EC-Council

312-49 · Question #49

312-49 Question #49: Real Exam Question with Answer & Explanation

The correct answer is A: 4902.

Submitted by eva_at · Apr 18, 2026 · Computer Forensics Investigation Process

Question

When a system is compromised, attackers often try to disable auditing. In Windows 7, modifications to the audit policy are recorded as entries of Event ID ____________.

Options

  • A. 4902
  • B. 3902
  • C. 4904
  • D. 3904

Explanation

In Windows 7 (and Windows Server 2008 R2), Event ID 4902 is logged in the Security event log whenever the per-user audit policy table is created — meaning changes or modifications to the audit policy are recorded under this Event ID. This is significant in forensic investigations because attackers who compromise a system often attempt to disable or modify auditing to cover their tracks. Monitoring Event ID 4902 allows investigators to detect tampering with the audit policy itself. The other Event IDs listed (3902, 4904, 3904) either do not exist or relate to different events.

Topics

#Windows Event IDs #Audit Policy #Security Monitoring #Post-compromise Indicators
