Audit Policy Changed

Windows 10

Windows 7

Flynn Weeks

April 21, 2022

Enabled by default

Service: Microsoft Windows Security Auditing

Log type: Security

A change to the audit policy can mean that an unauthorized party is trying to gain access to a location they shouldn't be in, or to escalate their privileges. This log is recommended for HIPAA and PCI DSS compliance and is recommended by the NSA Event Forwarding Guidance.

Changes to the audit policy are logged by default in Windows 10 Professional. To view the logs, open Event Viewer, select the Security log, and sort or filter by Event ID 4719.

To view this log from the command line with Get-WinEvent, open PowerShell as an administrator and run:

    Get-WinEvent -FilterHashTable @{LogName='Security';ID='4719'} -MaxEvents 1 | Format-List

To view this log from the command line with wevtutil, open PowerShell or Command Prompt as an administrator and run:

    wevtutil qe Security "/q:*[System [(EventID=4719)]]"
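The one-line Get-WinEvent query above shows the raw record; the script below is an added example (not code from the original Log Pile entry) that turns 4719 records into flat objects a defender can sort and alert on. It reads the event XML and pulls out who made the change, which audit subcategory was touched, and whether auditing was added or removed, since removals are the changes most worth a closer look. Assumptions: the %%-codes in the AuditPolicyChanges field are taken from Microsoft's documentation of Event 4719, the GUID for the "Audit Policy Change" subcategory is assumed and should be confirmed with `auditpol /list /subcategory:* /v`, and the sample record at the bottom is constructed, not captured from a real host.

```powershell
# Added example: parse Event ID 4719 (Audit Policy Changed) into flat objects
# and flag changes that remove auditing. Not part of the original entry.

# Resource-string codes Windows writes into the AuditPolicyChanges field,
# per Microsoft's documentation of Event 4719. Verify against your own events.
$AuditChangeCodes = @{
    '%%8448' = 'Success added'
    '%%8449' = 'Success removed'
    '%%8450' = 'Failure added'
    '%%8451' = 'Failure removed'
}

# Subcategory GUID of "Audit Policy Change" itself. Removing auditing here
# blinds this very detection. ASSUMED value: confirm on your system with
#   auditpol /list /subcategory:* /v
$AuditPolicyChangeSubcategory = '{0CCE922F-69AE-11D9-BED3-505054503030}'

function ConvertFrom-AuditPolicyChangeXml {
    param([Parameter(Mandatory)][string]$EventXml)

    $xml = [xml]$EventXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

    # Collect <Data Name="...">value</Data> pairs into a hashtable.
    $data = @{}
    foreach ($d in $xml.SelectNodes('//e:EventData/e:Data', $ns)) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }

    # AuditPolicyChanges is a comma-separated list of %%-codes; translate
    # the ones we know and pass unknown codes through untouched.
    $changes = ([string]$data['AuditPolicyChanges'] -split ',') | ForEach-Object {
        $c = $_.Trim()
        if ($AuditChangeCodes.ContainsKey($c)) { $AuditChangeCodes[$c] } else { $c }
    }
    $removed = $changes | Where-Object { $_ -like '*removed*' }

    [pscustomobject]@{
        TimeCreated     = [datetime]$xml.SelectSingleNode('//e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
        Subject         = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        LogonId         = $data['SubjectLogonId']
        SubcategoryGuid = $data['SubcategoryGuid']
        Changes         = $changes -join '; '
        AuditingRemoved = [bool]$removed
        # True when auditing was removed from the "Audit Policy Change"
        # subcategory itself, i.e. someone is turning off the log you rely on.
        SelfTampering   = ([bool]$removed) -and ($data['SubcategoryGuid'] -ieq $AuditPolicyChangeSubcategory)
    }
}

# CONSTRUCTED sample 4719 record (not from a real host): a local account
# removing Success and Failure auditing from the Audit Policy Change subcategory.
$SampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4719</EventID>
    <TimeCreated SystemTime="2022-04-21T14:03:11.0000000Z" />
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-0-0-0-1001</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">WORKSTATION01</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="SubcategoryGuid">{0CCE922F-69AE-11D9-BED3-505054503030}</Data>
    <Data Name="AuditPolicyChanges">%%8449, %%8451</Data>
  </EventData>
</Event>
'@

# Runs offline against the constructed sample; expect AuditingRemoved and
# SelfTampering both True.
ConvertFrom-AuditPolicyChangeXml $SampleXml | Format-List

# Live query (elevated PowerShell, as the entry describes): the newest 50
# 4719 events, with removals sorted to the top. Silently yields nothing if
# the log holds no 4719 records.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4719} -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-AuditPolicyChangeXml $_.ToXml() } |
    Sort-Object AuditingRemoved -Descending |
    Format-Table TimeCreated, Subject, SubcategoryGuid, Changes, AuditingRemoved, SelfTampering -AutoSize
```

Parsing the XML by field name rather than by positional index in `$_.Properties` keeps the script readable and lets it tolerate records where a field is missing. The same objects can be exported with `Export-Csv` or fed to a SIEM forwarder; the `SelfTampering` flag is the one to turn into an alert first.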

View Logs:
    Get-WinEvent -FilterHashTable @{LogName='Security';ID='4719'} -MaxEvents 1 | Format-List

Check Logging Status:
    auditpol /get /subcategory:"audit policy change"

Disable Logging:
    auditpol /set /subcategory:"audit policy change" /Success:Disable /Failure:Disable

Enable Logging:
    auditpol /set /subcategory:"audit policy change" /Success:Enable /Failure:Enable

Language: PowerShell
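The "Check Logging Status" command prints a table meant for a human. The function below is an added example (not the original entry's code) that turns the same check into something a script or a fleet-wide compliance job can act on: it runs auditpol with its CSV switch (`/r`), parses the row for the "Audit Policy Change" subcategory, and reports whether both Success and Failure auditing are enabled. The CSV column names ("Subcategory", "Inclusion Setting") are those auditpol prints on Windows 10; that is an assumption about the tool's output format, and the function throws rather than guessing if the row cannot be found.

```powershell
# Added example: verify that "Audit Policy Change" auditing is fully enabled,
# using auditpol's CSV output. Not part of the original entry. Requires an
# elevated prompt, like the auditpol commands above.

function Test-AuditPolicyChangeLogging {
    # /r makes auditpol emit CSV (assumed header: Machine Name, Policy Target,
    # Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting).
    # auditpol prints a leading blank line, which is dropped before parsing.
    $rows = auditpol /get /subcategory:"Audit Policy Change" /r |
        Where-Object { $_ -ne '' } |
        ConvertFrom-Csv

    $row = $rows | Where-Object { $_.Subcategory -eq 'Audit Policy Change' } | Select-Object -First 1
    if (-not $row) {
        throw 'Could not parse auditpol output; run auditpol /get /subcategory:"Audit Policy Change" by hand.'
    }

    # Inclusion Setting reads "Success and Failure", "Success", "Failure" or "No Auditing".
    $setting = $row.'Inclusion Setting'
    [pscustomobject]@{
        Subcategory = $row.Subcategory
        Setting     = $setting
        Success     = [bool]($setting -match 'Success')
        Failure     = [bool]($setting -match 'Failure')
        Compliant   = [bool](($setting -match 'Success') -and ($setting -match 'Failure'))
    }
}

$state = Test-AuditPolicyChangeLogging
$state | Format-List

# Warn, and show the exact remediation from the entry above, if either half is off.
if (-not $state.Compliant) {
    Write-Warning ("Audit Policy Change is '{0}'. Re-enable with: " +
        'auditpol /set /subcategory:"Audit Policy Change" /Success:Enable /Failure:Enable') -f $state.Setting
}
```

Because the function returns an object rather than printing text, the `Compliant` field can be collected from many hosts (for example via `Invoke-Command`) and any host that reports `False` scheduled for remediation, while the `Setting` string is kept for the audit trail.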