Audit Security State Change
Applies To: Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8
This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Security State Change, which determines whether Windows generates audit events for changes in the security state of a system.
Changes in the security state of the operating system include:
System startup and shutdown.
Change of system time.
System recovery from CrashOnAuditFail. This event is logged after a system reboots following CrashOnAuditFail.
Important
Some auditable activity may not be recorded when a system reboots due to CrashOnAuditFail.
System startup and shutdown events are important for understanding system usage.
Event volume: Low
Default: Success
If this policy setting is configured, the following events appear on computers running the supported versions of the Windows operating system as designated in the Applies to list at the beginning of this topic in addition to Windows Server 2008 and Windows Vista.
Event ID |
Event Message Summary |
Minimum Requirement |
|---|---|---|
4608 |
Windows is starting up. |
Windows Vista, Windows Server 2008 |
4609 |
Windows is shutting down. |
Windows Vista, Windows Server 2008 |
4616 |
The system time was changed. |
Windows Vista, Windows Server 2008 |
4621 |
Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded. |
Windows Vista, Windows Server 2008 |