Applies to these editions of Windows Vista: Business, Ultimate, Enterprise

Monitor attempts to access and change settings on your computer

You must be logged on as an administrator to perform these steps.

You can monitor (also known as audit) what's happening on your computer to help make it more secure. By auditing your computer, you can tell if someone has logged on to the computer, created a new user account, changed a security policy, or opened a document. Auditing doesn't prevent a hacker or someone who has an account on your computer from making changes; it just lets you know when a change is made and who made it. There are five different kinds of events you can monitor: account management, logon, object access, policy change, and system events. If you choose to monitor any of these kinds of events, Windows will record the events in a log that you can look at with Event Viewer.

  • Account management

    Monitor this to see when someone has changed an account name, enabled or disabled an account, created or deleted an account, changed a password, or changed a user group.

  • Logon events

    Monitor this to see when someone has logged on or off your computer (either while physically at your computer or by trying to log on over a network).

  • Directory service access

    Monitor this to see when someone accesses an Active Directory object that has its own system access control list (SACL).

  • Object access

    Monitor this to see when someone has used a file, folder, printer, or other object. While you can also audit registry keys, we don't recommend that unless you have advanced computer knowledge and know how to use the registry.

  • Policy change

    Monitor this to see attempts to change local security policies and to see if someone has changed user rights assignments, auditing policies, or trust policies.

  • Privilege use

    Monitor this to see when someone exercises a user right.

  • Process tracking

    Monitor this to see when events such as program activation or a process exiting occur.

  • System events

    Monitor this to see when someone has shut down or restarted the computer, or when a process or program tries to do something that it doesn't have permission to do. For example, if spyware tried to change a setting on your computer without your permission, system event monitoring would record it.


To turn on auditing

  1. Open Local Security Policy by clicking the Start button, typing secpol.msc into the Search box, and then clicking secpol. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

  2. Click Local Policies, and then double-click Audit Policy.

  3. Double-click the event type that you want to audit.

  4. Select the Success or Failure check box, or both, and then click OK.

    If you select Success, Windows will record any successful attempts to complete the type of event that you are monitoring. For example, if you are auditing logon events, any time someone logs on to your computer would be considered a successful logon event. If you select Failure, any unsuccessful attempt to log on to your computer will be recorded. If you select both Success and Failure, Windows will record all attempts. There is a limit to how many events can be recorded and, if the audit log gets too full, it can slow down your computer. To make more space, you can delete events from the log when you are viewing them in Event Viewer.

To monitor who opens documents

  1. Right-click the document or file that you want to keep track of, and then click Properties.

  2. Click the Security tab, click Advanced, and then click Auditing.

  3. Click Continue. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

  4. Click Add.

  5. In the Enter the object name to select box, type the name of the user or group whose actions you want to keep track of, and then click OK.

    If you want to monitor everyone, type Everyone. If you want to monitor a particular person, type the name of the computer followed by the person's user name: computer\user name.

  6. Select the check box for any action you want to audit, and then click OK. The following table describes what you can audit.

    Auditable actions for files

    Action                          Description
    ------------------------------  --------------------------------------------------------------
    Traverse folder / execute file  Keeps track of when someone runs a program file.
    List folder / read data         Keeps track of when someone views the data in a file.
    Read attributes                 Keeps track of when someone views the attributes of a file,
                                    such as read-only or hidden.
    Read extended attributes        Keeps track of when someone views the extended attributes of
                                    a file. The extended attributes are defined by the program
                                    that created the file.
    Create files / write data       Keeps track of when someone changes the contents of a file.
    Create folders / append data    Keeps track of when someone adds data to the end of a file.
    Write attributes                Keeps track of when someone changes the attributes of a file.
    Write extended attributes       Keeps track of when someone changes the extended attributes
                                    of the file.
    Delete subfolders and files     Keeps track of when someone deletes a folder.
    Delete                          Keeps track of when someone deletes a file.
    Read permissions                Keeps track of when someone reads the permissions on a file.
    Change permissions              Keeps track of when someone changes the permissions on a file.
    Take ownership                  Keeps track of when someone takes ownership of a file.

    Note

    • Selecting the Full control check box will select all of the auditable actions.

To view audit logs

  1. Open Event Viewer by clicking the Start button, clicking Control Panel, clicking System and Maintenance, clicking Administrative Tools, and then double-clicking Event Viewer. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

  2. In the Navigation pane, double-click Windows Logs, and then click Security.

  3. Double-click an event to see the details.

Note

  • To delete logs, click Clear Log in the Actions pane.
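The three procedures above (turning on Object access auditing, adding an audit entry to a file, and reading the Security log) carried out from an elevated PowerShell prompt, as an added example that is not part of the Help page. It assumes PowerShell 2.0 or later for Get-WinEvent, that auditpol.exe is available (as on Windows Vista and later), and a placeholder document path.

```powershell
# Added example, not from the Windows Help page. Run as an administrator.
$Path = 'C:\Docs\Contract.docx'   # placeholder: the document you want to keep track of

# 1. Turn on auditing for the "Object access" category for both Success and
#    Failure, the equivalent of the Local Security Policy steps above.
auditpol.exe /set /category:"Object Access" /success:enable /failure:enable | Out-Null
auditpol.exe /get /category:"Object Access"        # confirm the setting took effect

# 2. Add an audit entry (SACL) to the file so that reads, writes and deletes by
#    Everyone are recorded, the equivalent of the Auditing tab in the file's
#    Properties. -Audit is required to read and write the SACL part of the ACL.
$acl  = Get-Acl -Path $Path -Audit
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete',
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl
(Get-Acl -Path $Path -Audit).Audit                 # show the audit entries now on the file

# 3. Read the resulting entries from the Security log. Event ID 4663
#    ("An attempt was made to access an object") is what the audit entry
#    produces. Its fields, in order: SubjectUserSid, SubjectUserName,
#    SubjectDomainName, SubjectLogonId, ObjectServer, ObjectType, ObjectName,
#    HandleId, AccessList, AccessMask, ProcessId, ProcessName.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[6].Value -eq $Path } |
    Select-Object TimeCreated,
        @{ Name = 'Account'; Expression = { "$($_.Properties[2].Value)\$($_.Properties[1].Value)" } },
        @{ Name = 'Access';  Expression = { ($_.Properties[8].Value -replace '\s+', ' ').Trim() } },
        @{ Name = 'Process'; Expression = { $_.Properties[11].Value } } |
    Format-Table -AutoSize
```

Clearing the log with Clear Log, as in the note above, also removes the 4663 entries this query reads, so copy what you need out of Event Viewer first.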