In Windows 7 auditing, the event ID for changes to audit policy is:

Enhance your knowledge as a Computer Hacking Forensic Investigator with the CHFI v11 Test. Use flashcards and multiple-choice questions, complete with hints and detailed explanations, to prepare effectively and ace your exam!

Multiple Choice

In Windows 7 auditing, the event ID for changes to audit policy is:

Explanation:
Changes to how auditing is configured are themselves auditable events, so Windows logs a security event whenever the audit policy is changed. On Windows 7, the event that records a change to the audit policy is 4902. This event indicates that the audit policy was modified (for example, who changed it and when), which is exactly what you’d want to detect when reviewing for tampering or misconfiguration of auditing. The other IDs correspond to different events and do not specifically indicate changes to the audit policy, so they aren’t the correct marker for this action.

