Event ID 612

On a Win XP SP3 computer, in the Security log there is a record that occurs about every 17 hours.  It is "EventID 612 - Audit Policy Change".  We are not changing audit policies that frequently.

Does anyone know why we are getting this record on such a consistent and regular basis, i.e., what is running every 17 hours that causes the 612 EventID to show up in the Security log?
GregMani34Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

AnuroopsunddCommented:
Event ID 612 indicates that a change in audit policy has been made on the local computer. The logging of Event ID 612 is the expected behavior when you restart Windows XP

http://support.microsoft.com/kb/840633
0
GregMani34Author Commented:
Thanks for the response, but that does not explain why we keep getting the 612 EventID.  We get this message about every 17 hours and we do not restart our computer that often.  The computer can run days/weeks without a restart and still get this message on a regular basis.
0
AnuroopsunddCommented:
may be service is getting started at the specific time..

you will require to check  application security and system logs during the same time when this is getting generated to get better picture.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
kanalQkoTechnical Support EngineerCommented:
This event occurs (even if the policy doesn't actually change) if you have a policy applied to the workstation (or the containing OU/AD) via the Active Directory. When the workstation boots, it sets its audit policy according to the local settings, then the AD forces its settings on the server and this creates the 612 in the event log, even if the local policy is identical to the applied policy.

No worry about this event log, it`s only information
0
GregMani34Author Commented:
The comment from "Anuroopsundd" led me to what seems to be the solution.  In the Application log there were events with ID 1704 occuring and the almost identical time as the 612 event ID in the Security log.  There is a registry setting that can be made to control how often the "1704 process" takes place.  Was able to cut down on the number of 612 and 1704 occurences with this registry setting.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows XP

From novice to tech pro — start learning today.