Hi @davinardian ,
To pull back the setting, I believe these are stored in the PolAdtEv registry key on the machine. This is a binary value store and the setting is a hexadecimal value at a specific index within the value.
Using the following relevance, substituting the word OFFSET with how many bytes precede the value you are interested in, should give you the set value:
item 1 of (("00", "No auditing");("01", "Success");("02", "Failure");("03", "Success and Failure")) whose (item 0 of it = (parenthesized part 2 of matches (regex "^([0-9a-fA-F]{2}){OFFSET}([0-9a-fA-F]{2})") of (default value of it as string) of key "HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv" of native registry) | "00") | "Unknown"
To set the value to “Success and Failure” using actionscript, you can use the following:
waithidden C:\Windows\System32\auditpol.exe /set /subcategory:Logon /success:enable /failure:enable
I don’t know the specific offset to use for this particular audit setting so you will need to discover it yourself. Basically run the following relevance in the fixlet debugger under client context (you must be using System to read this key) and save the result:
default value of key "HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv" of native registry
Next run the auditpol.exe command and change the value:
C:\Windows\System32\auditpol.exe /set /subcategory:Logon /success:enable /failure:enable
Now re-run the relevance query to pull the values again:
default value of key "HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv" of native registry
Now just compare the 2 results, counting in chunks of 2 until you reach where the value has changed from a 00 to 03. The number of chunks you counted is your byte offset.
For example (not the actual value):
000100000900000084000000000001000300…
000100000900000084000000030001000300…
The change from 00 to 03 occurred at offset 12
Hope this helps!
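The before/after comparison described in the post, written out as an added Python example (this is not the poster's code and not part of the BigFix relevance above). It parses the two hex strings the relevance query returns, reports the byte offset that changed, and decodes the byte at that offset with the same 00/01/02/03 mapping and the same fallbacks as the relevance expression (a value too short to contain the offset falls through the `| "00"` branch to "No auditing", an unmapped byte to "Unknown"). The two dumps are the illustrative values from the post, not a real PolAdtEv value; the function names are my own.

```python
import re

# Mapping used in the post's relevance for the byte at the subcategory's offset.
AUDIT_SETTINGS = {
    0x00: "No auditing",
    0x01: "Success",
    0x02: "Failure",
    0x03: "Success and Failure",
}

HEX_STRING = re.compile(r"^[0-9a-fA-F]+$")


def parse_hex(dump: str) -> bytes:
    """Turn the hex string returned by the relevance query into bytes.

    Whitespace and a trailing ellipsis from a truncated paste are dropped;
    anything else that is not an even-length hex string is rejected.
    """
    cleaned = "".join(dump.split()).rstrip("….")
    if len(cleaned) % 2 or not HEX_STRING.match(cleaned):
        raise ValueError("not an even-length hex string")
    return bytes.fromhex(cleaned)


def find_changed_offsets(before: bytes, after: bytes) -> list:
    """Byte offsets where the two dumps differ.

    Returned as a list because a single auditpol call could in principle
    touch more than one byte; the post's procedure expects exactly one.
    """
    if len(before) != len(after):
        raise ValueError("dumps differ in length; compare the full value, not a truncated paste")
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]


def discover_offset(before_hex: str, after_hex: str) -> int:
    """The 'count in chunks of 2 until the byte changes' step, done by machine."""
    changed = find_changed_offsets(parse_hex(before_hex), parse_hex(after_hex))
    if len(changed) != 1:
        raise ValueError(f"expected exactly one changed byte, got offsets {changed}")
    return changed[0]


def audit_setting_at(dump: str, offset: int) -> str:
    """Equivalent of the relevance expression once OFFSET is known.

    Mirrors its fallbacks: if the value is too short for the regex to match,
    the relevance substitutes "00" (reported as "No auditing"); a byte that is
    not 00-03 yields "Unknown".
    """
    data = parse_hex(dump)
    byte = data[offset] if offset < len(data) else 0x00
    return AUDIT_SETTINGS.get(byte, "Unknown")


# Constructed sample dumps: the post's illustrative values, not a real PolAdtEv key.
BEFORE = "000100000900000084000000000001000300"
AFTER = "000100000900000084000000030001000300"

if __name__ == "__main__":
    off = discover_offset(BEFORE, AFTER)
    print(f"changed byte at offset {off}: "
          f"{audit_setting_at(BEFORE, off)} -> {audit_setting_at(AFTER, off)}")
```

Run it against the two full values you saved from the fixlet debugger (paste them in place of `BEFORE` and `AFTER`); it refuses truncated or unequal-length dumps so that a copy/paste ellipsis cannot produce a wrong offset.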