Windows Security Log Event ID 4885

4885: The audit filter for Certificate Services changed

On this page

• Description of this event
• Field level details
• Examples
• Mini-seminars on this event

Windows logs this event whenever you modify the Auditing tab of the Properties dialog of the CA in the Certification Authority MMC snap-in.  The Audit tab controls which CA releated events are reported to the security log.

The Filter: field below is a bitwise representation of the check boxes on the Audit tab mentioned above.

Free Security Log Resources by Randy

• Free Security Log Quick Reference Chart
• Windows Event Collection: Supercharger Free Edtion
• Free Active Directory Change Auditing Solution
• Free Course: Security Log Secrets

Description Fields in 4885

Filter:

Selected values

0 - all auditing disabled

127 - all auditing enabled

Bit	Meaning
1	Start and stop Active Directory Certificate Services
2	Backup and restore the CA database
3	Issue and manage certificate requests
4	Revoke certificates and publish CRLs
5	Change CA security settings
6	Store and retrieve archived keys
7	Change CA configuration

The order of the check boxes in the Auditing tab dialog do not correspond to the order of the bits in the filter.

The decision to log this event at all is governed by the filter itself, specifically the "Change CA configuration" check box.  Unfortunateley if you disable this box, no event is recorded.

Supercharger Free Edition

Supercharger's built-in Xpath filters leave the noise behind.

Free.

 

Mini-Seminars Covering Event ID 4885 27 Most Important Windows Security Events

 

Upcoming Webinars Unpacking a Linux Supply Chain Compromise Using the Recently Published XZ Utils Backdoor as the Example Assessing the Security of Your Active Directory: User Accounts Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

•	Event IDs
•	All Event IDs
•	Audit Policy