Windows Event ID 4719 – Microsoft-Windows-Security-Auditing: System Audit Policy Changed

Event ID 4719 fires when Windows audit policy settings are modified, indicating changes to security auditing configuration that affect what events get logged.

Emanuel DE ALMEIDA · 18 March 2026 · 9 min read

Event Reference

What This Event Means

Event ID 4719 is one of the most important security audit events Windows produces. Its presence in the Security log means that someone or something has modified the system audit policy, the configuration that decides which categories of security events Windows records at all. A change to that configuration is significant in itself, whatever happens afterwards.

The event records who made the change and what changed. The Subject block gives the account name, domain, SID and logon ID of the caller; the Audit Policy Change block gives the Category, Subcategory, Subcategory GUID and a Changes field such as "Success removed" or "Failure added". Each subcategory can be configured to audit success events, failure events, both or neither, and Windows writes one 4719 per subcategory whose setting actually changed, so a single Group Policy refresh that touches several subcategories produces a burst of them. The event does not record the process that made the change; for that, correlate with process creation events (Event ID 4688).

From a security standpoint the event is valuable because turning off auditing is a standard way for an intruder to hide activity. By monitoring Event ID 4719, security teams can see audit policy being modified and decide whether the change is a legitimate administrative action or an indicator of compromise. Two properties matter when you rely on it. First, it is written regardless of whether the Audit Policy Change subcategory is enabled, so an attacker cannot silence it simply by disabling that subcategory; the remaining evasions, clearing the Security log (Event ID 1102) or tampering with the event log service, are themselves noisy. Second, when a change arrives through Group Policy the Subject is the local SYSTEM account (S-1-5-18) rather than the administrator who edited the GPO, so attribution of domain-wide changes has to come from change auditing on the domain controllers, not from this event. The event also supports compliance frameworks that require organizations to maintain an audit trail and detect unauthorized changes to security configuration.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025

Analysis

Possible Causes

  • Administrator manually changing audit policy through Local Security Policy console
  • Group Policy updates modifying audit policy settings across domain systems
  • Command-line modifications using auditpol.exe or similar tools
  • PowerShell scripts or automation tools adjusting audit configurations
  • Third-party security software modifying audit settings during installation or operation
  • Malware or attackers attempting to disable audit logging to hide activities
  • System restore operations that revert audit policy settings to previous states
  • Software installations that modify security policies as part of their setup process
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of the Event ID 4719 to understand what changed and who initiated the modification.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs > Security
  3. Filter for Event ID 4719 by right-clicking the Security log and selecting Filter Current Log
  4. Enter 4719 in the Event IDs field and click OK
  5. Double-click on the most recent Event ID 4719 to view details
  6. Review the General tab for basic information including timestamp and user account
  7. Check the Details tab for comprehensive information about the audit policy changes
  8. Note the Subject section showing who made the change and the Audit Policy Change section showing the Category, Subcategory, Subcategory GUID and Changes
Pro tip: The Changes field is the one that matters: "Success removed" or "Failure removed" means auditing was reduced, "added" means it was extended. Expect one 4719 per subcategory that changed, so a policy refresh that touched several subcategories shows up as a burst of events with the same timestamp and Subject.
02

Query Events with PowerShell

Use PowerShell to programmatically analyze Event ID 4719 occurrences and extract detailed information about audit policy changes.

  1. Open PowerShell as Administrator
  2. Query recent Event ID 4719 entries:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4719} -MaxEvents 10 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
  3. Get the structured fields of specific events. In the raw XML, CategoryId and AuditPolicyChanges are stored as resource-string placeholders such as %%8274 and %%8449; only the rendered Message resolves them, so take the human-readable Changes line from there:
    $events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4719} -MaxEvents 5
    foreach ($event in $events) {
        $xml = [xml]$event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # anchored to line start so 'Changes:' is read from its own line of the rendered message
        $changes = if ($event.Message -match '(?m)^\s*Changes:\s+(.+)$') { $Matches[1].Trim() } else { $data['AuditPolicyChanges'] }
        Write-Host "Time:        $($event.TimeCreated)"
        Write-Host "User:        $($data['SubjectDomainName'])\$($data['SubjectUserName']) ($($data['SubjectUserSid']))"
        Write-Host "Logon ID:    $($data['SubjectLogonId'])"
        Write-Host "Subcategory: $($data['SubcategoryGuid'])"
        Write-Host "Changes:     $changes"
        Write-Host "---"
    }
  4. Filter events by specific time range:
    $startTime = (Get-Date).AddDays(-7)
    $endTime = Get-Date
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4719; StartTime=$startTime; EndTime=$endTime}
Warning: Large Security logs can make these queries slow. Consider using -MaxEvents parameter to limit results for initial analysis.
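To turn the fields described under "What This Event Means" and extracted in the queries above into something a triage queue can sort, here is an added PowerShell example (written for this edit, not code from the original article). It normalises 4719 records into objects, reads the resolved Category, Subcategory and Changes lines from the rendered message, flags any change that removes success or failure auditing, and marks changes whose Subject is the local SYSTEM account as likely Group Policy application. So that it runs offline it includes a constructed sample event (the SID, account, logon ID and timestamp are illustrative) built as a small object with the same ToXml() method and Message property that Get-WinEvent returns; on a live host pipe Get-WinEvent output into the function instead.

```powershell
# Added example (not from the original article): normalise Event ID 4719 records
# and score them for triage. Works on any object exposing ToXml() and Message,
# which is what Get-WinEvent returns.
function ConvertFrom-AuditPolicyChange {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # CategoryId and AuditPolicyChanges are stored as resource placeholders
        # (%%8274, %%8449 ...). Only the rendered Message resolves them, so read
        # the labelled lines from there, anchored to line start so 'Category:'
        # cannot match inside 'Subcategory:'.
        $msg = $Event.Message
        $field = {
            param($label)
            if ($msg -match ('(?m)^\s*' + [regex]::Escape($label) + '\s+(.+)$')) { $Matches[1].Trim() }
        }
        $changes = & $field 'Changes:'

        $reduced = [bool]($changes -match 'removed')        # auditing was switched off
        $system  = $data['SubjectUserSid'] -eq 'S-1-5-18'   # SYSTEM: typical of a GPO refresh
        $severity = if ($reduced -and -not $system) { 'High' }
                    elseif ($reduced) { 'Medium' }
                    else { 'Low' }

        [pscustomobject]@{
            TimeCreated     = $Event.TimeCreated
            Subject         = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            SubjectSid      = $data['SubjectUserSid']
            LogonId         = $data['SubjectLogonId']   # join key for 4624 TargetLogonId / 4688 SubjectLogonId
            Category        = & $field 'Category:'
            Subcategory     = & $field 'Subcategory:'
            SubcategoryGuid = $data['SubcategoryGuid']
            Changes         = $changes
            AuditReduced    = $reduced
            LikelyGpo       = $system
            Severity        = $severity
        }
    }
}

# Constructed sample (illustrative SID, account, logon ID and time) shaped like a
# live record: an interactive admin removing success auditing for the Logon subcategory.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4719</EventID></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x5f3a2</Data>
    <Data Name="CategoryId">%%8273</Data>
    <Data Name="SubcategoryId">%%12544</Data>
    <Data Name="SubcategoryGuid">{0CCE9215-69AE-11D9-BED3-505054503030}</Data>
    <Data Name="AuditPolicyChanges">%%8448</Data>
  </EventData>
</Event>
'@
$sampleMessage = @'
System audit policy was changed.

Subject:
    Security ID:        S-1-5-21-1111111111-2222222222-3333333333-1105
    Account Name:       jdoe
    Account Domain:     CORP
    Logon ID:           0x5F3A2

Audit Policy Change:
    Category:           Logon/Logoff
    Subcategory:        Logon
    Subcategory GUID:   {0CCE9215-69AE-11D9-BED3-505054503030}
    Changes:            Success removed
'@
$sample = [pscustomobject]@{ TimeCreated = [datetime]'2026-03-18T02:14:09'; Message = $sampleMessage }
$sample | Add-Member -MemberType ScriptMethod -Name ToXml -Value ({ $sampleXml }.GetNewClosure())

$sample | ConvertFrom-AuditPolicyChange | Format-List

# On a live host, feed real records instead and keep only the ones that weaken auditing:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4719} -MaxEvents 200 |
#     ConvertFrom-AuditPolicyChange | Where-Object AuditReduced | Sort-Object TimeCreated
```

The sample is a non-SYSTEM subject removing success auditing, which the scoring treats as High severity; the same change carried out by a Group Policy refresh would land as Medium, because the Subject would be S-1-5-18 and the real question becomes who edited the GPO. The LogonId property is kept deliberately: it is the value to join on when you go looking for the 4624 that created the session and the 4688 events it spawned.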
03

Check Current Audit Policy Configuration

Verify the current audit policy settings to understand what logging is currently enabled and compare against your security requirements.

  1. Open Command Prompt as Administrator
  2. Display current audit policy settings by category:
    auditpol /get /category:*
  3. Get detailed subcategory information:
    auditpol /get /subcategory:*
  4. Check the areas most often targeted. Account Logon, Object Access and Policy Change are categories rather than subcategories, and Logon belongs to the Logon/Logoff category, so query them with /category (comma-separated):
    auditpol /get /category:"Logon/Logoff","Account Logon","Object Access","Policy Change"
  5. Export the current audit policy for backup (the target folder must already exist; the same file can be loaded back with auditpol /restore /file:<path>):
    auditpol /backup /file:C:\temp\current_audit_policy.csv
  6. Compare with Group Policy settings by opening Group Policy Management Console and navigating to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration. Where the advanced (subcategory) settings are in use, also enable "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" under Security Options so that legacy category settings cannot override them.
Pro tip: Document your baseline audit policy configuration so you can quickly identify unauthorized changes when Event ID 4719 appears.
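The baseline advice above is only useful if the comparison is mechanical. The following is an added PowerShell example (written for this edit, not code from the original article) that diffs a current auditpol export against a stored baseline using the CSV layout that auditpol /backup writes, and reports which subcategories lost a Success or Failure bit. The sample rows are constructed (the machine name WS01 is illustrative; the GUIDs are the ones auditpol prints for the Logon, Process Creation and Audit Policy Change subcategories) so the block runs without touching the local policy; the file paths in the usage comment are assumptions.

```powershell
# Added example (not from the original article): compare the current audit policy
# against a stored baseline. Inputs are rows in the CSV layout written by
# 'auditpol /backup /file:<path>' (and read by 'auditpol /restore'):
#   Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
# Setting Value is a bit mask: 1 = Success, 2 = Failure, 3 = both, 0 = No Auditing.
function Compare-AuditPolicyBaseline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Baseline,
        [Parameter(Mandatory)] [object[]] $Current
    )
    # Key on target + GUID so per-user entries never collide with the System policy.
    $key  = { param($row) '{0}|{1}' -f $row.'Policy Target', $row.'Subcategory GUID' }
    $base = @{}
    foreach ($row in $Baseline) { $base[(& $key $row)] = $row }

    $seen = @{}
    foreach ($row in $Current) {
        $k = & $key $row
        $seen[$k] = $true
        $old     = $base[$k]
        $newMask = [int]$row.'Setting Value'
        $oldMask = if ($old) { [int]$old.'Setting Value' } else { 0 }
        if ($old -and $oldMask -eq $newMask) { continue }
        $baseSetting = if ($old) { $old.'Inclusion Setting' } else { '(not in baseline)' }
        [pscustomobject]@{
            Subcategory     = $row.Subcategory
            SubcategoryGuid = $row.'Subcategory GUID'
            Baseline        = $baseSetting
            Current         = $row.'Inclusion Setting'
            # Weakened when any bit set in the baseline is clear now.
            Weakened        = (($oldMask -band (-bnot $newMask)) -ne 0)
        }
    }
    # Subcategories present in the baseline but absent from the current export.
    foreach ($k in $base.Keys) {
        if ($seen[$k]) { continue }
        $old = $base[$k]
        [pscustomobject]@{
            Subcategory     = $old.Subcategory
            SubcategoryGuid = $old.'Subcategory GUID'
            Baseline        = $old.'Inclusion Setting'
            Current         = '(missing)'
            Weakened        = ([int]$old.'Setting Value' -ne 0)
        }
    }
}

# Constructed sample exports (machine name illustrative).
$baselineCsv = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
WS01,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success and Failure,,3
WS01,System,Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030},Success,,1
WS01,System,Audit Policy Change,{0CCE922F-69AE-11D9-BED3-505054503030},Success and Failure,,3
'@
$currentCsv = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
WS01,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Failure,,2
WS01,System,Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030},Success and Failure,,3
'@
$diff = Compare-AuditPolicyBaseline -Baseline ($baselineCsv | ConvertFrom-Csv) -Current ($currentCsv | ConvertFrom-Csv)
$diff | Format-Table -AutoSize

# Live usage (paths are assumptions). Capture the baseline once:
#   auditpol /backup /file:C:\Baselines\audit_policy_baseline.csv
# then on each check, or when a 4719 arrives:
#   auditpol /backup /file:$env:TEMP\audit_now.csv | Out-Null
#   Compare-AuditPolicyBaseline -Baseline (Import-Csv C:\Baselines\audit_policy_baseline.csv) `
#                               -Current  (Import-Csv $env:TEMP\audit_now.csv) | Where-Object Weakened
```

In the sample, Logon dropping from Success and Failure to Failure and Audit Policy Change disappearing from the export are both reported as weakened, while Process Creation gaining Failure auditing is listed as a difference but not as a regression. Comparing on the Setting Value bit mask rather than on the Inclusion Setting text is what makes that distinction possible.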
04

Investigate Process and User Context

Analyze the context around Event ID 4719 to determine whether the change was legitimate or potentially malicious. Start from the Subject block: an interactive administrator account points at a manual change, whereas SYSTEM (S-1-5-18) with logon ID 0x3e7 usually means the setting arrived through a Group Policy refresh, in which case the person who edited the GPO is not named in this event at all.

  1. Correlate with logon and privilege events around the same timeframe:
    $auditChangeTime = (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4719} -MaxEvents 1).TimeCreated
    $startTime = $auditChangeTime.AddMinutes(-10)
    $endTime = $auditChangeTime.AddMinutes(10)
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=@(4624,4625,4648,4672); StartTime=$startTime; EndTime=$endTime} | Format-Table TimeCreated, Id, Message -Wrap
  2. Check for process creation events (Event ID 4688) in the same window. The New Process Name field identifies auditpol.exe even without command-line logging; with "Include command line in process creation events" enabled you also see which subcategories were targeted:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$startTime; EndTime=$endTime} | Where-Object {$_.Message -like '*auditpol*' -or $_.Message -like '*secpol*'}
  3. Review the logon event for the session that made the change. The Logon ID in the 4719 Subject block is the TargetLogonId of the 4624 that created that session, which is a tighter join than matching on the SID (copy the value from the event's XML view so the case matches):
    $logonId = "0x..." # SubjectLogonId from the Event ID 4719 details
    Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4624] and EventData[Data[@Name='TargetLogonId']='$logonId']]" -MaxEvents 5
  4. Check the System event log for related service or policy events in the same window:
    Get-WinEvent -FilterHashtable @{LogName='System'; StartTime=$startTime; EndTime=$endTime} | Where-Object {$_.Message -like '*policy*' -or $_.Message -like '*audit*'}
05

Implement Advanced Monitoring and Alerting

Set up proactive monitoring to detect and alert on Event ID 4719 occurrences for enhanced security posture.

  1. Create a source-initiated Windows Event Forwarding subscription on the collector for centralized monitoring. Save the XML below as AuditPolicyChanges.xml and load it with wecutil cs AuditPolicyChanges.xml. Source computers need the collector set through the "Configure target Subscription Manager" policy and must allow NETWORK SERVICE to read the Security log (for example by adding it to the Event Log Readers group):
    <Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
        <SubscriptionId>AuditPolicyChanges</SubscriptionId>
        <SubscriptionType>SourceInitiated</SubscriptionType>
        <Description>Forward Event ID 4719 (system audit policy changed)</Description>
        <Enabled>true</Enabled>
        <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
        <ConfigurationMode>MinLatency</ConfigurationMode>
        <Query>
            <![CDATA[
            <QueryList>
                <Query Id="0">
                    <Select Path="Security">*[System[EventID=4719]]</Select>
                </Query>
            </QueryList>
            ]]>
        </Query>
        <ReadExistingEvents>false</ReadExistingEvents>
        <TransportName>HTTP</TransportName>
        <ContentFormat>RenderedText</ContentFormat>
        <Locale Language="en-US"/>
        <LogFile>ForwardedEvents</LogFile>
        <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
        <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)S:</AllowedSourceDomainComputers>
    </Subscription>
  2. Configure a scheduled task to run PowerShell monitoring script:
    $action = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument '-File C:\Scripts\Monitor-AuditPolicyChanges.ps1'
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 15)
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount
    Register-ScheduledTask -TaskName 'Monitor-Event4719' -Action $action -Trigger $trigger -Principal $principal
  3. Create the monitoring script. It registers the custom event source on first run (Write-EventLog fails on an unregistered source), names the account and the change in the alert, and persists the time of the last check so a 15-minute schedule does not re-alert on events it already reported. Write-EventLog and New-EventLog exist in Windows PowerShell 5.1, which is what the PowerShell.exe task above runs:
    # Monitor-AuditPolicyChanges.ps1
    $source    = 'Custom Security Monitor'
    $stateFile = 'C:\Scripts\Monitor-AuditPolicyChanges.state'
    if (-not [System.Diagnostics.EventLog]::SourceExists($source)) { New-EventLog -LogName Application -Source $source }
    $lastCheck = if (Test-Path $stateFile) { [datetime](Get-Content $stateFile) } else { (Get-Date).AddMinutes(-20) }
    $now    = Get-Date
    $events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4719; StartTime=$lastCheck; EndTime=$now} -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml     = [xml]$e.ToXml()
        $user    = ($xml.Event.EventData.Data | Where-Object Name -eq 'SubjectUserName').'#text'
        $changes = if ($e.Message -match '(?m)^\s*Changes:\s+(.+)$') { $Matches[1].Trim() } else { 'unknown change' }
        $message = "ALERT: Audit policy changed at $($e.TimeCreated) by $user ($changes)"
        Write-EventLog -LogName Application -Source $source -EventId 9999 -EntryType Warning -Message $message
    }
    $now.ToString('o') | Set-Content $stateFile
  4. Enable the Process Creation subcategory (Event ID 4688) together with the "Include command line in process creation events" policy on the source computers, so a 4719 can be tied to the auditpol.exe or PowerShell invocation that caused it
  5. Configure SIEM integration to forward Event ID 4719 to your security operations center
Warning: Ensure monitoring scripts have appropriate permissions and error handling to prevent service disruption.

Overview

Event ID 4719 is a critical security audit event that is written whenever the audit policy on a system is modified. It appears in the Security log and tracks changes to the configuration that determines which security events Windows will log. The event captures who made the change, when it occurred, and which audit subcategory was modified.

This event is essential for security monitoring because audit policy changes can hide malicious activity by disabling logging for specific event categories. Attackers modify audit policies to cover their tracks, which makes this event a key indicator for security teams. The event is written when the new setting takes effect, whether through a Group Policy refresh, the Local Security Policy console, or command-line tools such as auditpol.exe, and it is logged even if the Audit Policy Change subcategory itself has been disabled.

The event records the change made to each affected subcategory ("Success added", "Failure removed" and so on) rather than a full before-and-after dump, so reconstructing the previous state requires a baseline export taken earlier. With that baseline in hand the event is invaluable for compliance auditing and forensic investigations, where knowing exactly when logging was reduced frames everything else in the timeline.

Frequently Asked Questions

What does Event ID 4719 mean and why is it important?
Event ID 4719 indicates that the Windows audit policy has been changed on the system. It is critically important for security monitoring because the audit policy controls which security events get logged at all. Attackers modify audit policies to disable logging and hide their activity. The event records which subcategory was changed, what the change was (success or failure auditing added or removed), which account made it and when, making it essential for detecting unauthorized modifications to security configuration.
How can I tell if Event ID 4719 represents a security threat?
To decide whether a 4719 represents a threat, examine the context around it. Check whether the account in the Subject block is authorized to modify audit policy, whether the timing aligns with scheduled maintenance or a Group Policy change, and whether the Changes field removes logging that matters to you. A Subject of SYSTEM (S-1-5-18) typically indicates a Group Policy refresh, while a named user account indicates a local change made in that session. Look for correlating events such as unusual logons, privilege assignment (Event ID 4672), or suspicious process creation (Event ID 4688) in the same window. Legitimate changes tend to occur during change windows by known administrators; malicious changes often happen outside normal hours or from compromised accounts.
Which audit policy changes should I be most concerned about?
Be particularly concerned about changes that remove logging for critical categories, including Account Logon, Logon/Logoff, Object Access, Policy Change, Privilege Use and Detailed Tracking (process creation). Removing success auditing for logon events can hide successful attacks, while removing failure auditing can prevent detection of brute-force attempts. Any change that reduces the overall logging posture should be investigated, especially if it affects categories your organization relies on for compliance or security monitoring.
Can Event ID 4719 be generated by legitimate system processes?
Yes. Event ID 4719 is generated by legitimate activity including Group Policy refreshes, administrators using the Local Security Policy console, automated scripts running auditpol.exe, and some software installations that modify security settings. Windows Update installations and system restore operations can also produce it. The key is to verify that each change aligns with your change management process and was performed by authorized personnel or systems.
How should I respond when I detect Event ID 4719 in my environment?
When you detect Event ID 4719, first verify whether the change was authorized through your change management process. Review the current audit policy with auditpol /get /category:* to see what is enabled now and compare it with your documented baseline. If the change appears unauthorized, restore the audit policy from a known good backup with auditpol /restore /file:<backup.csv> (or, for domain-managed policy, correct the GPO and run gpupdate /force), investigate the account that made the change for signs of compromise, and review security logs for suspicious activity during the period when logging was reduced, bearing in mind that the disabled subcategories produced no events during that window. Document the incident and consider tighter monitoring of future audit policy changes.
Written by Emanuel DE ALMEIDA, Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
