1

I want to edit the local security audit policy from the command line. From what I found out, there's auditpol.exe and I can set the policy using the "/set" parameter. This does indeed work, but there's one problem:

I need to specify the category and subcategory by a string that is in the system's language. For example, my Windows is set to German, therefore the command looks like this:

auditpol.exe /set /category:"detaillierte Nachverfolgung" /subcategory:"Prozesserstellung" /success:enable

"detaillierte Nachverfolgung" = Detailed Tracking

"Prozesserstellung" = Process creation

Whenever I try to use the English names, I get the error 0x00000057 (wrong parameter).

This is copied from the official documentation from Microsoft:

Auditpol /set /category:"Detailed Tracking" /success:enable

If I execute this, I get the error mentioned above.

I need to be able to set the policy regardless of the user's system language.

Is there any way to do so?

Kevin Mueller

1 Answer

2

You have to use the GUID; this is language-agnostic. Example for account login and logon/logoff:

auditpol /set /category:"{69979849-797A-11D9-BED3-505054503030}" /success:enable /failure:enable
auditpol /set /category:"{69979850-797A-11D9-BED3-505054503030}" /success:enable /failure:enable

Get the list of GUIDs by doing this:

auditpol /list /subcategory:* /r
jjxtra
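
An added example, not part of the original answer: a PowerShell sketch that reads the `/list /subcategory:* /r` output by GUID only, so the localized names never matter, and builds the `/set` call for the Process Creation subcategory from the question. The sample listing and the function names are constructed for illustration; the two Detailed Tracking GUIDs shown are the standard Windows values and should be confirmed against your own `/list` output, which the script does before building the command. It assumes subcategory rows in the report are indented and category rows are not.

```powershell
# Added example (not from the original post). $sample is CONSTRUCTED to mimic
# 'auditpol /list /subcategory:* /r' on a German system; on a real host use:
#   $lines = auditpol /list /subcategory:* /r
$sample = @'
Kategorie/Unterkategorie,GUID
Detaillierte Nachverfolgung,{6997984C-797A-11D9-BED3-505054503030}
  Prozesserstellung,{0CCE922B-69AE-11D9-BED3-505054503030}
  Prozessbeendigung,{0CCE922C-69AE-11D9-BED3-505054503030}
'@
$lines = $sample -split "`r?`n"

# Parse on the GUID only; names and the header row are localized and ignored.
# Assumption: subcategory rows are indented, category rows are not.
function Get-AuditGuidMap {
    param([string[]]$Lines)
    $rx = '^(?<indent>\s*)(?<name>.+?),(?<guid>\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})\s*$'
    foreach ($line in $Lines) {
        if ($line -match $rx) {
            [pscustomobject]@{
                Kind = if ($Matches['indent']) { 'subcategory' } else { 'category' }
                Name = $Matches['name']
                Guid = $Matches['guid'].ToUpper()
            }
        }
    }
}

# Build the argument list for one GUID, refusing GUIDs this host does not list.
function Get-AuditSetArguments {
    param([string]$Guid, [object[]]$Map, [switch]$Failure)
    $entry = $Map | Where-Object { $_.Guid -eq $Guid.ToUpper() }
    if (-not $entry) { throw "GUID $Guid is not in this host's audit policy list" }
    $argList = @('/set', "/$($entry.Kind):$($entry.Guid)", '/success:enable')
    if ($Failure) { $argList += '/failure:enable' }
    return $argList
}

$map = Get-AuditGuidMap -Lines $lines
# Process Creation subcategory, addressed by GUID instead of "Prozesserstellung".
$setArgs = Get-AuditSetArguments -Guid '{0CCE922B-69AE-11D9-BED3-505054503030}' -Map $map
"auditpol.exe $($setArgs -join ' ')"

# Set $Apply = $true in an elevated session to change the policy for real.
$Apply = $false
if ($Apply) {
    & auditpol.exe @setArgs
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed with exit code $LASTEXITCODE" }
}
```

Checking the GUID against the host's own list before calling `/set` turns a typo or an unsupported subcategory into a clear error instead of the generic 0x00000057.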