Export (0) Print
Expand All

Auditing Constants

The following constants represent categories and subcategories of audit-policy events.

The following constants represent categories of audit-policy events. These constants are defined as GUID structures in Ntsecapi.h.

Audit_System
69979848-797a-11d9-bed3-505054503030

Audit attempts to shut down or restart the computer. Also, audit events that affect system security or the security log.

Audit_Logon
69979849-797a-11d9-bed3-505054503030

Audit attempts to log on to or log off of the system. Also, audit attempts to make a network connection.

Audit_ObjectAccess
6997984a-797a-11d9-bed3-505054503030

Audit attempts to access securable objects.

Audit_PrivilegeUse
6997984b-797a-11d9-bed3-505054503030

Audit attempts to use privileges.

Audit_DetailedTracking
6997984c-797a-11d9-bed3-505054503030

Audit-specific events, such as program activation, some forms of handle duplication, indirect access to an object, and process exit.

Audit_PolicyChange
6997984d-797a-11d9-bed3-505054503030

Audit attempts to change Policy object rules.

Audit_AccountManagement
6997984e-797a-11d9-bed3-505054503030

Audit attempts to create, delete, or change user or group accounts. Also, audit password changes.

Audit_DirectoryServiceAccess
6997984f-797a-11d9-bed3-505054503030

Audit attempts to access the directory service.

Audit_AccountLogon
69979850-797a-11d9-bed3-505054503030

Audit logon attempts by privileged accounts that log on to the domain controller. These audit events are generated when the Kerberos Key Distribution Center (KDC) logs on to the domain controller.

The following constants represent subcategories of audit-policy events. These constants are defined as GUID structures in Ntsecapi.h.

Audit_System_SecurityStateChange (0cce9210-69ae-11d9-bed3-505054503030)
Audit_System_SecuritySubsystemExtension (0cce9211-69ae-11d9-bed3-505054503030)
Audit_System_Integrity (0cce9212-69ae-11d9-bed3-505054503030)
Audit_System_IPSecDriverEvents (0cce9213-69ae-11d9-bed3-505054503030)
Audit_System_Others (0cce9214-69ae-11d9-bed3-505054503030)
Audit_Logon_Logon (0cce9215-69ae-11d9-bed3-505054503030)
Audit_Logon_Logoff (0cce9216-69ae-11d9-bed3-505054503030)
Audit_Logon_AccountLockout (0cce9217-69ae-11d9-bed3-505054503030)
Audit_Logon_IPSecMainMode (0cce9218-69ae-11d9-bed3-505054503030)
Audit_Logon_IPSecQuickMode (0cce9219-69ae-11d9-bed3-505054503030)
Audit_Logon_IPSecUserMode (0cce921a-69ae-11d9-bed3-505054503030)
Audit_Logon_SpecialLogon (0cce921b-69ae-11d9-bed3-505054503030)
Audit_Logon_Others (0cce921c-69ae-11d9-bed3-505054503030)
Audit_ObjectAccess_FileSystem (0cce921d-69ae-11d9-bed3-505054503030)
Audit_ObjectAccess_Registry (0cce921e-69ae-11d9-bed3-505054503030)
Audit_ObjectAccess_Kernel (0cce921f-69ae-11d9-bed3-505054503030)
Audit_ObjectAccess_Sam (0cce9220-69ae-11d9-bed3-505054503030)
Audit_ObjectAccess_CertificationServices (0cce9221-69ae-11d9-bed3-505054503030)
Audit_ObjectAccess_ApplicationGenerated (0cce9222-69ae-11d9-bed3-505054503030)
Audit_ObjectAccess_Handle (0cce9223-69ae-11d9-bed3-505054503030)
Audit_ObjectAccess_Share (0cce9224-69ae-11d9-bed3-505054503030)
Audit_ObjectAccess_FirewallPacketDrops (0cce9225-69ae-11d9-bed3-505054503030)
Audit_ObjectAccess_FirewallConnection (0cce9226-69ae-11d9-bed3-505054503030)
Audit_ObjectAccess_Other (0cce9227-69ae-11d9-bed3-505054503030)
Audit_PrivilegeUse_Sensitive (0cce9228-69ae-11d9-bed3-505054503030)
Audit_PrivilegeUse_NonSensitive (0cce9229-69ae-11d9-bed3-505054503030)
Audit_PrivilegeUse_Others (0cce922a-69ae-11d9-bed3-505054503030)
Audit_DetailedTracking_ProcessCreation (0cce922b-69ae-11d9-bed3-505054503030)
Audit_DetailedTracking_ProcessTermination (0cce922c-69ae-11d9-bed3-505054503030)
Audit_DetailedTracking_DpapiActivity (0cce922d-69ae-11d9-bed3-505054503030)
Audit_DetailedTracking_RpcCall (0cce922e-69ae-11d9-bed3-505054503030)
Audit_PolicyChange_AuditPolicy (0cce922f-69ae-11d9-bed3-505054503030)
Audit_PolicyChange_AuthenticationPolicy (0cce9230-69ae-11d9-bed3-505054503030)
Audit_PolicyChange_AuthorizationPolicy (0cce9231-69ae-11d9-bed3-505054503030)
Audit_PolicyChange_MpsscvRulePolicy (0cce9232-69ae-11d9-bed3-505054503030)
Audit_PolicyChange_WfpIPSecPolicy (0cce9233-69ae-11d9-bed3-505054503030)
Audit_PolicyChange_Others (0cce9234-69ae-11d9-bed3-505054503030)
Audit_AccountManagement_UserAccount (0cce9235-69ae-11d9-bed3-505054503030)
Audit_AccountManagement_ComputerAccount (0cce9236-69ae-11d9-bed3-505054503030)
Audit_AccountManagement_SecurityGroup (0cce9237-69ae-11d9-bed3-505054503030)
Audit_AccountManagement_DistributionGroup (0cce9238-69ae-11d9-bed3-505054503030)
Audit_AccountManagement_ApplicationGroup (0cce9239-69ae-11d9-bed3-505054503030)
Audit_AccountManagement_Others (0cce923a-69ae-11d9-bed3-505054503030)
Audit_DSAccess_DSAccess (0cce923b-69ae-11d9-bed3-505054503030)
Audit_DsAccess_AdAuditChanges (0cce923c-69ae-11d9-bed3-505054503030)
Audit_Ds_Replication (0cce923d-69ae-11d9-bed3-505054503030)
Audit_Ds_DetailedReplication (0cce923e-69ae-11d9-bed3-505054503030)
Audit_AccountLogon_CredentialValidation (0cce923f-69ae-11d9-bed3-505054503030)
Audit_AccountLogon_Kerberos (0cce9240-69ae-11d9-bed3-505054503030)
Audit_AccountLogon_Others (0cce9241-69ae-11d9-bed3-505054503030)
Audit_AccountLogon_KerbCredentialValidation (0cce9242-69ae-11d9-bed3-505054503030)
Audit_Logon_NPS (0cce9243-69ae-11d9-bed3-505054503030)

Requirements

Minimum supported client

Windows Vista [desktop apps only]

Minimum supported server

Windows Server 2008 [desktop apps only]

Header

Ntsecapi.h

 

 

Community Additions

ADD
Show:
© 2014 Microsoft