mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-13 05:47:23 +00:00
Merge branch 'master' of https://github.com/MicrosoftDocs/windows-docs-pr into ado5400910
This commit is contained in:
MandiOhlinger
commit
01e4086ba6
@ -9,7 +9,7 @@ ms.topic: article
|
||||
ms.prod: w10
|
||||
ms.technology: windows
|
||||
author: manikadhiman
|
||||
ms.date: 10/30/2020
|
||||
ms.date: 09/21/2021
|
||||
---
|
||||
|
||||
# VPNv2 CSP
|
||||
@ -591,7 +591,7 @@ Valid values:
|
||||
- True = Register the connection's addresses in DNS.
|
||||
|
||||
<a href="" id="vpnv2-profilename-dnssuffix"></a>**VPNv2/**<em>ProfileName</em>**/DnsSuffix**
|
||||
Optional. Specifies one or more comma-separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList.
|
||||
Optional. Specifies one or more comma-separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList. Windows has a limit of 50 DNS suffixes that can be set. Windows name resolution will apply each suffix in order. Long DNS suffix lists may impact performance.
|
||||
|
||||
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Active Directory Security Groups (Windows 10)
|
||||
title: Active Directory Security Groups
|
||||
description: Active Directory Security Groups
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
@ -12,14 +12,15 @@ manager: dansimp
|
||||
ms.collection: M365-identity-device-management
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/21/2021
|
||||
ms.reviewer:
|
||||
---
|
||||
|
||||
# Active Directory Security Groups
|
||||
|
||||
**Applies to**
|
||||
- Windows Server 2016
|
||||
- Windows Server 2016 or later
|
||||
- Windows 10 or later
|
||||
|
||||
This reference topic for the IT professional describes the default Active Directory security groups.
|
||||
|
||||
@ -1489,7 +1490,7 @@ This security group has not changed since Windows Server 2008.
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td><p>Well-Known SID/RID</p></td>
|
||||
<td><p>S-1-5-<domain>-512</p></td>
|
||||
<td><p>S-1-5-21-<domain>-512</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td><p>Type</p></td>
|
||||
@ -1885,7 +1886,7 @@ This security group has not changed since Windows Server 2008.
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td><p>Well-Known SID/RID</p></td>
|
||||
<td><p>S-1-5-21-<domain>-498</p></td>
|
||||
<td><p>S-1-5-21-<root domain>-498</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td><p>Type</p></td>
|
||||
|
||||
@ -11,15 +11,12 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Filtering Platform Policy Change
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
Audit Filtering Platform Policy Change allows you to audit events generated by changes to the [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) (WFP), such as the following:
|
||||
|
||||
|
||||
@ -11,15 +11,12 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Group Membership
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
By using Audit Group Membership, you can audit group memberships when they're enumerated on the client computer.
|
||||
|
||||
|
||||
@ -11,15 +11,12 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Handle Manipulation
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
Audit Handle Manipulation enables generation of “4658: The handle to an object was closed” in [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), [Audit Removable Storage](audit-removable-storage.md) and [Audit SAM](audit-sam.md) subcategories, and shows object’s handle duplication and close actions.
|
||||
|
||||
|
||||
@ -11,15 +11,12 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 10/02/2018
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit IPsec Driver
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
Audit IPsec Driver allows you to audit events generated by IPSec driver such as the following:
|
||||
|
||||
|
||||
@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 10/02/2018
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit IPsec Extended Mode
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
Audit IPsec Extended Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.
|
||||
|
||||
|
||||
@ -11,15 +11,12 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 10/02/2018
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit IPsec Main Mode
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
Audit IPsec Main Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.
|
||||
|
||||
|
||||
@ -11,15 +11,12 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 10/02/2018
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit IPsec Quick Mode
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
Audit IPsec Quick Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.
|
||||
|
||||
|
||||
@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Kerberos Authentication Service
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
Audit Kerberos Authentication Service determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests.
|
||||
|
||||
|
||||
@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Kerberos Service Ticket Operations
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
Audit Kerberos Service Ticket Operations determines whether the operating system generates security audit events for Kerberos service ticket requests.
