Audit Security State Change
Audit Security State Change
Audit Security State Change contains Windows startup, recovery, and shutdown events, and information about changes in system time.
Event volume: Low.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|---|---|---|---|---|---|
| Domain Controller | Yes | No | Yes | No | The volume of events in this subcategory is very low and all of them are important events and have security relevance. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | The volume of events in this subcategory is very low and all of them are important events and have security relevance. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | The volume of events in this subcategory is very low and all of them are important events and have security relevance. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
Events List:
4608(S): Windows is starting up.
4616(S): The system time was changed.
4621(S): Administrator recovered system from CrashOnAuditFail.
[!NOTE] Event 4609(S): Windows is shutting down doesn’t currently generate. It is a defined event, but it is never invoked by the operating system.