Audit Security State Change

Updated: June 15, 2009

Applies To: Windows 7, Windows Server 2008 R2

This security policy setting determines whether the operating system audits changes in the security state of a system and reports any of the following events:

  • System startup and shutdown.

  • Change of system time.

  • System recovery from CrashOnAuditFail. This event is logged after a system reboots following CrashOnAuditFail.

    ImportantImportant
    Some auditable activity may not be recorded when a system reboots due to CrashOnAuditFail.

System startup and shutdown events are important to understand system usage.

Event volume: Low

Default: Success

If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.

 

Event ID Event Message Summary Minimum OS Requirement

4608

Windows is starting up.

Windows Vista, Windows Server 2008

4609

Windows is shutting down.

Windows Vista, Windows Server 2008

4616

The system time was changed.

Windows Vista, Windows Server 2008

4621

Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.

Windows Vista, Windows Server 2008

Community Additions

ADD
Show: