利用 secedit.exe 配置本地审核策略

if exist samtool.sdb erase samtool.sdb /q
if exist samtool.inf erase samtool.inf /q
if exist samtool.log erase samtool.log /q

if {%1} == {-b} secedit /export /cfg %2 /log samtool.log /quiet

if {%1} == {-r} secedit /configure /db samtool.sdb /cfg %2 /log samtool.log /quiet

if {%1} == {-o} (
 if {%4} == {}       goto :help
 if not {%3} == {-p} goto :help

 echo %4 | findstr "[0-3]" >nul || goto :help

 rem pushd %windir%\system32\
 echo.[version]       >>samtool.inf
 echo.signature="$chicago$"    >>samtool.inf
 echo.[event audit]      >>samtool.inf

 echo.%2 | findstr "d" >nul && echo.auditdsaccess=%4   >>samtool.inf
 echo.%2 | findstr "e" >nul && echo.auditlogonevents=%4  >>samtool.inf
 echo.%2 | findstr "s" >nul && echo.auditsystemevents=%4  >>samtool.inf
 echo.%2 | findstr "o" >nul && echo.auditobjectaccess=%4  >>samtool.inf
 echo.%2 | findstr "u" >nul && echo.auditprivilegeuse=%4  >>samtool.inf
 echo.%2 | findstr "c" >nul && echo.auditpolicychange=%4  >>samtool.inf
 echo.%2 | findstr "l" >nul && echo.auditaccountlogon=%4  >>samtool.inf
 echo.%2 | findstr "m" >nul && echo.auditaccountmanage=%4  >>samtool.inf
 echo.%2 | findstr "p" >nul && echo.auditprocesstracking=%4 >>samtool.inf

 if {%2} == {a} (
  echo.auditdsaccess=%4     >>samtool.inf
  echo.auditlogonevents=%4    >>samtool.inf
  echo.auditsystemevents=%4    >>samtool.inf
  echo.auditobjectaccess=%4    >>samtool.inf
  echo.auditprivilegeuse=%4    >>samtool.inf
  echo.auditpolicychange=%4    >>samtool.inf
  echo.auditaccountlogon=%4    >>samtool.inf
  echo.auditaccountmanage=%4    >>samtool.inf
  echo.auditprocesstracking=%4   >>samtool.inf
 )
 secedit /configure /db samtool.sdb /cfg samtool.inf /log samtool.log /quiet
)

if {%3} == {-v} type samtool.log
if {%5} == {-v} type samtool.log

if exist samtool.sdb erase samtool.sdb /q
if exist samtool.inf erase samtool.inf /q
if exist samtool.log erase samtool.log /q

exit /b

:help
cls
echo.system audit strategy manage tool. (c) copyright 2013 enun-net.
echo.
echo.usage: samtool -b^|r [drive:][path][filename] -o options -p parameters -v
echo.        
echo.         -b backup the current configuration, specifies an inf file.
echo.         -r from an inf file recovery configuration.
echo.         -o options^(support multiple^):
echo.     d: directory service access
echo.     e: logon events
echo.     s: system events
echo.     o: object access
echo.     u: privilege use
echo.     c: policy change
echo.     l: account logon
echo.     m: account manage
echo.     p: process tracking
echo.     a: all audit
echo.         -p parameters:
echo.     0: don't audit
echo.     1: only audit successful
echo.     2: only audit failure
echo.     3: all audit ^(successful and failure^)
echo.         -v detailed results.
echo.
echo.example: samtool -o ec -p 0 -v
echo.         samtool -b c:\myconfig.inf -v
exit /b