Freigeben über


Audit Security State Change

 

Applies To: Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8

This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Security State Change, which determines whether Windows generates audit events for changes in the security state of a system.

Changes in the security state of the operating system include:

  • System startup and shutdown.

  • Change of system time.

  • System recovery from CrashOnAuditFail. This event is logged after a system reboots following CrashOnAuditFail.

    Important

    Some auditable activity may not be recorded when a system reboots due to CrashOnAuditFail.

System startup and shutdown events are important for understanding system usage.

Event volume: Low

Default: Success

If this policy setting is configured, the following events appear on computers running the supported versions of the Windows operating system as designated in the Applies to list at the beginning of this topic in addition to Windows Server 2008 and Windows Vista.

Event ID

Event Message Summary

Minimum Requirement

4608

Windows is starting up.

Windows Vista, Windows Server 2008

4609

Windows is shutting down.

Windows Vista, Windows Server 2008

4616

The system time was changed.

Windows Vista, Windows Server 2008

4621

Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.

Windows Vista, Windows Server 2008

Advanced Security Audit Policy Settings