Overview
The Windows auditing feature provides a comprehensive mechanism for tracking security-relevant events within the operating system. This includes events such as user logins, object access, privilege use, and system policy changes. By enabling and configuring auditing, administrators can gain valuable insights into system activity, detect potential security breaches, and comply with regulatory requirements.
This section details the core components of the Windows auditing subsystem, including the event logging architecture, the types of events that can be audited, and the API functions available for programmatic control and retrieval of audit information.
Key Concepts
Security Auditing
Security auditing is the process of recording security-relevant events, both successful and failed, that could indicate policy violations or unauthorized access attempts. These events are written to the Windows Event Log system, specifically the Security log, by the Local Security Authority; ordinary applications cannot write to that log, which is what makes it trustworthy as an audit trail.
Audit Policy
An audit policy defines which types of security events are recorded. It can be configured on the local machine (Local Security Policy or auditpol.exe) or through Group Policy for domain-joined systems. The nine legacy categories are:
- Audit account logon events
- Audit logon events
- Audit object access
- Audit privilege use
- Audit system events
- Audit process tracking
- Audit policy change
- Audit directory service access
- Audit account management
Advanced Audit Policy Configuration splits these into finer subcategories, for example Registry and File System under Object Access, so that noisy event types can be left off. When subcategory settings are applied they override the legacy category settings, so the two should not be mixed on the same machine.
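As an added example (not part of the original page), the following PowerShell enables two Advanced Audit Policy subcategories with auditpol.exe, reads the effective setting back, and then lists the 4719 "system audit policy was changed" events that the change itself produces once Audit Policy Change is on. The subcategory names are the English ones and are assumed to apply; they are localized on non-English systems.

```powershell
# Added example, not from the original page. Run from an elevated prompt:
# changing audit policy requires administrative rights.
#Requires -RunAsAdministrator

# Advanced Audit Policy subcategories (assumed English names).
$subcategories = @('File System', 'Audit Policy Change')

foreach ($sub in $subcategories) {
    # /success and /failure are independent; enabling only failures is a
    # reasonable low-noise starting point for object access.
    & auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for '$sub' (exit $LASTEXITCODE)" }
}

# Read the effective setting back as CSV (/r) so it can be checked, not eyeballed.
# auditpol prints a blank line before the header, which ConvertFrom-Csv must not see.
foreach ($sub in $subcategories) {
    $row = & auditpol.exe /get /subcategory:"$sub" /r |
        Where-Object { $_ -match '\S' } |
        ConvertFrom-Csv
    "{0,-22} {1}" -f $row.Subcategory, $row.'Inclusion Setting'
}

# Because 'Audit Policy Change' is now enabled, the /set calls above were
# themselves recorded as event 4719 in the Security log.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Pull named EventData fields from the event XML rather than parsing Message text.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
    # AuditPolicyChanges holds resource-string placeholders (e.g. %%8449) in the raw
    # XML; $e.Message shows them resolved.
    "{0}  {1}\{2}  {3}  {4}" -f $e.TimeCreated, $d.SubjectDomainName, $d.SubjectUserName,
        $d.SubcategoryGuid, $d.AuditPolicyChanges
}
```

The GUID printed for each 4719 event is the subcategory GUID; auditpol accepts either the name or the GUID, and the GUID is the stable form to use in scripts that must run on localized systems.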
Event Viewer
Event Viewer is a graphical utility for viewing and managing the Windows Event Logs, including the Security log. It provides filtering by event ID, source, level, and time, and XML (XPath) queries over event fields; the same queries can be run from scripts with Get-WinEvent or wevtutil.
API Functions
The following Win32 API functions are relevant to auditing. Most of them operate on the building blocks of object security (SIDs, access tokens, security descriptors and ACLs); audit settings for an individual object are audit ACEs in its system access control list (SACL).
| Function | Description |
|---|---|
| AllocateAndInitializeSid | Allocates and initializes a security identifier (SID) with up to eight subauthorities. |
| CheckTokenMembership | Determines whether a specified SID is present and enabled in the specified access token. |
| DuplicateTokenEx | Creates a new access token that duplicates an existing one, as either a primary or an impersonation token. |
| FindNextFile | Continues a file search from a previous call to FindFirstFile. |
| FreeSid | Frees a SID previously allocated by AllocateAndInitializeSid. |
| GetAce | Retrieves a pointer to a specific access control entry (ACE) in an access control list (ACL). |
| GetAclInformation | Retrieves information about an ACL, such as its size and the number of ACEs it contains. |
| GetFileSecurity | Retrieves a copy of the security descriptor for a specified file or directory; requesting the SACL requires SeSecurityPrivilege. |
| GetSecurityDescriptorControl | Retrieves the control bits and revision number of a security descriptor. |
| GetSecurityDescriptorDacl | Retrieves a pointer to the discretionary access control list (DACL) of a security descriptor. |
| GetSecurityDescriptorOwner | Retrieves the owner SID from a security descriptor. |
| GetTokenInformation | Retrieves various types of information about an access token, such as its user, groups and privileges. |
| ImpersonateLoggedOnUser | Lets the calling thread impersonate the security context of a logged-on user. |
| IsValidSid | Validates a SID by checking its revision number and subauthority count. |
| LookupAccountName | Retrieves the SID for a specified account name and the name of the domain on which the account was found. |
| LookupPrivilegeName | Retrieves the programmatic name (for example SeSecurityPrivilege) corresponding to a privilege LUID on the specified system; the display name comes from LookupPrivilegeDisplayName. |
| OpenProcessToken | Opens the access token associated with a process. |
| PrivilegeCheck | Determines whether a specified set of privileges is enabled in an access token. |
| RevertToSelf | Terminates the impersonation of a client by the calling thread. |
| SetEntriesInAcl | Creates a new ACL by merging new access control or audit control entries into an existing ACL. |
| SetFileSecurity | Sets the security descriptor of a specified file or directory; newer code should use SetNamedSecurityInfo. |
Note
These functions manage the security of individual objects, not the system audit policy. An access to a file or registry key produces a Security log event only when both conditions hold: the relevant subcategory (Object Access / File System or Registry) is enabled in the audit policy, and the object's SACL contains an audit ACE that matches the accessing principal and the requested access. Reading or writing a SACL requires SeSecurityPrivilege, which is why tools that set audit rules must run elevated. Conversion between binary security descriptors and Security Descriptor Definition Language (SDDL) strings is handled by separate functions such as ConvertSecurityDescriptorToStringSecurityDescriptor, not by the functions listed above.
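As an added example (not part of the original page), the following PowerShell does from a script what the listed functions do natively: it reads a directory's security descriptor with the SACL, merges an audit ACE into it, writes it back, triggers an access, and then reads the resulting 4663 events from the Security log. It uses the .NET FileSystemSecurity wrappers that sit over GetFileSecurity/SetFileSecurity and SetEntriesInAcl. The directory path under $env:TEMP is a hypothetical demo location; the File System subcategory must already be enabled or no event is written.

```powershell
# Added example, not from the original page. Reading or writing a SACL needs
# SeSecurityPrivilege, so run elevated.
#Requires -RunAsAdministrator

$target = Join-Path $env:TEMP 'audit-demo'      # hypothetical demo directory
New-Item -ItemType Directory -Path $target -Force | Out-Null

# Audit ACE: every successful and failed write or delete by anyone, inherited
# by files and subdirectories created underneath.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Write, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

# Get-Acl -Audit reads the descriptor including the SACL; AddAuditRule merges the
# new ACE (like SetEntriesInAcl); Set-Acl writes the descriptor back.
$acl = Get-Acl -Path $target -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $target -AclObject $acl

# Read the SACL back and show each audit ACE, explicit and inherited.
$sacl = (Get-Acl -Path $target -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
foreach ($ace in $sacl) {
    "{0,-20} {1,-18} {2}" -f $ace.IdentityReference, $ace.AuditFlags, $ace.FileSystemRights
}

# Generate an audited access (creating a file requests write access), then give
# the Security log a moment before querying for 4663 "an attempt was made to
# access an object" events newer than the access.
$since = (Get-Date).AddSeconds(-1)
Set-Content -Path (Join-Path $target 'probe.txt') -Value 'hello'
Start-Sleep -Seconds 2

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } `
    -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Named EventData fields come from the event XML; filter on ObjectName because
    # 4663 fires for every audited object on the machine, not just this one.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
    if ($d.ObjectName -like "$target*") {
        "{0}  {1}\{2}  pid={3}  {4}  mask={5}" -f $e.TimeCreated, $d.SubjectDomainName,
            $d.SubjectUserName, $d.ProcessId, $d.ObjectName, $d.AccessMask
    }
}
```

If the SACL shows the new ACE but no 4663 event appears, the audit policy side is the usual cause: check `auditpol /get /subcategory:"File System"` rather than the object, since both the policy and the SACL entry are required. Delete the demo directory afterwards, because the inherited ACE will otherwise keep generating events for every write beneath it.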