|
||||
|
||||
|
||||
@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Kernel Object
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
Audit Kernel Object determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores.
|
||||
|
||||
|
||||
@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 07/16/2018
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Logoff
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
Audit Logoff determines whether the operating system generates audit events when logon sessions are terminated.
|
||||
|
||||
|
||||
@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Logon
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
Audit Logon determines whether the operating system generates audit events when a user attempts to log on to a computer.
|
||||
|
||||
|
||||
@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit MPSSVC Rule-Level Policy Change
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
Audit MPSSVC Rule-Level Policy Change determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe).
|
||||
|
||||
|
||||
@ -11,15 +11,12 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Network Policy Server
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
Audit Network Policy Server allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) activity related to user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock.
|
||||
|
||||
|
||||
@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Non-Sensitive Privilege Use
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
Audit Non-Sensitive Privilege Use contains events that show usage of non-sensitive privileges. This is the list of non-sensitive privileges:
|
||||
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Audit Other Account Logon Events (Windows 10)
|
||||
description: The policy setting, Audit Other Account Logon Events, allows you to audit events generated by responses to credential requests for certain kinds of user logons.
|
||||
description: The policy setting, Audit Other Account Logon Events allows you to audit events when generated by responses to credential requests for certain kinds of user logons.
|
||||
ms.assetid: c8c6bfe0-33d2-4600-bb1a-6afa840d75b3
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
@ -11,24 +11,19 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Other Account Logon Events
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
**General Subcategory Information:**
|
||||
|
||||
This auditing subcategory does not contain any events. It is intended for future use.
|
||||
|
||||
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|
||||
|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------|
|
||||
| Domain Controller | No | No | No | No | This auditing subcategory does not contain any events. It is intended for future use, and there is no reason to enable it. |
|
||||
| Member Server | No | No | No | No | This auditing subcategory does not contain any events. It is intended for future use, and there is no reason to enable it. |
|
||||
| Workstation | No | No | No | No | This auditing subcategory does not contain any events. It is intended for future use, and there is no reason to enable it. |
|
||||
| Domain Controller | No | No | No | No | This auditing subcategory does not contain any events. Intended for future use, no reason to enable it. |
|
||||
| Member Server | No | No | No | No | This auditing subcategory does not contain any events. Intended for future use, no reason to enable it. |
|
||||
| Workstation | No | No | No | No | This auditing subcategory does not contain any events. Intended for future use, no reason to enable it. |
|
||||
|
||||
|
||||
@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Other Account Management Events
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
Audit Other Account Management Events determines whether the operating system generates user account management audit events.
|
||||
|
||||
|
||||
@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Other Logon/Logoff Events
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
Audit Other Logon/Logoff Events determines whether Windows generates audit events for other logon or logoff events.
|
||||
|
||||
|
||||
@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 05/29/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Other Object Access Events
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
Audit Other Object Access Events allows you to monitor operations with scheduled tasks, COM+ objects and indirect object access requests.
|
||||
|
||||
|
||||
@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Other Policy Change Events
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
Audit Other Policy Change Events contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations.
|
||||
|
||||
|
||||
@ -11,15 +11,12 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Other Privilege Use Events
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
This auditing subcategory should not have any events in it, but for some reason Success auditing will enable the generation of event [4985(S): The state of a transaction has changed](/windows/security/threat-protection/auditing/event-4985).
|
||||
|
||||
|
||||
@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Other System Events
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
Audit Other System Events contains Windows Firewall Service and Windows Firewall driver start and stop events, failure events for these services and Windows Firewall Service policy processing failures.
|
||||
|
||||
|
||||
@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit PNP Activity
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
Audit PNP Activity determines when Plug and Play detects an external device.
|
||||
|
||||
|
||||
@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Process Creation
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
Audit Process Creation determines whether the operating system generates audit events when a process is created (starts).
|
||||
|
||||
|
||||
@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Process Termination
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
Audit Process Termination determines whether the operating system generates audit events when process has exited.
|
||||
|
||||
|
||||
@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Registry
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
Audit Registry allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists ([SACL](/windows/win32/secauthz/access-control-lists)s) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL.
