How to Audit Local Admin Use With a Built-In Audit Policy on Windows 11

When a local administrator account runs a command, installs software, or changes system settings, Windows 11 does not log that activity by default. Without auditing, you cannot tell whether the admin performed a legitimate task or a malicious action. Windows 11 includes a built-in audit policy that tracks every action taken by a local admin account. This article explains how to enable that policy and review the resulting logs.

Key Takeaways: Enable Local Admin Auditing on Windows 11

  • Local Security Policy > Local Policies > Audit Policy > Audit account logon events: Tracks when a local admin account logs on or off the system.
  • Local Security Policy > Local Policies > Audit Policy > Audit process tracking: Logs every program or command the admin launches.
  • Event Viewer > Windows Logs > Security: Displays all audit events, including Event IDs 4624 (logon), 4688 (process creation), and 4672 (special privileges assigned).


What the Built-In Audit Policy Tracks for Local Admin Accounts

The built-in audit policy in Windows 11 uses several subcategories to record local admin activity. The key categories are account logon events, logon events, process creation, and privilege use. When you enable these audit policies, Windows writes events to the Security log in Event Viewer. Each event contains the account name, the time of the action, and details about what was executed. No third-party software is required. The policy applies to all local accounts, including the built-in Administrator account and any account in the Administrators group.

Audit Account Logon Events

This category records when a local admin account authenticates to the system. For local accounts, the event is written on the machine where the logon occurs. Event ID 4624 indicates a successful logon. Event ID 4625 indicates a failed logon attempt. The logon type tells you whether the admin logged on interactively, via Remote Desktop, or over the network.

Audit Process Tracking

Process tracking logs every executable that an admin runs. Event ID 4688 records the process name, the command line arguments, the creator process, and the user account. This is the most detailed category for understanding exactly what the admin did. You can see whether they launched PowerShell, regedit, msiexec, or an unknown binary.

Audit Privilege Use

When an admin uses a special privilege such as SeTakeOwnershipPrivilege or SeBackupPrivilege, Event ID 4672 is generated. This event indicates that the account was assigned elevated rights during logon. It does not log every use of the privilege, but it confirms that the account had elevated access at that moment.

Steps to Enable Local Admin Auditing on Windows 11

You must be signed in as a member of the Administrators group to change audit policies. The following steps use the Local Security Policy snap-in, which is available on Windows 11 Pro, Enterprise, and Education editions. Windows 11 Home does not include this snap-in. For Home edition, you can use the auditpol command-line tool instead.

Method 1: Using Local Security Policy

  1. Open Local Security Policy
    Press Win + R, type secpol.msc, and press Enter. If prompted by User Account Control, click Yes.
  2. Navigate to Audit Policy
    In the left pane, expand Local Policies and select Audit Policy.
  3. Enable Audit account logon events
    Double-click Audit account logon events. Check the Success box. Optionally check Failure to log failed logon attempts. Click OK.
  4. Enable Audit process tracking
    Double-click Audit process tracking. Check Success. Click OK.
  5. Enable Audit privilege use
    Double-click Audit privilege use. Check Success. Click OK.
  6. Close the snap-in
    The policy takes effect immediately. No reboot is required.

Method 2: Using Command-Line auditpol

  1. Open an elevated Command Prompt
    Press Win + S, type cmd, right-click Command Prompt, and select Run as administrator. Click Yes.
  2. Enable account logon audit
    Type the following command and press Enter:
    auditpol /set /category:"Account Logon" /success:enable
  3. Enable process creation audit
    Type the following command and press Enter:
    auditpol /set /subcategory:"Process Creation" /success:enable
  4. Enable sensitive privilege use audit
    Type the following command and press Enter:
    auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable
  5. Verify the settings
    Type auditpol /get /category:* and press Enter. Confirm that the subcategories you enabled show Success.
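Method 2 as one script, added here as an example that is not part of the original article. It runs the same auditpol configuration from an elevated PowerShell prompt and adds two settings a practitioner needs for the resulting logs to be useful: command-line capture in 4688 (off by default, controlled by the ProcessCreationIncludeCmdLine_Enabled registry value) and a larger Security log. Because auditpol sets advanced subcategories, the script names the subcategories that actually emit the Event IDs this article relies on: 4624/4625 come from "Logon" and 4672 from "Special Logon" (both in the Logon/Logoff category), while "Credential Validation" is the Account Logon subcategory that covers local-account password checks. Subcategory names are localized, so substitute the localized names on a non-English system.

```powershell
# Added example, not the article's own script. Run from an elevated PowerShell prompt.
$ErrorActionPreference = 'Stop'

# Subcategory -> Event IDs it produces (assumption labelled in the lead-in: these are the
# advanced subcategories behind the article's Event IDs).
$subcategories = @(
    'Credential Validation',   # 4776  local-account password checks (Account Logon category)
    'Logon',                   # 4624 successful logon / 4625 failed logon
    'Special Logon',           # 4672  special privileges assigned to a new logon
    'Process Creation',        # 4688  new process, with command line once enabled below
    'Sensitive Privilege Use'  # 4673 / 4674  actual use of privileges such as SeBackupPrivilege
)

foreach ($name in $subcategories) {
    # Success everywhere; Failure additionally captures failed logons (4625) and denied
    # privilege use (4674).
    & auditpol.exe /set /subcategory:"$name" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol could not set subcategory '$name'" }
}

# 4688 only carries the Command Line field when this policy value is set. It is the same
# setting as the Group Policy item "Include command line in process creation events".
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# Process Creation is chatty. Raise the Security log to 100 MB (the article's 102400 KB)
# and overwrite as needed (/rt:false) so events are not lost before they are reviewed.
& wevtutil.exe sl Security /ms:104857600 /rt:false
if ($LASTEXITCODE -ne 0) { throw 'wevtutil could not resize the Security log' }

# Verify: each subcategory line should now read "Success and Failure".
foreach ($name in $subcategories) {
    & auditpol.exe /get /subcategory:"$name" |
        Select-String -Pattern "^\s+$([regex]::Escape($name))\s"
}
Get-WinEvent -ListLog Security | Select-Object LogName, MaximumSizeInBytes, LogMode
```

If a domain Group Policy sets advanced audit policy, it overwrites these local settings at the next policy refresh, so on a domain-joined machine make the same change in the GPO instead of locally.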


How to View and Filter the Audit Logs

After enabling the audit policies, events appear in Event Viewer. To review them efficiently, use the Filter Current Log feature with the relevant Event IDs.

  1. Open Event Viewer
    Press Win + R, type eventvwr.msc, and press Enter.
  2. Navigate to the Security log
    In the left pane, expand Windows Logs and select Security.
  3. Filter for admin logon events
    In the right pane, click Filter Current Log. In the Event IDs field, type 4624,4625. Click OK. Review each event. Look for a Logon Type of 2 (Interactive) or 10 (RemoteInteractive, i.e. Remote Desktop).
  4. Filter for process creation events
    Click Filter Current Log again. Change the Event IDs field to 4688. Click OK. Examine the Process Name and Command Line fields to see what the admin ran.
  5. Filter for privilege assignment
    Click Filter Current Log. Enter 4672 in the Event IDs field. Click OK. This shows when an account was assigned special privileges during logon.

Common Issues When Auditing Local Admin Use on Windows 11

Audit Logs Are Too Large and Fill the Disk

The Security log has a default maximum size of 20 MB. On a busy system, this fills quickly. To prevent data loss, increase the log size. In Event Viewer, right-click Security under Windows Logs, select Properties, and set the Maximum log size to 102400 KB or higher. Also select Overwrite events as needed to avoid archiving old events.

No Events Appear After Enabling the Policy

If no audit events appear, confirm that the policy is applied. Run auditpol /get /category:* in an elevated Command Prompt. Verify that the subcategories show Success enabled. If the policy was configured via Group Policy, a domain-level policy may override local settings. Run gpresult /h gp.html and open the HTML file to check which audit policy is applied.

Cannot Distinguish Local Admin Actions from Standard User Actions

Audit policies apply to all accounts, not only local admins. To isolate admin activity, filter the Security log by the SID or account name of the local admin. In Event Viewer, click Filter Current Log. Go to the XML tab and paste a query that includes the admin’s security identifier. Alternatively, export the log to CSV and filter by the SubjectUserName column in Excel.
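The filtering steps above and the SID-based isolation described in this section, combined into one added example that is not part of the original article. It builds the kind of XPath query the XML tab of Filter Current Log accepts, but resolves the members of the local Administrators group (well-known SID S-1-5-32-544) first: 4624, 4672 and 4688 record the user's SID, not group membership, so the query matches on each member's SID rather than on the group SID itself. The function name Get-LocalAdminActivity and its -Hours parameter are this example's own. Reading the Security log requires an elevated PowerShell prompt.

```powershell
# Added example, not from the article. Lists the article's Event IDs for local Administrators
# group members over the last N hours, parsing the fields the article says to look at
# (Logon Type, Process Name, Command Line, privilege list).
function Get-LocalAdminActivity {
    param([int]$Hours = 24)   # how far back to look

    # Direct members of Administrators. Nested groups are not expanded, and the Windows
    # event XPath dialect caps a query at roughly 32 comparisons, so keep the group small.
    $adminSids = Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object { $_.SID.Value }
    if (-not $adminSids) { throw 'No members found in the local Administrators group' }

    # Logon events (4624/4625) put the account in TargetUserSid; 4672 and 4688 use SubjectUserSid.
    $sidFilter = ($adminSids | ForEach-Object {
        "Data[@Name='TargetUserSid']='$_' or Data[@Name='SubjectUserSid']='$_'"
    }) -join ' or '

    # timediff() is in milliseconds; "<=" must be written &lt;= inside the XML.
    $ms = $Hours * 3600 * 1000
    $query = [xml]@"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625 or EventID=4672 or EventID=4688)
               and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]
      and *[EventData[$sidFilter]]
    </Select>
  </Query>
</QueryList>
"@

    $events = Get-WinEvent -FilterXml $query -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Flatten the <Data Name="..."> elements of EventData into a hashtable.
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        switch ($e.Id) {
            4624 { $who = $d['TargetUserName'];  $what = "Logon type $($d['LogonType']) from $($d['IpAddress'])" }
            4625 { $who = $d['TargetUserName'];  $what = "FAILED logon type $($d['LogonType']) from $($d['IpAddress'])" }
            4672 { $who = $d['SubjectUserName']; $what = 'Privileges: ' + (($d['PrivilegeList'] -split '\s+') -join ' ') }
            4688 { $who = $d['SubjectUserName']; $what = "Ran $($d['NewProcessName']) $($d['CommandLine'])" }
        }
        [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; User = $who; Detail = $what }
    }
}

Get-LocalAdminActivity -Hours 24 | Format-Table -AutoSize -Wrap
```

The same XML, with the SIDs filled in, can be pasted into the XML tab of Filter Current Log in Event Viewer. An empty Command Line column in 4688 rows means command-line capture has not been enabled in the audit policy.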

Comparison: Local Security Policy vs. auditpol

Item                           Local Security Policy                    auditpol Command Line
Edition support                Windows 11 Pro, Enterprise, Education    All editions, including Windows 11 Home
Interface                      Graphical snap-in (secpol.msc)           Command Prompt or script
Change takes effect            Immediately after clicking OK            Immediately after pressing Enter
Ease of bulk configuration     Manual, per category                     Can be scripted for multiple machines
Granular subcategory control   Uses the older nine-category system      Supports all 60+ advanced subcategories

With the audit policy enabled, you can now track every command and logon from a local admin account on Windows 11. Review the Security log daily or forward events to a central collector for long-term analysis. For advanced filtering, create a custom XML query in Event Viewer that targets only the local Administrators group SID. This approach avoids noise from standard user activity and gives you a clear record of admin behavior.
