www.regxplor.com


Enable full privilege auditing


Tweak #30 - April 17, 2002

By default, only a limited number of privileges can be audited. When someone uses the privilege "act as part of the operating system", this appears in the event log, but this is not the case for certain other privileges.

This tweak enables auditing for the privileges "bypass traverse checking", "debug programs", "create a token object", "replace process level token", "generate security audits", "back up files and directories", and "restore files and directories".

The tweak

Go to the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

In this key, create the following REG_DWORD value:

FullPrivilegeAuditing

Set this value to 1.
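
The same change applied and verified from PowerShell, as an added example that is not part of the original tweak or its reg files. The function names Get-FullPrivilegeAuditing and Set-FullPrivilegeAuditing are hypothetical, and the handling of a REG_BINARY value on read is an assumption for systems where other tooling wrote the value.

```powershell
# Added example (not from the original page). Run from an elevated prompt:
# writing under HKLM\SYSTEM requires administrator rights.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'FullPrivilegeAuditing'

function Get-FullPrivilegeAuditing {
    # Report the current state of the value without changing anything.
    $key = Get-Item -LiteralPath $LsaKey -ErrorAction Stop
    if ($key.GetValueNames() -notcontains $ValueName) {
        return [pscustomobject]@{ Present = $false; Kind = $null; Enabled = $false }
    }
    $raw  = $key.GetValue($ValueName)
    $kind = $key.GetValueKind($ValueName)
    # Assumption: if the value exists as REG_BINARY, a first byte of 1 counts as enabled.
    $enabled = if ($raw -is [byte[]]) { $raw.Length -gt 0 -and $raw[0] -eq 1 }
               else { $raw -eq 1 }
    [pscustomobject]@{ Present = $true; Kind = $kind; Enabled = [bool]$enabled }
}

function Set-FullPrivilegeAuditing {
    # Create the REG_DWORD value described in the tweak and set it to 1.
    # Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $before = Get-FullPrivilegeAuditing
    if ($PSCmdlet.ShouldProcess("$LsaKey\$ValueName", 'Set REG_DWORD to 1')) {
        # -Force overwrites an existing value, including one of a different type.
        New-ItemProperty -LiteralPath $LsaKey -Name $ValueName `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
    # Re-read the key so the result reflects what is actually stored.
    [pscustomobject]@{ Before = $before; After = Get-FullPrivilegeAuditing }
}

# Preview, apply, then confirm the stored state.
Set-FullPrivilegeAuditing -WhatIf | Out-Null
$result = Set-FullPrivilegeAuditing
$result.Before | Format-List
$result.After  | Format-List
```

The value only changes what is logged when auditing of privilege use is itself enabled in the system's audit policy.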

Download reg file

Download tweak30.reg

Download reg file to restore the default

Download tweak30_restore.reg