WinSecWiki > Security Settings > Local Policies > Audit Policy > System Events

Audit System Events

The Audit system events policy logs several miscellaneous security events.  

The following is an exerpt from my book, The Windows Security Log Revealed :  

System Events are an eclectic mix of system events relevant to security including system startup and shutdown. The Windows security infrastructure is designed to be modular and to facilitate new, plug-in security functionality from Microsoft and third-party vendors. These plug-ins can be authentication packages, trusted logon processes, or notification packages. Because these plug-ins are completely trusted modules of code that augment the operating system, Windows logs each plug-in as it loads, using the events from this category. 

For a list of Event IDs generated by this category, see the Security Log Encyclopedia.

Bottom line

  • Windows XP, 2000 and 2003: I recommend enabling this policy for success on all computers including workstations. We have not observed any failure events in this category.
  • Windows Server 2008 and Vista: I don't recommend managing audit policy at this level because too much noise is generated. Use subcategories instead. See Audit Category: System Events (Windows Server 2008 and Vista) .

Child articles:

Back to top


Upcoming Webinars
    Additional Resources