xaudit Command Modify System Access Control List

The xaudit command adds entries in the system access control list (SACL). Each entry in this list causes an audit message to be logged when a specified user or group attempts to gain access to the resource. The xaudit- command removes entries from the SACL, and is valid for resource types FILE, PRINTER, REGKEY, DISK, COM, or SHARE.
This command has the following format:
xaudit className resourceName \
    [failure(auditMode)] \
    [gid(groupName)] \
    [success(auditMode)] \
    [uid(userName)]
  • className
    Specifies the name of the resource type to which the resource belongs.
  • failure(auditMode)
    Logs unauthorized access attempts to the resource. Valid values for auditMode depend on the resource type to which the resource belongs (only NTFS files can have audit modes):
    • DISK and COM: changePermissions, delete, modify, query, read, synchronize, and takeOwnership.
    • FILE: changePermissions, delete, execute, read, takeOwnership, and write.
    • PRINTER: changePermissions, delete, print, and takeOwnership.
    • REGKEY: delete, enumerate, link, notify, queryValue, readControl, setValue, subkey, and write.
    For all resource types: none and all.
  • gid(groupName)
    Specifies the groups whose access to the resource is being audited. When specifying more than one group, separate the names with spaces or commas.
  • resourceName
    Specifies the name of the resource record whose system access control list (SACL) is being modified.
  • success(auditMode)
    Logs authorized accesses to the resource. Valid values for auditMode depend on the resource type to which the resource belongs (only NTFS files can have audit modes):
    • DISK and COM: changePermissions, delete, modify, query, read, synchronize, and takeOwnership.
    • FILE: changePermissions, delete, execute, read, takeOwnership, and write.
    • PRINTER: changePermissions, delete, print, and takeOwnership.
    • REGKEY: delete, enumerate, link, notify, queryValue, readControl, setValue, subkey, and write.
    For all resource types: none and all.
  • uid(userName)
    Specifies the user whose access to the resource is being audited. When specifying more than one user, separate the user names with spaces or commas. To specify all users who are defined in the Windows NT database, specify an asterisk (*) for userName.
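The following Python checker is an added example and is not part of the product or this reference; it encodes the syntax and the per-resource-type audit modes documented above so that a proposed xaudit or xaudit- command line can be reviewed before it is run on a production SACL. It assumes that audit modes inside failure() and success() are separated by spaces or commas in the same way the page describes for gid() and uid(), that mode names are matched case-insensitively (the page spells takeOwnership both ways), and that SHARE accepts only none and all because the page lists no per-type modes for it. The command lines in the demo and tests are constructed samples.

```python
import re

# Audit modes documented per resource type.  DISK and COM share one list.
_DISK_COM = {"changePermissions", "delete", "modify", "query", "read",
             "synchronize", "takeOwnership"}
AUDIT_MODES = {
    "DISK": _DISK_COM,
    "COM": _DISK_COM,
    "FILE": {"changePermissions", "delete", "execute", "read",
             "takeOwnership", "write"},
    "PRINTER": {"changePermissions", "delete", "print", "takeOwnership"},
    "REGKEY": {"delete", "enumerate", "link", "notify", "queryValue",
               "readControl", "setValue", "subkey", "write"},
}
# Valid for every resource type.
UNIVERSAL_MODES = {"none", "all"}
# Resource types the page lists for xaudit-.  SHARE has no per-type mode
# list on the page, so only none/all are accepted for it here (assumption).
RESOURCE_TYPES = {"FILE", "PRINTER", "REGKEY", "DISK", "COM", "SHARE"}

_OPTION_RE = re.compile(r"(failure|success|gid|uid)\(([^()]*)\)")


def _split_list(text):
    """Split a space- or comma-separated list, as the page describes for
    gid() and uid(); the same separators are assumed for audit modes."""
    return [item for item in re.split(r"[\s,]+", text.strip()) if item]


def parse_xaudit(command):
    """Parse one 'xaudit[-] className resourceName [options]' line.

    Raises ValueError on malformed syntax.  Semantic checks (known resource
    type, valid audit modes) live in validate_xaudit so that a caller can
    collect all of them at once.  Resource names containing spaces are not
    handled, since the page does not describe a quoting convention.
    """
    flat = command.replace("\\\n", " ")          # join line continuations
    head = flat.split(None, 3)
    if len(head) < 3 or head[0] not in ("xaudit", "xaudit-"):
        raise ValueError("expected: xaudit[-] className resourceName [options]")
    cmd, class_name, resource_name = head[:3]
    rest = head[3] if len(head) == 4 else ""
    parsed = {
        "remove": cmd.endswith("-"),             # xaudit- removes SACL entries
        "className": class_name.upper(),
        "resourceName": resource_name,
        "failure": [], "success": [], "gid": [], "uid": [],
    }
    seen = set()
    for match in _OPTION_RE.finditer(rest):
        name, value = match.group(1), match.group(2)
        if name in seen:
            raise ValueError(f"option {name}() given more than once")
        seen.add(name)
        parsed[name] = _split_list(value)
    # Anything left after removing the well-formed options is a syntax error
    # (for example an unclosed parenthesis or an unknown option name).
    leftover = _OPTION_RE.sub("", rest).strip()
    if leftover:
        raise ValueError(f"unrecognised text in options: {leftover!r}")
    parsed["all_users"] = parsed["uid"] == ["*"]  # uid(*) = every NT user
    return parsed


def validate_xaudit(command):
    """Return a list of problems; an empty list means the command is
    consistent with the documented syntax and audit modes."""
    try:
        parsed = parse_xaudit(command)
    except ValueError as exc:
        return [str(exc)]
    class_name = parsed["className"]
    if class_name not in RESOURCE_TYPES:
        return [f"unknown resource type {class_name}"]
    # Lower-cased lookup so changepermissions and changePermissions both match.
    allowed = {m.lower() for m in UNIVERSAL_MODES | AUDIT_MODES.get(class_name, set())}
    problems = []
    for option in ("failure", "success"):
        for mode in parsed[option]:
            if mode.lower() not in allowed:
                problems.append(
                    f"{option}({mode}) is not a valid audit mode for {class_name}")
    return problems


if __name__ == "__main__":
    # Constructed sample command lines: one valid, one with a mode that
    # PRINTER resources do not support.
    samples = [
        r"xaudit FILE C:\payroll\salaries.xls failure(read write delete) gid(Finance, Auditors)",
        r"xaudit PRINTER \\printsrv\hr failure(execute) uid(*)",
    ]
    for line in samples:
        print(line)
        print("  ->", validate_xaudit(line) or "ok")
```

Running the module prints the review result for each constructed sample; in a change-control workflow the same validate_xaudit() call can gate a batch of SACL changes so that an entry with a mode the resource type cannot audit is caught before it silently fails to log anything.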