In Windows 7 auditing, the event ID for changes to audit policy is:

Study for the Computer Hacking Forensic Investigator (CHFI) v11 Test with flashcards and multiple choice questions. Each question comes with hints and explanations. Get ready to excel!

Multiple Choice

In Windows 7 auditing, the event ID for changes to audit policy is:

Explanation:
Changes to how auditing is configured are themselves auditable events, so Windows logs a security event whenever the audit policy is changed. On Windows 7, the event that records a change to the audit policy is 4902. This event indicates that the audit policy was modified (for example, who changed it and when), which is exactly what you’d want to detect when reviewing for tampering or misconfiguration of auditing. The other IDs correspond to different events and do not specifically indicate changes to the audit policy, so they aren’t the correct marker for this action.

