New Year Sale 2026! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

GAQM CFA-001 Exam - Topic 4 Question 109 Discussion

Actual exam question for GAQM's CFA-001 exam
Question #: 109
Topic #: 4
[All CFA-001 Questions]

When a system is compromised, attackers often try to disable auditing, in Windows 7; modifications to the audit policy are recorded as entries of Event ID____________.

Show Suggested Answer Hide Answer
Suggested Answer: A

by Gianna at Jul 10, 2025, 01:00 AM

Limited Time Offer

25%

Off

Get Premium CFA-001 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
In
2 months ago
Wait, are you sure? I always mix those up!
upvoted 0 times
...
Major
2 months ago
Agreed, 4902 is the right one!
upvoted 0 times
...
Elin
3 months ago
I thought it was 4904 for some reason.
upvoted 0 times
...
Vincenza
3 months ago
Nah, it's 4902. No doubt about it.
upvoted 0 times
...
Vicente
3 months ago
It's definitely Event ID 4902.
upvoted 0 times
...
Micaela
3 months ago
I definitely recall 4902 being tied to audit policy modifications. It’s one of those key IDs we went over in class.
upvoted 0 times
...
Lucina
4 months ago
I’m a bit confused. I thought it was 3902, but now that I think about it, that might be related to something else.
upvoted 0 times
...
Erinn
4 months ago
I remember practicing a question about Windows event logs, and I feel like 4904 was mentioned a lot. Maybe that's it?
upvoted 0 times
...
Louvenia
4 months ago
I think the Event ID for audit policy changes is 4902, but I'm not completely sure. It sounds familiar from the study materials.
upvoted 0 times
...
Willodean
4 months ago
I'm a little confused by this question. I know it's related to auditing in Windows 7, but I'm not sure which specific Event ID is used to record audit policy modifications. I'll have to review my study materials and try to eliminate the incorrect options.
upvoted 0 times
...
Jutta
4 months ago
Okay, let me think this through step-by-step. When a system is compromised, attackers often try to disable auditing to cover their tracks. In Windows 7, the audit policy changes are recorded as Event IDs. I believe the correct answer is Event ID 4902, but I'll double-check my notes to be sure.
upvoted 0 times
...
Johnna
4 months ago
Hmm, I'm a bit unsure about this. I know it has to do with auditing in Windows 7, but I'm not completely sure which Event ID is used to record audit policy changes. I'll have to think this through carefully.
upvoted 0 times
...
Julieta
5 months ago
I'm pretty confident on this one. The question is asking about the Event ID that records audit policy modifications in Windows 7, and the answer is clearly Event ID 4904.
upvoted 0 times
...
Earleen
6 months ago
Ah, the age-old battle between hackers and security nerds. I bet the right answer is 'Ctrl + Alt + Delete' - that's the universal fix-all, right?
upvoted 0 times
...
Milly
6 months ago
Wait, is this a trick question? What if the right answer is something totally unexpected, like 'All of the above'? Hmm, I'm going with B) 3902 just to be safe.
upvoted 0 times
Leatha
5 months ago
I'm going with D) 3904.
upvoted 0 times
...
Hannah
5 months ago
I'm pretty sure it's A) 4902.
upvoted 0 times
...
Benedict
5 months ago
I think it's C) 4904, actually.
upvoted 0 times
...
...
Brandon
7 months ago
Disabling auditing, huh? That's like trying to hide your tracks after robbing a bank. The answer's gotta be D) 3904 - it's just too perfect.
upvoted 0 times
...
Kayleigh
7 months ago
Oh man, I bet the hackers are hoping we'll all get this one wrong! But not on my watch. The answer is A) 4902, I'm certain of it.
upvoted 0 times
Gearldine
5 months ago
Thanks for the tip, I'll go with A) 4902 as well.
upvoted 0 times
...
Tonette
5 months ago
I agree, A) 4902 is the correct Event ID for modifications to the audit policy.
upvoted 0 times
...
Sherita
7 months ago
I think you're right, A) 4902 sounds like the correct answer.
upvoted 0 times
...
...
Ernie
7 months ago
Actually, Dyan, the correct answer is A) 4902 because that's the Event ID for modifications to the audit policy in Windows 7.
upvoted 0 times
...
Dyan
7 months ago
I'm not sure, but I think it might be C) 4904.
upvoted 0 times
...
Shawn
8 months ago
Hmm, this is a tricky one. Disabling auditing is a classic move by attackers, so we need to know the right Event ID to look for. I'm going with C) 4904 - it just sounds right to me.
upvoted 0 times
Lorrie
5 months ago
I agree with you, I'll keep an eye out for Event ID 4902 as well.
upvoted 0 times
...
Kip
7 months ago
I agree with you, C) 4904 seems like the right choice to track modifications to the audit policy.
upvoted 0 times
...
Tracey
7 months ago
I think it's A) 4902, that's the one to watch out for.
upvoted 0 times
...
Ty
7 months ago
I'm going with D) 3904, I have a feeling that's the correct Event ID.
upvoted 0 times
...
Helene
7 months ago
I think it's A) 4902, that's the one to watch out for.
upvoted 0 times
...
...
Erinn
8 months ago
I agree with Brandon, because modifications to the audit policy are recorded as entries of Event ID 4902.
upvoted 0 times
...
Brandon
8 months ago
I think the answer is A) 4902.
upvoted 0 times
...

Save Cancel