In Windows 7 auditing, the event ID for changes to audit policy is:

Prepare for the Computer Hacking Forensic Investigator v11 exam. Study with flashcards and multiple choice questions. Each question includes hints and explanations. Get exam-ready efficiently!

Multiple Choice

In Windows 7 auditing, the event ID for changes to audit policy is:

Explanation:
Changes to how auditing is configured are themselves auditable events, so Windows logs a security event whenever the audit policy is changed. On Windows 7, the event that records a change to the audit policy is 4902. This event indicates that the audit policy was modified (for example, who changed it and when), which is exactly what you’d want to detect when reviewing for tampering or misconfiguration of auditing. The other IDs correspond to different events and do not specifically indicate changes to the audit policy, so they aren’t the correct marker for this action.

