Performance counter log

    Question

  • Hi all,

    I have enabled one performance counter log for the web server, but someone disabled it recently. Where can I find the logs showing who disabled the performance counter log?

    Please help

    Monday, July 06, 2015 2:41 PM

All replies

  • Hi,

    As far as I know there's no such auditing facility in Windows.

    Here are the events/objects that can be tracked:

    Category/Subcategory
    System
      Security State Change
      Security System Extension
      System Integrity
      IPsec Driver
      Other System Events
    Logon/Logoff
      Logon
      Logoff
      Account Lockout
      IPsec Main Mode
      IPsec Quick Mode
      IPsec Extended Mode
      Special Logon
      Other Logon/Logoff Events
      Network Policy Server
    Object Access
      File System
      Registry
      Kernel Object
      SAM
      Certification Services
      Application Generated
      Handle Manipulation
      File Share
      Filtering Platform Packet Drop
      Filtering Platform Connection
      Other Object Access Events
      Detailed File Share
    Privilege Use
      Sensitive Privilege Use
      Non Sensitive Privilege Use
      Other Privilege Use Events
    Detailed Tracking
      Process Creation
      Process Termination
      DPAPI Activity
      RPC Events
    Policy Change
      Audit Policy Change
      Authentication Policy Change
      Authorization Policy Change
      MPSSVC Rule-Level Policy Change
      Filtering Platform Policy Change
      Other Policy Change Events
    Account Management
      User Account Management
      Computer Account Management
      Security Group Management
      Distribution Group Management
      Application Group Management
      Other Account Management Events
    DS Access
      Directory Service Access
      Directory Service Changes
      Directory Service Replication
      Detailed Directory Service Replication
    Account Logon
      Credential Validation
      Kerberos Service Ticket Operations
      Other Account Logon Events
      Kerberos Authentication Service

    You can see this list by running auditpol /list /subcategory:*


    This post is provided AS IS with no warranties or guarantees, and confers no rights.

    Monday, July 06, 2015 2:50 PM
  • Hi,

    Thank you for your reply. I will check it again.

    :) Ajees

    Monday, July 06, 2015 2:53 PM
  • As suggested above, you can enable auditing that might give you some evidence to catch the culprit who is making such changes.

    You can follow this informative PDF guide that covers almost all the required steps to enable auditing in Active Directory and track critical changes in real time: http://www.lepide.com/guide/enable-active-directory-security-auditing.pdf


    Carlo

    Tuesday, July 07, 2015 9:13 AM