Event Id | 612 |
Source | Security |
Description | Audit Policy Change: New Policy: Success Failure %3 %4 Logon/Logoff %5 %6 Object Access %7 %8 Privilege Use %13 %14 Account Management %11 %12 Policy Change %1 %2 System %9 %10 Detailed Tracking %15 %16 Directory Service Access %17 %18 Account Logon Changed By: User Name: %19 Domain Name: %20 Logon ID: %21 |
Event Information | Cause: Event ID 612 indicates that a change in audit policy has been made on the local computer. The logging of Event ID 612 is the expected behavior when you restart Windows XP SP2. Resolution: In Windows XP SP2 and in Windows Server 2003 SP2, a change was made to the way audit policy is applied. Audit policy is now applied every time Windows starts. This behavior occurs regardless of whether there have been any changes to the audit policy. In earlier versions of Windows XP and of Windows Server 2003, the audit policy was applied when Windows restarted only if Windows detected a change in policy. This change helps make sure that Windows detects and logs a change in policy every time an administrator changes your audit policy. Cause 1: This can be a result of Group Policy obtained from Active Directory or from Local Computer Policy that is configured on the computer. The details of the audit policy change are described in the event message. This message does not necessarily indicate a problem. However, an attacker may change audit policy as part of a system attack. If successful, an attacker can disable auditing during their attacks and thereby destroy part of the evidence of the attack. Resolution: Verify that the audit policy change is authorized. If it is an authorized change, no user action is required. If the change is unauthorized, identify the attack and attacker to mitigate the threat. |
Reference Links | Event ID 612 from Source Security |
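
Because Event ID 612 is logged at every startup on these versions, the useful check is on the content of the new policy, not on the event's presence. The following added example (not part of the original page) parses a rendered 612 message and reports audit settings that a baseline requires but the new policy turns off; it assumes the placeholders render as `+` (enabled) and `-` (disabled), and the function names, sample message and baseline are constructed for illustration.

```python
import re

CATEGORIES = ["Logon/Logoff", "Object Access", "Privilege Use", "Account Management",
              "Policy Change", "System", "Detailed Tracking",
              "Directory Service Access", "Account Logon"]
# One policy row: success flag, failure flag, category name (assumed "+"/"-" rendering).
ROW = re.compile(r"([+-])\s+([+-])\s+(" + "|".join(map(re.escape, CATEGORIES)) + r")\s*$", re.M)

def parse_612(message):
    """Return ({category: (success, failure)}, changed_by) from a rendered 612 message."""
    policy = {m.group(3): (m.group(1) == "+", m.group(2) == "+")
              for m in ROW.finditer(message)}
    user = re.search(r"User Name:\s*(\S+)", message)
    domain = re.search(r"Domain Name:\s*(\S+)", message)
    return policy, "\\".join(x.group(1) for x in (domain, user) if x)

def audit_regressions(message, baseline):
    """Return (findings, changed_by); findings lists audits the baseline requires but the policy disables."""
    policy, changed_by = parse_612(message)
    findings = []
    for category, required in baseline.items():
        actual = policy.get(category, (False, False))  # a missing row counts as disabled
        for kind, need, have in zip(("Success", "Failure"), required, actual):
            if need and not have:
                findings.append((category, kind))
    return findings, changed_by

# Constructed sample message and baseline, for illustration only.
SAMPLE = """Audit Policy Change:
New Policy:
    Success    Failure
    +    +    Logon/Logoff
    -    -    Object Access
    -    -    Privilege Use
    +    +    Account Management
    -    -    Policy Change
    -    -    System
    -    -    Detailed Tracking
    -    -    Directory Service Access
    -    +    Account Logon
Changed By:
    User Name: jdoe
    Domain Name: EXAMPLE
    Logon ID: (0x0,0x3E7)
"""
BASELINE = {"Logon/Logoff": (True, True), "Account Management": (True, True),
            "Policy Change": (True, True), "Account Logon": (True, True)}
```

An empty findings list corresponds to the routine startup event; a non-empty list, together with the "Changed By" account, is what to check against authorized change records.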