MZ@ !L!This program cannot be run in DOS mode. $Rؕ3}3}3}H̴3}H̱3}Rich3}PEL!  N`@L.rsrcPN@@( @XpFXMUINU~< F:V.aqHG MUI zh-CN  $ @(ul: AuditPol command [<sub-command><options>] %n }TN (k!kgbLNAQN*N}TN) /? .^R(N N NevsQ) /get >f:yS_MR[8hV{eu0 /set n[8hV{eu0 /list >f:yS bvV{euCQ }0 /backup \[8hV{euOX[0ReN0 /restore \[8hV{euNeN؏S0 /clear nd[8hV{eu0 /remove Rd(u7b^7bvk(u7b[8hV{eu0 /resourceSACL MnhQ@\Dn SACL %n gsQk*N}TNv~Oo` O(u AuditPol <command> /? ` (ul: AuditPol /get [/user[:<username>|<{sid}>]] [/category:*|<name>|<{guid}>[,:<name>|<{guid}>...]] [/subcategory:<name>|<{guid}>[,:<name>|<{guid}>...]] [/option:<option name>] [/sd] [/r] %n dk}TN>f:yS_MR[8hV{eu0 %n }TN /? .^R(N N NevsQ) /user :NvQgk(u7b[8hV{euv[hQ;NSO0 _{c[ /category b /subcategory y0 SN\(u7bc[:N SID b Ty0Yg*gc[ (u7b^7b Rg|~[8h V{eu0 /category GUID b Tyc[vN*NbY*N[8h{|+R0 SNO(ufS("*")h:y^g@b g [8h{|+R0 /subcategory GUID b Tyc[vN*NbY*N [8hP[{|+R0 /sd h"}(uN\Y>m0R[8hV{euv [hQc&{0 /option h"} CrashOnAuditFail0 FullPrivilegeAuditing0AuditBaseObjects b AuditBaseDirectories vs gV{eu0 /r NbJT(CSV)f:yQ0 %n :yO(ul: auditpol /get /user:domain\user /Category:"Detailed Tracking","Object Access" auditpol /get /Subcategory:{0cce9212-69ae-11d9-bed3-505054503030} /r auditpol /get /option:CrashOnAuditFail auditpol /get /user:{S-1-5-21-397123417-1234567} /Category:"System" auditpol /get /sd |(ul: AuditPol /set [/user[:<username>|<{sid}>][/include][/exclude]] [/category:<name>|<{guid}>[,:<name>|<{guid}>...]] [/success:<enable>|<disable>][/failure:<enable>|<disable>] [/subcategory:<name>|<{guid}>[,:<name>|<{guid}>...]] [/success:<enable>|<disable>][/failure:<enable>|<disable>] [/option:<option name> /value:<enable>|<disable>] %n dk}TNnS_MR[8hV{eu0 %n }TN /? .^R(N N NevsQ) /user :NvQn{|+R/P[{|+Rc [vk(u7b[8hV{euv[hQ;NSO0_ {c[{|+RbP[{|+R y \O:N SID b Ty0 /include N /user Nwc[h:y(u7bv k(u7bV{eu\[ub[8h sS O N1u|~[8hV{euc[0dkn /f؞n Yg*g>f_c[ /include b /exclude y RꁨR^(udkn0 /exclude N /user Nwc[h:ye| ~[8hV{euYUO (u7bvk(u7bV{ eu\[[8hSm0^\N Administrators ,g0W~bXTv(u7b NcPdkn0 /category GUID b Tyc[vN*NbY*N[8h{|+R0 Yg*gc[(u7b Rn|~V{eu0 /subcategory GUID b Tyc[vN*NbY*N[8hP[{|+R0 Yg*gc[(u7b Rn|~V{eu0 /success c[bR[8h0dkn/f؞n Yg *g>f:yc[ /success b /failure y RꁨR^(udkn0dkn_{N hf/f/T(u؏/fy(un vSpeqQ TO(u0 /failure c[1Y%[8h0dkn_{N enable b disable SpeNw O(u c[/T(uby(un0 /option n CrashOnAuditFail0FullPrivilegeAuditing0 AuditBaseObjects b AuditBaseDirectories v [8hV{eu0 /sd n(uN\Y>m0R[8hV{euv[hQ c&{0_{O(u SDDL c[[hQc &{0[hQc&{_{ wQ g DACL0 %n :yO: auditpol /set /user:domain\user /Category:"System" /success:enable /include auditpol /set /subcategory:{0cce9212-69ae-11d9-bed3-505054503030} /failure:disable auditpol /set /option:CrashOnAuditFail /value:enable auditpol /set /sd:D:(A;;DCSWRPDTRC;;;BA)(A;;DCSWRPDTRC;;;SY) 4(ul: AuditPol /list [/user|/category|/subcategory[:<categoryname>|<{guid}>|*] [/v] [/r] %n dk}TNRQ[8hV{eu{|+R0P[{|+R bRQ:NvQ[IN k(u7b[8hV{euv(u7b0 %n }TN /? .^R(N N NevsQ) /user h"}:NvQ[INk(u7b[8hV{euv@b g(u7b0 YgN /v yqQ TO(u R Te>f:y(u 7bv SID0 /category >f:y|~t㉄v{|+Rv Ty0 YgN /v yqQ TO(u R Te>f:y{|+R GUID0 /subcategory >f:y|~t㉄vP[{|+R Ty (uNc[{|+R-NvP[{|+R0 YgO(u /v y R Te >f:yP[{|+R GUID0 %n :yO: auditpol /list /user auditpol /list /category /v auditpol /list /subcategory:"Detailed Tracking","Object Access" (ul: AuditPol /clear [/y] dk}TN Rd@b g(u7bvk(u7b[8hV{eu ͑n @b gP[{|+Rv|~[8hV{eu v^\@b g[8h yn:Ny(u0 %n y /? .^R(N N NevsQ)0 /y Smnx/f&T^nd @b g[8hV{euvc:y0 %n :yO: auditpol /clear auditpol /clear /y (ul: AuditPol /remove [/user[:<username>|<{sid}>]] [/allusers] %n dk}TN Rdc[^7bvk(u7b[8hV{eu0 %n y /? .^R(N N NevsQ)0 /user c[:NvQ Rdk(u7b[8hV{eu v(u7bv SID b(u7b T /allusers Rd@b g(u7bvk(u7b[8hV{eu0 %n :yO: auditpol /remove /user:{S-1-5-21-397123417-1234567} auditpol /remove /allusers (ul: AuditPol /backup /file:<filename> %n dk}TN\|~[8hV{eun0@b g(u7bvk(u7b[8hV{eun T@b g[8h yYN0RN*NeN0YN\QeQ0R CSV %n dk}TN\NO(u /backup }TNR^veN-N؏S |~[8hV{eun0@b g(u7bvk(u7b[8hV{eu nT@b g[8h y0 %n y /? .^R(N N NevsQ)0 /file c[^NvQS[8hV{euveN0 eN_{]~1u /backup yR^ b_{N勇eN [/success] [/failure] /user:<user> [/access:<access flags>] [/condition:<expression>]] [/remove /type:<resource> /user:<user> [/type:<resource>]] [/clear [/type:<resource>]] [/view [/user:<user>] [/type:<resource>]] %n dk}TN:NhQ@\[a[8hMnn0 :N|~ubvNN/T(u v^v[aP[{|+R0.eQ auditpol /set /? S~Oo`0 %n }TN /? >f:y}TNv.^R0 /set (WDn|~c6RRh-N :Nc[vDn{|WmReagv bfes gagv0 /remove N cgqDn{|Wc[vhQ@\[a[8hRh-N Rd~[(u7bv@b g agv0 /clear NhQ@\[a[8hRh-N :Nc[vDn{|W Rd@b gagv0 /view [c[vDn{|WT(u7b RQhQ@\[a[8hagv0 c[(u7b/fS v0 %n Spe %n /type ck(W:NvQMn[a[8h vDn0/ecvSpee(W'YbS-N0 OY: {S-1-5-21-5624481-130208933-164394174-1001} fJT: YgO(u SID b__ R NgbLNUOhgeg dk^7bvX[(W0 /access c[S(uN N$Nyb__KNN c[vCgPcx: - {USCgP^R: N,CgP: GA - N,[hQCgP GR - N,SCgP GW - N,QeQCgP GX - N,gbLCgP eNCgP: FA - eN[hQCgP FR - eNN,SCgP FW - eNN,QeQCgP FX - eNN,gbLCgP lQhyCgP: KA - lQhy[hQCgP KR - lQhySCgP KW - lQhyQeQCgP KX - lQhygbLCgP OY: "/access:FRFW" \/T(u[8hNNv Qd\O0 - h:ycxvASmQۏ6R