MZ@ !L!This program cannot be run in DOS mode. $Rؕ3}3}3}H̴3}H̱3}Rich3}PEL!  rT@$q.rsrcr@@( @Xp   k}MUINU~< F:V.aqHG MUI en-US  $ <options>] %n Commands (only one command permitted per execution) /? Help (context-sensitive) /get Displays the current audit policy. /set Sets the audit policy. /list Displays selectable policy elements. /backup Saves the audit policy to a file. /restore Restores the audit policy from a file. /clear Clears the audit policy. /remove Removes the per-user audit policy for a user account. /resourceSACL Configure global resource SACLs %n Use AuditPol <command> /? for details on each command Usage: AuditPol /get [/user[:<username>|<{sid}>]] [/category:*|<name>|<{guid}>[,:<name>|<{guid}>...]] [/subcategory:<name>|<{guid}>[,:<name>|<{guid}>...]] [/option:<option name>] [/sd] [/r] %n This command displays the current audit policy. %n Commands /? Help (context-sensitive) /user The security principal for whom the per-user audit policy is queried. Either the /category or /subcategory option must be specified. The user may be specified as a SID or name. If no user account is specified, then the system audit policy is queried. /category One or more audit categories specified by GUID or name. An asterisk ("*") may be used to indicate that all audit categories should be queried. /subcategory One or more audit subcategories specified by GUID or name. /sd Retrieves the security descriptor used to delegate access to the audit policy. /option Retrieve existing policy for CrashOnAuditFail, FullPrivilegeAuditing, AuditBaseObjects or AuditBaseDirectories. /r Display the output in report (CSV) format. %n Sample usage: auditpol /get /user:domain\user /Category:"Detailed Tracking","Object Access" auditpol /get /Subcategory:{0cce9212-69ae-11d9-bed3-505054503030} /r auditpol /get /option:CrashOnAuditFail auditpol /get /user:{S-1-5-21-397123417-1234567} /Category:"System" auditpol /get /sd Usage: AuditPol /set [/user[:<username>|<{sid}>][/include][/exclude]] [/category:<name>|<{guid}>[,:<name>|<{guid}>...]] [/success:<enable>|<disable>][/failure:<enable>|<disable>] [/subcategory:<name>|<{guid}>[,:<name>|<{guid}>...]] [/success:<enable>|<disable>][/failure:<enable>|<disable>] [/option:<option name> /value:<enable>|<disable>] %n This command sets the current audit policy. %n Commands /? Help (context-sensitive) /user The security principal for whom per-user audit policy specified by the category/subcategory is set. Either the category or subcategory option must be specified, as a SID or name. /include Specified with /user; indicates that user's per-user policy will cause audit to be generated even if not specified by the system audit policy. This setting is the default and is automatically applied if neither the /include nor /exclude options are explicitly specified. /exclude Specified with /user; indicates that the user's per-user policy will cause audit to be suppressed regardless of the system audit policy. This setting is not honored for users who are members of the Administrators local group. /category One or more audit categories specified by GUID or name. If no user is specified, the system policy is set. /subcategory One or more audit subcategories specified by GUID or name. If no user is specified, system policy is set. /success Specifies success auditing. This setting is the default and is automatically applied if neither the /success nor /failure options are explicitly specified. This setting must be used with a parameter indicating whether to enable or disable the setting. /failure Specifies failure auditing. This setting must be used with a parameter indicating whether to enable or disable the setting. /option Set the audit policy for CrashOnAuditFail, FullPrivilegeAuditing, AuditBaseObjects or AuditBaseDirectories. /sd Sets the security descriptor used to delegate access to the audit policy. The security descriptor must be specified using SDDL. The security descriptor must have a DACL. %n Example: auditpol /set /user:domain\user /Category:"System" /success:enable /include auditpol /set /subcategory:{0cce9212-69ae-11d9-bed3-505054503030} /failure:disable auditpol /set /option:CrashOnAuditFail /value:enable auditpol /set /sd:D:(A;;DCSWRPDTRC;;;BA)(A;;DCSWRPDTRC;;;SY) HUsage: AuditPol /list [/user|/category|/subcategory[:<categoryname>|<{guid}>|*] [/v] [/r] %n This command lists audit policy categories, subcategories, or lists users for whom per-user audit policy is defined. %n Commands /? Help (context-sensitive) /user Retrieves all users for whom per-user audit policy has been defined. If used with the /v option, the sid of the user is also displayed. /category Displays the names of categories understood by the system. If used with the /v option, the category GUID is also displayed. /subcategory Displays the names of subcategories understood by the system, for subcategories in a specified category. The subcategory GUIDs are also displayed if the /v option is used. %n Example: auditpol /list /user auditpol /list /category /v auditpol /list /subcategory:"Detailed Tracking","Object Access" DUsage: AuditPol /clear [/y] This command deletes per-user audit policy for all users, resets system audit policy for all subcategories and sets all the auditing options to disabled. %n Options /? Help (context-sensitive). /y Suppresses the prompt to confirm if all the audit policy should be cleared. %n Example: auditpol /clear auditpol /clear /y Usage: AuditPol /remove [/user[:<username>|<{sid}>]] [/allusers] %n This command removes per-user audit policy for a specified account. %n Options /? Help (context-sensitive). /user Specifies the SID