Audit Security State Change

This security policy setting determines whether the operating system audits changes in the security state of a system and reports any of the following events:

  • System startup and shutdown. 
  • Change of system time. 
  • System recovery from CrashOnAuditFail. This event is logged after a system reboots following CrashOnAuditFail. 

Important: Some auditable activity may not be recorded when a system reboots due to CrashOnAuditFail.
System startup and shutdown events are important to understand system usage.
Event volume: Low
If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.

  • 4608: Windows is starting up.
  • 4609: Windows is shutting down.
  • 4616: The system time was changed.
  • 4621: Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.





Related content