Audit Security State Change

This security policy setting determines whether the operating system audits changes in the security state of a system and reports any of the following events:

  • System startup and shutdown. 
  • Change of system time. 
  • System recovery from CrashOnAuditFail. This event is logged after a system reboots following CrashOnAuditFail. 

Important: Some auditable activity may not be recorded when a system reboots due to CrashOnAuditFail.

System startup and shutdown events are important to understand system usage.

Event volume: Low

If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.

  • 4608: Windows is starting up.
  • 4609: Windows is shutting down.
  • 4616: The system time was changed.
  • 4621: Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.

Scope: Computer

Default: Success
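
The following PowerShell is an added example, not part of the original documentation: it shows the effective setting for this subcategory and then summarizes the four events listed above from the Security log. The 30-day lookback window and the output column names are assumptions chosen for illustration.

```powershell
# Added example: confirm the subcategory is audited, then review its events.
# Run from an elevated PowerShell prompt on the computer being checked.

# 1. Show the effective setting for this subcategory (documented default: Success).
auditpol /get /subcategory:"Security State Change"

# 2. Event IDs and descriptions as listed in this article.
$ids = @{
    4608 = 'Windows is starting up'
    4609 = 'Windows is shutting down'
    4616 = 'The system time was changed'
    4621 = 'Administrator recovered system from CrashOnAuditFail'
}

# 3. Pull matching events from the Security log (lookback window is an assumption).
$since  = (Get-Date).AddDays(-30)
$filter = @{ LogName = 'Security'; Id = [int[]]$ids.Keys; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # Flatten <EventData> into name/value pairs; the fields differ per event ID.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        Id          = $e.Id
        Meaning     = $ids[$e.Id]
        # The next four fields are populated for 4616 only; empty otherwise.
        User        = $data['SubjectUserName']
        Process     = $data['ProcessName']
        OldTime     = $data['PreviousTime']
        NewTime     = $data['NewTime']
    }
}

# 4. Timeline of state changes, then a count per event ID.
$report | Sort-Object TimeCreated | Format-Table -AutoSize
$report | Group-Object Id | Select-Object Name, Count

# To restore the documented default if step 1 shows "No Auditing":
# auditpol /set /subcategory:"Security State Change" /success:enable
```

An empty result in step 3 on a computer that has restarted within the lookback window usually means the subcategory is not being audited or the Security log has rolled over.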