Monitor attempts to access and change settings on your computer

You must be logged on as an administrator to perform these steps.

You can monitor (also known as audit) what's happening on your computer to help make it more secure. By auditing your computer, you can tell if someone has logged on to the computer, created a new user account, changed a security policy, or opened a document. Auditing doesn't prevent a hacker or someone who has an account on your computer from making changes; it just lets you know when a change is made and who made it.

The following table describes the different kinds of events you can monitor. If you choose to monitor any of these kinds of events, Windows will record the events in a log that you can look at with Event Viewer.

| Event | Description |
| --- | --- |
| Account management | Monitor this to see when someone has changed an account name, enabled or disabled an account, created or deleted an account, changed a password, or changed a user group. |
| Logon events | Monitor this to see when someone has logged on or off your computer (either while physically at your computer or by trying to log on over a network). |
| Directory service access | Monitor this to see when someone accesses an Active Directory object that has its own system access control list (SACL). |
| Object access | Monitor this to see when someone has used a file, folder, printer, or other object. While you can also audit registry keys, we don't recommend doing that unless you have advanced computer knowledge and know how to use the registry. |
| Policy change | Monitor this to see attempts to change local security policies and to see if someone has changed user rights assignments, auditing policies, or trust policies. |
| Privilege use | Monitor this to see when someone performs a task on the computer that they have permission to perform. |
| Process tracking | Monitor this to see when events such as program activation or a process exiting occur. |
| System events | Monitor this to see when someone has shut down or restarted the computer, or when a process or program tries to do something that it doesn't have permission to do. For example, if spyware tried to change a setting on your computer without your permission, system event monitoring would record it. |


To turn on auditing

  1. Open Local Security Policy by clicking the Start button, typing secpol.msc into the search box, and then clicking secpol. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.

  2. In the left pane, double-click Local Policies, and then click Audit Policy.

  3. Double-click the event type that you want to audit.

  4. Select the Success or Failure check box, or both, and then click OK.

    • If you select Success, Windows will record any successful attempts to complete the type of event that you are monitoring. For example, if you're auditing logon events, any time someone logs on to your computer would be considered a successful logon event.

    • If you select Failure, any unsuccessful attempt to log on to your computer will be recorded.

    • If you select both Success and Failure, Windows will record all attempts.

    There is a limit to how many events can be recorded and, if the audit log gets too full, it can slow down your computer. To make more space, you can delete events from the log when you're viewing them in Event Viewer.
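The same settings can be applied and checked from the command line. The following is an added example, not part of the original page; the choice of three categories is an assumption, and the category names are the English auditpol.exe names that correspond to the event types in the table above.

```powershell
# Added example, not Microsoft's code. Run from an elevated PowerShell prompt.
# Category names are the English auditpol.exe names for the event types in the
# table above (they are localized on non-English editions of Windows).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (administrator) PowerShell prompt.'
}

# Assumption: a starting selection that keeps log volume modest. The other
# categories (DS Access, Object Access, Privilege Use, Detailed Tracking,
# System) are left unchanged.
$wanted = @(
    @{ Category = 'Logon/Logoff';       Success = $true; Failure = $true },
    @{ Category = 'Account Management'; Success = $true; Failure = $true },
    @{ Category = 'Policy Change';      Success = $true; Failure = $true }
)

foreach ($w in $wanted) {
    $success = if ($w.Success) { 'enable' } else { 'disable' }
    $failure = if ($w.Failure) { 'enable' } else { 'disable' }
    & auditpol.exe /set "/category:$($w.Category)" "/success:$success" "/failure:$failure"
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for '$($w.Category)'" }
}

# Read the effective policy back instead of trusting the /set output.
& auditpol.exe /get '/category:*'

# The Security log has a size limit; show its current size and retention settings.
& wevtutil.exe gl Security
```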

To monitor who opens documents

  1. Right-click the document or file that you want to keep track of, and then click Properties.

  2. Click the Security tab, click Advanced, and then click the Auditing tab.

  3. Click Continue. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.

  4. Click Add.

  5. In the Enter the object name to select box, type the name of the user or group whose actions you want to keep track of, and then click OK in each of the four open dialog boxes.

    If you want to monitor everyone, type Everyone. If you want to monitor a particular person, type the name of the computer followed by the person's user name or the name of the domain followed by the person's user name (if the computer is on a domain): computer\user name or domain\user name.

  6. Select the check box for any action you want to audit, and then click OK. The following table describes what you can audit.

    Auditable actions for files

    | Action | Description |
    | --- | --- |
    | Traverse folder/execute file | Keeps track of when someone runs a program file. |
    | List folder/read data | Keeps track of when someone views the data in a file. |
    | Read attributes | Keeps track of when someone views the attributes of a file, such as read-only or hidden. |
    | Read extended attributes | Keeps track of when someone views the extended attributes of a file. The extended attributes are defined by the program that created the file. |
    | Create files/write data | Keeps track of when someone changes the contents of a file. |
    | Create folders/append data | Keeps track of when someone adds data to the end of a file. |
    | Write attributes | Keeps track of when someone changes the attributes of a file. |
    | Write extended attributes | Keeps track of when someone changes the extended attributes of the file. |
    | Delete subfolders and files | Keeps track of when someone deletes a folder. |
    | Delete | Keeps track of when someone deletes a file. |
    | Read permissions | Keeps track of when someone reads the permissions on a file. |
    | Change permissions | Keeps track of when someone changes the permissions on a file. |
    | Take ownership | Keeps track of when someone takes ownership of a file. |

    Note

    • Selecting the Full control check box selects all of the auditable actions.
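The auditing entry created in the steps above can also be added with a script, which makes it repeatable and easy to verify. This is an added example, not part of the original page; the file path and the choice of three actions are hypothetical.

```powershell
# Added example, not Microsoft's code. Run from an elevated PowerShell prompt.
# Hypothetical file and account; replace with your own.
$path     = 'C:\Users\Public\Documents\budget.xlsx'
$identity = 'Everyone'            # or 'COMPUTER\user' / 'DOMAIN\user'

if (-not (Test-Path -Path $path -PathType Leaf)) { throw "File not found: $path" }

# A file's auditing entry only produces events while Object access auditing is on.
& auditpol.exe /set '/subcategory:File System' /success:enable /failure:enable
if ($LASTEXITCODE -ne 0) { throw 'Could not enable File System auditing.' }

# List folder/read data, Create files/write data, and Delete from the table above.
$rights = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete'
$flags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule   = New-Object System.Security.AccessControl.FileSystemAuditRule($identity, $rights, $flags)

# -Audit makes Get-Acl return the auditing entries (SACL) as well as the permissions.
$acl = Get-Acl -Path $path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Read the auditing entries back to confirm what is now audited.
(Get-Acl -Path $path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```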

To view audit logs

  1. Open Event Viewer by clicking the Start button, clicking Control Panel, clicking System and Security, clicking Administrative Tools, and then double-clicking Event Viewer. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.

  2. In the left pane, double-click Windows Logs, and then click Security.

  3. Double-click an event to see the details.

Note

  • To delete logs, click Clear Log in the Actions pane.
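The Security log can also be read from a script, which is quicker than opening events one at a time. This is an added example, not part of the original page; the event IDs are the standard Windows Security log IDs for the activities this page describes, and the 24-hour window is an assumption.

```powershell
# Added example, not Microsoft's code. Run from an elevated PowerShell prompt.
$ids = @{
    4624 = 'Logon succeeded'
    4625 = 'Logon failed'
    4663 = 'File or other object accessed'
    4719 = 'Audit policy changed'
    4720 = 'User account created'
    1102 = 'Security log cleared'
}
$filter = @{ LogName = 'Security'; Id = [int[]]@($ids.Keys); StartTime = (Get-Date).AddDays(-1) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$rows = foreach ($e in $events) {
    # Named <Data> fields live in the event XML; 1102 has none under EventData.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    New-Object PSObject -Property @{
        Time    = $e.TimeCreated
        Id      = $e.Id
        What    = $ids[$e.Id]
        Subject = $data['SubjectUserName']   # account that performed the action
        Target  = $data['TargetUserName']    # account that was logged on or created
        Object  = $data['ObjectName']        # file path for 4663 events
    }
}
$rows | Sort-Object Time | Format-Table Time, Id, What, Subject, Target, Object -AutoSize

# Failed logons grouped by the account that was tried.
$rows | Where-Object { $_.Id -eq 4625 } | Group-Object Target |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

An event with ID 1102 in the output means the log was cleared, so earlier events are no longer available for review.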

For more information about security auditing, including detailed audit policies, go to Security Auditing on the Microsoft website.