Auditpol Command: Comprehensive Guide to Windows Audit Policies
Master the auditpol command in Windows. Learn how to view, set, back up, and manage granular system audit policies with real-world examples and expert tips.
The auditpol command is an advanced Windows command-line utility that allows administrators to display, set, clear, back up, and restore local security audit policies. Unlike the graphical Local Security Policy tool, auditpol supports granular auditing of over 50 specific subcategories, enabling precise control over what Windows logs in the Security Event Viewer.
Whether you're investigating unauthorized access, complying with strict security frameworks like CIS or NIST, or simply attempting to reduce the noise generated by Windows event logs, mastering auditpol gives you granular, programmatic control. IT professionals, system administrators, and security analysts rely on this command for automated security baseline enforcement and rapid incident response data gathering.
This comprehensive guide covers auditpol syntax, all major operations (get, set, list, backup), practical examples for common scenarios, troubleshooting tips, and frequently asked questions. By the end, you'll confidently manage file and system audit policies from the command line.
What Is the Auditpol Command?
The auditpol command is a built-in Windows utility available in Command Prompt and PowerShell that manipulates the system's audit policy. It bridges the gap between the Group Policy Editor (secpol.msc) and the actual auditing capabilities of the Windows operating system. While older group policies only allow configuring 9 broad auditing categories, auditpol permits configuration of over 50 distinct subcategories (like "File System", "Registry", "Logon", "Special Logon").
Auditing is critical for system security. When an audit policy is enabled for a specific action (such as a successful logon or a failed attempt to read a file), Windows generates an Event ID in the Security log. auditpol is the most direct way to configure exactly which events are captured and which are ignored.
It runs primarily in the Windows Command Prompt (cmd.exe) or PowerShell and requires administrative privileges to execute operations that alter or query the active system policy.
Syntax
The basic syntax for the auditpol command involves invoking the main command followed by a sub-command (such as /get, /set, /list, etc.) and relevant parameters.
auditpol <command> [<args>]
Sub-commands and Options Table
| Parameter | Purpose |
|---|---|
| /? | Displays help at the command prompt. |
| /get | Displays the current audit policy for categories, subcategories, or specific users. |
| /set | Sets the audit policy for categories, subcategories, or specific users. |
| /list | Displays selectable policy elements (categories, subcategories, users). |
| /backup | Saves the audit policy to a comma-separated values (CSV) file. |
| /restore | Restores the audit policy from a CSV file created using the /backup command. |
| /clear | Clears all the audit policies on the machine. |
| /remove | Removes all per-user audit policies and disables per-user auditing. |
Parameters and Options Explored
The /get Option
The /get command displays the current status of audit policies. You can retrieve statuses for entire categories or specific subcategories. Use /category:* to list everything.
The /set Option
The /set command applies a new configuration. You must specify whether you want to audit success, failure, or both, by passing /success:enable or /success:disable and /failure:enable or /failure:disable. It is the most frequently used sub-command for locking down a system.
The /list Option
Before setting a policy, you might need to know the exact names of categories and subcategories on your Windows version. The /list command enumerates them. Use /list /category or /list /subcategory:*.
The /backup and /restore Options
These commands provide a quick way to export the current configuration to a textual format (CSV) and re-apply it later. This is invaluable for migrating settings or restoring known-good baselines after testing.
Examples
In this section, we will look at various practical, copy-pasteable examples of using the auditpol command. Note that you must open your Command Prompt or PowerShell as Administrator to successfully run these commands.
1. View All Current Audit Policies
To see how the current system is configured for auditing, you can retrieve the status of all categories and subcategories.
auditpol /get /category:*
Output:
System audit policy
Category/Subcategory Setting
System
Security System Extension No Auditing
System Integrity Success and Failure
IPsec Driver No Auditing
...
Explanation: This command pulls the current configuration for all auditing categories. "Success and Failure" means that both successful and failed attempts are recorded in the Event Logs. "No Auditing" means the system does not record events for that specific subcategory.
2. Enable Auditing for File Systems (Success and Failure)
If you need to track who is accessing, modifying, or deleting files, you must enable File System auditing.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
Output:
The command was successfully executed.
Explanation: This turns on auditing for the "File System" subcategory. To actually generate logs, you must also configure the NTFS SACL (System Access Control List) on the specific files or folders you want to monitor, primarily using the icacls command or the Windows GUI.
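The SACL step described above, as an added example that is not part of the original article: the article mentions icacls or the Windows GUI for attaching audit entries, while this version uses PowerShell's Get-Acl/Set-Acl with a FileSystemAuditRule to put a SACL on a folder so that the "File System" subcategory actually produces events. The folder path C:\Data\Confidential is a constructed placeholder, and the rights list is an assumption about which operations are worth auditing for tampering. Run it from an elevated session.

```powershell
# Added example (not from the original article): attach an audit entry (SACL)
# to a folder so that 'File System' auditing generates events for it.
# Assumption: C:\Data\Confidential is a constructed path; point it at a real folder.

function Add-FolderAuditRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Identity = 'Everyone',
        # Audit the operations that matter for tampering: writes, deletes,
        # permission changes and ownership changes (an assumption, adjust as needed).
        [System.Security.AccessControl.FileSystemRights]$Rights =
            'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
        [System.Security.AccessControl.AuditFlags]$AuditFlags = 'Success, Failure'
    )
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',  # apply to children
        [System.Security.AccessControl.PropagationFlags]::None,
        $AuditFlags
    )
    # -Audit is required so that Get-Acl reads the SACL, not only the DACL.
    $acl = Get-Acl -LiteralPath $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-FolderAuditRules {
    # Lists the audit entries currently attached to the folder.
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -LiteralPath $Path -Audit).Audit |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited
}

$target = 'C:\Data\Confidential'   # constructed path
if (-not (Test-Path -LiteralPath $target)) {
    New-Item -ItemType Directory -Path $target | Out-Null
}
Add-FolderAuditRule -Path $target
Get-FolderAuditRules -Path $target | Format-Table -AutoSize
```

With the "File System" subcategory enabled and this SACL in place, writes and deletes under the folder by any account are recorded in the Security log; without the SACL the subcategory setting alone records nothing for that folder.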
3. Disable Auditing for a Specific Subcategory
Sometimes, auditing generates too much noise, filling up the Security log with useless events (like Filtering Platform packet drops). You can disable auditing for noisy subcategories.
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
Output:
The command was successfully executed.
Explanation: This tells Windows to stop recording successful or failed events related to the Windows Filtering Platform dropping packets, preventing your Event Viewer from being flooded.
4. Back Up the Audit Policy to a File
Before making massive changes to the audit policy, take a backup so you can quickly restore it if something breaks.
auditpol /backup /file:"C:\AuditBackup\auditpolicy.csv"
Output:
The command was successfully executed.
Explanation: This exports the active audit configuration to a CSV file. The file maps the GUIDs of the subcategories to their current settings. Keep this file secure, as it contains information about your security monitoring.
5. Restore Audit Policy from a Backup
To revert to a previous state using the backup you took earlier, simply run the /restore command.
auditpol /restore /file:"C:\AuditBackup\auditpolicy.csv"
Output:
The command was successfully executed.
Explanation: The command parses the provided CSV file and reapplies every setting. This is useful for deploying a standard baseline across multiple machines by copying the CSV file and running this command via a script.
6. List All Available Subcategories
If you don't know the exact name of a subcategory to use with the /get or /set commands, you can list them all.
auditpol /list /subcategory:*
Explanation: This outputs a long list of all subcategories supported by your version of Windows, such as "Process Creation", "Logon", "Special Logon", "SAM", and more.
7. Enable Detailed Process Tracking
Detailed process tracking records an event whenever a new process is created, which is vital for hunting malware.
auditpol /set /subcategory:"Process Creation" /success:enable
Explanation: By enabling this, Event ID 4688 will be generated every time an application or process is launched. This helps you figure out exactly what programs are running on your server.
8. Clear the Entire Audit Policy
If you need to reset the system's auditing back to zero (turning all auditing off), use the /clear command.
auditpol /clear /y
Explanation: The /clear parameter removes all policies. The /y switch automatically answers 'Yes' to the confirmation prompt. Use this with extreme caution!
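The backup, set and restore steps from the examples above combined into one script, as an added example that is not part of the original article: it checks for elevation, creates the backup directory (which /backup will not create on its own), backs up the current policy, applies a small set of subcategory settings, and restores the backup if any auditpol call fails. The subcategory names and the sub-commands used are the ones shown in the article; the baseline hashtable and the C:\AuditBackup path are constructed for illustration.

```powershell
# Added example (not from the original article): back up the audit policy,
# apply a baseline of subcategory settings, and roll back on failure.
# Run from an elevated PowerShell session.

function Test-IsElevated {
    # Returns $true when the current token holds the local Administrators role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-Auditpol {
    # Runs auditpol with the given arguments and throws on a non-zero exit code,
    # so a failed /set cannot be silently skipped by the calling script.
    param([Parameter(Mandatory)][string[]]$Arguments)
    $output = & auditpol.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol $($Arguments -join ' ') failed (exit $LASTEXITCODE): $output"
    }
    return $output
}

function Set-AuditBaseline {
    param(
        # Subcategory name -> @{ Success = 'enable'|'disable'; Failure = 'enable'|'disable' }
        [Parameter(Mandatory)][hashtable]$Baseline,
        [string]$BackupDir = 'C:\AuditBackup'   # constructed path
    )
    if (-not (Test-IsElevated)) {
        throw 'auditpol needs an elevated session; re-run PowerShell as Administrator.'
    }
    # /backup does not create directories, so make sure the folder exists first.
    if (-not (Test-Path -LiteralPath $BackupDir)) {
        New-Item -ItemType Directory -Path $BackupDir | Out-Null
    }
    $stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backupFile = Join-Path $BackupDir "auditpolicy-$stamp.csv"
    Invoke-Auditpol @('/backup', "/file:$backupFile") | Out-Null
    Write-Host "Backup written to $backupFile"

    try {
        foreach ($subcategory in $Baseline.Keys) {
            $s = $Baseline[$subcategory]
            Invoke-Auditpol @('/set', "/subcategory:$subcategory",
                              "/success:$($s.Success)", "/failure:$($s.Failure)") | Out-Null
            Write-Host "Set '$subcategory': success=$($s.Success) failure=$($s.Failure)"
        }
    }
    catch {
        # Any failed /set leaves the policy half-applied; put the backup back.
        Write-Warning "Baseline failed: $_"
        Write-Warning "Restoring policy from $backupFile"
        Invoke-Auditpol @('/restore', "/file:$backupFile") | Out-Null
        throw
    }
    # Show the resulting setting for each subcategory that was touched.
    foreach ($subcategory in $Baseline.Keys) {
        Invoke-Auditpol @('/get', "/subcategory:$subcategory")
    }
}

# Constructed baseline using the three subcategories from the article's examples.
$Baseline = @{
    'File System'                    = @{ Success = 'enable';  Failure = 'enable'  }
    'Process Creation'               = @{ Success = 'enable';  Failure = 'disable' }
    'Filtering Platform Packet Drop' = @{ Success = 'disable'; Failure = 'disable' }
}
Set-AuditBaseline -Baseline $Baseline
```

The timestamped backup file name means repeated runs never overwrite an earlier known-good copy, and the rollback in the catch block is what makes the script safe to run unattended.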
Common Use Cases
Here are the most common scenarios where IT professionals use the auditpol command.
- System Baselines: Applying a standardized corporate security policy (such as a Center for Internet Security baseline) across new servers using /restore.
- File Server Monitoring: Enabling File System auditing to track exactly which users are deleting or modifying critical documents.
- Malware Hunting: Enabling Process Creation auditing to see the exact sequence of processes launched by localized threats.
- Log Volume Reduction: Disabling noisy subcategories (like Registry auditing or Object Access) to save disk space and reduce noise for SIEM ingestion.
- Auditing Specific Users: Setting up per-user auditing so that only a specific, highly privileged account is monitored for specific actions.
- Regulatory Compliance: Generating proof that essential auditing functions (like Logon/Logoff tracking) are enabled to satisfy compliance auditors.
- Troubleshooting Overwrites: Discovering why certain events aren't logging when Advanced Audit Policies conflict with older Group Policies.
- Automated Incident Response: Automatically turning up the auditing verbosity via a script if suspicious activity is detected on a host.
Tips and Best Practices
To get the most out of auditpol while maintaining a stable and secure system, follow these proven best practices:
- Always test before deploying: Changing audit policies can drastically increase the volume of event logs, potentially overwriting older logs or flooding your SIEM. Test in a staging environment first.
- Combine with Advanced Audit Configuration: Remember that auditpol only configures the system policy. For File System or Registry auditing to work, you must also apply SACLs to the target files/keys.
- Avoid Basic Audit Policies: Do not mix basic audit policies (the 9 categories in secpol) with advanced audit policies (the 50+ subcategories in auditpol). Mixing them can lead to unpredictable behavior.
- Use Group Policy over Local Auditpol when possible: While auditpol is fantastic for scripting and instant, localized changes, Group Policy Objects (GPOs) are the preferred centralized method for managing configurations in an Active Directory environment.
- Force Advanced Auditing: Ensure the policy "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled in your environment.
- Combine with Sysmon: While auditpol is built-in and powerful, pairing it with Microsoft Sysinternals Sysmon provides even deeper visibility.
- Check Log Sizes: If you increase logging verbosity with auditpol, make sure you increase the maximum Security log size in Event Viewer to prevent critical events from being overwritten.
- Run as Administrator: auditpol commands will silently fail or return explicit "Access Denied" errors if not executed in an elevated command prompt.
Troubleshooting Common Issues
Even experienced administrators can run into hiccups when working with audit policies.
"Access is denied" Error
Problem: When running the command, you receive an "Access is denied" message.
Solution: auditpol requires administrative privileges to query or set policies. Right-click your Command Prompt or PowerShell and select "Run as administrator."
Prevention tip: Always make sure your script checks for elevated privileges before running auditpol.
Settings Revert After Reboot
Problem: You use auditpol /set to change the policy, but a few hours later or after a reboot, the settings revert to their previous state.
Solution: The machine is likely receiving an overriding configuration via Active Directory Group Policy. You must update the Advanced Audit Policy Configuration within Group Policy instead of using local auditpol commands.
Prevention tip: Use gpresult /r to verify which GPOs are applying security settings to the host.
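A way to detect the drift this troubleshooting entry describes, and to produce the kind of evidence the "Regulatory Compliance" use case asks for, as an added example that is not part of the original article: it parses the CSV written by auditpol /backup and the live policy read with auditpol /get /category:* /r, then reports every subcategory whose setting differs. The /r switch (auditpol's CSV report format) is not shown in the article; it and the column names "Subcategory", "Subcategory GUID" and "Inclusion Setting" are assumptions about auditpol's CSV layout. The embedded sample rows are constructed, with placeholder GUIDs, so the comparison itself can be run offline; the live read requires an elevated session.

```powershell
# Added example (not from the original article): compare the live audit policy
# against a backup CSV and report every subcategory whose setting differs.
# Assumptions: both the /backup file and 'auditpol /get /category:* /r' output
# are CSV with 'Subcategory', 'Subcategory GUID' and 'Inclusion Setting' columns.

function ConvertFrom-AuditpolCsv {
    # Turns auditpol CSV text into a hashtable keyed by subcategory GUID.
    # Rows without a GUID (for example 'Option:' rows in a backup) are skipped.
    param([Parameter(Mandatory)][string[]]$CsvLines)
    $map = @{}
    foreach ($row in ($CsvLines | Where-Object { $_.Trim() } | ConvertFrom-Csv)) {
        $guid = $row.'Subcategory GUID'
        if ([string]::IsNullOrWhiteSpace($guid)) { continue }
        $map[$guid] = [pscustomobject]@{
            Subcategory = $row.Subcategory
            Setting     = $row.'Inclusion Setting'
        }
    }
    return $map
}

function Compare-AuditPolicy {
    # Emits one object per subcategory whose live setting differs from the baseline.
    param(
        [Parameter(Mandatory)][hashtable]$Expected,
        [Parameter(Mandatory)][hashtable]$Actual
    )
    foreach ($guid in $Expected.Keys) {
        $want = $Expected[$guid]
        $have = $Actual[$guid]
        $haveSetting = if ($have) { $have.Setting } else { '<missing>' }
        if ($haveSetting -ne $want.Setting) {
            [pscustomobject]@{
                Subcategory = $want.Subcategory
                Expected    = $want.Setting
                Actual      = $haveSetting
            }
        }
    }
}

function Get-LiveAuditPolicyCsv {
    # Reads the live policy in CSV form; requires an elevated session.
    $lines = & auditpol.exe /get /category:* /r 2>&1
    if ($LASTEXITCODE -ne 0) { throw "auditpol /get failed: $lines" }
    return $lines | ForEach-Object { $_.ToString() }
}

# Constructed sample (not real output, placeholder GUIDs): a baseline and a later
# 'live' capture in which Process Creation has been switched off and the
# packet-drop subcategory has been re-enabled.
$baselineCsv = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value',
    'HOST01,System,File System,{00000000-0000-0000-0000-000000000001},Success and Failure,,3',
    'HOST01,System,Process Creation,{00000000-0000-0000-0000-000000000002},Success,,1',
    'HOST01,System,Filtering Platform Packet Drop,{00000000-0000-0000-0000-000000000003},No Auditing,,0'
)
$liveCsv = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting',
    'HOST01,System,File System,{00000000-0000-0000-0000-000000000001},Success and Failure,',
    'HOST01,System,Process Creation,{00000000-0000-0000-0000-000000000002},No Auditing,',
    'HOST01,System,Filtering Platform Packet Drop,{00000000-0000-0000-0000-000000000003},Success,'
)

$drift = Compare-AuditPolicy -Expected (ConvertFrom-AuditpolCsv $baselineCsv) `
                             -Actual   (ConvertFrom-AuditpolCsv $liveCsv)
$drift | Format-Table -AutoSize

# Against a real host (elevated): compare the backup taken earlier with the live policy.
# $expected = ConvertFrom-AuditpolCsv (Get-Content 'C:\AuditBackup\auditpolicy.csv')
# Compare-AuditPolicy -Expected $expected -Actual (ConvertFrom-AuditpolCsv (Get-LiveAuditPolicyCsv))
```

Keying on the subcategory GUID rather than the display name keeps the comparison stable across localized Windows builds, and a non-empty result after a reboot is the signal to run gpresult /r and look for the GPO that is reapplying the older settings.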
Events Keep Logging Despite Disabling
Problem: You disabled auditing for a subcategory, but related events are still populating the Security log.
Solution: Legacy basic audit policies might be active. Ensure that the "Audit: Force audit policy subcategory settings... to override audit policy category settings" policy is enabled. Also, check for third-party auditing software.
Prevention tip: Clear out all local basic audit policies if you plan to rely heavily on advanced subcategories.
The /backup Command Fails
Problem: The /backup command throws an error.
Solution: Ensure the target directory physically exists. auditpol will not create directories for you. For instance, if you run auditpol /backup /file:C:\logs\back.csv, the C:\logs folder must already be there.
Related Commands
Here are some commands closely related to auditpol that you should also master:
icacls – Advanced NTFS Permissions
While auditpol turns on the global capability for File System auditing, you must use icacls to attach SACLs to specific files and folders so you know exactly what is being audited.
wevtutil – Windows Event Command Line Utility
Once you have generated events using your auditpol configurations, wevtutil helps you query, list, and clear the Windows event logs directly from the command line.
secpol.msc – Local Security Policy
This is the graphical interface for managing local security policies, though it does not offer the same flexibility as auditpol does from the command line.
gpresult – Group Policy Results
If your auditpol settings mysteriously revert, gpresult helps you identify if an Active Directory Group Policy is overwriting your localized changes.
Frequently Asked Questions
What does the auditpol command do?
The auditpol command allows you to view, set, backup, and restore system audit policies in Windows. It provides deeper and more granular control over what gets logged in the Security log by supporting over 50 specific auditing subcategories.
Is auditpol available on all Windows versions?
auditpol is available natively on modern versions of Windows, including Windows 10, Windows 11, Windows Server 2012, 2016, 2019, and 2022.
Why should I use auditpol instead of secpol.msc?
secpol.msc provides basic auditing options (only 9 broad categories). auditpol allows manipulating Advanced Audit Policies, offering access to 50+ very specific subcategories. This granularity helps reduce the "noise" (unnecessary logs) and only tracks exactly what's required for security.
How do I undo changes made by auditpol?
The safest way is to take a backup using auditpol /backup /file:backup.csv before making changes. To undo, use auditpol /restore /file:backup.csv. Alternatively, you can use auditpol /clear to wipe everything, but this leaves the system with no auditing configured.
Can I audit specific network shares with auditpol?
auditpol enables the broader "File Share" auditing capability (auditpol /set /subcategory:"File Share" /success:enable), which will then generate events whenever any share is accessed on that server.
Where do the audited events appear?
Events triggered by configurations set via auditpol are recorded as Windows Event Logs. They are specifically routed to the "Security" log, viewable in the Windows Event Viewer (eventvwr.msc).
Do I need to be an administrator to run auditpol?
Yes. Modifying or viewing the security configuration of the operating system requires elevation. You must run the command prompt as an Administrator.
What is the difference between Success and Failure auditing?
Success auditing generates a log entry when an operation completes successfully (e.g., a file is opened). Failure auditing generates a log entry when an action is blocked (e.g., a user mistypes their password or attempts to open a file they lack permission for).
Can I script auditpol configurations?
Yes, auditpol is highly scriptable. You can place commands in .bat or .ps1 files to systematically apply security configurations to newly provisioned environments without manual UI interventions.
Quick Reference Card
Here is a quick reference table of vital auditpol commands that busy administrators frequently use.
| Command | Purpose | Example |
|---|---|---|
| auditpol /get /category:* | View all active policies | Check current system security baseline |
| auditpol /set /subcategory:"Process Creation" /success:enable | Enable process tracking | Hunt for malware executions |
| auditpol /set /subcategory:"File System" /failure:enable | Track failed file access | Monitor for unauthorized data scraping |
| auditpol /backup /file:C:\pol.csv | Export current policy | Backup before making sweeping changes |
| auditpol /list /subcategory:* | List all subcategory names | Find exact names to configure via arguments |
Summary
The auditpol command is a crucial piece of the Windows security puzzle. It grants system administrators granular control over what the operating system records in the Security log, ranging from logon attempts and file accesses to process creations and system changes.
We covered the core syntax and the essential sub-commands such as /get, /set, and /backup. Through practical examples, we looked at how to configure Success and Failure logging strategically to ensure no unauthorized activities slip through the cracks without generating so much log noise that real threats are hidden.
Whether you're baselining a new corporate server, hunting for sophisticated malware, or working to pass a tight regulatory compliance audit, a strong functional knowledge of auditpol is mandatory. Properly configured audit policies tell an accurate story of what actually happened on a machine.
Ready to test your auditpol skills? Try using the interactive simulator on our platform to build muscle memory without risking a production web server. You can also explore our Commands Reference for deeper dives into related administrative utilities, or check out our guide on the icacls command to round out your file security expertise.