Question
Monday, July 3, 2017 6:17 AM
How should I configure Windows 10 to log changes made to Certificate Store to EventLog?
Till now I am only getting events with ID 1004 (certificate deleted) and nothing else. What I want to get is all events about certificate store modifications, probably the most important being certificate import to root CA list. I tried importing a certificate to root CA through MMC, and it did not produce any event at all (only removal does).
Thank you.
All replies (5)
Tuesday, July 4, 2017 2:10 AM
Hi Milhail,
You could trace this event entry:
Event Viewer\Applications and Services logs\Microsoft\Windows\CertificateServicesClient-Lifecycle-User\Operational
Event Viewer\Applications and Services logs\Microsoft\Windows\CertificateServicesClient-Lifecycle-System\Operational
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Tuesday, July 4, 2017 4:55 AM
Hi Karen, and thank you for your attention.
As I initially wrote, in that log I see only events with ID 1004, corresponding to certificate removal, which is probably not so critical as new certificate installation, which goes undetected by Windows logs.
On the picture attached, I added a random certificate several times to current user's store and to local computer store, and in the logs there are only events generated when I removed my certificate.
Thursday, July 6, 2017 10:01 AM
Hi,
Here is my event viewer screenshot:
As you can see, event ID 1006 is for certification installation.
Thursday, July 6, 2017 11:22 AM
That is exactly what I wanted to get on my system, but I could not. Please, could you briefly describe how you added the certificate (I tried certutil and certmgr), what your system is (I tried win8, 10 and 2012R2) and how the corresponding audit policies are set up?
Thank you.
Monday, July 10, 2017 9:33 AM
Hi Mihail,
My build is Windows 10 1703, and I do not have any special configuration. Just enable the above two event logs.
And based on my test, not all certification installations can be recorded to this log.
There is no other way to trace the certification store.
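The two channels named in the replies can be enabled and queried for the event IDs discussed in this thread (1004 and 1006) from PowerShell. This is an added example, not part of the original thread; the channel names are the Event Viewer paths above written in the form `wevtutil` and `Get-WinEvent` expect, and as the last reply notes, not every installation is recorded there.

```powershell
# Run from an elevated PowerShell prompt; enabling a channel requires administrator rights.
$channels = @(
    'Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational',
    'Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational'
)

# Event IDs named in this thread; other IDs in these channels are not covered here.
$idMeaning = @{ 1004 = 'certificate deleted'; 1006 = 'certificate installed' }

foreach ($channel in $channels) {
    # Enable the channel if it is currently disabled.
    $cfg = Get-WinEvent -ListLog $channel -ErrorAction Stop
    if (-not $cfg.IsEnabled) {
        wevtutil.exe set-log $channel /enabled:true
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not enable $channel"; continue }
    }

    # Get-WinEvent raises an error when nothing matches, so suppress that case.
    $events = Get-WinEvent -FilterHashtable @{ LogName = $channel; Id = 1004, 1006 } `
                           -MaxEvents 200 -ErrorAction SilentlyContinue
    if (-not $events) { Write-Host "No 1004/1006 events in $channel"; continue }

    # One row per event, oldest first, with the first line of the rendered message.
    $events | Sort-Object TimeCreated | ForEach-Object {
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Channel     = $_.LogName
            Id          = $_.Id
            Action      = $idMeaning[[int]$_.Id]
            Summary     = ($_.Message -split "`r?`n")[0]
        }
    } | Format-Table -AutoSize -Wrap
}
```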