Auditpol

Windows 10

Flynn Weeks

Flynn Weeks

January 31, 2022

Auditpol.exe is the command line tool that What2Log utilizes to check the status of and enable or disable logs in Windows environments. It can be used in both Powershell and the Command prompt, but all of our examples utilize Powershell. Entering the command auditpol will return a list of the available commands.

With the auditpol /list /category command, the user can see the list of categories they can edit with the auditpol command, of which there are 10.

Auditpol then breaks each of these main categories into several subcategories, which are what is edited when changing the audit policy. These subcategories can be viewed with the command auditpol /list /subcategory:* Our screenshot only shows a portion of the output.

In order to get the current status of an audit setting, the command is auditpol /get, which needs to be followed by a /category or /subcategory. Doing a category will give you a list of all the subcategories and their current settings, as shown with the command auditpol /get /category:System Replacing the name of the category with * will show all of the categories and subcategories with their current setting.

Using the auditpol /get command with /subcategory, however, will only return the setting of a specific singular subcategory. For subcategories longer than 1 word, the name must be placed inside parentheses for it to be read correctly.

In order to enable or disable a log, the command is auditpol /set, which is then followed by a category or subcategory. After this, you must specify what you want to change and how. You can specify if you want to change the auditing of a success or failure, and then if you want to enable or disable them; both do not have to be changed. The auditpol command will then look something like auditpol /set /subcategory:"Other System Events" /Success:Enable /Failure:Enable

This command can also be applied to all categories at once, although it is not recommended. The changes made through the command line can also be observed in the group policy editor under Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies, as pictured.