug-in as it loads, using the events from this category.

For a list of Event IDs generated by this category, see the Security Log Encyclopedia.

Bottom line

Windows XP, 2000 and 2003: I recommend enabling this policy for success on all computers including workstations. We have not observed any failure events in this category.
Windows Server 2008 and Vista: I don't recommend managing audit policy at this level because too much noise is generated. Use subcategories instead. See Audit Category: System Events (Windows Server 2008 and Vista) .

Child articles:

Upcoming Webinars

Additional Resources

System Events

•	Security State Change
•	Security System Extension
•	System Integrity
•	IPsec Driver
•	Other System Events

User name:
Password:
	/ Forgot?
	Register

July 2024 Patch Tuesday	"Patch Tuesday - Four Zero Days " - sponsored by Supercharger for Windows Event Collection

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.