I have 2 PCs, one is XP Pro and the other is XP Home and noticed that the
Event Viewer for the XP Pro machine never shows anything while on the XP
Home machine it only shows success audits. Neither machine shows anything
for Internet Explorer. Both show events for Application, System, MSFWSVC,
and Windows Onecare. Just curious as to how event logging can be started or
stopped and whether or not which events are logged can be controlled.
Thanks,
Al

Event Viewer Group Policy Audit logon events

Right click Application | Properties | Filter tab |
Make sure that all Event types are selected.

Right click Security | Properties | Filter tab |
Make sure that all Event types are selected.

Right click System | Properties | Filter tab |
Make sure that all Event types are selected.

If XP Pro, Group Policy. I have no idea with XP Home.

Open Group Policy Editor...
Start | Run | Type: gpedit.msc | Click OK |

Set both Audit account logon events & Audit logon events for Success &
Failure

From Group Policy HELP...

[[Audit account logon events
Computer Configuration\Windows Settings\Security Settings\Local
Policies\Audit Policy

Description
Determines whether to audit each instance of a user logging on to or logging
off from another computer in which this computer is used to validate the
account.

If you define this policy setting, you can specify whether to audit
successes, audit failures, or not audit the event type at all. Success
audits generate an audit entry when an account logon attempt succeeds.
Failure audits generate an audit entry when an account logon attempt fails.
To set this value to no auditing, in the Properties dialog box for this
policy setting, select the Define these policy settings check box and clear
the Success and Failure check boxes.

If success auditing for account logon events is enabled on a domain
controller, an entry is logged for each user who is validated against that
domain controller, even though the user is actually logging on to a
workstation that is joined to the domain.

Default:
No auditing for domain controllers.
Undefined for a member computer. ]]

[[Audit logon events
Computer Configuration\Windows Settings\Security Settings\Local
Policies\Audit Policy

Description
Determines whether to audit each instance of a user logging on to, logging
off from, or making a network connection to this computer.

If you are logging successful Audit account logon events on a domain
controller, workstation logon attempts do not generate logon audits. Only
interactive and network logon attempts to the domain controller itself
generate logon events. In short, "account logon events" are generated where
the account lives; "logon events" are generated where the logon attempt
occurs.

If you define this policy setting, you can specify whether to audit
successes, audit failures, or not audit the event type at all. Success
audits generate an audit entry when a logon attempt succeeds. Failure audits
generate an audit entry when a logon attempt fails. To set this value to no
auditing, in the Properties dialog box for this policy setting, select the
Define these policy settings check box and clear the Success and Failure
check boxes.

Default: No auditing.]]

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In ,
Alton Davis <xxx.xxx> hunted and pecked:
> I have 2 PCs, one is XP Pro and the other is XP Home and noticed that the
> Event Viewer for the XP Pro machine never shows anything while on the XP
> Home machine it only shows success audits. Neither machine shows anything
> for Internet Explorer. Both show events for Application, System, MSFWSVC,
> and Windows Onecare. Just curious as to how event logging can be started
> or stopped and whether or not which events are logged can be controlled.
> Thanks,
> Al

Thanks Wes,
That works for Pro but Home has no group policy editor. I guess I don't
really need to change anything, just curious as to how those logs worked.
Al


"Wesley Vogel" > wrote in message
...
> Event Viewer Group Policy Audit logon events
>
> Right click Application | Properties | Filter tab |
> Make sure that all Event types are selected.
>
> Right click Security | Properties | Filter tab |
> Make sure that all Event types are selected.
>
> Right click System | Properties | Filter tab |
> Make sure that all Event types are selected.
>
> If XP Pro, Group Policy. I have no idea with XP Home.
>
> Open Group Policy Editor...
> Start | Run | Type: gpedit.msc | Click OK |
>
> Set both Audit account logon events & Audit logon events for Success &
> Failure
>
> From Group Policy HELP...
>
> [[Audit account logon events
> Computer Configuration\Windows Settings\Security Settings\Local
> Policies\Audit Policy
>
> Description
> Determines whether to audit each instance of a user logging on to or
> logging
> off from another computer in which this computer is used to validate the
> account.
>
> If you define this policy setting, you can specify whether to audit
> successes, audit failures, or not audit the event type at all. Success
> audits generate an audit entry when an account logon attempt succeeds.
> Failure audits generate an audit entry when an account logon attempt
> fails.
> To set this value to no auditing, in the Properties dialog box for this
> policy setting, select the Define these policy settings check box and
> clear
> the Success and Failure check boxes.
>
> If success auditing for account logon events is enabled on a domain
> controller, an entry is logged for each user who is validated against that
> domain controller, even though the user is actually logging on to a
> workstation that is joined to the domain.
>
> Default:
> No auditing for domain controllers.
> Undefined for a member computer. ]]
>
> [[Audit logon events
> Computer Configuration\Windows Settings\Security Settings\Local
> Policies\Audit Policy
>
> Description
> Determines whether to audit each instance of a user logging on to, logging
> off from, or making a network connection to this computer.
>
> If you are logging successful Audit account logon events on a domain
> controller, workstation logon attempts do not generate logon audits. Only
> interactive and network logon attempts to the domain controller itself
> generate logon events. In short, "account logon events" are generated
> where
> the account lives; "logon events" are generated where the logon attempt
> occurs.
>
> If you define this policy setting, you can specify whether to audit
> successes, audit failures, or not audit the event type at all. Success
> audits generate an audit entry when a logon attempt succeeds. Failure
> audits
> generate an audit entry when a logon attempt fails. To set this value to
> no
> auditing, in the Properties dialog box for this policy setting, select the
> Define these policy settings check box and clear the Success and Failure
> check boxes.
>
> Default: No auditing.]]
>
> --
> Hope this helps. Let us know.
>
> Wes
> MS-MVP Windows Shell/User
>
> In ,
> Alton Davis <xxx.xxx> hunted and pecked:
>> I have 2 PCs, one is XP Pro and the other is XP Home and noticed that the
>> Event Viewer for the XP Pro machine never shows anything while on the XP
>> Home machine it only shows success audits. Neither machine shows
>> anything
>> for Internet Explorer. Both show events for Application, System,
>> MSFWSVC,
>> and Windows Onecare. Just curious as to how event logging can be started
>> or stopped and whether or not which events are logged can be controlled.
>> Thanks,
>> Al
>