|
||||
|
||||
|
||||
@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Removable Storage
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
Audit Removable Storage allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated for all objects and all types of access requested, with no dependency on object’s [SACL](/windows/win32/secauthz/access-control-lists).
|
||||
|
||||
|
||||
@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit RPC Events
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
Audit RPC Events determines whether the operating system generates audit events when inbound remote procedure call (RPC) connections are made.
|
||||
|
||||
|
||||
@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit SAM
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
Audit SAM, which enables you to audit events that are generated by attempts to access Security Account Manager ([SAM](/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10))) objects.
|
||||
|
||||
|
||||
@ -11,15 +11,12 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 02/28/2019
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Security Group Management
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
Audit Security Group Management determines whether the operating system generates audit events when specific security group management tasks are performed.
|
||||
|
||||
|
||||
@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Security State Change
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
Audit Security State Change contains Windows startup, recovery, and shutdown events, and information about changes in system time.
|
||||
|
||||
|
||||
@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Security System Extension
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
Audit Security System Extension contains information about the loading of an authentication package, notification package, or security package, plus information about trusted logon process registration events.
|
||||
|
||||
@ -36,9 +32,9 @@ Attempts to install or load security system extensions or services are critical
|
||||
|
||||
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|
||||
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
| Domain Controller | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.” <br>For other events we strongly recommend monitoring an allow list of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should have “SYSTEM” as value for **“Subject”** field.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
|
||||
| Member Server | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.” <br>For other events we strongly recommend monitoring an allow list of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
|
||||
| Workstation | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.” <br>For other events we strongly recommend monitoring an allow list of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
|
||||
| Domain Controller | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.” <br>For other events, we strongly recommend monitoring an allowlist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should have “SYSTEM” as value for **“Subject”** field.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
|
||||
| Member Server | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.” <br>For other events, we strongly recommend monitoring an allowlist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
|
||||
| Workstation | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.” <br>For other events, we strongly recommend monitoring an allowlist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
|
||||
|
||||
**Events List:**
|
||||
|
||||
|
||||
@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Sensitive Privilege Use
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
Audit Sensitive Privilege Use contains events that show the usage of sensitive privileges. This is the list of sensitive privileges:
|
||||
|
||||
|
||||
@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Special Logon
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
Audit Special Logon determines whether the operating system generates audit events under special sign on (or log on) circumstances.
|
||||
|
||||
|
||||
@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit System Integrity
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
Audit System Integrity determines whether the operating system audits events that violate the integrity of the security subsystem.
|
||||
|
||||
|
||||
@ -11,10 +11,6 @@ ms.technology: mde
|
||||
|
||||
# Audit Token Right Adjusted
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
Audit Token Right Adjusted allows you to audit events generated by adjusting the privileges of a token.
|
||||
|
||||
|
||||
@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit User Account Management
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
Audit User Account Management determines whether the operating system generates audit events when specific user account management tasks are performed.
|
||||
|
||||
|
||||
@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit User/Device Claims
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
Audit User/Device Claims allows you to audit user and device claims information in the account’s logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to.
|
||||
|
||||
|
||||
@ -14,14 +14,12 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit account logon events
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.
|
||||
|
||||
|
||||
@ -14,14 +14,12 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit account management
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
Determines whether to audit each event of account management on a device.
|
||||
|
||||
|
||||
@ -14,14 +14,12 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit directory service access
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.
|
||||
|
||||
|
||||
@ -14,14 +14,12 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit logon events
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
Determines whether to audit each instance of a user logging on to or logging off from a device.
|
||||
|
||||
|
||||
@ -14,14 +14,12 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit object access
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified.
|
||||
|
||||
|
||||
@ -14,14 +14,12 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit policy change
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies.
|
||||
|
||||
|
||||
@ -14,14 +14,12 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit privilege use
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
Determines whether to audit each instance of a user exercising a user right.
|
||||
|
||||
|
||||
@ -14,14 +14,12 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit process tracking
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.
|
||||
|
||||
|
||||
@ -14,14 +14,12 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit system events
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log.
|
||||
|
||||
|
||||
@ -14,14 +14,12 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Basic security audit policies
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of security-related events that you want to audit. When this version of Windows is first installed, all auditing categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that suits the security needs of your organization.
|
||||
|
||||
|
||||
@ -14,14 +14,12 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/06/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Basic security audit policy settings
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
Basic security audit policy settings are found under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
|
||||
|
||||
|
||||
@ -14,14 +14,12 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Create a basic audit policy for an event category
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. On devices that are joined to a domain, auditing settings for the event categories are undefined by default. On domain controllers, auditing is turned on by default.
