Event ID 4719

System audit policy was changed

System audit policy was changed.

Subject:
    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Audit Policy Change:
    Category:           %5
    Subcategory:        %6
    Subcategory GUID:   %7
    Changes:            %8

This event generates when the computer's audit policy changes.

This event is always logged regardless of the "Audit Policy Change" sub-category setting.

Auditing: Always

This event should always be monitored, since changes to the local audit policy, especially the disabling of one or more options, could allow attackers to perform destructive actions on a system without a trace.

Volume: Low

Low, since audit policy changes usually do not happen on a regular basis.

Microsoft Documentation

Event ID - 4719

	Field	Insertion String	OS	Example
Security ID	SubjectUserSid	%1	Any	SYSTEM
Account Name	SubjectUserName	%2	Any	DC01$
Account Domain	SubjectDomainName	%3	Any	DOMAIN
Logon ID	SubjectLogonId	%4	Any	0x3e7
Category	CategoryId	%5	Any	Logon/Logoff
Subcategory	SubcategoryId	%6	Any	Account Lockout
Subcategory GUID	SubcategoryGuid	%7	Any	{0CCE9217-69AE-11D9-BED3-505054503030}
Changes	AuditPolicyChanges	%8	Any	Success added, Failure added

Lookup Audit Policy Configuration Settings


  C:\> AuditPol.exe /get  /subcategory:"Audit Policy Change"

How to enable Windows Auditing

Recommended Audit Policy

Operating Systems:

Windows Vista Windows 2008 Windows 2008 R2 Windows 7 Windows 2012 Windows 2012 R2 Windows 8 Windows 8.1 Windows 10 Windows 2016 Windows 2019 Windows 2022

Tags:

Audit Success

Audit Category:

Policy Change

Audit Subcategory:

Audit Policy Change

Legacy Events:

612

LEFT/RIGHT arrow keys for navigation

Back to List