Why fresh installed Windows 10 VM generates 4624/4625 whereas Audit account logon events is set to "No auditing" in Audit Policy

user888017

2/20/23, 3:01 PM

All is in the title. By the way, each policies are set to "No auditing" in Audit Policy by default but we still get events in the Event Viewer. I don't understand how.

0 + 0

windows

Score:0

Server

Greg Askew

2/20/23, 3:45 PM

You may have configured legacy audit policies. Those are not used by default. The audit policies are configured under Windows Settings\Security Settings\Advanced Audit Policy configuration.

0 + 0

user888017

2/20/23, 4:42 PM

Thank you for your feedback. I did not configure anything. I just installed a Win10 VM and realized that a lot of events are enabled by default and it does not match what I see in the Audit Policy. If I open "Local Security Policy" and go to "Security Settings \ Advanced Audit Policy\System Audit Policies - Local Group Policy Object\Logon/Logoff", I get all subcategory to "Not Configured"

user888017

2/20/23, 4:46 PM

But in the "Explain" tab from "Properties" its says "Default on Client editions: Success." So maybe that means that if you do not configure anything, it put this value by default. It would explain 4624 but not 4625 :/

Greg Askew

2/20/23, 4:47 PM

If `auditpol /get /category:*` shows it enabled, it would need to be configured in the policy to change it.

user888017

2/20/23, 4:50 PM

I executed your command. I got "No Auditing" for all "Logon/Logoff" category

user888017

2/20/23, 4:58 PM

Oops now I don't get any 462[4|5] anymore. Maybe I've changed something during my manipulations. Thank you for your clarifications though.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Why fresh installed Windows 10 VM generates 4624/4625 whereas Audit account logon events is set to "No auditing" in Audit Policy

TH: เหตุใด Windows 10 VM ที่ติดตั้งใหม่จึงสร้าง 4624/4625 ในขณะที่เหตุการณ์การเข้าสู่ระบบบัญชีการตรวจสอบถูกตั้งค่าเป็น "ไม่มีการตรวจสอบ" ในนโยบายการตรวจสอบ

RO: De ce mașina virtuală Windows 10 proaspătă instalată generează 4624/4625, în timp ce evenimentele de conectare a contului de auditare sunt setate la „Fără auditare” în Politica de audit

RU: Почему только что установленная виртуальная машина Windows 10 генерирует 4624/4625, тогда как для событий входа в учетную запись аудита в политике аудита установлено значение «Нет аудита»

VI: Tại sao máy ảo Windows 10 được cài đặt mới tạo ra 4624/4625 trong khi các sự kiện đăng nhập tài khoản Kiểm tra được đặt thành "Không kiểm tra" trong Chính sách kiểm tra

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.