Windows Security Log Event ID 4719
Operating Systems: Windows 2008 R2 and 7; Windows 2012 R2 and 8.1; Windows 2016 and 10; Windows Server 2019 and 2022
Category • Subcategory: Policy Change • Audit Policy Change
Type: Success
Corresponding events in Windows 2003 and before: 612
4719: System audit policy was changed
This computer's system-level audit policy was modified, either via Local Security Policy, Group Policy in Active Directory or the auditpol command.
According to Microsoft, this event is always logged when an audit policy is disabled, regardless of the "Audit Policy Change" sub-category setting. This and several other events can help identify when someone attempts to disable auditing to cover their tracks.
If Group Policy was used to configure audit policy, the Subject fields unfortunately don't identify who actually changed the policy. In such cases this event always shows the local computer as the one that changed the policy, since the computer is the security principal under which gpupdate runs.
If auditpol was used to configure audit policy, the event will properly reflect the user in Subject:.
Subject:
The ID and logon session of the user that changed the policy - always the local system - see note above.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
Audit Policy Change:
Category:
- Account Logon
- Account Management
- Detailed Tracking
- Directory Service
- Logon/Logoff
- Object Access
- Policy Change
- Privilege Use
- System Events
Subcategory:
- Security State Change
- Security System Extension
- System Integrity
- IPsec Driver
- Other System Events
- Logon
- Logoff
- Account Lockout
- IPsec Main Mode
- Special Logon
- IPsec Quick Mode
- IPsec Extended Mode
- Other Logon/Logoff Events
- Network Policy Server
- File System
- Registry
- Kernel Object
- SAM
- Other Object Access Events
- Certification Services
- Application Generated
- Handle Manipulation
- File Share
- Filtering Platform Packet Drop
- Filtering Platform Connection
- Sensitive Privilege Use
- Non Sensitive Privilege Use
- Other Privilege Use Events
- Process Creation
- Process Termination
- DPAPI Activity
- RPC Events
- Audit Policy Change
- Authentication Policy Change
- Authorization Policy Change
- MPSSVC Rule-Level Policy Change
- Filtering Platform Policy Change
- Other Policy Change Events
- User Account Management
- Computer Account Management
- Security Group Management
- Distribution Group Management
- Application Group Management
- Other Account Management Events
- Directory Service Access
- Directory Service Changes
- Directory Service Replication
- Detailed Directory Service Replication
- Credential Validation
- Kerberos Service Ticket Operations
- Other Account Logon Events
- Kerberos Authentication Service
- Subcategory GUID: the globally unique identifier of the subcategory
Changes:
- Failure added
- Failure removed
- Success added
- Success removed
Subject:
- Security ID: %1
- Account Name: %2
- Account Domain: %3
- Logon ID: %4
Audit Policy Change:
- Category: %5
- Subcategory: %6
- Subcategory GUID: %7
- Changes: %8
System audit policy was changed.
Subject:
Security ID: S-1-5-21-3108364787-189202583-342365621-500
Account Name: Administrator
Account Domain: WIN-R9H529RIO4Y
Logon ID: 0x169e9
Audit Policy Change:
Category: Logon/Logoff
Subcategory: Special Logon
Subcategory GUID: {0CCE921B-69AE-11D9-BED3-505054503030}
Changes: Failure added
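An added example, not part of the original page: Python code that parses the rendered 4719 message layout shown above, flags events where auditing was removed, and reports whether Subject names a user (the auditpol case) or only the computer (the Group Policy case). The sample event is constructed, with only the Special Logon GUID taken from the page's example; treating S-1-5-18/SYSTEM or an account name ending in `$` as the computer context, and comma-separated Changes values, are assumptions.

```python
import re

# Constructed sample in the message layout shown above; account values are made up.
SAMPLE_EVENT = """System audit policy was changed.
Subject:
  Security ID: S-1-5-21-1111111111-2222222222-3333333333-1104
  Account Name: jdoe
  Account Domain: EXAMPLE
  Logon ID: 0x4a2f1
Audit Policy Change:
  Category: Logon/Logoff
  Subcategory: Special Logon
  Subcategory GUID: {0CCE921B-69AE-11D9-BED3-505054503030}
  Changes: Success removed, Failure removed
"""

FIELDS = ("Security ID", "Account Name", "Account Domain", "Logon ID",
          "Category", "Subcategory", "Subcategory GUID", "Changes")
# Assumption: renderings of the Local System identity (S-1-5-18 is its well-known SID).
SYSTEM_IDS = {"S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"}

def parse_4719(message):
    """Return the labelled fields of a rendered 4719 message as a dict."""
    event = {}
    for name in FIELDS:
        m = re.search(rf"^\s*(?:-\s*)?{re.escape(name)}:[ \t]*(.*?)[ \t]*$", message, re.M)
        if m:
            event[name] = m.group(1).strip()
    return event

def triage(message):
    """Flag removed auditing and say whether Subject names a real actor."""
    ev = parse_4719(message)
    # Assumption: several changes in one event are comma-separated.
    changes = [c.strip().lower() for c in ev.get("Changes", "").split(",") if c.strip()]
    removed = [c for c in changes if c.endswith("removed")]
    # Policy applied by Group Policy is logged under the computer, so Subject
    # does not identify the person who edited the policy.
    machine = (ev.get("Security ID", "").upper() in SYSTEM_IDS
               or ev.get("Account Name", "").endswith("$"))
    actor = None if machine else f'{ev.get("Account Domain", "")}\\{ev.get("Account Name", "")}'
    return {"subcategory": ev.get("Subcategory"), "removed": removed,
            "auditing_reduced": bool(removed), "actor_identified": not machine,
            "actor": actor}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))
```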