The Windows Security event log records events according to the audit policy in the security policy. Windows XP/2003 has 9 audit categories; Vista and later, on the other hand, have over 50 categories.
By default, audit policy is disabled on XP but enabled for some categories on Vista/7. When the target is online, auditpol (or audituser) or Local Security Policy shows the current settings; when it is offline, we need to read and analyze the registry value HKLM\Security\Policy\PolAdtEv.
Below is a sample screenshot of the PolAdtEv value on Windows 7.
The following Microsoft article describes PolAdtEv in Windows NT 4.0:
How To Determine Audit Policies from the Registry
http://support.microsoft.com/kb/246120
NT 4.0 has only 7 categories, which differs from XP/2003 with their 9 categories. The books "EnCE Study Guide" by Steve Bunting and "Windows Forensic Analysis" by Steve Bunting describe the structure of the PolAdtEv value, and RegRipper or RegDog can parse the value and display the settings.
Since no information seems to be available for 7/2008/Vista, I looked at the structure and documented it in the PDF below. Feel free to comment if you have any questions or feedback.
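As an added illustration of the kind of offline decoding the tools above perform (this is example code written for this post, not RegRipper's or RegDog's code, and not the structure from the PDF), the parser below decodes the NT 4.0 / XP / 2003-style PolAdtEv value. The byte layout it assumes (a 1-byte enabled flag at offset 0, one little-endian DWORD per category from offset 4 with 0 = none, 1 = success, 2 = failure, 3 = both, and a trailing DWORD holding the category count) is taken from the KB article and RegRipper's handling as I understand them, and is an assumption to verify against those sources; the category order is likewise assumed. The sample byte strings are constructed, not taken from a real hive. Values whose length or count does not match (the larger Vista/7 structure) are rejected rather than guessed at.

```python
"""Offline decoder for the NT 4.0 / XP / 2003-style PolAdtEv audit policy value.

ASSUMED layout (not confirmed by the original post, which only points to KB246120
and the books/tools that describe the structure):
  offset 0        : 1 byte, 0 = auditing disabled, 1 = auditing enabled
  offset 4 ..     : one little-endian DWORD per category,
                    0 = no auditing, 1 = success, 2 = failure, 3 = success and failure
  last DWORD      : number of categories (7 on NT 4.0, 9 on XP/2003)
Vista and later store a larger, different structure, which this parser refuses to decode.
"""
import struct

# Assumed category order (NT 4.0 has the first seven; XP/2003 add two more).
NT4_CATEGORIES = [
    "System", "Logon/Logoff", "Object Access", "Privilege Use",
    "Detailed Tracking", "Policy Change", "Account Management",
]
XP_CATEGORIES = NT4_CATEGORIES + ["Directory Service Access", "Account Logon"]

FLAG_NAMES = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}


class PolAdtEvError(ValueError):
    """Raised when the data does not match the NT4/XP layout this parser understands."""


def parse_poladtev(data: bytes) -> dict:
    """Decode raw PolAdtEv bytes into {'enabled', 'category_count', 'settings'}."""
    if len(data) < 8 or len(data) % 4 != 0:
        raise PolAdtEvError("value too short or not DWORD-aligned; unrecognised layout")
    count = struct.unpack_from("<I", data, len(data) - 4)[0]
    expected_len = 4 + 4 * count + 4            # header + categories + trailing count
    if count not in (7, 9) or len(data) != expected_len:
        raise PolAdtEvError(
            "unrecognised layout (Vista/2008/7 use a different, larger structure)")
    names = NT4_CATEGORIES if count == 7 else XP_CATEGORIES
    settings = {}
    for i, name in enumerate(names):
        raw = struct.unpack_from("<I", data, 4 + 4 * i)[0]
        # Anything outside 0..3 is reported, not silently masked, so oddities are visible.
        settings[name] = FLAG_NAMES.get(raw, "Unknown (0x%08x)" % raw)
    return {"enabled": data[0] == 1, "category_count": count, "settings": settings}


def build_poladtev(enabled: bool, flags: list) -> bytes:
    """Construct a sample value in the assumed layout (used only to build test data)."""
    header = bytes([1 if enabled else 0, 0, 0, 0])
    body = b"".join(struct.pack("<I", f) for f in flags)
    return header + body + struct.pack("<I", len(flags))


# Constructed samples (not from a real system): an XP-style value with auditing on,
# Logon/Logoff and Account Management = both, Policy Change and Account Logon = success.
SAMPLE_XP = build_poladtev(True, [0, 3, 0, 0, 0, 1, 3, 0, 1])
# NT 4.0-style value with auditing disabled and only System failures configured.
SAMPLE_NT4 = build_poladtev(False, [2, 0, 0, 0, 0, 0, 0])


def describe(data: bytes) -> list:
    """Return human-readable lines, one per category, for reporting."""
    info = parse_poladtev(data)
    lines = ["Auditing enabled: %s (%d categories)" % (info["enabled"], info["category_count"])]
    lines += ["  %-26s %s" % (name, val) for name, val in info["settings"].items()]
    return lines


if __name__ == "__main__":
    for label, blob in (("XP-style sample", SAMPLE_XP), ("NT4-style sample", SAMPLE_NT4)):
        print(label)
        print("\n".join(describe(blob)))
    try:
        parse_poladtev(bytes(60))   # wrong count: mimics an unsupported layout
    except PolAdtEvError as exc:
        print("Rejected:", exc)
```

The raw bytes would come from the SECURITY hive's PolAdtEv key (read with a hive parser or RegRipper, as the post notes); nothing here touches a live registry. Rejecting unknown lengths instead of guessing is deliberate: a Vista/7 value misread with the XP offsets would yield plausible-looking but wrong settings.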
(Addendum 2010/08/08)
The PDF is divided into (1) Windows 7/2008 (x64) and (2) Windows 2008 (x32)/Vista. (1) includes "Detailed File Share" under the "Object Access" category; (2) does not.
| Attachment | Size |
|---|---|
| | 63.01 KB |
Comments
I was just about to dig into this myself and try to determine each, although you beat me to it!
Thank you!