or user name for the user for whom per-user audit policy is to be deleted /allusers Deletes per-user audit policy for all users. %n Example: auditpol /remove /user:{S-1-5-21-397123417-1234567} auditpol /remove /allusers Usage: AuditPol /backup /file:<filename> %n This command backs up system audit policy settings and per-user audit policy settings for all users and all auditing options into a file. The backup will be written to a CSV-formatted text file. %n Options /? Help (context-sensitive). /file Specifies the name of the file to which the audit policy will be backed-up. %n Example: auditpol /backup /file:c:\auditpolicy.csv Usage: AuditPol /restore /file:<filename> %n This command restores system audit policy settings, per-user audit policy settings for all users and all auditing options from a file created with the /backup command. %n Options /? Help (context-sensitive). /file Specifies the file where the audit policy should be read from. The file must have been created by the /backup option or must be syntactically consistent with that file format. %n Example: auditpol /restore /file:c:\auditpolicy.csv Usage: AuditPol /resourceSACL [/set /type:<resource> [/success] [/failure] /user:<user> [/access:<access flags>] [/condition:<expression>]] [/remove /type:<resource> /user:<user> [/type:<resource>]] [/clear [/type:<resource>]] [/view [/user:<user>] [/type:<resource>]] %n This command configures settings for global object access auditing. The corresponding object access subcategory needs to be enabled for the events to be generated by the system. Type auditpol /set /? for more information. %n Commands /? Displays Help for the command. /set Adds a new entry to or updates an existing entry in the resource system access control list for the resource type specified. /remove Removes all entries for the given user from the global object access auditing list specified by the resource type. /clear Removes all entries from the global object access auditing list for the specified resource type. /view Lists the global object access auditing entries for the specified resource type and user. Specifying a user is optional. %n Arguments %n /type The resource for which object access auditing is being configured. The supported argument values are File and Key. Note that these values are case sensitive. File: Directories and files. Key: Registry keys. /success Specifies success auditing. /failure Specifies failure auditing. /user Specifies a user in one of the following forms: - DomainName\Account (such as DOM\Administrators) - StandaloneServer\Group - Account (see LookupAccountName API) - {S-1-x-x-x-x}. x is expressed in decimal, and the entire SID must be enclosed in curly braces. For example: {S-1-5-21-5624481-130208933-164394174-1001} Warning: If SID form is used, no check is done to verify the existence of this account. /access Specifies a permission mask that can be specified in one of two forms: - A sequence of simple rights: Generic access rights: GA - GENERIC ALL GR - GENERIC READ GW - GENERIC WRITE GX - GENERIC EXECUTE Access rights for files: FA - FILE ALL ACCESS FR - FILE GENERIC READ FW - FILE GENERIC WRITE FX - FILE GENERIC EXECUTE Access rights for registry keys: KA - KEY ALL ACCESS KR - KEY READ KW - KEY WRITE KX - KEY EXECUTE For example: '/access:FRFW' will enable audit events for read and write operations. - A hex value representing the access mask (such as 0x1200a9). This is useful when using resource-specific bit masks that are not part of the SDDL standard. If omitted, Full access is used. /condition Appends an attribute based expression like the following: Document sensitivity is HBI ("High") "(@Resource.Sensitivity == \"High\")" %n Examples: %n auditpol /resourceSACL /set /type:Key /user:MYDOMAIN\myuser /success auditpol /resourceSACL /set /type:File /user:MYDOMAIN\myuser /success /failure /access:FRFW auditpol /resourceSACL /set /type:File /user:everyone /success /failure /access:FRFW /condition:"(@Resource.Sensitivity == \"High\")" auditpol /resourceSACL /type:File /clear auditpol /resourceSACL /remove /type:File /user:{S-1-5-21-56248481-1302087933-1644394174-1001} auditpol /resourceSACL /type:File /view auditpol /resourceSACL /type:File /view /user:MYDOMAIN\myuser Are you sure (Press %%s to cancel or any other key to continue)? Success Failure 0Success and Failure No Auditing $Not specified HError 0x%%08X occurred:%n%%s%n Enabled Disabled Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value%n Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting%n System Option Audit policy is defined for the following user accounts:%n (User Account%n SID 4Category/Subcategory GUID Option Name Value ,Inclusive Setting ,Exclusive Setting 4System audit policy%n TAudit policy for user account {%%s}%n pNo audit policy is defined for the user account.%n \The command was successfully executed.%n Setting XAudit Policy Security Descriptor: %%s%n Disabled (Only Administrators are currently allowed to log on) Currently, there is no global SACL for this resource type.%n Entry: %%lu Resource Type: %%s User: %%s Flags: %%s Condition: %%s Accesses: H[Error converting account SID] None Success Failure 0Success and failure N 4VS_VERSION_INFO@%@%?StringFileInfo040904B0LCompanyNameMicrosoft CorporationRFileDescriptionAudit Policy Programr)FileVersion6.3.9600.16384 (winblue_rtm.130821-1623)2 InternalNameauditpol.LegalCopyright Microsoft Corporation. All rights reserved.JOriginalFilenameAUDITPOL.EXE.MUIj%ProductNameMicrosoft Windows Operating SystemBProductVersion6.3.9600.16384DVarFileInfo$Translation PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD