This subcategory reports other types of security policy changes such as configuration of the Trusted Platform Module (TPM) or cryptographic providers. Events for this subcategory include:
? 4909: The local policy settings for the TBS were changed.
? 4910: The group policy settings for the TBS were changed.
? 5063: A cryptographic provider operation was attempted.
? 5064: A cryptographic context op ...
This subcategory reports when applications attempt to generate audit events by using the Windows auditing application programming interfaces (APIs). Events for this subcategory include:
? 4665: An attempt was made to create an application client context.
? 4666: An application attempted an operation:
? 4667: An application client context was deleted.
? 4668: An application was initialized.
Refer ...
This subcategory reports the creation of a process and the name of the program or user that created it. Events for this subcategory include:
? 4688: A new process has been created.
? 4696: A primary token was assigned to process.
Refer to the Microsoft Knowledgebase article ?Description of security events in Windows Vista and in Windows Server 2008? for the most recent information about this sett ...
This subcategory reports when a process terminates. Events for this subcategory include:
? 4689: A process has exited.
Refer to the Microsoft Knowledgebase article ?Description of security events in Windows Vista and in Windows Server 2008? for the most recent information about this setting: http://support.microsoft.com/default.aspx/kb/947226.
Fix:
(1) GPO: Computer Configuration\Windows Settin ...
This subcategory reports generated by Kerberos ticket request processes on the domain controller that is authoritative for the domain account. Events for this subcategory include:
? 4769: A Kerberos service ticket was requested.
? 4770: A Kerberos service ticket was renewed.
? 4773: A Kerberos service ticket request failed.
Refer to the Microsoft Knowledgebase article ?Description of security eve ...