Tyler Montney - 4 years ago 283
Vb.net Question

Modify audit policy (group policy)

I'd like to change object audit policy with VB.NET. Like enabling Object Access auditing. Is that possible? If not, is PowerShell an option? I know I can get gpedit running on any version of Windows, but I want to be able to change the setting programmatically.

Also, I do know some settings can be changed by Registry, but I haven't seen one for audit policy.

http://www.lshift.net/blog/2013/03/25/programmatically-updating-local-policy-in-windows/

I found this, but will give it a try in a little while.

Answer Source

I realized all the links I thought were the answer, were not. They all change the Audit Policy tab, and I can already do that programmatically. What I want to change is the global audit policy, which is only available in Group Policy (gpedit.msc). Of course, you can "install" it on any version of Windows, but I want a solution that doesn't require the end user to have to set it (aka not use gpedit.msc).

I knew that Process Monitor could monitor virtually anything going on in the background, and one link in my comments also was using Process Monitor (comments of my OP). So, I figured that was really my only way. Naturally, you'd think mmc.exe is the one to look for, but it's not. It does a TON of registry open/query/enum/closes. However, no setting or deleting. I decided to look a little before and after the large block of mmc operations (well and of course anywhere in between). Anything that wasn't mmc but happened in the exact timeframe. I found lsass had done some setting and deleting. It was changing the value of a Registry key that is owned by System. I used PSTools to run regedit as System, so I could access the key. I then used gpedit to switch back and forth (from No Auditing to Success), and found it always set the same values (something like 0 for off and 1 for on). I exported the keys when I changed the values in gpedit, and then imported them to test. I can confirm it works by reopening gpedit after importing, and the value changes. I can also confirm simply by enabling Auditing on a folder, and seeing logs in Event Viewer.

tl;dr

  1. HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv\(Default) is the one you want.
  2. Download the .reg files here
  3. Run this in an elevated command prompt: psexec -i -s regedit
  4. Import the .reg file you need.
  5. Confirm by reopening gpedit.msc and checking Event Viewer (Security)

Don't trust the .reg files? Here are the values if you'd rather create them yourself. Value type is REG_NONE, so @=hex(0).

No Audit: 00010000090000007e00000001000000030000000300010001000100000001000000000000000300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000100000000000000000001000000010000000000000000000000000000000000000000000000fe7f05000a000e00030004000600060004000400

Success: 00010000090000007e00000001000000030000000300010001000100000001000000000000000300000001000100010001000100010001000100010001000100010001000100000000000000000000000000000001000100000000000000000001000000010000000000000000000000000000000000000000000000fe7f05000a000e00030004000600060004000400

This doesn't include executing it with VB.NET, but it comes close enough. My question was "is it possible to do it without using gpedit", and indeed I can.
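A scripted version of steps 3 to 5 above, added here as an example and not part of the original answer. It assumes an elevated prompt, PsExec from PsTools on the PATH, a .reg file exported as described (the path is a placeholder), and it uses auditpol.exe, which the answer does not mention, to read the effective Object Access setting before and after the import instead of reopening gpedit.msc.

```powershell
# Added example, not code from the original post.
# Assumptions: elevated PowerShell, psexec.exe on PATH, $RegFile exported as in the answer.
param(
    [string]$RegFile  = "C:\temp\ObjectAccess-Success.reg",   # placeholder path
    [string]$Category = "Object Access"
)

function Get-AuditSetting {
    param([string]$Category)
    # auditpol /r emits CSV; 'Inclusion Setting' is the effective policy per subcategory
    # ("No Auditing", "Success", "Failure", "Success and Failure").
    auditpol /get /category:$Category /r |
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

$before = Get-AuditSetting -Category $Category

# Step 3+4 without the interactive regedit: import the .reg as SYSTEM, because
# HKLM\SECURITY\Policy\PolAdtEv is not writable by Administrators.
& psexec -accepteula -s reg.exe import $RegFile
if ($LASTEXITCODE -ne 0) {
    throw "reg import failed with exit code $LASTEXITCODE"
}

$after = Get-AuditSetting -Category $Category

# Step 5: show which subcategories changed; an empty result means lsass did not
# pick up the new value and gpedit.msc / Event Viewer should be checked by hand.
$diff = Compare-Object $before $after -Property Subcategory, 'Inclusion Setting' -PassThru
if (-not $diff) {
    Write-Warning "No change in effective audit policy for '$Category'."
} else {
    $diff | Format-Table Subcategory, 'Inclusion Setting', SideIndicator -AutoSize
}
```

Once a subcategory shows Success, touching a folder that carries a SACL should produce event ID 4663 in the Security log, which is the same confirmation the answer describes.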
