Auditing Constants

Article
2024-07-18

The following constants represent categories and subcategories of audit-policy events.

The following constants represent categories of audit-policy events. These constants are defined as GUID structures in Ntsecapi.h.

Audit_System

69979848-797a-11d9-bed3-505054503030
Audit attempts to shut down or restart the computer. Also, audit events that affect system security or the security log.

Audit_Logon

69979849-797a-11d9-bed3-505054503030
Audit attempts to log on to or log off of the system. Also, audit attempts to make a network connection.

Audit_ObjectAccess

6997984a-797a-11d9-bed3-505054503030
Audit attempts to access securable objects.

Audit_PrivilegeUse

6997984b-797a-11d9-bed3-505054503030
Audit attempts to use privileges.

Audit_DetailedTracking

6997984c-797a-11d9-bed3-505054503030
Audit-specific events, such as program activation, some forms of handle duplication, indirect access to an object, and process exit.

Audit_PolicyChange

6997984d-797a-11d9-bed3-505054503030
Audit attempts to change Policy object rules.

Audit_AccountManagement

6997984e-797a-11d9-bed3-505054503030
Audit attempts to create, delete, or change user or group accounts. Also, audit password changes.

Audit_DirectoryServiceAccess

6997984f-797a-11d9-bed3-505054503030
Audit attempts to access the directory service.

Audit_AccountLogon

69979850-797a-11d9-bed3-505054503030
Audit logon attempts by privileged accounts that log on to the ___domain controller. These audit events are generated when the Kerberos Key Distribution Center (KDC) logs on to the ___domain controller.

The following constants represent subcategories of audit-policy events. These constants are defined as GUID structures in Ntsecapi.h.

Audit_System_SecurityStateChange (0cce9210-69ae-11d9-bed3-505054503030)
Audit_System_SecuritySubsystemExtension (0cce9211-69ae-11d9-bed3-505054503030)
Audit_System_Integrity (0cce9212-69ae-11d9-bed3-505054503030)
Audit_System_IPSecDriverEvents (0cce9213-69ae-11d9-bed3-505054503030)
Audit_System_Others (0cce9214-69ae-11d9-bed3-505054503030)
Audit_Logon_Logon (0cce9215-69ae-11d9-bed3-505054503030)
Audit_Logon_Logoff (0cce9216-69ae-11d9-bed3-505054503030)
Audit_Logon_AccountLockout (0cce9217-69ae-11d9-bed3-505054503030)
Audit_Logon_IPSecMainMode (0cce9218-69ae-11d9-bed3-505054503030)
Audit_Logon_IPSecQuickMode (0cce9219-69ae-11d9-bed3-505054503030)
Audit_Logon_IPSecUserMode (0cce921a-69ae-11d9-bed3-505054503030)
Audit_Logon_SpecialLogon (0cce921b-69ae-11d9-bed3-505054503030)
Audit_Logon_Others (0cce921c-69ae-11d9-bed3-505054503030)
Audit_ObjectAccess_FileSystem (0cce921d-69ae-11d9-bed3-505054503030)
Audit_ObjectAccess_Registry (0cce921e-69ae-11d9-bed3-505054503030)
Audit_ObjectAccess_Kernel (0cce921f-69ae-11d9-bed3-505054503030)
Audit_ObjectAccess_Sam (0cce9220-69ae-11d9-bed3-505054503030)
Audit_ObjectAccess_CertificationServices (0cce9221-69ae-11d9-bed3-505054503030)
Audit_ObjectAccess_ApplicationGenerated (0cce9222-69ae-11d9-bed3-505054503030)
Audit_ObjectAccess_Handle (0cce9223-69ae-11d9-bed3-505054503030)
Audit_ObjectAccess_Share (0cce9224-69ae-11d9-bed3-505054503030)
Audit_ObjectAccess_FirewallPacketDrops (0cce9225-69ae-11d9-bed3-505054503030)
Audit_ObjectAccess_FirewallConnection (0cce9226-69ae-11d9-bed3-505054503030)
Audit_ObjectAccess_Other (0cce9227-69ae-11d9-bed3-505054503030)
Audit_PrivilegeUse_Sensitive (0cce9228-69ae-11d9-bed3-505054503030)
Audit_PrivilegeUse_NonSensitive (0cce9229-69ae-11d9-bed3-505054503030)
Audit_PrivilegeUse_Others (0cce922a-69ae-11d9-bed3-505054503030)
Audit_DetailedTracking_ProcessCreation (0cce922b-69ae-11d9-bed3-505054503030)
Audit_DetailedTracking_ProcessTermination (0cce922c-69ae-11d9-bed3-505054503030)
Audit_DetailedTracking_DpapiActivity (0cce922d-69ae-11d9-bed3-505054503030)
Audit_DetailedTracking_RpcCall (0cce922e-69ae-11d9-bed3-505054503030)
Audit_PolicyChange_AuditPolicy (0cce922f-69ae-11d9-bed3-505054503030)
Audit_PolicyChange_AuthenticationPolicy (0cce9230-69ae-11d9-bed3-505054503030)
Audit_PolicyChange_AuthorizationPolicy (0cce9231-69ae-11d9-bed3-505054503030)
Audit_PolicyChange_MpsscvRulePolicy (0cce9232-69ae-11d9-bed3-505054503030)
Audit_PolicyChange_WfpIPSecPolicy (0cce9233-69ae-11d9-bed3-505054503030)
Audit_PolicyChange_Others (0cce9234-69ae-11d9-bed3-505054503030)
Audit_AccountManagement_UserAccount (0cce9235-69ae-11d9-bed3-505054503030)
Audit_AccountManagement_ComputerAccount (0cce9236-69ae-11d9-bed3-505054503030)
Audit_AccountManagement_SecurityGroup (0cce9237-69ae-11d9-bed3-505054503030)
Audit_AccountManagement_DistributionGroup (0cce9238-69ae-11d9-bed3-505054503030)
Audit_AccountManagement_ApplicationGroup (0cce9239-69ae-11d9-bed3-505054503030)
Audit_AccountManagement_Others (0cce923a-69ae-11d9-bed3-505054503030)
Audit_DSAccess_DSAccess (0cce923b-69ae-11d9-bed3-505054503030)
Audit_DsAccess_AdAuditChanges (0cce923c-69ae-11d9-bed3-505054503030)
Audit_Ds_Replication (0cce923d-69ae-11d9-bed3-505054503030)
Audit_Ds_DetailedReplication (0cce923e-69ae-11d9-bed3-505054503030)
Audit_AccountLogon_CredentialValidation (0cce923f-69ae-11d9-bed3-505054503030)
Audit_AccountLogon_Kerberos (0cce9240-69ae-11d9-bed3-505054503030)
Audit_AccountLogon_Others (0cce9241-69ae-11d9-bed3-505054503030)
Audit_AccountLogon_KerbCredentialValidation (0cce9242-69ae-11d9-bed3-505054503030)
Audit_Logon_NPS (0cce9243-69ae-11d9-bed3-505054503030)

Requirements

Requirement	Value
Minimum supported client	Windows Vista [desktop apps only]
Minimum supported server	Windows Server 2008 [desktop apps only]
Header	Ntsecapi.h

Share via

Auditing Constants

Requirements

Feedback

Additional resources