Windows 10: Audit policy

Hi! I want to monitor user activities of each user, and I'm using winlogbeat on windows server VM to collect audit log. I enabled recommended policy following this link https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendationsI haven't login the machine for days, but the log still show many processes created by my user. For example, C:\Windows\System32\svchost.exe is created. It's has user test2, but I did not login as test2 for weeks. Another example, C:\Windows\System32\cleanmgr.exe is created with my user test2, and I did not ru

:)

 

Advance Audit Policies are not being applied via GPO

Advanced Audit Policy Configuration inclusive of System Audit Policies like Account Logon, Account Management, DS Access, Logon/Logoff, etc are not being applied on the servers when GPO is implemented for the same.

We have additional settings applied via same GPO which is successfully applied.

 

Change audit policy through the Registry

I'm developing an application to read audit event log entries.
But I'm stuck on my home notebook with Windows 10 Home and I can't start
gpedit.msc or secpol.msc. Thus I have to enable logon audit events through the Registry. I came up with this location:

These are the resources I've found:

• How To Determine Audit Policies from the Registry
  
• Audit Other Logon/Logoff Events
  
• Audit Policy Registry Format
  

This is my current setting:





How should I change the setting to have logon successes logged to the Event Log?

 

Audit mode

Hi Diane,

Windows boots into Windows Welcome Mode and Audit Mode. Windows Welcome Mode
is the first user experience while the Audit mode is used to add customization to Windows images. Sometimes, Windows keeps running in Audit Mode and user has no idea about it, just like in your case. While your machine is running Audit
Mode when upgrading or reinstalling Windows 10, the upgrade won’t progress.

Here's how to exit from Audit mode to reinstall Windows 10:

• Open the administrative or elevated Command Prompt. Type cmd in the
  Search field at the taskbar.
• Type the following command and press Enter key: sysprep /oobe /generalize
  DISCLAIMER: Running sysprep command each time resets Windows licensing state to default. So if your Windows is activated and you run this command, you’ll need to reactivate Windows after executing this command.
  
  
• Once the command IS successfully executed, you’ll be out of Audit Mode. Now you can re-try to upgrade to Windows 10 and it should work.

Let us know if the steps above worked for you.