How to enable Windows 11 system user login and behavior audit log features?

tj_zero 45 Reputation points

How to enable Windows 11 system user login and behavior audit log features?

Hope to achieve the following objectives;

  1. Record the user ID login information and record the operation content in as much detail as possible; (e.g., file deletion or access)
  2. Set the PC log to be saved to the specified PC; (Remote records to avoid tampering and destruction)

This is a necessary condition for direct behavior tracing of common PC users;

Hope to have this experience of engineers to help, thank you;

Windows 11
Windows 11
A Microsoft operating system designed for productivity, creativity, and ease of use.
6,025 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Darrell Gorter 706 Reputation points


    There are some policies you can use to track some of items you list.

    I would start by running gpedit.msc

    and looking at the following sections:Event_Viewer

    You can use wevtutil to retrieve event log information.



  2. チャブーン 81 Reputation points MVP

    Hi, tj_zero

    This is Chaboon.

    First, You should understand that user logon auditing and file access auditing are configured separately.

    For example, You audit Security Log Event ID 4648 and 4647 in Windows 11, see below articles,

    For file access auditing, configure the auditing settings using group policy, and then configure the settings for the "file server" resources that you want to audit. see below article,

    Audit logs output to Windows 11 and file servers, you can be collected in one place with event log subscription.see below article,

    0 comments No comments