This security policy setting determines whether the operating system audits changes in the security state of a system and reports any of the following events:
- System startup and shutdown.
- Change of system time.
- System recovery from CrashOnAuditFail. This event is logged after a system reboots following CrashOnAuditFail.
Important: Some auditable activity may not be recorded when a system reboots due to CrashOnAuditFail.
System startup and shutdown events are important to understand system usage.
Event volume: Low
If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.
- 4608: Windows is starting up.
- 4609: Windows is shutting down.
- 4616: The system time was changed.
- 4621: Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.