Windows Security Log Event ID 612

Operating Systems	Windows Server 2000 Windows 2003 and XP
Category	Policy Change
Type	Success
Corresponding events in Windows 2008 and Vista	4719

612: Audit Policy Change

On this page

Description of this event
Field level details
Examples

This indicates the system's audit policy was modified. Pluses indicate auditing is enabled, minuses indicate it is disabled. Unfortunately the Change By fields don't always identify who actually changed the policy because audit policy might not be directly configured by administrators. Instead it might be edited in a group policy object which then gets applied to the computer. In that case this event shows the local computer as the one who changed the policy since the computer is the security principal under which gpupdate runs.

Different service packs of the OS handle this event differently. Windows XP SP2 may log this event every time the system starts up. Earlier implementations of Windows 2000 sometimes logged this event twice in quick succession every time the group policy was refreshed. In that case it indicated auditing was turned off and then back on. Thankfully these problems have now been resolved.

Free Security Log Resources by Randy

Description Fields in 612

Windows 2003:

ID: 612 Description: Audit Policy Change:
New Policy:
Success Failure
     %3     %4 Logon/Logoff
     %5     %6 Object Access
     %7     %8 Privilege Use
     %13    %14 Account Management
     %11    %12 Policy Change
     %1     %2 System
     %9     %10 Detailed Tracking
     %15    %16 Directory Service Access
     %17    %18 Account Logon
Changed By:
   User Name: %19
   Domain Name: %20
   Logon ID: %21

Supercharger Free Edition

Supercharger's built-in Xpath filters leave the noise behind.

Free.

Examples of 612

Audit Policy Change:
New Policy:
  Success Failure
      +     + Logon/Logoff
      +     + Object Access
      +     + Privilege Use
      +     + Account Management
      +     + Policy Change
      +     + System
      +     + Detailed Tracking
      +     + Directory Service Access
      +     + Account Logon

Changed By:
    User Name: administrator
    Domain Name: ACME
    Logon ID: (0x0,0x3CF6B)

Changed by group policy:

Audit Policy Change:
New Policy:
  Success Failure
      +     + Logon/Logoff
      +     + Object Access
      -     - Privilege Use
      +     + Account Management
      +     + Policy Change
      +     + System
      -     - Detailed Tracking
      -     - Directory Service Access
      +     + Account Logon

Changed By:
  User Name: MS2-W2K$
  Domain Name: ACME
  Logon ID:  (0x0,0x3E7)

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

Mini-Seminars Covering Event ID 612

Upcoming Webinars

Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

Encyclopedia

•	Event IDs
•	All Event IDs
•	Audit Policy

Go To Event ID:

Must be a 1-5 digit number No such event ID

Security Log
Quick Reference
Chart
Download now!

User name:
Password:
	/ Forgot?
	Register

April 2024 Patch Tuesday	"Patch Tuesday - One Zero Day and Record Number of Patches! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.