• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 360
  • Last Modified:

Event ID 612

On a Win XP SP3 computer, in the Security log there is a record that occurs about every 17 hours.  It is "EventID 612 - Audit Policy Change".  We are not changing audit policies that frequently.

Does anyone know why we are getting this record on such a consistent and regular basis, i.e., what is running every 17 hours that causes the 612 EventID to show up in the Security log?
0
GregMani34
Asked:
GregMani34
  • 2
  • 2
1 Solution
 
AnuroopsunddCommented:
Event ID 612 indicates that a change in audit policy has been made on the local computer. The logging of Event ID 612 is the expected behavior when you restart Windows XP

http://support.microsoft.com/kb/840633
0
 
GregMani34Author Commented:
Thanks for the response, but that does not explain why we keep getting the 612 EventID.  We get this message about every 17 hours and we do not restart our computer that often.  The computer can run days/weeks without a restart and still get this message on a regular basis.
0
 
AnuroopsunddCommented:
may be service is getting started at the specific time..

you will require to check  application security and system logs during the same time when this is getting generated to get better picture.
0
 
kanalQkoTechnical Support EngineerCommented:
This event occurs (even if the policy doesn't actually change) if you have a policy applied to the workstation (or the containing OU/AD) via the Active Directory. When the workstation boots, it sets its audit policy according to the local settings, then the AD forces its settings on the server and this creates the 612 in the event log, even if the local policy is identical to the applied policy.

No worry about this event log, it`s only information
0
 
GregMani34Author Commented:
The comment from "Anuroopsundd" led me to what seems to be the solution.  In the Application log there were events with ID 1704 occuring and the almost identical time as the 612 event ID in the Security log.  There is a registry setting that can be made to control how often the "1704 process" takes place.  Was able to cut down on the number of 612 and 1704 occurences with this registry setting.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now