
I have written a program that receives WMI events. Right now I have to manually go into the security settings in order to turn on the events of interest.

Local Security Policy

I can do this through the Windows GUI, but would like a way to do this programmatically.

I've looked at secedit and auditpol, but I can't seem to get their syntax correct. I either do not know which database to use, can't establish valid paths, or don't have the right permissions figured out.

I'd be happy with help in batch, PowerShell, or even C++. How can I create a small script or app that sets the audit policies when run?

Edit 8/3/16

Why can't I do a backup with auditpol?

```
PS E:\agent\bin> auditpol /backup /file:backup.csv
Error 0x0000000D occurred:
The data is invalid.

PS E:\agent\bin> auditpol /backup /file:C\backup.csv
Failed to open file
Error 0x00000003 occurred:
The system cannot find the path specified.

PS E:\agent\bin> auditpol /backup /file:E\backup.csv
Failed to open file
Error 0x00000003 occurred:
The system cannot find the path specified.
```

Coop

  • `auditpol` is probably the right tool for the job here. Show us what you've tried and how it fails – Mathias R. Jessen Aug 01 '16 at 15:08
  • I'm having a hard time mapping the options for `auditpol` to what I see in the GUI. `auditpol /list /subcategory:"Policy Change"` only mentions Audit in one of the lines, `Audit Policy Change`. https://technet.microsoft.com/en-us/library/cc753632(v=ws.11).aspx – Coop Aug 01 '16 at 15:40
  • The thing you're looking at in `secpol.msc` is the "old" audit configuration options. Look at the "Advanced Audit Policy Configuration" item at the bottom, those are the Audit categories (and subcategories) modifiable by `auditpol` – Mathias R. Jessen Aug 01 '16 at 15:44
  • Doh! Is there any documentation available about switching from the "old" audit configuration options to the "new" ones? I just want to make sure I am not changing my expected results. Thanks for the insight. That explains my disconnect! – Coop Aug 01 '16 at 16:55
  • For posterity: [KB2573113](http://support.microsoft.com/kb/2573113/) seems to talk about the disconnect I had. I got there from http://www.thewindowsclub.com/what-is-auditpol-in-windows-7-and-how-to-enable-it – Coop Aug 01 '16 at 18:55
  • Coming back to this. Any idea why I'm having trouble with backing things up? I edited the original question. – Coop Aug 03 '16 at 16:17
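
An added example, not part of the original question or comments: a PowerShell script that drives `auditpol` against the Advanced Audit Policy subcategories the comments point to, saving the current policy first and reading the result back. The subcategory list, the backup path and the helper name `Invoke-AuditPol` are assumptions to adapt.

```powershell
#Requires -RunAsAdministrator
# Added example: enable success/failure auditing for chosen subcategories.
# Assumptions: the subcategory list and the backup path below are placeholders.
# Subcategory names are localized; list yours with: auditpol /list /subcategory:*
$Subcategories = @('Audit Policy Change', 'Logon')
$BackupFile    = Join-Path $env:SystemDrive 'audit-backup\auditpol-backup.csv'  # hypothetical path

function Invoke-AuditPol {
    # Hypothetical helper: run auditpol.exe and fail loudly on a non-zero exit code.
    param([string[]]$Arguments)
    $out = & auditpol.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol $($Arguments -join ' ') failed ($LASTEXITCODE): $($out -join ' ')"
    }
    $out
}

# 1. Save the current policy to a fully qualified path so the change can be
#    rolled back later with: auditpol /restore /file:<same path>
New-Item -ItemType Directory -Path (Split-Path $BackupFile) -Force | Out-Null
Invoke-AuditPol @('/backup', "/file:$BackupFile") | Out-Null

# 2. Enable both success and failure events for each subcategory.
foreach ($name in $Subcategories) {
    Invoke-AuditPol @('/set', "/subcategory:$name", '/success:enable', '/failure:enable') | Out-Null
}

# 3. Read the effective policy back as CSV (/r) and show only what was changed,
#    so a deployment script can confirm the settings actually took effect.
$report = Invoke-AuditPol @('/get', '/category:*', '/r') |
    Where-Object { $_ } |        # drop blank lines around the CSV
    ConvertFrom-Csv
$report |
    Where-Object { $Subcategories -contains $_.Subcategory } |
    Select-Object Subcategory, 'Inclusion Setting'
```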

0 Answers