NT can keep an audit trail of security-related events. As shown in Figure 2, these events can include either the successful or unsuccessful attempts (or both) to invoke selected actions. These actions include: logging on and off, file and object access, invocation of user rights, user and group management, changes to security policy, system shutdown and restarts, and process tracking (which basically records when user and application processes start and stop). The administrator establishes the audit policy by checking any or all of these actions for success and/or failure. In addition, an application running under NT can define its own auditable events. Applications can define these events in the Registry at installation time.