Disable logs script: how do I revert this back to default?

Discussion in 'Scripting' started by raptorddd, Nov 23, 2022.

  1. raptorddd

    raptorddd MDL Addicted

    Aug 17, 2019
    617
    204
    30
    As the title says, in case I want to use any logs (I have never used them), how do I revert this script back?


    Code:
    rem https://docs.microsoft.com/en-us/windows/win32/fwp/auditing-and-logging
    rem https://social.technet.microsoft.com/Forums/en-US/ec2b033f-3e9b-4727-88d2-e6e358393734/how-to-disable-stop-windows-filtering-platform-filtering-platform-packet-drop
    rem ALL
    Auditpol /set /category:* /Success:disable /failure:disable
    rem FIREWALL
    auditpol /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:disable
    auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
    auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
    auditpol /set /subcategory:"Other Object Access Events" /success:disable /failure:disable
    auditpol /set /subcategory:"IPsec Main Mode" /success:disable /failure:disable
    auditpol /set /subcategory:"IPsec Quick Mode" /success:disable /failure:disable
    auditpol /set /subcategory:"IPsec Extended Mode" /success:disable /failure:disable
    auditpol /set /subcategory:"IPsec Driver" /success:disable /failure:disable
    rem https://thesystemengineers.wordpress.com/2014/05/08/the-best-advanced-audit-script-and-advanced-audit-policy-i-use/
    rem http://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Recommended-Baseline-Audit-Policy-for-Windows-Server-2008
    auditpol /set /subcategory:"DPAPI Activity" /success:disable /failure:disable
    auditpol /set /subcategory:"Detailed Directory Service Replication" /success:disable /failure:disable
    auditpol /set /subcategory:"Directory Service Replication" /success:disable /failure:disable
    auditpol /set /subcategory:"Handle Manipulation" /success:disable /failure:disable
    auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:disable /failure:disable
    auditpol /set /subcategory:"Non Sensitive Privilege Use" /success:disable /failure:disable
    auditpol /set /subcategory:"Other Policy Change Events" /success:disable /failure:enable
    auditpol /set /subcategory:"Other Privilege Use Events" /success:disable /failure:disable
    auditpol /set /subcategory:"SAM" /success:disable /failure:disable
    auditpol /set /subcategory:"Sensitive Privilege Use" /success:disable /failure:disable
    rem may be enabled on failure
    auditpol /set /subcategory:"Other System Events" /success:disable /failure:disable
    rem Usually all enabled
    auditpol /set /subcategory:"Account Lockout" /success:disable /failure:disable
    auditpol /set /subcategory:"Application Generated" /success:disable /failure:disable
    auditpol /set /subcategory:"Application Group Management" /success:disable /failure:disable
    auditpol /set /subcategory:"Audit Policy Change" /success:disable /failure:disable
    auditpol /set /subcategory:"Authentication Policy Change" /success:disable /failure:disable
    auditpol /set /subcategory:"Authorization Policy Change" /success:disable /failure:disable
    auditpol /set /subcategory:"Certification Services" /success:disable /failure:disable
    auditpol /set /subcategory:"Computer Account Management" /success:disable /failure:disable
    auditpol /set /subcategory:"Credential Validation" /success:disable /failure:disable
    auditpol /set /subcategory:"Directory Service Access" /success:disable /failure:disable
    auditpol /set /subcategory:"Directory Service Changes" /success:disable /failure:disable
    auditpol /set /subcategory:"Distribution Group Management" /success:disable /failure:disable
    auditpol /set /subcategory:"File Share" /success:disable /failure:disable
    auditpol /set /subcategory:"File System" /success:disable /failure:disable
    auditpol /set /subcategory:"Kerberos Authentication Service" /success:disable /failure:disable
    auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:disable /failure:disable
    auditpol /set /subcategory:"Kernel Object" /success:disable /failure:disable
    auditpol /set /subcategory:"Logoff" /success:disable /failure:disable
    auditpol /set /subcategory:"Logon" /success:disable /failure:disable
    auditpol /set /subcategory:"Network Policy Server" /success:disable /failure:disable
    auditpol /set /subcategory:"Other Account Logon Events" /success:disable /failure:disable
    auditpol /set /subcategory:"Other Account Management Events" /success:disable /failure:disable
    auditpol /set /subcategory:"Other Logon/Logoff Events" /success:disable /failure:disable
    auditpol /set /subcategory:"Process Creation" /success:disable /failure:disable
    auditpol /set /subcategory:"Process Termination" /success:disable /failure:disable
    auditpol /set /subcategory:"RPC Events" /success:disable /failure:disable
    auditpol /set /subcategory:"Registry" /success:disable /failure:disable
    auditpol /set /subcategory:"Security Group Management" /success:disable /failure:disable
    auditpol /set /subcategory:"Security State Change" /success:disable /failure:disable
    auditpol /set /subcategory:"Security System Extension" /success:disable /failure:disable
    auditpol /set /subcategory:"Special Logon" /success:disable /failure:disable
    auditpol /set /subcategory:"System Integrity" /success:disable /failure:disable
    auditpol /set /subcategory:"User Account Management" /success:disable /failure:disable
    rem Apply immediately
    gpupdate /force
     
  2. Do you want to disable all audit policies at once? Look here:
    Code:
    %SystemRoot%\System32\Auditpol /remove /allusers
    %SystemRoot%\System32\Auditpol /clear /y
    %SystemRoot%\System32\Auditpol /set /category:* /Success:Disable /failure:Disable
    
    Cross-check the results yourself.
     
  3. raptorddd
    Sorry, I do not understand. Run each line separately?
    This will stop logs? After a reboot will it still be stopped, or back on?
     
  4. As I have already seen you wrote many script codes which disable almost all audit policies, that's why I shared a single-line command to disable all audit policies at once.
    Why do so much work when you can do it in a single command? Why take so much pain?
     
  5. raptorddd
    OK, got it now. But just in case I need it back, how do I revert back to logs enabled? Or does it not survive a restart and need to be done every time?
    Makes sense to shorten the code.
    Thanks
     
  6. No, it can't be reverted back.
    No need to reboot the machine [instantly applied].
    One-time execution | no need to execute upon every reboot.

    Most Welcome
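For the revert question raised in the first post and again in post 5: auditpol.exe itself has `/backup` and `/restore` switches, so the policy a machine had before either disable script ran can be saved and put back. The PowerShell script below is an added example written for this thread, not code posted by anyone in it; the script name, the `-Action` parameter, and the default backup location under `%ProgramData%` are assumptions, and it expects an elevated prompt.

```powershell
<#
  Manage-AuditPolicy.ps1 (example name). Added example, not from the thread:
  snapshot the live audit policy before a disable script runs, restore it later,
  and show which subcategories differ from the snapshot.
  Run from an elevated PowerShell; auditpol.exe ships with Windows.
  $BackupPath is an assumed location; change it to suit.
#>
param(
    [ValidateSet('Backup', 'Restore', 'Diff')]
    [string]$Action = 'Backup',
    [string]$BackupPath = "$env:ProgramData\auditpol-backup.csv"
)

function Get-AuditPolicyTable {
    # "auditpol /get /r" prints one CSV row per subcategory; drop blank lines before parsing.
    auditpol /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
}

function Get-AuditedCount {
    # Number of subcategories whose inclusion setting is anything other than "No Auditing".
    @(Get-AuditPolicyTable | Where-Object { $_.'Inclusion Setting' -ne 'No Auditing' }).Count
}

function Assert-AuditpolSucceeded([string]$What) {
    if ($LASTEXITCODE -ne 0) { throw "auditpol $What failed with exit code $LASTEXITCODE" }
}

switch ($Action) {
    'Backup' {
        # Native backup file; this is the format /restore accepts.
        auditpol /backup "/file:$BackupPath"
        Assert-AuditpolSucceeded '/backup'
        Write-Host "Saved policy to $BackupPath ($(Get-AuditedCount) subcategories currently audited)"
    }
    'Restore' {
        if (-not (Test-Path -Path $BackupPath)) { throw "No backup at $BackupPath; nothing to restore" }
        auditpol /restore "/file:$BackupPath"
        Assert-AuditpolSucceeded '/restore'
        Write-Host "Policy restored; $(Get-AuditedCount) subcategories audited again"
    }
    'Diff' {
        # Assumption: the backup file carries the same 'Subcategory GUID' and
        # 'Inclusion Setting' columns as the /get /r output. Verify on your build.
        $saved   = Import-Csv -Path $BackupPath
        $live    = Get-AuditPolicyTable
        $changed = 0
        foreach ($s in $saved) {
            $l = $live | Where-Object { $_.'Subcategory GUID' -eq $s.'Subcategory GUID' }
            if ($l -and $l.'Inclusion Setting' -ne $s.'Inclusion Setting') {
                $changed++
                '{0,-45} saved: {1,-20} live: {2}' -f $s.Subcategory, $s.'Inclusion Setting', $l.'Inclusion Setting'
            }
        }
        Write-Host "$changed subcategories differ from the backup"
    }
}
```

Run `.\Manage-AuditPolicy.ps1 -Action Backup` before either disable script, `-Action Diff` to see what the script changed, and `-Action Restore` to get the earlier settings back. The `auditpol /clear /y` line in post 2 sets every subcategory to "No Auditing" rather than to the defaults, so a snapshot taken beforehand is the only reliable way to recover a specific machine's earlier policy. Each policy change is itself recorded as event 4719 ("System audit policy was changed") in the Security log, which is the event a defender reviews when a host suddenly stops producing audit records.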