Audit Security State Change


Applies To: Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8

This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Security State Change, which determines whether Windows generates audit events for changes in the security state of a system.

Changes in the security state of the operating system include:

  • System startup and shutdown.

  • Change of system time.

  • System recovery from CrashOnAuditFail. This event is logged after a system reboots following CrashOnAuditFail.


    Some auditable activity may not be recorded when a system reboots due to CrashOnAuditFail.

System startup and shutdown events are important for understanding system usage.

Event volume: Low

Default: Success

If this policy setting is configured, the following events appear on computers running the supported versions of the Windows operating system as designated in the Applies to list at the beginning of this topic in addition to Windows Server 2008 and Windows Vista.

Event ID

Event Message Summary

Minimum Requirement


Windows is starting up.

Windows Vista, Windows Server 2008


Windows is shutting down.

Windows Vista, Windows Server 2008


The system time was changed.

Windows Vista, Windows Server 2008


Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.

Windows Vista, Windows Server 2008

Advanced Security Audit Policy Settings