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 1100(S): The event logging service has shut down.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-1100.png" alt="Event 1100 illustration" width="449" height="317" hspace="10" align="left" />
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 1102(S): The audit log was cleared.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-1102.png" alt="Event 1102 illustration" width="449" height="336" hspace="10" align="left" />
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 1104(S): The security log is now full.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-1104.png" alt="Event 1104 illustration" width="449" height="317" hspace="10" align="left" />
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 1105(S): Event log automatic backup
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-1105.png" alt="Event 1105 illustration" width="572" height="317" hspace="10" align="left" />
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 1108(S): The event logging service encountered an error while processing an incoming event published from %1.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-1108.png" alt="Event 1108 illustration" width="613" height="429" hspace="10" align="left" />
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4608(S): Windows is starting up.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-4608.png" alt="Event 4608 illustration" width="449" height="317" hspace="10" align="top" />
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4610(S): An authentication package has been loaded by the Local Security Authority.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-4610.png" alt="Event 4610 illustration" width="656" height="317" hspace="10" align="left" />
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4611(S): A trusted logon process has been registered with the Local Security Authority.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-4611.png" alt="Event 4611 illustration" width="449" height="393" hspace="10" align="left" />
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4612(S): Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
This event is generated when audit queues are filled and events must be discarded. This most commonly occurs when security events are being generated faster than they are being written to disk.
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4614(S): A notification package has been loaded by the Security Account Manager.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-4614.png" alt="Event 4614 illustration" width="449" height="317" hspace="10" align="left" />
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4615(S): Invalid use of LPC port.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
It appears that this event never occurs.
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4616(S): The system time was changed.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-4616.png" alt="Event 4616 illustration" width="522" height="518" hspace="10" align="top" />
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4618(S): A monitored security event pattern has occurred.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
***Subcategory:*** [Audit System Integrity](audit-system-integrity.md)
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,9 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4621(S): Administrator recovered system from CrashOnAuditFail.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
This event is logged after a system reboots following [CrashOnAuditFail](/previous-versions/windows/it-pro/windows-2000-server/cc963220(v=technet.10)?f=255&MSPPError=-2147217396). It generates when CrashOnAuditFail = 2.
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4622(S): A security package has been loaded by the Local Security Authority.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-4622.png" alt="Event 4622 illustration" width="449" height="317" hspace="10" align="left" />
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4624(S): An account was successfully logged on.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-4624.png" alt="Event 4624 illustration" width="438" height="668" hspace="10" />
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4625(F): An account failed to log on.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-4625.png" alt="Event 4625 illustration" width="449" height="780" hspace="10" align="top" />
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4626(S): User/Device claims information.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-4626.png" alt="Event 4626 illustration" width="549" height="771" hspace="10" align="left" />
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4627(S): Group membership information.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-4627.png" alt="Event 4627 illustration" width="554" height="896" hspace="10" align="left" />
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 11/20/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4634(S): An account was logged off.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-4634.png" alt="Event 4634 illustration" width="449" height="431" hspace="10" align="left" />
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4647(S): User initiated logoff.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-4647.png" alt="Event 4647 illustration" width="449" height="392" hspace="10" align="left" />
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4648(S): A logon was attempted using explicit credentials.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-4648.png" alt="Event 4648 illustration" width="486" height="663" hspace="10" align="left" />
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4649(S): A replay attack was detected.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
This event generates on domain controllers when **KRB\_AP\_ERR\_REPEAT** Kerberos response was sent to the client.