Al,

> That works for Pro but Home has no group policy editor

That is why I stated that I have no idea with XP Home.

Paste the following line into Start | Run and click OK...

hh EVconcepts.chm::/nt_filteringevents_how_ev.htm

Double click the books in the left hand pane to expand the listings.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In ,
Alton Davis <xxx.xxx> hunted and pecked:
> Thanks Wes,
> That works for Pro but Home has no group policy editor. I guess I don't
> really need to change anything, just curious as to how those logs worked.
> Al
>
>
> "Wesley Vogel" > wrote in message
> ...
>> Event Viewer Group Policy Audit logon events
>>
>> Right click Application | Properties | Filter tab |
>> Make sure that all Event types are selected.
>>
>> Right click Security | Properties | Filter tab |
>> Make sure that all Event types are selected.
>>
>> Right click System | Properties | Filter tab |
>> Make sure that all Event types are selected.
>>
>> If XP Pro, Group Policy. I have no idea with XP Home.
>>
>> Open Group Policy Editor...
>> Start | Run | Type: gpedit.msc | Click OK |
>>
>> Set both Audit account logon events & Audit logon events for Success &
>> Failure
>>
>> From Group Policy HELP...
>>
>> [[Audit account logon events
>> Computer Configuration\Windows Settings\Security Settings\Local
>> Policies\Audit Policy
>>
>> Description
>> Determines whether to audit each instance of a user logging on to or
>> logging
>> off from another computer in which this computer is used to validate the
>> account.
>>
>> If you define this policy setting, you can specify whether to audit
>> successes, audit failures, or not audit the event type at all. Success
>> audits generate an audit entry when an account logon attempt succeeds.
>> Failure audits generate an audit entry when an account logon attempt
>> fails.
>> To set this value to no auditing, in the Properties dialog box for this
>> policy setting, select the Define these policy settings check box and
>> clear
>> the Success and Failure check boxes.
>>
>> If success auditing for account logon events is enabled on a domain
>> controller, an entry is logged for each user who is validated against
>> that domain controller, even though the user is actually logging on to a
>> workstation that is joined to the domain.
>>
>> Default:
>> No auditing for domain controllers.
>> Undefined for a member computer. ]]
>>
>> [[Audit logon events
>> Computer Configuration\Windows Settings\Security Settings\Local
>> Policies\Audit Policy
>>
>> Description
>> Determines whether to audit each instance of a user logging on to,
>> logging off from, or making a network connection to this computer.
>>
>> If you are logging successful Audit account logon events on a domain
>> controller, workstation logon attempts do not generate logon audits. Only
>> interactive and network logon attempts to the domain controller itself
>> generate logon events. In short, "account logon events" are generated
>> where
>> the account lives; "logon events" are generated where the logon attempt
>> occurs.
>>
>> If you define this policy setting, you can specify whether to audit
>> successes, audit failures, or not audit the event type at all. Success
>> audits generate an audit entry when a logon attempt succeeds. Failure
>> audits
>> generate an audit entry when a logon attempt fails. To set this value to
>> no
>> auditing, in the Properties dialog box for this policy setting, select
>> the Define these policy settings check box and clear the Success and
>> Failure check boxes.
>>
>> Default: No auditing.]]
>>
>> --
>> Hope this helps. Let us know.
>>
>> Wes
>> MS-MVP Windows Shell/User
>>
>> In ,
>> Alton Davis <xxx.xxx> hunted and pecked:
>>> I have 2 PCs, one is XP Pro and the other is XP Home and noticed that
>>> the Event Viewer for the XP Pro machine never shows anything while on
>>> the XP Home machine it only shows success audits. Neither machine shows
>>> anything
>>> for Internet Explorer. Both show events for Application, System,
>>> MSFWSVC,
>>> and Windows Onecare. Just curious as to how event logging can be
>>> started or stopped and whether or not which events are logged can be
>>> controlled. Thanks,
>>> Al