Windows Event ID 4719: System audit policy was changed
Windows Security Event ID 4719 records a system audit policy change and can reveal attempts to reduce logging before malicious activity.
- Applicable version
- Windows Server 2008 R2 and later; Windows 7 and later
- Last reviewed
- 2026-07-10
Trigger Scenarios
Windows logs the event when one or more audit subcategories are enabled or disabled through policy or local configuration.
Key Fields
Audit Policy Changes
The subcategories and success or failure settings that changed. Disabling process, logon, or policy auditing is especially significant.
Subject
The account that changed policy. Confirm that the action matches approved administration.
Computer
The affected system. Changes on domain controllers and management servers have broad investigative impact.
Common False Positives
- Hardening projects and Group Policy deployments can legitimately change audit settings.
- Operating-system upgrades or baseline changes may modify multiple subcategories at once.
Related Events
- 1102 - The audit log was cleared
- Event ID 4902Content pending
- 4688 - A new process has been created
MITRE ATT&CK Mapping
- T1562.002Impair Defenses: Disable Windows Event Logging
Detection Notes
T1562.002 occurs when Audit Policy Changes removes Success or Failure for Audit Process Creation, Logon, or other security-critical audit subcategories. Disabling both Success and Failure is materially different from enabling a category because it removes future visibility. Use a local correlation window=60 minutes to connect the same Subject Logon ID to 4688 policy-change tooling and any following 1102 log clear.
SecurityEvent
| where EventID == 4719
| project TimeGenerated, Computer, Account, AuditPolicyChanges
| order by TimeGenerated descindex=wineventlog EventCode=4719
| table _time, host, SubjectUserName, AuditPolicyChangesSubject: Account Name: CORP\admin.ops
Audit Policy Changes: Audit Process Creation: Success removed
Computer: DC01