Using the Audit Policy to diagnose security problems
A neat trick to help you diagnose troublesome security problems. Modify your the audit settings for process tracking, so that successes and failures are logged in your Security log.
- Go to Start -> Run.
- Type: gpedit.msc
- Expand Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy.
- Review the “Audit process tracking” policy.
- Right-click the “Audit process tracking” policy, and select Properties.
- On the Local Security Setting folder, check the “Success” and “Failure” checkboxes under “Audit these attempts”.
- Click OK to continue.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when the process being tracked succeeds. Failure audits generate an audit entry when the process being tracked fails.
These audits are now tracked in the Security log in the Event Viewer. Here’s an example of a “Detailed Tracking” event.
Some additional details can be found on TechNet.
Pretty easy to configure, and very useful when you’re trying to figure out why applications are not running appropriately and you think it might be related to security issues.