| File System | Audit user attempts to access file system objects. A security audit event is generated only for objects that have SACLs and only if the type of access requested, such as Write, Read, or Modify, and the account making the request match the settings in the SACL. |
| Registry | Audit attempts to access registry objects. A security audit event is generated only for objects that have SACLs and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. |
| Kernel Object | Audit attempts to access the system kernel, which includes mutexes and semaphores. Only kernel objects with a matching SACL generate security audit events. Note: The "Audit: Audit the access of global system objects" policy setting controls the default SACL of kernel objects. |
| SAM | Audit events generated by attempts to access Security Accounts Manager (SAM) objects. |
| Certification Services | Audit Active Directory Certificate Services (AD CS) operations. |
| Application Generated | Audit applications that generate events by using the Windows Auditing application programming interfaces (APIs). Applications designed to use the Windows Auditing API use this subcategory to log auditing events related to their function. |
| Handle Manipulation | Audit events generated when a handle to an object is opened or closed. Only objects with a matching SACL generate security audit events. |
| File Share | Audit attempts to access a shared folder. However, no security audit events are generated when a folder is created, deleted, or its share permissions are changed. |
| Detailed File Share | Audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. |
| Filtering Platform Packet Drop | Audit packets that are dropped by Windows Filtering Platform (WFP). |
| Filtering Platform Connection | Audit connections that are allowed or blocked by WFP. |
| Other Object Access Events | Audit events generated by the management of Task Scheduler jobs or COM+ objects. |
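
The File System entry above depends on two things being in place: the subcategory must be enabled, and the object must carry a SACL entry matching the account and access type. The following PowerShell sketch is an added example, not part of the original reference. It assumes an elevated session, an English-language system (subcategory names are localized), and a hypothetical test folder `C:\AuditDemo`.

```powershell
# Added example. Run elevated; C:\AuditDemo is a hypothetical test folder.
$path = 'C:\AuditDemo'
New-Item -ItemType Directory -Path $path -Force | Out-Null

# 1. Enable the File System subcategory for success and failure events.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add a SACL entry: audit Write and Delete by Everyone, inherited by
#    child files and folders. Without this entry the policy logs nothing here.
$acl  = Get-Acl -Path $path -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Write, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# 3. Confirm both halves of the configuration.
auditpol /get /subcategory:"File System"
(Get-Acl -Path $path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags

# 4. Constructed test activity: a write (matches the SACL) and a read
#    (does not match, because the SACL above audits only Write and Delete).
$file = Join-Path $path 'sample.txt'
Set-Content -Path $file -Value 'constructed sample data'
Get-Content -Path $file | Out-Null

# 5. Look for object-access events (ID 4663) that mention the test folder.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 50 |
    Where-Object { $_.Message -like "*$path*" } |
    Select-Object TimeCreated, Id |
    Format-Table -AutoSize
```

The write produces 4663 events for the file while the read produces none, which is the SACL-matching behavior the File System, Registry, Kernel Object and Handle Manipulation entries describe.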