Configuring Hyper-V auditing


In many cases we protect our physical and virtual servers with Windows Updates, an antivirus, access control, and so on. However, to address security concerns when they arise, another key factor needs to be considered: tracking unsolicited access or unauthorized actions on your system, or simply monitoring when and how the Hyper-V administrators are managing it, especially when you belong to a team that manages the whole IT infrastructure.

The best way to get these results is by configuring auditing. By default, all Hyper-V events are logged in Event Viewer and can be used to diagnose a problem or to track what other Hyper-V admins have done.

You can also see all changes to Hyper-V roles and authorization rights with the Audit File System policy, which is not enabled by default.

How to do it

The following steps demonstrate how to use the default data in Event Viewer to audit Hyper-V changes, and how to use Object Access auditing to check changes to the Hyper-V permissions.

1. To see specific Hyper-V event logs, launch the Start menu and type event viewer. From the search results, open Event Viewer.

2. In the Event Viewer console, expand Applications and Services Logs > Microsoft > Windows.

3. Scroll down until you find the Hyper-V log folders, as shown in the following screenshot:


4. To use the default Event Viewer filter that shows all Hyper-V logs in a single view, in the Event Viewer console click on Custom Views, expand Server Roles, and click on Hyper-V, as shown in the following screenshot:


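The same view can be produced from a PowerShell prompt on the host, which is useful when you want to script the check or keep a record of it. The following is an added example and not code from the original article: it enumerates every Hyper-V log under Applications and Services Logs > Microsoft > Windows and reads recent entries from all of them in one query, which is what the Server Roles > Hyper-V custom view does in the GUI. The 24-hour window is an assumption; adjust it to the period you want to review.

```powershell
# Added example (not from the original article): scripted equivalent of
# steps 1-4. Run on the Hyper-V host.

# All Hyper-V channels share the "Microsoft-Windows-Hyper-V-" prefix, so a
# wildcard picks them up without hardcoding channel names.
$hvLogs = Get-WinEvent -ListLog 'Microsoft-Windows-Hyper-V-*' -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled -and $_.RecordCount -gt 0 }

# Which channels exist and how many records each holds.
$hvLogs | Select-Object LogName, RecordCount, IsEnabled | Format-Table -AutoSize

# Pull the last 24 hours of events across those channels (assumed window).
$filter = @{
    LogName   = @($hvLogs.LogName)
    StartTime = (Get-Date).AddHours(-24)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# A count per channel and event ID makes repeated operations stand out.
$events |
    Group-Object LogName, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Individual events with the account that triggered them. Most Hyper-V
# channels record the caller's SID in UserId; translation can fail for
# deleted or foreign accounts, so fall back to the raw SID string.
$events |
    Select-Object TimeCreated, LogName, Id, LevelDisplayName,
        @{ Name = 'User'; Expression = {
            $sid = $_.UserId
            if ($null -eq $sid) { return '' }
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        } },
        Message |
    Format-Table -Wrap
```

Grouping by channel and event ID first is deliberate: on a busy host the raw list is long, and the summary shows at a glance which operations (VM start, stop, configuration change) were performed in the window before you drill into individual entries.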
5. To enable auditing for Hyper-V roles and authorization rights, launch the Start menu and type gpedit.msc. Select gpedit from the search results to open the Local Group Policy Editor.

6. In the Local Group Policy Editor console, under Computer Configuration, expand Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies, and select Object Access.

7. In the right-hand pane, double-click on Audit File System.

8. In the Audit File System Properties window, check the Configure the following audit events checkbox.

9. Check the checkboxes for Success and Failure under Configure the following audit events, as shown in the following screenshot:


10. Click on OK and close the Local Group Policy Editor console.

11. Open Windows Explorer from the taskbar.

12. In the address bar, type the path C:\ProgramData\Microsoft\Windows\Hyper-V and press Enter.

13. In the results pane, right-click on the file named InitialStore and click on Properties.

14. In the InitialStore Properties window, select the Security tab and click on the Advanced button.

15. In the Advanced Security Settings for InitialStore window, select the Auditing tab and click on Add.

16. In the Auditing Entry for InitialStore window, click on the hyperlink Select a principal.

17. Type Everyone in the entry box and click on OK.

18. In the drop-down box next to Type, select All.

19. Under Permissions, select the Full control checkbox. The Auditing Entry for InitialStore window will look similar to the following screenshot:


20. To verify the audit log entries, open Event Viewer again, expand Windows Logs, and click on the Security log.

21. The events will be listed with File System as the Task Category and Microsoft Windows security as the Source. Also check under Object Name that the file is InitialStore.xml.

22. In the following screenshot, an event shows that someone has successfully accessed the InitialStore.xml file:


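Steps 5 to 22 can also be applied and verified from an elevated PowerShell session, which is handy when you have several hosts to configure consistently. The following is an added example and not code from the original article. It assumes the authorization store is at the path the article gives, C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml, and relies on two well-known Security log event IDs: 4656 (a handle to an object was requested) and 4663 (an attempt was made to access an object), which are what the File System task category produces once the policy and the file's audit entry are in place.

```powershell
# Added example (not from the original article): scripted equivalent of
# steps 5-22. Run from an elevated PowerShell session on the Hyper-V host.

# Assumption: the store lives at the path given in the article.
$store = 'C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml'

# 1. Enable Object Access > Audit File System for success and failure.
#    This is the same setting as Advanced Audit Policy Configuration >
#    System Audit Policies > Object Access > Audit File System in gpedit.msc.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol.exe /get /subcategory:"File System"   # confirm the setting took effect

# 2. Add an audit entry (SACL) for Everyone, Type = All, Full control.
#    Reading or writing the SACL needs SeSecurityPrivilege, hence -Audit and
#    the elevated session.
$acl      = Get-Acl -Path $store -Audit
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')  # well-known SID for Everyone
$flags    = [System.Security.AccessControl.AuditFlags]::Success -bor
            [System.Security.AccessControl.AuditFlags]::Failure
$rule     = New-Object System.Security.AccessControl.FileSystemAuditRule(
                $everyone,
                [System.Security.AccessControl.FileSystemRights]::FullControl,
                $flags)
$acl.AddAuditRule($rule)
Set-Acl -Path $store -AclObject $acl

# Show the resulting audit entries, as the Auditing tab would.
(Get-Acl -Path $store -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# 3. Read back object-access events for the file from the Security log.
#    The EventData fields are taken from the event XML rather than the
#    rendered message, so the filter does not depend on message formatting.
$filter = @{
    LogName   = 'Security'
    Id        = 4656, 4663
    StartTime = (Get-Date).AddHours(-1)   # assumed window
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Account = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
            Domain  = ($data | Where-Object Name -eq 'SubjectDomainName').'#text'
            Object  = ($data | Where-Object Name -eq 'ObjectName').'#text'
            Process = ($data | Where-Object Name -eq 'ProcessName').'#text'
        }
    } |
    Where-Object { $_.Object -like '*InitialStore.xml' } |
    Format-Table -AutoSize
```

Because the entry audits Everyone with Full control, the Virtual Machine Management Service itself will generate events whenever it reads or rewrites the store; the Account and Process columns are what let you separate that routine service activity from an administrator editing Hyper-V permissions, which is the activity this audit is meant to catch.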
Written by Marcos Nogueira

With more than 17 years’ experience in Datacenter Architectures, Marcos Nogueira is currently working as a Chief Technology Officer at NogaIT Consulting. He is an expert in Private and Hybrid Cloud, with a focus on Virtualization, System Center and Microsoft Azure. He has worked in several industries, including Aerospace, Transportation, Energy, Manufacturing, Financial Services, Government, Health Care, Telecoms, IT Services, and Gas & Oil in different countries and continents.

Marcos is an MVP in Hyper-V and has been Microsoft Certified for more than 12 years, with more than 80 certifications (MCT, MCSE, and MCITP, among others). Marcos is also certified in VMware, CompTIA and ITIL v3. He has assisted Microsoft in developing workshops and special events on Private Cloud, System Center, Windows Server and Hyper-V, and has spoken at several Microsoft TechEd and community events around the world.