Audit File Access
Hello All,

I need to enable a lot of auditing on the systems that I will soon be managing, and I need to be able to account for all commands that an elevated user, such as an Administrator user, can run. I hope to accomplish this with the use of Auditing File Access, but I need a starting point: a list of standard Windows (XP & 2003) files or exes that can only be run by an Administrator. Does anyone have a list of files or know how I can compile one? Does anyone know how I can capture commands entered by an admin in their entirety, including any flags? I've come from a *nix background, so please forgive me if this is fairly straightforward stuff.

Cheers
Dan
January 26th, 2007 7:18pm
A list of files which can only be accessed by administrators is huge and impractical. An update would make the list incomplete. If you set auditing on the files you wish to follow, like cmd.exe, plus a key logger, you will be able to see what happened (exactly). You could also set an audit to display failures, so an attempt by a user to access (or worse) a privileged object is also visible.

Information is the most valuable commodity I know of.
June 12th, 2009 4:37pm
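The file auditing suggested in the reply above, as an added example that is not part of the original thread: it puts a success-and-failure audit entry for execute access on each watched binary. It assumes Windows PowerShell in an elevated session, that "Audit object access" is already enabled in the audit policy, and that the account is allowed to change the file's security descriptor; the `Add-ExecuteAudit` helper and the `$targets` list are hypothetical names.

```powershell
# Added example, not code from the thread.
# Assumption: "Audit object access" is enabled for Success and Failure in the
# local or domain audit policy; without it the audit entry produces no events.

# Constructed sample list: the binaries the administrator chose to watch.
$targets = @(
    (Join-Path $env:SystemRoot 'System32\cmd.exe')
)

function Add-ExecuteAudit {
    param(
        [string]$Path,
        [string]$Identity = 'Everyone'   # audit every account, not only admins
    )

    $rights = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
    $flags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'

    # -Audit loads the SACL as well; this needs the "Manage auditing and
    # security log" right, which Administrators hold by default.
    $acl = Get-Acl -Path $Path -Audit

    # Do nothing if an explicit, equivalent audit entry is already present.
    $existing = $acl.GetAuditRules($true, $false, [System.Security.Principal.NTAccount]) |
        Where-Object {
            $_.IdentityReference.Value -eq $Identity -and
            ($_.FileSystemRights -band $rights) -eq $rights -and
            $_.AuditFlags -eq $flags
        }
    if ($existing) { return "already audited: $Path" }

    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity, $rights, $flags)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    "audit entry added: $Path"
}

foreach ($t in $targets) {
    if (Test-Path -LiteralPath $t) { Add-ExecuteAudit -Path $t }
    else { "missing: $t" }
}
```

Failed execute attempts by unprivileged users and successful launches both land in the Security event log once the entry is in place.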