Windows Vista provides the ability to audit security events by recording attempts to access system resources. No events are written to the Security log until you enable auditing, which you do via Local Security Policy. Even if you set up auditing for files, folders, or printers, those events aren’t recorded unless you also enable auditing in Local Security Policy.
To enable auditing, follow these steps:
1. In the Control Panel, open Administrative Tools, Local Security Policy. Alternatively, you can type secpol.msc at a command prompt, or simply begin typing local security in the Start menu Search box. Give your consent to the User Account Control (UAC) prompt that appears.
2. Expand Local Policies and then click Audit Policy to display the list of activities you can audit.
3. Double-click each policy for which you want to enable auditing, and then select Success, Failure, or both.
Some activities, such as account management and policy change, can provide an audit trail for administrative changes. Others, such as logon events and object access, can help you discover how to better secure your system. Still others, including system events and process tracking, can assist you in locating problems with your system.