How Windows Auditing Works

The Windows audit subsystem works in conjunction with the components that make security decisions, and with the event log service, to generate security events in a trustworthy manner. Components that make security decisions—often called security reference monitors—are instrumented so that when a security decision is made or other security-relevant activity takes place, they notify the auditing subsystem and pass along the details of the activity. The auditing subsystem formats these details as event records, making sure that the data is presented in a consistent fashion, and discards any generated events that audit policy says should not be logged. The remaining events are sent to the event ...
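The policy filter described above can be checked on a live system. The following PowerShell is an added example, not part of the original page: it lists the audit subcategories whose events are currently discarded and compares policy against what recently reached the Security log. It assumes an elevated prompt, an English-language system, and that an event's task category carries the name of its audit subcategory.

```powershell
# Added example. Run from an elevated prompt on an English-language system
# (auditpol.exe localizes the setting text it prints).

# /r prints the effective policy as CSV with the columns: Machine Name,
# Policy Target, Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.
$policy = auditpol.exe /get /category:* /r |
    Where-Object { $_.Trim() } |          # drop blank separator lines
    ConvertFrom-Csv

# Count recent Security log records per task category.
# Assumption: the task category of a security event matches the name of
# the audit subcategory that produced it.
$counts = @{}
Get-WinEvent -LogName Security -MaxEvents 5000 |
    Group-Object TaskDisplayName |
    ForEach-Object { $counts[$_.Name] = $_.Count }

# One row per subcategory: what policy says, and what reached the log.
$report = foreach ($row in $policy) {
    $name = $row.Subcategory.Trim()
    [pscustomobject]@{
        Subcategory  = $name
        Setting      = $row.'Inclusion Setting'
        RecentEvents = [int]$counts[$name]   # a missing key becomes 0
    }
}

# Subcategories whose events the audit subsystem discards before logging.
$report | Where-Object Setting -eq 'No Auditing' |
    Sort-Object Subcategory | Format-Table -AutoSize

# Enabled subcategories with no events in the sample: either the activity
# did not occur, or the sample window is too short to show it.
$report | Where-Object { $_.Setting -ne 'No Auditing' -and $_.RecentEvents -eq 0 } |
    Sort-Object Subcategory | Format-Table -AutoSize
```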

