Solved

Event ID 612

Posted on 2012-04-09
5
309 Views
Last Modified: 2012-04-13
On a Win XP SP3 computer, in the Security log there is a record that occurs about every 17 hours.  It is "EventID 612 - Audit Policy Change".  We are not changing audit policies that frequently.

Does anyone know why we are getting this record on such a consistent and regular basis, i.e., what is running every 17 hours that causes the 612 EventID to show up in the Security log?
0
Comment
Question by:GregMani34
  • 2
  • 2
5 Comments
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37824565
Event ID 612 indicates that a change in audit policy has been made on the local computer. The logging of Event ID 612 is the expected behavior when you restart Windows XP

http://support.microsoft.com/kb/840633
0
 

Author Comment

by:GregMani34
ID: 37824672
Thanks for the response, but that does not explain why we keep getting the 612 EventID.  We get this message about every 17 hours and we do not restart our computer that often.  The computer can run days/weeks without a restart and still get this message on a regular basis.
0
 
LVL 17

Accepted Solution

by:
Anuroopsundd earned 500 total points
ID: 37824781
may be service is getting started at the specific time..

you will require to check  application security and system logs during the same time when this is getting generated to get better picture.
0
 
LVL 5

Expert Comment

by:kanalQko
ID: 37825815
This event occurs (even if the policy doesn't actually change) if you have a policy applied to the workstation (or the containing OU/AD) via the Active Directory. When the workstation boots, it sets its audit policy according to the local settings, then the AD forces its settings on the server and this creates the 612 in the event log, even if the local policy is identical to the applied policy.

No worry about this event log, it`s only information
0
 

Author Closing Comment

by:GregMani34
ID: 37844006
The comment from "Anuroopsundd" led me to what seems to be the solution.  In the Application log there were events with ID 1704 occuring and the almost identical time as the 612 event ID in the Security log.  There is a registry setting that can be made to control how often the "1704 process" takes place.  Was able to cut down on the number of 612 and 1704 occurences with this registry setting.
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Suggested Solutions

Are you unable to synchronize your OST (Offline Storage Table) file with Microsoft Exchange Server? Is your OST file exceeding 2 GB size limit? In Microsoft Outlook 2002 and earlier versions, there is a 2 GB size limit for the OST file. If the file …
For both online and offline retail, the cross-channel business is the most recent pattern in the B2C trade space.
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now