
I'd like to change object audit policy with VB.NET, like enabling Object Access auditing. Is that possible? If not, is PowerShell an option? I know I can get gpedit running on any version of Windows, but I want to be able to change the setting programmatically.

Also, I do know some settings can be changed by Registry, but I haven't seen one for audit policy.

http://www.lshift.net/blog/2013/03/25/programmatically-updating-local-policy-in-windows/

I found this, but will give it a try in a little while.

Tyler Montney
  • Hi, please grab some code, try it, and post your results so we can help you debug it. – sodawillow Dec 29 '15 at 09:53
  • Grab some code from what? The link? I only found the link after posting. I have absolutely no clue otherwise how to accomplish this, and I still haven't had a chance to look at the link (I'm going to in an hour or so). Otherwise I was looking for other suggestions. – Tyler Montney Dec 29 '15 at 17:09
  • Grab some code from Google, like everyone does: https://social.technet.microsoft.com/Forums/windows/en-US/046d0082-740a-486b-9078-08307a754d97/powershell-group-policy-auditing-tab?forum=winserverpowershell – sodawillow Dec 29 '15 at 17:11
  • See that's really inaccurate. You came across a post I didn't. I Googled for quite a while and never came across that. That's why I came here to ask. I'll take a look at that link shortly too. – Tyler Montney Dec 29 '15 at 17:13
  • I can understand that. I Googled *powershell audit policy*. Try to use the code and if it fails, include it in your question along with the encountered error. – sodawillow Dec 29 '15 at 17:14
  • Found this based off your last post. When I saw "Get-ACL", I used that to refine my search and found this: http://technochat.in/2014/05/set-file-system-auditing-via-powershell/ – Tyler Montney Dec 29 '15 at 17:16

1 Answer

Update: It is possible to import, via VB (or probably any other language), but using REG IMPORT. Make sure you're putting the .REG file where System can access it (System does not have the same privileges as Administrator). You'd have to launch a separate app that runs as System and, on load, imports a registry key. You can run as System using PSTools (psexec), from Sysinternals. You can also do it by creating a service, running the service, then deleting the service: Running application as System (without PSTools)

I realized all the links I thought were the answer, were not. They all change the Audit Policy tab, and I can already do that programmatically. What I want to change is the global audit policy, which is only available in Group Policy (gpedit.msc). Of course, you can "install" it on any version of Windows, but I want a solution that doesn't require the end user to have to set it (aka not use gpedit.msc).

I knew that Process Monitor could monitor virtually anything going on in the background, and one link in my comments also was using Process Monitor (comments of my OP). So, I figured that was really my only way. Naturally, you'd think mmc.exe is the one to look for, but it's not. It does a TON of registry open/query/enum/closes. However, no setting or deleting. I decided to look a little before and after the large block of mmc operations (well and of course anywhere in between). Anything that wasn't mmc but happened in the exact timeframe. I found lsass had done some setting and deleting. It was changing the value of a Registry key that is owned by System. I used PSTools to run regedit as System, so I could access the key. I then used gpedit to switch back and forth (from No Auditing to Success), and found it always set the same values (something like 0 for off and 1 for on). I exported the keys when I changed the values in gpedit, and then imported them to test. I can confirm it works by reopening gpedit after importing, and the value changes. I can also confirm simply by enabling Auditing on a folder, and seeing logs in Event Viewer.

tl;dr

  1. HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv\(Default) is the key you want.
  2. Download the .reg files here
  3. Run this in an elevated command prompt: psexec -i -s regedit
  4. Import the .reg file you need.
  5. Confirm by reopening gpedit.msc and checking Event Viewer (Security)

Don't trust the .reg files? Here are the values if you'd rather create them yourself. Value type is REG_NONE, so @=hex(0).

No Audit: 00010000090000007e00000001000000030000000300010001000100000001000000000000000300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000100000000000000000001000000010000000000000000000000000000000000000000000000fe7f05000a000e00030004000600060004000400

Success: 00010000090000007e00000001000000030000000300010001000100000001000000000000000300000001000100010001000100010001000100010001000100010001000100000000000000000000000000000001000100000000000000000001000000010000000000000000000000000000000000000000000000fe7f05000a000e00030004000600060004000400

Tyler Montney
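As an added example (not part of the question or the answer above, and not code from the asker): the same Object Access setting the answer flips by importing the undocumented PolAdtEv blob as SYSTEM can be set with the documented `auditpol.exe` tool, which only needs an elevated session and can be called from PowerShell or launched from VB.NET with `Process.Start`. The script assumes an elevated PowerShell prompt on Windows Vista / Server 2008 or later, where per-subcategory ("advanced") audit policy exists; the function names are mine.

```powershell
# Added example, not from the original post: enable File System auditing
# (Object Access category) through auditpol.exe instead of editing
# HKLM\SECURITY\Policy\PolAdtEv by hand. Assumes an elevated session.

#Requires -RunAsAdministrator

function Get-ObjectAccessAuditPolicy {
    # /r makes auditpol emit CSV (Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting). The output can
    # start with a blank line, so drop empty strings before parsing.
    auditpol.exe /get /category:"Object Access" /r |
        Where-Object { $_ -ne '' } |
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

function Enable-FileSystemAuditing {
    # Success and failure are independent flags on each subcategory.
    auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol /set failed with exit code $LASTEXITCODE"
    }
}

Write-Host 'Object Access policy before:'
Get-ObjectAccessAuditPolicy | Format-Table -AutoSize

Enable-FileSystemAuditing

Write-Host 'Object Access policy after:'
Get-ObjectAccessAuditPolicy | Format-Table -AutoSize

# Make sure the subcategory setting is not overridden by legacy category-level
# policy. This is the registry form of the security option
# "Audit: Force audit policy subcategory settings ... to override audit policy
# category settings".
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord
```

Enabling the subcategory is only half of the job: just as the answer notes, events only appear in the Security log once a SACL is also present on the folder or file you care about (the per-object "Auditing" tab the asker was already able to set). Checking `auditpol /get /category:"Object Access"` after a reboot or a Group Policy refresh is a good way to confirm that domain policy is not quietly resetting the local value.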