Audit Security State Change
Applies To: Windows 7, Windows Server 2008 R2
This security policy setting determines whether the operating system audits changes in the security state of a system and reports any of the following events:
System startup and shutdown.
Change of system time.
System recovery from CrashOnAuditFail. This event is logged after a system reboots following CrashOnAuditFail.
Important
Some auditable activity may not be recorded when a system reboots due to CrashOnAuditFail.
System startup and shutdown events are important to understand system usage.
Event volume: Low
Default: Success
If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.
| Event ID | Event Message Summary | Minimum OS Requirement |
|---|---|---|
4608 |
Windows is starting up. |
Windows Vista, Windows Server 2008 |
4609 |
Windows is shutting down. |
Windows Vista, Windows Server 2008 |
4616 |
The system time was changed. |
Windows Vista, Windows Server 2008 |
4621 |
Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded. |
Windows Vista, Windows Server 2008 |