Enable Notifications
- Local Group Policy Editor (gpedit.msc) > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit object access on Failure
- Event Viewer (eventvwr.msc) > Windows Logs > Security
- Local Security Policy (secpol.msc) > Advanced Audit Policy Configuration > Object Access > Disable Audit Handle Manipulation
Protocol Numbers
- 1: ICMPv4
- 2: IGMP
- 6: TCP
- 17: UDP
- 41: IPv6
- 43: IPv6-Route
- 44: IPv6-Frag
- 47: GRE
- 58: ICMPv6
- 59: IPv6-NoNxt
- 60: IPv6-Opts
- 112: VRRP
- 113: PGM
- 115: L2TP
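The Security-log events produced by the failure auditing above record the IP protocol as a bare number, so the list is what turns an entry into something readable. The PowerShell below is an added example, not part of the original notes: it parses the XML of one such event and labels the protocol using that list. The function name, the event IDs 5152/5157 and the EventData field names are assumptions about the Filtering Platform events, and the sample event is constructed.

```powershell
# Added example, not from the original notes. Names come from the Protocol Numbers list.
$ProtocolNames = @{
    1 = 'ICMPv4'; 2 = 'IGMP'; 6 = 'TCP'; 17 = 'UDP'; 41 = 'IPv6'
    43 = 'IPv6-Route'; 44 = 'IPv6-Frag'; 47 = 'GRE'; 58 = 'ICMPv6'
    59 = 'IPv6-NoNxt'; 60 = 'IPv6-Opts'; 112 = 'VRRP'; 113 = 'PGM'; 115 = 'L2TP'
}

# Hypothetical helper: turns one event's XML into an object with a readable protocol.
function ConvertFrom-WfpDropXml {
    param([Parameter(Mandatory)][string]$Xml)
    $evt = ([xml]$Xml).Event
    $data = @{}
    # Each <Data Name="...">value</Data> element becomes one hashtable entry.
    foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $number = [int]$data['Protocol']
    $name = $ProtocolNames[$number]
    if (-not $name) { $name = "unknown ($number)" }   # number not in the list above
    [pscustomobject]@{
        EventId     = [int]$evt.System.EventID
        Application = $data['Application']
        Source      = '{0}:{1}' -f $data['SourceAddress'], $data['SourcePort']
        Destination = '{0}:{1}' -f $data['DestAddress'], $data['DestPort']
        Protocol    = $name
    }
}

# Constructed sample in the shape of a Security-log event (all values are made up).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5152</EventID></System>
  <EventData>
    <Data Name="Application">\device\harddiskvolume2\windows\system32\svchost.exe</Data>
    <Data Name="SourceAddress">192.0.2.10</Data>
    <Data Name="SourcePort">51000</Data>
    <Data Name="DestAddress">192.0.2.20</Data>
    <Data Name="DestPort">3389</Data>
    <Data Name="Protocol">6</Data>
  </EventData>
</Event>
'@
ConvertFrom-WfpDropXml $sample | Format-List

# Live use from an elevated prompt (5152 = packet blocked, 5157 = connection blocked):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152, 5157 } -MaxEvents 200 |
#     ForEach-Object { ConvertFrom-WfpDropXml $_.ToXml() } |
#     Group-Object Protocol, Destination | Sort-Object Count -Descending
```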
Before Windows 7, this was needed:
- auditpol /set /SubCategory:"MPSSVC Rule-Level Policy Change","Filtering Platform Policy Change","IPsec Main Mode","IPsec Quick Mode","IPsec Extended Mode","IPsec Driver","Other System Events","Filtering Platform Packet Drop","Filtering Platform Connection" /success:disable /failure:enable
- net stop MPSSVC
- net start MPSSVC