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4656(S, F): A handle to an object was requested.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-4656.png" alt="Event 4656 illustration" width="764" height="895"/>
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4657(S): A registry value was modified.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-4657.png" alt="Event 4657 illustration" width="449" height="570" hspace="10" align="left" />
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4658(S): The handle to an object was closed.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-4658.png" alt="Event 4658 illustration" width="449" height="463" hspace="10" align="left" />
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4660(S): An object was deleted.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-4660.png" alt="Event 4660 illustration" width="449" height="477" hspace="10" align="left" />
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4661(S, F): A handle to an object was requested.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-4661.png" alt="Event 4661 illustration" width="449" height="661" hspace="10" align="left" />
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4662(S, F): An operation was performed on an object.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-4662.png" alt="Event 4662 illustration" width="496" height="614" hspace="10" align="left" />
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4663(S): An attempt was made to access an object.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-4663.png" alt="Event 4663 illustration" width="530" height="589" hspace="10" align="left" />
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4664(S): An attempt was made to create a hard link.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-4664.png" alt="Event 4664 illustration" width="449" height="419" hspace="10" align="left" />
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4670(S): Permissions on an object were changed.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-4670.png" alt="Event 4670 illustration" width="449" height="605" hspace="10" align="left" />
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,11 +16,7 @@ ms.technology: mde
|
||||
|
||||
# 4671(-): An application attempted to access a blocked ordinal through the TBS.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
*
|
||||
Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system.
|
||||
|
||||
***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md)
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 12/20/2018
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4672(S): Special privileges assigned to new logon.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-4672.png" alt="Event 4672 illustration" width="449" height="503" hspace="10" align="left" />
|
||||
</br>
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4673(S, F): A privileged service was called.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-4673.png" alt="Event 4673 illustration" width="449" height="503" hspace="10" align="left" />
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4674(S, F): An operation was attempted on a privileged object.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-4674.png" alt="Event 4674 illustration" width="449" height="543" hspace="10" align="left" />
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4675(S): SIDs were filtered.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
This event generates when SIDs were filtered for specific Active Directory trust.
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4688(S): A new process has been created.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-4688.png" alt="Event 4688 illustration" width="417" height="479" hspace="10" align="left" />
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4689(S): A process has exited.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-4689.png" alt="Event 4689 illustration" width="449" height="421" hspace="10" align="left" />
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4690(S): An attempt was made to duplicate a handle to an object.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-4690.png" alt="Event 4690 illustration" width="449" height="463" hspace="10" align="left" />
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4691(S): Indirect access to an object was requested.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-4691.png" alt="Event 4691 illustration" width="485" height="515" hspace="10" align="left" />
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4692(S, F): Backup of data protection master key was attempted.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-4692.png" alt="Event 4692 illustration" width="448" height="396" hspace="10" align="left" />
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4693(S, F): Recovery of data protection master key was attempted.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-4693.png" alt="Event 4693 illustration" width="449" height="477" hspace="10" align="left" />
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4694(S, F): Protection of auditable protected data was attempted.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
This event generates if [DPAPI](/previous-versions/ms995355(v=msdn.10))  [**CryptProtectData**](/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata)() function was used with **CRYPTPROTECT\_AUDIT** flag (dwFlags) enabled.
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4695(S, F): Unprotection of auditable protected data was attempted.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
This event generates if [DPAPI](/previous-versions/ms995355(v=msdn.10)) [CryptUnprotectData](/windows/win32/api/dpapi/nf-dpapi-cryptunprotectdata)() function was used to unprotect “auditable” data that was encrypted using [**CryptProtectData**](/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata)() function with **CRYPTPROTECT\_AUDIT** flag (dwFlags) enabled.
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4696(S): A primary token was assigned to process.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-4696.png" alt="Event 4696 illustration" width="442" height="454" hspace="10" align="left" />
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4697(S): A service was installed in the system.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-4697.png" alt="Event 4697 illustration" width="438" height="380" hspace="10" align="left" />
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
@ -16,10 +16,6 @@ ms.technology: mde
|
||||
|
||||
# 4698(S): A scheduled task was created.
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
|
||||
<img src="images/event-4698.png" alt="Event 4698 illustration" width="361" height="555" hspace="10" align="left" />
|
||||
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Loading…
x
Reference in New Issue
Block a user