Windows 7 Security Auditing being turned off - By what?



























This has been driving me nuts. I've searched high and low for a solution but have found nothing. I did find this question which I thought held the solution through auditpol.exe. No dice.



I can set my Windows Audit Policy using either secpol.msc or gpedit.msc. The problem is that after a few minutes, they're being cleared (all getting set to "No Auditing"). From the event log, the only clue I get is:



System audit policy was changed.

Subject:
    Security ID:        SYSTEM
    Account Name:       MYCOMPUTERNAME$
    Account Domain:     WORKGROUP
    Logon ID:           0x3e7

Audit Policy Change:
    Category:           Account Logon
    Subcategory:        Kerberos Authentication Service
    Subcategory GUID:   {0cce9242-69ae-11d9-bed3-505054503030}
    Changes:            Success removed, Failure removed


After the last of these, no further entries of any kind will be written to the Security Event Log.



My system configuration:



OS: Windows 7 Ultimate w/ SP1
Processor: x64
RAM: 12 GB
NOT Domain-joined. In WORKGROUP (so, no Group Policy is being applied).
Windows Firewall enabled
Microsoft Security Essentials


Update:



I've also sought help on Microsoft's Community Forums on this issue and it's clear from the response I've received (from Microsoft) that they don't understand the issue. To that end, I thought it might be appropriate to add additional detail here.



The specific commands I'm using to configure auditing are as follows:



auditpol.exe /set /category:"Account Logon" /success:enable /failure:enable
auditpol.exe /set /category:"Account Management" /success:enable /failure:enable
auditpol.exe /set /category:"Detailed Tracking" /success:disable /failure:disable
auditpol.exe /set /category:"DS Access" /success:disable /failure:enable
auditpol.exe /set /category:"Logon/Logoff" /success:enable /failure:enable
auditpol.exe /set /category:"Object Access" /success:disable /failure:disable
auditpol.exe /set /category:"Policy Change" /success:disable /failure:enable
auditpol.exe /set /category:"Privilege Use" /success:disable /failure:enable
auditpol.exe /set /category:"System" /success:enable /failure:enable

auditpol.exe /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
auditpol.exe /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable
auditpol.exe /set /subcategory:"Authorization Policy Change" /success:enable /failure:enable
auditpol.exe /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:enable


and the output from auditpol.exe /get /category:*



System audit policy
Category/Subcategory                        Setting
System
  Security System Extension                 Success and Failure
  System Integrity                          Success and Failure
  IPsec Driver                              Success and Failure
  Other System Events                       Success and Failure
  Security State Change                     Success and Failure
Logon/Logoff
  Logon                                     Success and Failure
  Logoff                                    Success and Failure
  Account Lockout                           Success and Failure
  IPsec Main Mode                           Success and Failure
  IPsec Quick Mode                          Success and Failure
  IPsec Extended Mode                       Success and Failure
  Special Logon                             Success and Failure
  Other Logon/Logoff Events                 Success and Failure
  Network Policy Server                     Success and Failure
Object Access
  File System                               No Auditing
  Registry                                  No Auditing
  Kernel Object                             No Auditing
  SAM                                       No Auditing
  Certification Services                    No Auditing
  Application Generated                     No Auditing
  Handle Manipulation                       No Auditing
  File Share                                No Auditing
  Filtering Platform Packet Drop            No Auditing
  Filtering Platform Connection             No Auditing
  Other Object Access Events                No Auditing
  Detailed File Share                       No Auditing
Privilege Use
  Sensitive Privilege Use                   Failure
  Non Sensitive Privilege Use               Failure
  Other Privilege Use Events                Failure
Detailed Tracking
  Process Termination                       No Auditing
  DPAPI Activity                            No Auditing
  RPC Events                                No Auditing
  Process Creation                          No Auditing
Policy Change
  Audit Policy Change                       Success and Failure
  Authentication Policy Change              Success and Failure
  Authorization Policy Change               Success and Failure
  MPSSVC Rule-Level Policy Change           Failure
  Filtering Platform Policy Change          Failure
  Other Policy Change Events                Failure
Account Management
  User Account Management                   Success and Failure
  Computer Account Management               Success and Failure
  Security Group Management                 Success and Failure
  Distribution Group Management             Success and Failure
  Application Group Management              Success and Failure
  Other Account Management Events           Success and Failure
DS Access
  Directory Service Changes                 Failure
  Directory Service Replication             Failure
  Detailed Directory Service Replication    Failure
  Directory Service Access                  Failure
Account Logon
  Kerberos Service Ticket Operations        Success and Failure
  Other Account Logon Events                Success and Failure
  Kerberos Authentication Service           Success and Failure
  Credential Validation                     Success and Failure


After a few minutes, and without touching anything relating to auditing, a repeat yields:



System audit policy
Category/Subcategory                        Setting
System
  Security System Extension                 No Auditing
  System Integrity                          No Auditing
  IPsec Driver                              No Auditing
  Other System Events                       No Auditing
  Security State Change                     No Auditing
Logon/Logoff
  Logon                                     No Auditing
  Logoff                                    No Auditing
  Account Lockout                           No Auditing
  IPsec Main Mode                           No Auditing
  IPsec Quick Mode                          No Auditing
  IPsec Extended Mode                       No Auditing
  Special Logon                             No Auditing
  Other Logon/Logoff Events                 No Auditing
  Network Policy Server                     No Auditing
Object Access
  File System                               No Auditing
  Registry                                  No Auditing
  Kernel Object                             No Auditing
  SAM                                       No Auditing
  Certification Services                    No Auditing
  Application Generated                     No Auditing
  Handle Manipulation                       No Auditing
  File Share                                No Auditing
  Filtering Platform Packet Drop            No Auditing
  Filtering Platform Connection             No Auditing
  Other Object Access Events                No Auditing
  Detailed File Share                       No Auditing
Privilege Use
  Sensitive Privilege Use                   No Auditing
  Non Sensitive Privilege Use               No Auditing
  Other Privilege Use Events                No Auditing
Detailed Tracking
  Process Termination                       No Auditing
  DPAPI Activity                            No Auditing
  RPC Events                                No Auditing
  Process Creation                          No Auditing
Policy Change
  Audit Policy Change                       No Auditing
  Authentication Policy Change              No Auditing
  Authorization Policy Change               No Auditing
  MPSSVC Rule-Level Policy Change           No Auditing
  Filtering Platform Policy Change          No Auditing
  Other Policy Change Events                No Auditing
Account Management
  User Account Management                   No Auditing
  Computer Account Management               No Auditing
  Security Group Management                 No Auditing
  Distribution Group Management             No Auditing
  Application Group Management              No Auditing
  Other Account Management Events           No Auditing
DS Access
  Directory Service Changes                 No Auditing
  Directory Service Replication             No Auditing
  Detailed Directory Service Replication    No Auditing
  Directory Service Access                  No Auditing
Account Logon
  Kerberos Service Ticket Operations        No Auditing
  Other Account Logon Events                No Auditing
  Kerberos Authentication Service           No Auditing
  Credential Validation                     No Auditing


There is no indication in the event log of what has made the changes.










windows-7 security event-log














edited Mar 20 '17 at 10:17
Community

asked May 3 '14 at 23:59
BillP3rd













  • What were the events before this?

    – Colyn1337
    May 20 '14 at 18:01
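
The two `auditpol.exe /get /category:*` listings in the question can be compared mechanically to record which subcategories lost coverage and whether everything was cleared at once. The following Python is an added example, not part of the original post; the function names and the abbreviated sample snapshots are constructed for illustration.

```python
"""Diff two `auditpol.exe /get /category:*` snapshots and report lost coverage.

Added example. BEFORE and AFTER are constructed, abbreviated snapshots in the
format shown in the question; they were not captured from a real system.
"""

# Longest labels first so "Success and Failure" is not read as "... Failure".
SETTINGS = ("Success and Failure", "No Auditing", "Success", "Failure")
# Bit flags: 1 = success events audited, 2 = failure events audited.
COVERAGE = {"No Auditing": 0, "Success": 1, "Failure": 2, "Success and Failure": 3}
HEADER_LINES = {"System audit policy", "Category/Subcategory Setting"}


def parse_auditpol(text):
    """Return {(category, subcategory): setting} from auditpol report text."""
    policy, category = {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split())      # collapse indentation and column padding
        if not line or line in HEADER_LINES:
            continue
        for setting in SETTINGS:
            if line.endswith(" " + setting):
                name = line[: -len(setting)].strip()
                policy[(category, name)] = setting
                break
        else:
            category = line               # no setting suffix: this is a category row
    return policy


def reduced_coverage(before, after):
    """List (category, subcategory, lost) for every subcategory that lost auditing.

    `lost` names the event types audited before but not after. A subcategory
    missing from `after` is treated as "No Auditing".
    """
    findings = []
    for key, old in before.items():
        new = after.get(key, "No Auditing")
        lost_bits = COVERAGE[old] & ~COVERAGE[new]
        if lost_bits:
            lost = [n for bit, n in ((1, "Success"), (2, "Failure")) if lost_bits & bit]
            findings.append((key[0], key[1], " and ".join(lost)))
    return findings


def classify(before, after):
    """Return 'no reduction', 'targeted' or 'wholesale reset'."""
    if not reduced_coverage(before, after):
        return "no reduction"
    if after and all(s == "No Auditing" for s in after.values()):
        return "wholesale reset"          # every subcategory cleared, as in the question
    return "targeted"                     # only some subcategories were weakened


# Constructed sample: a few rows of the configured policy ...
BEFORE = """\
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success and Failure
Object Access
  File System                             No Auditing
Privilege Use
  Sensitive Privilege Use                 Failure
Policy Change
  Audit Policy Change                     Success and Failure
  Filtering Platform Policy Change        Failure
"""

# ... and the same rows a few minutes later, all cleared.
AFTER = """\
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   No Auditing
  Logoff                                  No Auditing
Object Access
  File System                             No Auditing
Privilege Use
  Sensitive Privilege Use                 No Auditing
Policy Change
  Audit Policy Change                     No Auditing
  Filtering Platform Policy Change        No Auditing
"""

if __name__ == "__main__":
    before, after = parse_auditpol(BEFORE), parse_auditpol(AFTER)
    print("Change type:", classify(before, after))
    for category, subcategory, lost in reduced_coverage(before, after):
        print(f"  {category} / {subcategory}: lost {lost}")
```

Run against snapshots saved on a schedule, the first pair that differs narrows down when the policy was cleared, which can then be lined up with other logs from the same window.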





























1 Answer














Perhaps "Audit: Force audit policy subcategory settings" is set to Enabled? Seems this will overwrite the "legacy" audit policies periodically and after a reboot.



See: http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx
















answered Nov 20 '15 at 21:14
Niklas Bäckman





























