Monitor attempts to access and change settings on your computer
You must be logged on as an administrator to perform these steps.
You can monitor (also known as audit) what's happening on your computer to help make it more secure. By auditing your computer, you can tell if someone has logged on to the computer, created a new user account, changed a security policy, or opened a document. Auditing doesn't prevent a hacker or someone who has an account on your computer from making changes; it just lets you know when a change is made and who made it. There are five different kinds of events you can monitor: account management, logon, object access, policy change, and system events. If you choose to monitor any of these kinds of events, Windows will record the events in a log that you can look at with Event Viewer.
- Account management. Monitor this to see when someone has changed an account name, enabled or disabled an account, created or deleted an account, changed a password, or changed a user group.
- Logon events. Monitor this to see when someone has logged on or off your computer (either while physically at your computer or by trying to log on over a network).
- Directory service access. Monitor this to see when someone accesses an Active Directory object that has its own system access control list (SACL).
- Object access. Monitor this to see when someone has used a file, folder, printer, or other object. While you can also audit registry keys, we don't recommend that unless you have advanced computer knowledge and know how to use the registry.
- Policy change. Monitor this to see attempts to change local security policies and to see if someone has changed user rights assignments, auditing policies, or trust policies.
- Privilege use. Monitor this to see when someone exercises a user right.
- Process tracking. Monitor this to see when events such as program activation or a process exiting occur.
- System events. Monitor this to see when someone has shut down or restarted the computer, or when a process or program tries to do something that it doesn't have permission to do. For example, if spyware tried to change a setting on your computer without your permission, system event monitoring would record it.
To turn on auditing
1. Open Local Security Policy by clicking the Start button, typing secpol.msc into the Search box, and then clicking secpol. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
2. Click Local Policies, and then double-click Audit Policy.
3. Double-click the event type that you want to audit.
4. Select the Success or Failure check box, or both, and then click OK.
   If you select Success, Windows will record any successful attempts to complete the type of event that you are monitoring. For example, if you are auditing logon events, any time someone logs on to your computer would be considered a successful logon event. If you select Failure, any unsuccessful attempt to log on to your computer will be recorded. If you select both Success and Failure, Windows will record all attempts. There is a limit to how many events can be recorded and, if the audit log gets too full, it can slow down your computer. To make more space, you can delete events from the log when you are viewing them in Event Viewer.
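The same audit categories can be switched on and then read back from an elevated PowerShell prompt with the built-in auditpol tool. This is an added example, not part of the original help page; it assumes Windows Vista or later (where auditpol.exe and wevtutil.exe exist) and uses the category names auditpol itself reports.

```powershell
# Added example: enable the audit categories described above with auditpol,
# then read each one back to confirm the setting really applied.
# Run from an elevated (administrator) PowerShell prompt.

# Check box name in Local Security Policy  ->  auditpol category name
$categories = @{
    'Audit account management' = 'Account Management'
    'Audit logon events'       = 'Logon/Logoff'
    'Audit object access'      = 'Object Access'
    'Audit policy change'      = 'Policy Change'
    'Audit system events'      = 'System'
}

foreach ($name in $categories.Values) {
    # Success records completed actions; Failure records denied attempts.
    # Enabling both is the same as ticking both check boxes in the GUI.
    & auditpol.exe /set /category:"$name" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for category '$name'" }

    # Verify: /get prints every subcategory with its current setting.
    # A line still reading "No Auditing" means the change did not take effect.
    $lines   = & auditpol.exe /get /category:"$name"
    $missing = $lines | Where-Object { $_ -match 'No Auditing' }
    if ($missing) {
        Write-Warning "'$name' still has unaudited subcategories:`n$($missing -join "`n")"
    } else {
        Write-Host "'$name': success and failure auditing enabled"
    }
}

# The log size limit mentioned above: show the Security log's current maximum
# size in bytes so you can decide whether to raise it before events roll over.
& wevtutil.exe gl Security | Select-String 'maxSize'
```

Raising the log size with wevtutil (`wevtutil sl Security /ms:<bytes>`) keeps older entries available instead of deleting them from the log.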
To audit a file
1. Right-click the document or file that you want to keep track of, and then click Properties.
2. Click the Security tab, click Advanced, and then click Auditing.
3. Click Continue. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
4. Click Add.
5. In the Enter the object name to select box, type the name of the user or group whose actions you want to keep track of, and then click OK. If you want to monitor everyone, type Everyone. If you want to monitor a particular person, type the name of the computer followed by the person's user name: computer\user name.
6. Select the check box for any action you want to audit, and then click OK. The following table describes what you can audit.
Auditable actions for files

| Action | Description |
| --- | --- |
| Traverse folder / execute file | Keeps track of when someone runs a program file. |
| List folder / read data | Keeps track of when someone views the data in a file. |
| Read attributes | Keeps track of when someone views the attributes of a file, such as read-only or hidden. |
| Read extended attributes | Keeps track of when someone views the extended attributes of a file. The extended attributes are defined by the program that created the file. |
| Create files / write data | Keeps track of when someone changes the contents of a file. |
| Create folders / append data | Keeps track of when someone adds data to the end of a file. |
| Write attributes | Keeps track of when someone changes the attributes of a file. |
| Write extended attributes | Keeps track of when someone changes the extended attributes of the file. |
| Delete subfolders and files | Keeps track of when someone deletes a folder. |
| Delete | Keeps track of when someone deletes a file. |
| Read permissions | Keeps track of when someone reads the permissions on a file. |
| Change permissions | Keeps track of when someone changes the permissions on a file. |
| Take ownership | Keeps track of when someone takes ownership of a file. |

Note: Selecting the Full control check box will select all of the auditable actions.
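The audit entry that the Properties dialog writes is a system access control list (SACL) entry on the file, and it can be added the same way from PowerShell. This is an added example, not part of the original help page; the file path and the identity are placeholders, and it assumes an elevated prompt. The comment block maps each row of the table above to the .NET FileSystemRights member that the check box sets.

```powershell
# Added example: add an audit entry (SACL) to a file from PowerShell, the same
# result as Properties > Security > Advanced > Auditing > Add in the steps above.
# Assumes an elevated prompt; $path and $identity are placeholders.

$path     = 'C:\Users\Public\Documents\report.docx'   # placeholder file to watch
$identity = 'Everyone'                                 # or 'COMPUTERNAME\username'

# Row in the table above          ->  FileSystemRights member
#   Traverse folder / execute file ->  ExecuteFile  (Traverse for folders)
#   List folder / read data        ->  ReadData     (ListDirectory for folders)
#   Read attributes                ->  ReadAttributes
#   Read extended attributes       ->  ReadExtendedAttributes
#   Create files / write data      ->  WriteData    (CreateFiles for folders)
#   Create folders / append data   ->  AppendData   (CreateDirectories for folders)
#   Write attributes               ->  WriteAttributes
#   Write extended attributes      ->  WriteExtendedAttributes
#   Delete subfolders and files    ->  DeleteSubdirectoriesAndFiles
#   Delete                         ->  Delete
#   Read permissions               ->  ReadPermissions
#   Change permissions             ->  ChangePermissions
#   Take ownership                 ->  TakeOwnership
#   Full control (selects all)     ->  FullControl
# For a document, the changes worth recording are edits, deletion and
# permission tampering, so audit those for both successful and denied attempts.
$rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$flags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule   = New-Object System.Security.AccessControl.FileSystemAuditRule($identity, $rights, $flags)
# (For a folder, use the overload that also takes InheritanceFlags and
#  PropagationFlags so the entry applies to the files inside it.)

# -Audit is required: without it Get-Acl does not read the SACL and Set-Acl
# will not write it. Reading or writing a SACL needs SeSecurityPrivilege.
$acl = Get-Acl -Path $path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Verify: list the audit entries now present on the file.
(Get-Acl -Path $path -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags |
    Format-Table -AutoSize
```

The SACL only produces events once the Object access category is enabled in the audit policy; without it the entry is stored but nothing is logged.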
To view audit events
1. Open Event Viewer by clicking the Start button, clicking Control Panel, clicking System and Maintenance, clicking Administrative Tools, and then double-clicking Event Viewer. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
2. In the Navigation pane, double-click Windows Logs, and then click Security.
3. Double-click an event to see the details.
Note: To delete logs, click Clear Log in the Actions pane.
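The details that step 3 shows for each event can also be read out of the Security log in bulk. This is an added example, not part of the original help page; it assumes Windows Vista or later (Get-WinEvent, and the event IDs 4663 for object access and 1102 for a cleared Security log), an elevated prompt, and a placeholder path for the file being watched.

```powershell
# Added example: pull object-access events for one watched file out of the
# Security log, then check whether anyone has cleared the log.
# Assumes Windows Vista or later and an elevated prompt; $watched is a placeholder.

$watched = 'C:\Users\Public\Documents\report.docx'

# The interesting fields of a Security event live in <EventData> as
# <Data Name="...">value</Data>; read them from the event's XML form.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 4663: "An attempt was made to access an object" (written when a SACL matches).
# -ErrorAction SilentlyContinue because Get-WinEvent throws when nothing matches.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = '{0}\{1}' -f (Get-EventField $_ 'SubjectDomainName'), (Get-EventField $_ 'SubjectUserName')
            Object  = Get-EventField $_ 'ObjectName'
            Access  = Get-EventField $_ 'AccessMask'    # bit mask of the rights requested
            Process = Get-EventField $_ 'ProcessName'   # program that opened the file
        }
    } |
    Where-Object { $_.Object -eq $watched } |
    Format-Table -AutoSize

# The Clear Log action in the note above is itself recorded as event 1102,
# which names the account that cleared the Security log. An unexpected 1102
# means the audit trail before that point is gone and should be looked into.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List
```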