Auditing in Windows

Before you start

Objectives: Learn what auditing in Windows is, when we can use it, and how to enable it.

Prerequisites: no prerequisites.

Key terms: auditing, Windows, events, success, failure, log, Event Viewer, policies, audit


What is Auditing

Auditing tracks (records) the success or failure of certain events on our system. Success auditing identifies when an action was completed successfully. Failure auditing identifies when an action could not be completed.

All this enables us to track when someone was able to do something, or when someone is trying to do something that they are not supposed to do. By default, there are nine auditing policies which can be enabled. These include:

  • Account Logon events – generated when a domain user authenticates to a domain. The event is stored on the Domain Controller (DC) which processed the authentication.
  • Logon events – generated when a user logs on locally. The event is stored on the local computer.
  • Account Management event – generated when an action regarding account management happens (creation, modification and deletion of users and groups).
  • Object Access event – generated when objects are accessed (files, folders, printers).
  • Policy Change event – generated when user rights, audit or trust policies change.
  • Privilege Use – tracks the use of user rights.
  • System Events – generated in cases like system shutdown, restart, boot, or changes in the security log.
  • Process Tracking – tracks events such as a program starting, terminating, or executing some action.

So, from all this we see that we can track who opened the file, who modified it, who deleted it, or who tried to open a file but failed to do so.

Auditing is enabled by configuring audit policies. Auditing can only be enabled on NTFS partitions. To enable auditing, we must first enable the object access audit policy. Then we go to the object itself (file or folder), open its properties, select the Audit tab, and select the events that we want to track. We can select only the behaviors that we want to monitor. All events will be logged in Event Viewer -> Security Log. By default, event logs overwrite existing entries when the log is full. To preserve all auditing entries, we can enable the ‘Do not overwrite events’ setting.

We should only enable auditing for specific events and only for a specific period of time, because security logs can fill up quickly.
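The same procedure can be scripted. The following is an added example, not part of the original article: it enables the object access policy, adds an audit entry for writes and deletes only on one folder, checks the log's overwrite mode, and reads the resulting events. It assumes an elevated Windows PowerShell 3.0 or later session; the folder path and the 'Everyone' principal are hypothetical choices, and event ID 4663 is the Security log event for an object access attempt on Windows Vista and later.

```powershell
# Run elevated: changing audit entries needs the
# "Manage auditing and security log" user right.
$Path = 'C:\Data\Finance'   # hypothetical folder to audit (assumption)

# Step 1: enable the Object Access audit policy for success and failure.
# The category name is localized on non-English systems.
auditpol /set /category:"Object Access" /success:enable /failure:enable | Out-Null

# Step 2: add an audit entry on the folder itself. Only writes and deletes
# are tracked, which keeps the Security log from filling up quickly.
# Arguments: identity, rights, inheritance, propagation, audit flags.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList `
    'Everyone', 'Write, Delete', 'ContainerInherit, ObjectInherit', 'None', 'Success, Failure'
$acl = Get-Acl -Path $Path -Audit     # -Audit loads the existing audit entries
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Confirm that both settings took effect.
auditpol /get /category:"Object Access"
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags

# Check whether the Security log overwrites old entries when it is full
# (LogMode 'Circular' means it does).
Get-WinEvent -ListLog Security | Format-List LogMode, MaximumSizeInBytes, FileSize

# Step 3: read the object access events for the audited folder.
$filter = @{ LogName = 'Security'; Id = 4663 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        # Flatten the named EventData fields into a hashtable.
        foreach ($field in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$field.Name] = $field.'#text'
        }
        if ($data.ObjectName -like "$Path*") {
            [pscustomobject]@{
                Time    = $evt.TimeCreated
                User    = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                Object  = $data.ObjectName
                Process = $data.ProcessName
                Access  = $data.AccessMask
            }
        }
    }
```

Success and failure entries for the same folder appear in the same Security log, distinguished by the Audit Success or Audit Failure keyword in Event Viewer.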

Different versions of Windows offer different degrees of granularity for tracking audit events. Newer versions of Windows typically have more granular and more advanced audit policies which we can use. For example, Windows 7 also includes auditing categories like Credential Validation, Account Lockout, etc.

Example Configuration

We have separate articles in which we show how to enable and work with auditing in different versions of Windows: