Event ID: 4719

System audit policy was changed

System audit policy was changed.

Subject:
    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Audit Policy Change:
    Category:           %5
    Subcategory:        %6
    Subcategory GUID:   %7
    Changes:            %8


This event generates when the computer's audit policy changes.

This event is always logged regardless of the "Audit Policy Change" sub-category setting.

Auditing:     Always

This event should always be monitored, since changes to the local audit policy, especially the disabling of one or more options, could allow attackers to perform destructive actions on a system without a trace.


Volume:     Low

Low, since audit policy changes usually do not happen on a regular basis.


Microsoft Documentation

Event ID - 4719



Name Field Insertion String OS Example
Security ID SubjectUserSid %1 Any S-1-5-18
Account Name SubjectUserName %2 Any DC01$
Account Domain SubjectDomainName %3 Any DOMAIN
Logon ID SubjectLogonId %4 Any 0x3e7
Category CategoryId %5 Any %%8274
Subcategory SubcategoryId %6 Any %%12807
Subcategory GUID SubcategoryGuid %7 Any {0CCE9223-69AE-11D9-BED3-505054503030}
Changes AuditPolicyChanges %8 Any %%8448, %%8450


Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Audit Policy Change"



LEFT/RIGHT arrow keys for navigation

Back to List