Event Details
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Policy Change->EventID 612 - Audit Policy Change
EventID 612 - Audit Policy Change
A change was successfully made to the computer's audit policy. This can be a result of Group Policy obtained from Active Directory or from Local Computer Policy that is configured on the computer. The details of the audit policy change are described in the event message.

Note: 

This message does not necessarily indicate a problem. However, an attacker may change audit policy as part of a system attack. If successful, an attacker can disable auditing during their attacks and thereby destroy part of the evidence of the attack.
Earlier versions of Windows and different service packs have a "buggy" implementation of this event logging. For example, Windows XP SP2 may log this event each time the system starts up. 

Find more information about this event on ultimatewindowssecurity.com.

Corresponding events on other OS versions:


Windows 2008
 Sample:
Event Type:     Success Audit
Event Source:   Security
Event Category: Policy Change
Event ID:       612
Date:           10/26/2009
Time:           07:31:43
User:           RESEARCH\ALebovsky
Computer:       DC1
Description:    
Audit Policy Change:
New Policy:
	Success	Failure
	    +	    +	Logon/Logoff
	    +	    +	Object Access
	    +	    +	Privilege Use
	    +	    +	Account Management
	    +	    +	Policy Change
	    +	    +	System
	    +	    +	Detailed Tracking
	    +	    +	Directory Service Access
	    +	    +	Account Logon

Changed By:
	  User Name:	Alebovsky
	  Domain Name:	RESEARCH
	  Logon ID:	(0x0,0x59DF36)
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows 2000
Windows XP
Windows 2003
Category Policy Change
Source Security
EventId 612
Field Matching
FieldDescriptionStored inSample Value
DateTime Date/Time of event origination in GMT format. DateTime 10.10.2000 19:00:00
Source Name of an Application or System Service originating the event. Source Security
Type Warning, Information, Error, Success, Failure, etc. Type Success
User Domain\Account name of user/service/computer initiating event. User RESEARCH\Alebovsky
Computer Name of server workstation where event was logged. Computer DC1
EventID Numerical ID of event. Unique within one Event Source. EventId 576
Description The entire unparsed event message. Description Special privileges assigned to new logon.
Log Name The name of the event log (e.g. Application, Security, System, etc.) LogName Security
Category A name for a subclass of events within the same Event Source. Category Logon/Logoff
New Policy Displays new values for all policies. Plus - enabled, minus - disabled. " Success Failure %3 %4 Logon/Logoff %5 %6 Object Access %7 %8 Privilege Use %13 %14 Account Management %11 %12 Policy Change %1 %2 System %9 %10 Detailed Tracking %15 %16 Directory Service Access %17 %18 Account Logon" Success Failure %3 %4 Logon/Logoff %5 %6 Object Access %7 %8 Privilege Use %13 %14 Account Management %11 %12 Policy Change %1 %2 System %9 %10 Detailed Tracking %15 %16 Directory Service Access %17 %18 Account Logon
Changed By: User Name If the change was made locally then reflects the name of the user who made the change, if applied as a result of the Group Policy propagation then reflects the name of the computer where the event is logged InsertionString19 ALebovsky
Changed By: Domain Name Domain name of the user that made the change InsertionString20 RESEARCH
Changed By: Logon ID ID of the logon session of the user that made the change. Useful for tracking other user activity during the same logon session. InsertionString21 (0x0,0x514A6)
New Policy: Success Logon/Logoff "+" or "-" InsertionString3 +
New Policy: Failure Logon/Logoff "+" or "-" InsertionString4 +
New Policy: Success Object Access "+" or "-" InsertionString5 +
New Policy: Failure Object Access "+" or "-" InsertionString6 +
New Policy: Success Privilege Use "+" or "-" InsertionString7 +
New Policy: Failure Privilege Use "+" or "-" InsertionString8 +
New Policy: Success Account Management "+" or "-" InsertionString13 +
New Policy: Failure Account Management "+" or "-" InsertionString14 +
New Policy: Success Policy Change "+" or "-" InsertionString11 +
New Policy: Failure Policy Change "+" or "-" InsertionString12 +
New Policy: Success System "+" or "-" InsertionString1 +
New Policy: Failure System "+" or "-" InsertionString2 +
New Policy: Success Detailed Tracking "+" or "-" InsertionString9 +
New Policy: Failure Detailed Tracking "+" or "-" InsertionString10 +
New Policy: Success Directory Service Access "+" or "-" InsertionString15 +
New Policy: Failure Directory Service Access "+" or "-" InsertionString16 +
New Policy: Success Account Logon "+" or "-" InsertionString17 +
New Policy: Failure Account Logon "+" or "-" InsertionString18 +
Comments
You must be logged in to comment