www.regxplor.com
Tweak of the week
Tweak #30 - April 17, 2002
By default, only a limited number of privileges can be audited. When someone uses the privilege "act as part of the operating system", this will appear in the event log, but this is not the case for certain other privileges.
This tweak enables auditing for the privileges "bypass traverse checking", "debug programs", "create a token object", "replace process level token", "generate security audits", "back up files and directories", and "restore files and directories".
Go to the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
In this key, create the following REG_DWORD value:
FullPrivilegeAuditing
Set this value to 1.