Audit Policy Manager
The auditpol command displays information about and performs functions to manipulate audit policies in Windows. It allows administrators to configure what security events are logged in the Windows Security Event Log.
Think of it like setting up security cameras in your building. You decide what activities to monitor (logons, file access, policy changes) and auditpol configures Windows to track those events for security analysis and compliance.
Track user logons, file access, and security policy changes.
Meet PCI-DSS, HIPAA, and other regulatory audit requirements.
Collect evidence after security breaches or suspicious activity.
Save and restore audit configurations across systems.
auditpol /get /category:* - Display all current audit policy settings for all categories.
auditpol /list /category - List all available audit policy categories.
auditpol /list /subcategory - List all available audit subcategories.
auditpol /set /subcategory:"Logon" /success:enable - Enable success auditing for logon events.
auditpol /backup /file:C:\audit.csv - Back up the current audit policy to a file.
All auditpol commands require Administrator privileges to view or configure audit policies.
To run commands as Administrator in the simulator:
runas /user:administrator cmd - Request administrator privileges.
admin123 - Enter the password when prompted.
auditpol /get /category:* - Now you can use auditpol commands.
Real Windows: Right-click Command Prompt and select "Run as administrator" before running auditpol commands.
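An added example, not part of the original page: a PowerShell check that reads the CSV report form of the /get command above (the /r switch) and lists the subcategories that fall short of a required baseline, with the /set command that would close each gap. The baseline, the host name HOST01 and the sample rows are constructed for illustration, and English-language auditpol output is assumed.

```powershell
# Added example: audit-policy baseline check. Assumes English auditpol output.
# Hypothetical baseline chosen for illustration; adjust to your own requirements.
$required = [ordered]@{
    'Logon'               = 'Success and Failure'
    'Audit Policy Change' = 'Success'
    'File System'         = 'Failure'
}

# Constructed sample in the CSV layout printed by: auditpol /get /category:* /r
# ({GUID} is a placeholder). On a real elevated prompt, replace the here-string with:
#   $lines = auditpol /get /category:* /r
$lines = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
HOST01,System,Logon,{GUID},Success,
HOST01,System,Audit Policy Change,{GUID},Success and Failure,
HOST01,System,File System,{GUID},No Auditing,
'@ -split "`r?`n"

function Test-AuditSetting {
    param([string]$Actual, [string]$Needed)
    # Every required outcome must appear in the actual setting, so
    # 'Success and Failure' satisfies a requirement of 'Success' alone.
    foreach ($part in ($Needed -split ' and ')) {
        if ($Actual -notmatch "\b$part\b") { return $false }
    }
    return $true
}

# Drop any blank lines, then parse the report into objects.
$rows = $lines | Where-Object { $_.Trim() } | ConvertFrom-Csv

$gaps = foreach ($name in $required.Keys) {
    $row    = $rows | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
    $actual = if ($row) { $row.'Inclusion Setting' } else { 'Not reported' }
    if (-not (Test-AuditSetting -Actual $actual -Needed $required[$name])) {
        # Build the /set command that would close the gap.
        $flags = ($required[$name] -split ' and ' |
                  ForEach-Object { "/$($_.ToLower()):enable" }) -join ' '
        [pscustomobject]@{
            Subcategory = $name
            Required    = $required[$name]
            Actual      = $actual
            Fix         = "auditpol /set /subcategory:`"$name`" $flags"
        }
    }
}

$gaps | Format-List
```

With the constructed sample, the check reports Logon (failure auditing missing) and File System (no auditing) and passes Audit Policy Change.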