Merge branch 'master' of https://github.com/MicrosoftDocs/windows-docs-pr into ado5400910

MandiOhlinger 2021-09-22 09:06:42 -04:00
commit 01e4086ba6
176 changed files with 190 additions and 850 deletions

@ -9,7 +9,7 @@ ms.topic: article
ms.prod: w10 ms.prod: w10
ms.technology: windows ms.technology: windows
author: manikadhiman author: manikadhiman
ms.date: 10/30/2020 ms.date: 09/21/2021
--- ---
# VPNv2 CSP # VPNv2 CSP
@ -591,7 +591,7 @@ Valid values:
- True = Register the connection's addresses in DNS. - True = Register the connection's addresses in DNS.
<a href="" id="vpnv2-profilename-dnssuffix"></a>**VPNv2/**<em>ProfileName</em>**/DnsSuffix** <a href="" id="vpnv2-profilename-dnssuffix"></a>**VPNv2/**<em>ProfileName</em>**/DnsSuffix**
Optional. Specifies one or more comma-separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList. Optional. Specifies one or more comma-separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList. Windows has a limit of 50 DNS suffixes that can be set. Windows name resolution will apply each suffix in order. Long DNS suffix lists may impact performance.
Value type is chr. Supported operations include Get, Add, Replace, and Delete. Value type is chr. Supported operations include Get, Add, Replace, and Delete.
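
Review bot: The added text in the DnsSuffix description states a limit of 50 DNS suffixes but not what happens when a profile supplies more than 50, that is, whether the Add or Replace operation fails or the list is silently truncated. Because the first entry also becomes the primary suffix and the entire list goes into SuffixSearchList, the description should say which entries are kept in that case. While the paragraph is being edited, "connection specific" should be hyphenated.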

@ -1,5 +1,5 @@
--- ---
title: Active Directory Security Groups (Windows 10) title: Active Directory Security Groups
description: Active Directory Security Groups description: Active Directory Security Groups
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
@ -12,14 +12,15 @@ manager: dansimp
ms.collection: M365-identity-device-management ms.collection: M365-identity-device-management
ms.topic: article ms.topic: article
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 04/19/2017 ms.date: 09/21/2021
ms.reviewer: ms.reviewer:
--- ---
# Active Directory Security Groups # Active Directory Security Groups
**Applies to** **Applies to**
- Windows Server 2016 - Windows Server 2016 or later
- Windows 10 or later
This reference topic for the IT professional describes the default Active Directory security groups. This reference topic for the IT professional describes the default Active Directory security groups.
@ -1489,7 +1490,7 @@ This security group has not changed since Windows Server 2008.
<tbody> <tbody>
<tr class="odd"> <tr class="odd">
<td><p>Well-Known SID/RID</p></td> <td><p>Well-Known SID/RID</p></td>
<td><p>S-1-5-&lt;domain&gt;-512</p></td> <td><p>S-1-5-21-&lt;domain&gt;-512</p></td>
</tr> </tr>
<tr class="even"> <tr class="even">
<td><p>Type</p></td> <td><p>Type</p></td>
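
Review bot: The corrected value `S-1-5-21-&lt;domain&gt;-512` restores the missing `21` sub-authority, but the old form `S-1-5-&lt;domain&gt;-` may survive in other Well-Known SID/RID rows of this file that the patch does not touch. Search the file for that prefix before merging so the fix is applied to every domain-relative SID rather than to this one row.
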
@ -1885,7 +1886,7 @@ This security group has not changed since Windows Server 2008.
<tbody> <tbody>
<tr class="odd"> <tr class="odd">
<td><p>Well-Known SID/RID</p></td> <td><p>Well-Known SID/RID</p></td>
<td><p>S-1-5-21-&lt;domain&gt;-498</p></td> <td><p>S-1-5-21-&lt;root domain&gt;-498</p></td>
</tr> </tr>
<tr class="even"> <tr class="even">
<td><p>Type</p></td> <td><p>Type</p></td>
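
Review bot: `&lt;root domain&gt;` in the -498 row is a new placeholder that the visible text does not define, while the -512 row changed earlier in this file uses `&lt;domain&gt;`. Add a sentence near the table explaining that the value is the identifier of the forest root domain, and use the same placeholder for any other group whose SID is relative to the root domain, so readers do not take the difference for a typo.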

@ -11,15 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit Filtering Platform Policy Change # Audit Filtering Platform Policy Change
**Applies to**
- Windows 10
- Windows Server 2016
Audit Filtering Platform Policy Change allows you to audit events generated by changes to the [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) (WFP), such as the following: Audit Filtering Platform Policy Change allows you to audit events generated by changes to the [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) (WFP), such as the following:
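
Review bot: Removing the **Applies to** block leaves this topic with no statement of which Windows versions it covers, and the same removal is repeated across the other Audit topics in this commit. The Active Directory Security Groups topic in the same commit keeps the block and widens it to "Windows Server 2016 or later" and "Windows 10 or later". If the audit subcategories apply to all supported versions, state that once in the text or use the same "or later" wording, so the two sets of topics stay consistent.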

@ -11,15 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit Group Membership # Audit Group Membership
**Applies to**
- Windows 10
- Windows Server 2016
By using Audit Group Membership, you can audit group memberships when they're enumerated on the client computer. By using Audit Group Membership, you can audit group memberships when they're enumerated on the client computer.

@ -11,15 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit Handle Manipulation # Audit Handle Manipulation
**Applies to**
- Windows 10
- Windows Server 2016
Audit Handle Manipulation enables generation of “4658: The handle to an object was closed” in [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), [Audit Removable Storage](audit-removable-storage.md) and [Audit SAM](audit-sam.md) subcategories, and shows objects handle duplication and close actions. Audit Handle Manipulation enables generation of “4658: The handle to an object was closed” in [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), [Audit Removable Storage](audit-removable-storage.md) and [Audit SAM](audit-sam.md) subcategories, and shows objects handle duplication and close actions.

@ -11,15 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 10/02/2018 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit IPsec Driver # Audit IPsec Driver
**Applies to**
- Windows 10
- Windows Server 2016
Audit IPsec Driver allows you to audit events generated by IPSec driver such as the following: Audit IPsec Driver allows you to audit events generated by IPSec driver such as the following:

@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 10/02/2018 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit IPsec Extended Mode # Audit IPsec Extended Mode
**Applies to**
- Windows 10
- Windows Server 2016
Audit IPsec Extended Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. Audit IPsec Extended Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.

@ -11,15 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 10/02/2018 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit IPsec Main Mode # Audit IPsec Main Mode
**Applies to**
- Windows 10
- Windows Server 2016
Audit IPsec Main Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. Audit IPsec Main Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.

@ -11,15 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 10/02/2018 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit IPsec Quick Mode # Audit IPsec Quick Mode
**Applies to**
- Windows 10
- Windows Server 2016
Audit IPsec Quick Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. Audit IPsec Quick Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.

@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit Kerberos Authentication Service # Audit Kerberos Authentication Service
**Applies to**
- Windows 10
- Windows Server 2016
Audit Kerberos Authentication Service determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests. Audit Kerberos Authentication Service determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests.

@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit Kerberos Service Ticket Operations # Audit Kerberos Service Ticket Operations
**Applies to**
- Windows 10
- Windows Server 2016
Audit Kerberos Service Ticket Operations determines whether the operating system generates security audit events for Kerberos service ticket requests. Audit Kerberos Service Ticket Operations determines whether the operating system generates security audit events for Kerberos service ticket requests.

@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit Kernel Object # Audit Kernel Object
**Applies to**
- Windows 10
- Windows Server 2016
Audit Kernel Object determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores. Audit Kernel Object determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores.

@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 07/16/2018 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit Logoff # Audit Logoff
**Applies to**
- Windows 10
- Windows Server 2016
Audit Logoff determines whether the operating system generates audit events when logon sessions are terminated. Audit Logoff determines whether the operating system generates audit events when logon sessions are terminated.

@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit Logon # Audit Logon
**Applies to**
- Windows 10
- Windows Server 2016
Audit Logon determines whether the operating system generates audit events when a user attempts to log on to a computer. Audit Logon determines whether the operating system generates audit events when a user attempts to log on to a computer.

@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit MPSSVC Rule-Level Policy Change # Audit MPSSVC Rule-Level Policy Change
**Applies to**
- Windows 10
- Windows Server 2016
Audit MPSSVC Rule-Level Policy Change determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). Audit MPSSVC Rule-Level Policy Change determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe).

@ -11,15 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit Network Policy Server # Audit Network Policy Server
**Applies to**
- Windows 10
- Windows Server 2016
Audit Network Policy Server allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) activity related to user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. Audit Network Policy Server allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) activity related to user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock.

@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit Non-Sensitive Privilege Use # Audit Non-Sensitive Privilege Use
**Applies to**
- Windows 10
- Windows Server 2016
Audit Non-Sensitive Privilege Use contains events that show usage of non-sensitive privileges. This is the list of non-sensitive privileges: Audit Non-Sensitive Privilege Use contains events that show usage of non-sensitive privileges. This is the list of non-sensitive privileges:

@ -1,6 +1,6 @@
--- ---
title: Audit Other Account Logon Events (Windows 10) title: Audit Other Account Logon Events (Windows 10)
description: The policy setting, Audit Other Account Logon Events, allows you to audit events generated by responses to credential requests for certain kinds of user logons. description: The policy setting, Audit Other Account Logon Events allows you to audit events when generated by responses to credential requests for certain kinds of user logons.
ms.assetid: c8c6bfe0-33d2-4600-bb1a-6afa840d75b3 ms.assetid: c8c6bfe0-33d2-4600-bb1a-6afa840d75b3
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
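
Review bot: The new `description:` line reads worse than the one it replaces: dropping the comma after "Audit Other Account Logon Events" leaves the appositive unclosed, and "audit events when generated by responses" is ungrammatical. Keep the original wording, "The policy setting, Audit Other Account Logon Events, allows you to audit events generated by responses to credential requests...". The `title:` here also still carries "(Windows 10)", which the Active Directory Security Groups topic drops in this same commit.
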
@ -11,24 +11,19 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit Other Account Logon Events # Audit Other Account Logon Events
**Applies to**
- Windows 10
- Windows Server 2016
**General Subcategory Information:** **General Subcategory Information:**
This auditing subcategory does not contain any events. It is intended for future use. This auditing subcategory does not contain any events. It is intended for future use.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------| |-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | No | No | No | This auditing subcategory does not contain any events. It is intended for future use, and there is no reason to enable it. | | Domain Controller | No | No | No | No | This auditing subcategory does not contain any events. Intended for future use, no reason to enable it. |
| Member Server | No | No | No | No | This auditing subcategory does not contain any events. It is intended for future use, and there is no reason to enable it. | | Member Server | No | No | No | No | This auditing subcategory does not contain any events. Intended for future use, no reason to enable it. |
| Workstation | No | No | No | No | This auditing subcategory does not contain any events. It is intended for future use, and there is no reason to enable it. | | Workstation | No | No | No | No | This auditing subcategory does not contain any events. Intended for future use, no reason to enable it. |
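
Review bot: In the three Comments cells, "Intended for future use, no reason to enable it." turns a complete sentence into a fragment joined by a comma, while the paragraph above the table still says "It is intended for future use." Keep the full sentence in the cells, or if brevity is the goal, write "It is intended for future use; there is no reason to enable it."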

@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit Other Account Management Events # Audit Other Account Management Events
**Applies to**
- Windows 10
- Windows Server 2016
Audit Other Account Management Events determines whether the operating system generates user account management audit events. Audit Other Account Management Events determines whether the operating system generates user account management audit events.

@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit Other Logon/Logoff Events # Audit Other Logon/Logoff Events
**Applies to**
- Windows 10
- Windows Server 2016
Audit Other Logon/Logoff Events determines whether Windows generates audit events for other logon or logoff events. Audit Other Logon/Logoff Events determines whether Windows generates audit events for other logon or logoff events.

@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 05/29/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit Other Object Access Events # Audit Other Object Access Events
**Applies to**
- Windows 10
- Windows Server 2016
Audit Other Object Access Events allows you to monitor operations with scheduled tasks, COM+ objects and indirect object access requests. Audit Other Object Access Events allows you to monitor operations with scheduled tasks, COM+ objects and indirect object access requests.

@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit Other Policy Change Events # Audit Other Policy Change Events
**Applies to**
- Windows 10
- Windows Server 2016
Audit Other Policy Change Events contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations. Audit Other Policy Change Events contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations.

@ -11,15 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit Other Privilege Use Events # Audit Other Privilege Use Events
**Applies to**
- Windows 10
- Windows Server 2016
This auditing subcategory should not have any events in it, but for some reason Success auditing will enable the generation of event [4985(S): The state of a transaction has changed](/windows/security/threat-protection/auditing/event-4985). This auditing subcategory should not have any events in it, but for some reason Success auditing will enable the generation of event [4985(S): The state of a transaction has changed](/windows/security/threat-protection/auditing/event-4985).

@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit Other System Events # Audit Other System Events
**Applies to**
- Windows 10
- Windows Server 2016
Audit Other System Events contains Windows Firewall Service and Windows Firewall driver start and stop events, failure events for these services and Windows Firewall Service policy processing failures. Audit Other System Events contains Windows Firewall Service and Windows Firewall driver start and stop events, failure events for these services and Windows Firewall Service policy processing failures.

@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit PNP Activity # Audit PNP Activity
**Applies to**
- Windows 10
- Windows Server 2016
Audit PNP Activity determines when Plug and Play detects an external device. Audit PNP Activity determines when Plug and Play detects an external device.

@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit Process Creation # Audit Process Creation
**Applies to**
- Windows 10
- Windows Server 2016
Audit Process Creation determines whether the operating system generates audit events when a process is created (starts). Audit Process Creation determines whether the operating system generates audit events when a process is created (starts).

@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit Process Termination # Audit Process Termination
**Applies to**
- Windows 10
- Windows Server 2016
Audit Process Termination determines whether the operating system generates audit events when process has exited. Audit Process Termination determines whether the operating system generates audit events when process has exited.

@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit Registry # Audit Registry
**Applies to**
- Windows 10
- Windows Server 2016
Audit Registry allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists ([SACL](/windows/win32/secauthz/access-control-lists)s) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. Audit Registry allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists ([SACL](/windows/win32/secauthz/access-control-lists)s) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL.

@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit Removable Storage # Audit Removable Storage
**Applies to**
- Windows 10
- Windows Server 2016
Audit Removable Storage allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated for all objects and all types of access requested, with no dependency on objects [SACL](/windows/win32/secauthz/access-control-lists). Audit Removable Storage allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated for all objects and all types of access requested, with no dependency on objects [SACL](/windows/win32/secauthz/access-control-lists).

@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit RPC Events # Audit RPC Events
**Applies to**
- Windows 10
- Windows Server 2016
Audit RPC Events determines whether the operating system generates audit events when inbound remote procedure call (RPC) connections are made. Audit RPC Events determines whether the operating system generates audit events when inbound remote procedure call (RPC) connections are made.

@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit SAM # Audit SAM
**Applies to**
- Windows 10
- Windows Server 2016
Audit SAM, which enables you to audit events that are generated by attempts to access Security Account Manager ([SAM](/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10))) objects. Audit SAM, which enables you to audit events that are generated by attempts to access Security Account Manager ([SAM](/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10))) objects.
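
Review bot: With the **Applies to** block removed, the topic now opens directly on "Audit SAM, which enables you to audit events...", which is a sentence fragment with no main verb. Since this hunk already touches the opening of the page, change it to "Audit SAM enables you to audit events that are generated by attempts to access Security Account Manager (SAM) objects."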

@ -11,15 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 02/28/2019 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit Security Group Management # Audit Security Group Management
**Applies to**
- Windows 10
- Windows Server 2016
Audit Security Group Management determines whether the operating system generates audit events when specific security group management tasks are performed. Audit Security Group Management determines whether the operating system generates audit events when specific security group management tasks are performed.

@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit Security State Change # Audit Security State Change
**Applies to**
- Windows 10
- Windows Server 2016
Audit Security State Change contains Windows startup, recovery, and shutdown events, and information about changes in system time. Audit Security State Change contains Windows startup, recovery, and shutdown events, and information about changes in system time.

@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit Security System Extension # Audit Security System Extension
**Applies to**
- Windows 10
- Windows Server 2016
Audit Security System Extension contains information about the loading of an authentication package, notification package, or security package, plus information about trusted logon process registration events. Audit Security System Extension contains information about the loading of an authentication package, notification package, or security package, plus information about trusted logon process registration events.
@ -36,9 +32,9 @@ Attempts to install or load security system extensions or services are critical
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.” <br>For other events we strongly recommend monitoring an allow list of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should have “SYSTEM” as value for **“Subject”** field.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | | Domain Controller | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.” <br>For other events, we strongly recommend monitoring an allowlist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should have “SYSTEM” as value for **“Subject”** field.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.” <br>For other events we strongly recommend monitoring an allow list of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | | Member Server | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.” <br>For other events, we strongly recommend monitoring an allowlist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.” <br>For other events we strongly recommend monitoring an allow list of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | | Workstation | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.” <br>For other events, we strongly recommend monitoring an allowlist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:** **Events List:**
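Review bot: The Domain Controller row still reads 'should have “SYSTEM” as value for **“Subject”** field', while the Member Server and Workstation rows read 'should display “SYSTEM” for the **“Subject”** field'. Since all three rows are being edited for the "allowlist" wording, align the Domain Controller row with the other two. In the same cells, "Otherwise it's hard" wants a comma after "Otherwise", and "doesnt" in the last sentence of each row is missing its apostrophe.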

View File

@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit Sensitive Privilege Use # Audit Sensitive Privilege Use
**Applies to**
- Windows 10
- Windows Server 2016
Audit Sensitive Privilege Use contains events that show the usage of sensitive privileges. This is the list of sensitive privileges: Audit Sensitive Privilege Use contains events that show the usage of sensitive privileges. This is the list of sensitive privileges:
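Review bot: Removing the **Applies to** block drops the only statement in this hunk of which releases the article covers (Windows 10 and Windows Server 2016), and nothing in the front matter shown here replaces it. If applicability is now meant to come from metadata or a shared include, say so in the commit description. Otherwise readers of these audit-policy and event references lose the information about which OS versions the guidance was written for. The same point applies to the other files in this commit that remove the block.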

View File

@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit Special Logon # Audit Special Logon
**Applies to**
- Windows 10
- Windows Server 2016
Audit Special Logon determines whether the operating system generates audit events under special sign on (or log on) circumstances. Audit Special Logon determines whether the operating system generates audit events under special sign on (or log on) circumstances.

View File

@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit System Integrity # Audit System Integrity
**Applies to**
- Windows 10
- Windows Server 2016
Audit System Integrity determines whether the operating system audits events that violate the integrity of the security subsystem. Audit System Integrity determines whether the operating system audits events that violate the integrity of the security subsystem.

View File

@ -11,10 +11,6 @@ ms.technology: mde
# Audit Token Right Adjusted # Audit Token Right Adjusted
**Applies to**
- Windows 10
- Windows Server 2016
Audit Token Right Adjusted allows you to audit events generated by adjusting the privileges of a token. Audit Token Right Adjusted allows you to audit events generated by adjusting the privileges of a token.
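Review bot: This hunk removes the **Applies to** block but does not touch ms.date, unlike the neighbouring audit subcategory files in this commit, which are all bumped to 09/06/2021. The hunk starts at line 11 with the front matter left as it was. If the date bump is meant to mark the content change, apply it here as well so the set stays consistent.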

View File

@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit User Account Management # Audit User Account Management
**Applies to**
- Windows 10
- Windows Server 2016
Audit User Account Management determines whether the operating system generates audit events when specific user account management tasks are performed. Audit User Account Management determines whether the operating system generates audit events when specific user account management tasks are performed.

View File

@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit User/Device Claims # Audit User/Device Claims
**Applies to**
- Windows 10
- Windows Server 2016
Audit User/Device Claims allows you to audit user and device claims information in the accounts logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. Audit User/Device Claims allows you to audit user and device claims information in the accounts logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to.

View File

@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: conceptual ms.topic: conceptual
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit account logon events # Audit account logon events
**Applies to**
- Windows 10
Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account. Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.

View File

@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: conceptual ms.topic: conceptual
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit account management # Audit account management
**Applies to**
- Windows 10
Determines whether to audit each event of account management on a device. Determines whether to audit each event of account management on a device.

View File

@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: conceptual ms.topic: conceptual
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit directory service access # Audit directory service access
**Applies to**
- Windows 10
Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified. Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.

View File

@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: conceptual ms.topic: conceptual
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit logon events # Audit logon events
**Applies to**
- Windows 10
Determines whether to audit each instance of a user logging on to or logging off from a device. Determines whether to audit each instance of a user logging on to or logging off from a device.

View File

@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: conceptual ms.topic: conceptual
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit object access # Audit object access
**Applies to**
- Windows 10
Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified. Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified.

View File

@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: conceptual ms.topic: conceptual
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit policy change # Audit policy change
**Applies to**
- Windows 10
Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies. Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies.

View File

@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: conceptual ms.topic: conceptual
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit privilege use # Audit privilege use
**Applies to**
- Windows 10
Determines whether to audit each instance of a user exercising a user right. Determines whether to audit each instance of a user exercising a user right.

View File

@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: conceptual ms.topic: conceptual
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit process tracking # Audit process tracking
**Applies to**
- Windows 10
Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.

View File

@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: conceptual ms.topic: conceptual
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Audit system events # Audit system events
**Applies to**
- Windows 10
Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log. Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log.

View File

@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: conceptual ms.topic: conceptual
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Basic security audit policies # Basic security audit policies
**Applies to**
- Windows 10
Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of security-related events that you want to audit. When this version of Windows is first installed, all auditing categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that suits the security needs of your organization. Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of security-related events that you want to audit. When this version of Windows is first installed, all auditing categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that suits the security needs of your organization.
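Review bot: With the **Applies to** and Windows 10 lines removed, "When this version of Windows is first installed" in the opening paragraph no longer has anything to refer to. Reword that sentence in this change, either by naming the versions explicitly or by dropping "this version of", so the statement about all auditing categories being disabled at install time is not left ambiguous.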

View File

@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: conceptual ms.topic: conceptual
ms.date: 04/19/2017 ms.date: 09/06/2021
ms.technology: mde ms.technology: mde
--- ---
# Basic security audit policy settings # Basic security audit policy settings
**Applies to**
- Windows 10
Basic security audit policy settings are found under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. Basic security audit policy settings are found under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.

View File

@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: conceptual ms.topic: conceptual
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.technology: mde ms.technology: mde
--- ---
# Create a basic audit policy for an event category # Create a basic audit policy for an event category
**Applies to**
- Windows 10
By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. On devices that are joined to a domain, auditing settings for the event categories are undefined by default. On domain controllers, auditing is turned on by default. By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. On devices that are joined to a domain, auditing settings for the event categories are undefined by default. On domain controllers, auditing is turned on by default.

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 1100(S): The event logging service has shut down. # 1100(S): The event logging service has shut down.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-1100.png" alt="Event 1100 illustration" width="449" height="317" hspace="10" align="left" /> <img src="images/event-1100.png" alt="Event 1100 illustration" width="449" height="317" hspace="10" align="left" />

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 1102(S): The audit log was cleared. # 1102(S): The audit log was cleared.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-1102.png" alt="Event 1102 illustration" width="449" height="336" hspace="10" align="left" /> <img src="images/event-1102.png" alt="Event 1102 illustration" width="449" height="336" hspace="10" align="left" />

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 1104(S): The security log is now full. # 1104(S): The security log is now full.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-1104.png" alt="Event 1104 illustration" width="449" height="317" hspace="10" align="left" /> <img src="images/event-1104.png" alt="Event 1104 illustration" width="449" height="317" hspace="10" align="left" />

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 1105(S): Event log automatic backup # 1105(S): Event log automatic backup
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-1105.png" alt="Event 1105 illustration" width="572" height="317" hspace="10" align="left" /> <img src="images/event-1105.png" alt="Event 1105 illustration" width="572" height="317" hspace="10" align="left" />

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 1108(S): The event logging service encountered an error while processing an incoming event published from %1. # 1108(S): The event logging service encountered an error while processing an incoming event published from %1.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-1108.png" alt="Event 1108 illustration" width="613" height="429" hspace="10" align="left" /> <img src="images/event-1108.png" alt="Event 1108 illustration" width="613" height="429" hspace="10" align="left" />

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4608(S): Windows is starting up. # 4608(S): Windows is starting up.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4608.png" alt="Event 4608 illustration" width="449" height="317" hspace="10" align="top" /> <img src="images/event-4608.png" alt="Event 4608 illustration" width="449" height="317" hspace="10" align="top" />

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4610(S): An authentication package has been loaded by the Local Security Authority. # 4610(S): An authentication package has been loaded by the Local Security Authority.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4610.png" alt="Event 4610 illustration" width="656" height="317" hspace="10" align="left" /> <img src="images/event-4610.png" alt="Event 4610 illustration" width="656" height="317" hspace="10" align="left" />

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4611(S): A trusted logon process has been registered with the Local Security Authority. # 4611(S): A trusted logon process has been registered with the Local Security Authority.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4611.png" alt="Event 4611 illustration" width="449" height="393" hspace="10" align="left" /> <img src="images/event-4611.png" alt="Event 4611 illustration" width="449" height="393" hspace="10" align="left" />

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4612(S): Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. # 4612(S): Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
**Applies to**
- Windows 10
- Windows Server 2016
This event is generated when audit queues are filled and events must be discarded. This most commonly occurs when security events are being generated faster than they are being written to disk. This event is generated when audit queues are filled and events must be discarded. This most commonly occurs when security events are being generated faster than they are being written to disk.

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4614(S): A notification package has been loaded by the Security Account Manager. # 4614(S): A notification package has been loaded by the Security Account Manager.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4614.png" alt="Event 4614 illustration" width="449" height="317" hspace="10" align="left" /> <img src="images/event-4614.png" alt="Event 4614 illustration" width="449" height="317" hspace="10" align="left" />

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4615(S): Invalid use of LPC port. # 4615(S): Invalid use of LPC port.
**Applies to**
- Windows 10
- Windows Server 2016
It appears that this event never occurs. It appears that this event never occurs.

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4616(S): The system time was changed. # 4616(S): The system time was changed.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4616.png" alt="Event 4616 illustration" width="522" height="518" hspace="10" align="top" /> <img src="images/event-4616.png" alt="Event 4616 illustration" width="522" height="518" hspace="10" align="top" />

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4618(S): A monitored security event pattern has occurred. # 4618(S): A monitored security event pattern has occurred.
**Applies to**
- Windows 10
- Windows Server 2016
***Subcategory:***&nbsp;[Audit System Integrity](audit-system-integrity.md) ***Subcategory:***&nbsp;[Audit System Integrity](audit-system-integrity.md)

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,9 +16,6 @@ ms.technology: mde
# 4621(S): Administrator recovered system from CrashOnAuditFail. # 4621(S): Administrator recovered system from CrashOnAuditFail.
**Applies to**
- Windows 10
- Windows Server 2016
This event is logged after a system reboots following [CrashOnAuditFail](/previous-versions/windows/it-pro/windows-2000-server/cc963220(v=technet.10)?f=255&MSPPError=-2147217396). It generates when CrashOnAuditFail = 2. This event is logged after a system reboots following [CrashOnAuditFail](/previous-versions/windows/it-pro/windows-2000-server/cc963220(v=technet.10)?f=255&MSPPError=-2147217396). It generates when CrashOnAuditFail = 2.
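Review bot: The CrashOnAuditFail link on the unchanged context line still carries the query string `?f=255&MSPPError=-2147217396`, which looks like redirect residue rather than part of the target path. Since this file is being edited and re-dated anyway, trim the link so it ends at `(v=technet.10)`.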

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4622(S): A security package has been loaded by the Local Security Authority. # 4622(S): A security package has been loaded by the Local Security Authority.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4622.png" alt="Event 4622 illustration" width="449" height="317" hspace="10" align="left" /> <img src="images/event-4622.png" alt="Event 4622 illustration" width="449" height="317" hspace="10" align="left" />
@ -101,4 +97,4 @@ These are some Security Package DLLs loaded by default in Windows 10:
For 4622(S): A security package has been loaded by the Local Security Authority. For 4622(S): A security package has been loaded by the Local Security Authority.
- Typically this event has an informational purpose. If you defined the list of allowed Security Packages in the system, then you can check is “**Security Package Name”** field value in the allow list or not. - Typically this event has an informational purpose. If you defined the list of allowed Security Packages in the system, then you can check is “**Security Package Name”** field value in the allowlist or not.
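Review bot: The edited bullet still reads "you can check is “**Security Package Name”** field value in the allowlist or not", which is ungrammatical, and the bold markers straddle the closing quote. While changing "allow list" to "allowlist", reword it along the lines of: you can check whether the **Security Package Name** field value is in the allowlist.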

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4624(S): An account was successfully logged on. # 4624(S): An account was successfully logged on.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4624.png" alt="Event 4624 illustration" width="438" height="668" hspace="10" /> <img src="images/event-4624.png" alt="Event 4624 illustration" width="438" height="668" hspace="10" />

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4625(F): An account failed to log on. # 4625(F): An account failed to log on.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4625.png" alt="Event 4625 illustration" width="449" height="780" hspace="10" align="top" /> <img src="images/event-4625.png" alt="Event 4625 illustration" width="449" height="780" hspace="10" align="top" />

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4626(S): User/Device claims information. # 4626(S): User/Device claims information.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4626.png" alt="Event 4626 illustration" width="549" height="771" hspace="10" align="left" /> <img src="images/event-4626.png" alt="Event 4626 illustration" width="549" height="771" hspace="10" align="left" />

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4627(S): Group membership information. # 4627(S): Group membership information.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4627.png" alt="Event 4627 illustration" width="554" height="896" hspace="10" align="left" /> <img src="images/event-4627.png" alt="Event 4627 illustration" width="554" height="896" hspace="10" align="left" />

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 11/20/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4634(S): An account was logged off. # 4634(S): An account was logged off.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4634.png" alt="Event 4634 illustration" width="449" height="431" hspace="10" align="left" /> <img src="images/event-4634.png" alt="Event 4634 illustration" width="449" height="431" hspace="10" align="left" />

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4647(S): User initiated logoff. # 4647(S): User initiated logoff.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4647.png" alt="Event 4647 illustration" width="449" height="392" hspace="10" align="left" /> <img src="images/event-4647.png" alt="Event 4647 illustration" width="449" height="392" hspace="10" align="left" />

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4648(S): A logon was attempted using explicit credentials. # 4648(S): A logon was attempted using explicit credentials.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4648.png" alt="Event 4648 illustration" width="486" height="663" hspace="10" align="left" /> <img src="images/event-4648.png" alt="Event 4648 illustration" width="486" height="663" hspace="10" align="left" />

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4649(S): A replay attack was detected. # 4649(S): A replay attack was detected.
**Applies to**
- Windows 10
- Windows Server 2016
This event generates on domain controllers when **KRB\_AP\_ERR\_REPEAT** Kerberos response was sent to the client. This event generates on domain controllers when **KRB\_AP\_ERR\_REPEAT** Kerberos response was sent to the client.
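Review bot: With the `Applies to` list removed, the context line `This event generates on domain controllers when **KRB\_AP\_ERR\_REPEAT** Kerberos response was sent to the client.` becomes the first text under the 4649 heading, and it is missing an article before the error name. Suggest `when a **KRB\_AP\_ERR\_REPEAT** Kerberos response was sent to the client` while this file is being touched.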

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4656(S, F): A handle to an object was requested. # 4656(S, F): A handle to an object was requested.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4656.png" alt="Event 4656 illustration" width="764" height="895"/> <img src="images/event-4656.png" alt="Event 4656 illustration" width="764" height="895"/>

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4657(S): A registry value was modified. # 4657(S): A registry value was modified.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4657.png" alt="Event 4657 illustration" width="449" height="570" hspace="10" align="left" /> <img src="images/event-4657.png" alt="Event 4657 illustration" width="449" height="570" hspace="10" align="left" />

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4658(S): The handle to an object was closed. # 4658(S): The handle to an object was closed.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4658.png" alt="Event 4658 illustration" width="449" height="463" hspace="10" align="left" /> <img src="images/event-4658.png" alt="Event 4658 illustration" width="449" height="463" hspace="10" align="left" />

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4660(S): An object was deleted. # 4660(S): An object was deleted.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4660.png" alt="Event 4660 illustration" width="449" height="477" hspace="10" align="left" /> <img src="images/event-4660.png" alt="Event 4660 illustration" width="449" height="477" hspace="10" align="left" />

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4661(S, F): A handle to an object was requested. # 4661(S, F): A handle to an object was requested.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4661.png" alt="Event 4661 illustration" width="449" height="661" hspace="10" align="left" /> <img src="images/event-4661.png" alt="Event 4661 illustration" width="449" height="661" hspace="10" align="left" />

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4662(S, F): An operation was performed on an object. # 4662(S, F): An operation was performed on an object.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4662.png" alt="Event 4662 illustration" width="496" height="614" hspace="10" align="left" /> <img src="images/event-4662.png" alt="Event 4662 illustration" width="496" height="614" hspace="10" align="left" />

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4663(S): An attempt was made to access an object. # 4663(S): An attempt was made to access an object.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4663.png" alt="Event 4663 illustration" width="530" height="589" hspace="10" align="left" /> <img src="images/event-4663.png" alt="Event 4663 illustration" width="530" height="589" hspace="10" align="left" />

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4664(S): An attempt was made to create a hard link. # 4664(S): An attempt was made to create a hard link.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4664.png" alt="Event 4664 illustration" width="449" height="419" hspace="10" align="left" /> <img src="images/event-4664.png" alt="Event 4664 illustration" width="449" height="419" hspace="10" align="left" />

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4670(S): Permissions on an object were changed. # 4670(S): Permissions on an object were changed.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4670.png" alt="Event 4670 illustration" width="449" height="605" hspace="10" align="left" /> <img src="images/event-4670.png" alt="Event 4670 illustration" width="449" height="605" hspace="10" align="left" />

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,11 +16,7 @@ ms.technology: mde
# 4671(-): An application attempted to access a blocked ordinal through the TBS. # 4671(-): An application attempted to access a blocked ordinal through the TBS.
**Applies to** *
- Windows 10
- Windows Server 2016
Currently this event doesnt generate. It is a defined event, but it is never invoked by the operating system. Currently this event doesnt generate. It is a defined event, but it is never invoked by the operating system.
***Subcategory:***&nbsp;[Audit Other Object Access Events](audit-other-object-access-events.md) ***Subcategory:***&nbsp;[Audit Other Object Access Events](audit-other-object-access-events.md)
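Review bot: On the `**Applies to**` row of this 4671 hunk the new side shows a lone `*`, which none of the sibling hunks have, and the header reads `-16,11 +16,7` where the others read `-16,10 +16,6`. Please check the resulting file for a stray asterisk or empty list marker left between the heading and `Currently this event doesn’t generate.`, since it would render as a bullet or as unbalanced emphasis.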

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 12/20/2018 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4672(S): Special privileges assigned to new logon. # 4672(S): Special privileges assigned to new logon.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4672.png" alt="Event 4672 illustration" width="449" height="503" hspace="10" align="left" /> <img src="images/event-4672.png" alt="Event 4672 illustration" width="449" height="503" hspace="10" align="left" />
</br> </br>
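Review bot: The context line `</br>` directly after the event-4672 image is not a valid line-break tag; it is written as a closing tag for an element that has no closing form. Since this hunk already edits the lines just above it, replace it with `<br/>` or remove it and rely on a blank line, so the layout does not depend on how a given renderer recovers from the malformed tag.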

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4673(S, F): A privileged service was called. # 4673(S, F): A privileged service was called.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4673.png" alt="Event 4673 illustration" width="449" height="503" hspace="10" align="left" /> <img src="images/event-4673.png" alt="Event 4673 illustration" width="449" height="503" hspace="10" align="left" />

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4674(S, F): An operation was attempted on a privileged object. # 4674(S, F): An operation was attempted on a privileged object.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4674.png" alt="Event 4674 illustration" width="449" height="543" hspace="10" align="left" /> <img src="images/event-4674.png" alt="Event 4674 illustration" width="449" height="543" hspace="10" align="left" />

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4675(S): SIDs were filtered. # 4675(S): SIDs were filtered.
**Applies to**
- Windows 10
- Windows Server 2016
This event generates when SIDs were filtered for specific Active Directory trust. This event generates when SIDs were filtered for specific Active Directory trust.

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4688(S): A new process has been created. # 4688(S): A new process has been created.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4688.png" alt="Event 4688 illustration" width="417" height="479" hspace="10" align="left" /> <img src="images/event-4688.png" alt="Event 4688 illustration" width="417" height="479" hspace="10" align="left" />

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4689(S): A process has exited. # 4689(S): A process has exited.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4689.png" alt="Event 4689 illustration" width="449" height="421" hspace="10" align="left" /> <img src="images/event-4689.png" alt="Event 4689 illustration" width="449" height="421" hspace="10" align="left" />

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4690(S): An attempt was made to duplicate a handle to an object. # 4690(S): An attempt was made to duplicate a handle to an object.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4690.png" alt="Event 4690 illustration" width="449" height="463" hspace="10" align="left" /> <img src="images/event-4690.png" alt="Event 4690 illustration" width="449" height="463" hspace="10" align="left" />

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4691(S): Indirect access to an object was requested. # 4691(S): Indirect access to an object was requested.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4691.png" alt="Event 4691 illustration" width="485" height="515" hspace="10" align="left" /> <img src="images/event-4691.png" alt="Event 4691 illustration" width="485" height="515" hspace="10" align="left" />

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4692(S, F): Backup of data protection master key was attempted. # 4692(S, F): Backup of data protection master key was attempted.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4692.png" alt="Event 4692 illustration" width="448" height="396" hspace="10" align="left" /> <img src="images/event-4692.png" alt="Event 4692 illustration" width="448" height="396" hspace="10" align="left" />

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4693(S, F): Recovery of data protection master key was attempted. # 4693(S, F): Recovery of data protection master key was attempted.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4693.png" alt="Event 4693 illustration" width="449" height="477" hspace="10" align="left" /> <img src="images/event-4693.png" alt="Event 4693 illustration" width="449" height="477" hspace="10" align="left" />

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4694(S, F): Protection of auditable protected data was attempted. # 4694(S, F): Protection of auditable protected data was attempted.
**Applies to**
- Windows 10
- Windows Server 2016
This event generates if [DPAPI](/previous-versions/ms995355(v=msdn.10))&thinsp; [**CryptProtectData**](/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata)() function was used with **CRYPTPROTECT\_AUDIT** flag (dwFlags) enabled. This event generates if [DPAPI](/previous-versions/ms995355(v=msdn.10))&thinsp; [**CryptProtectData**](/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata)() function was used with **CRYPTPROTECT\_AUDIT** flag (dwFlags) enabled.
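Review bot: The 4694 description line that now sits directly under the heading carries a literal `&thinsp;` entity between the DPAPI link and the `CryptProtectData` link, and the `()` is placed outside the bold link text. The matching sentence on the 4695 page uses an ordinary space, so the two pages render differently for the same construct. Suggest replacing `&thinsp;` with a plain space here and deciding once whether the function name is bold on both pages.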

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4695(S, F): Unprotection of auditable protected data was attempted. # 4695(S, F): Unprotection of auditable protected data was attempted.
**Applies to**
- Windows 10
- Windows Server 2016
This event generates if [DPAPI](/previous-versions/ms995355(v=msdn.10)) [CryptUnprotectData](/windows/win32/api/dpapi/nf-dpapi-cryptunprotectdata)() function was used to unprotect “auditable” data that was encrypted using [**CryptProtectData**](/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata)() function with **CRYPTPROTECT\_AUDIT** flag (dwFlags) enabled. This event generates if [DPAPI](/previous-versions/ms995355(v=msdn.10)) [CryptUnprotectData](/windows/win32/api/dpapi/nf-dpapi-cryptunprotectdata)() function was used to unprotect “auditable” data that was encrypted using [**CryptProtectData**](/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata)() function with **CRYPTPROTECT\_AUDIT** flag (dwFlags) enabled.

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4696(S): A primary token was assigned to process. # 4696(S): A primary token was assigned to process.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4696.png" alt="Event 4696 illustration" width="442" height="454" hspace="10" align="left" /> <img src="images/event-4696.png" alt="Event 4696 illustration" width="442" height="454" hspace="10" align="left" />

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4697(S): A service was installed in the system. # 4697(S): A service was installed in the system.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4697.png" alt="Event 4697 illustration" width="438" height="380" hspace="10" align="left" /> <img src="images/event-4697.png" alt="Event 4697 illustration" width="438" height="380" hspace="10" align="left" />

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -16,10 +16,6 @@ ms.technology: mde
# 4698(S): A scheduled task was created. # 4698(S): A scheduled task was created.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4698.png" alt="Event 4698 illustration" width="361" height="555" hspace="10" align="left" /> <img src="images/event-4698.png" alt="Event 4698 illustration" width="361" height="555" hspace="10" align="left" />

Some files were not shown because too many files have changed in this diff.