Update Visual C++ Runtime auditing guide

Author: TylerMSFT

docs/windows/redist-version-auditing.md

@@ -1,6 +1,6 @@
 ---
-title: "cpp-redist-version-auditing"
-description: "This article provides a detailed guide for auditing usage of Visual C++ Runtime versions within your organization."
+title: "How to audit Visual C++ Runtime version usage"
+description: "A detailed guide for auditing Visual C++ Runtime file usage."
 ms.date: 12/2/2024
 helpviewer_keywords:
   [
@@ -11,89 +11,74 @@ author: MahmoudGSaleh
 ms.author: msaleh
 ---
 
-# How to audit Visual C++ Runtime version usage within your organization
+# How to audit Visual C++ Runtime version usage
 
-The Microsoft Visual C++ Redistributable and the Visual Studio C++ Runtime (collectively, "VC Runtime") are critical components to thousands of applications. Across your enterprise network, machines may still be running applications that install and use an out-of-support version of the VC Runtime. NTFS File Auditing can be used to identify such usage as a step towards helping you replace these applications with ones that take a dependency on a supported version of the VC Runtime. This guide will walk you through setting up NTFS File Auditing, provide troubleshooting tips, and highlight the benefits of regular audits.
+The Microsoft Visual C++ Redistributable and the Visual Studio C++ Runtime (collectively, "VC Runtime") are critical components of many applications. Across your network, machines may still be running applications that install and use an out-of-support version of the VC Runtime. You can use NTFS File Auditing to identify such usage as a step towards helping you replace these applications with ones that take a dependency on a supported version of the VC Runtime. This guide walks you through setting up NTFS File Auditing, provided troubleshooting tips, and highlights the benefits of regular audits.
 
-For details on the versions of VC Runtime no longer supported, see [Microsoft Visual C++ Redistributable latest supported downloads](/cpp/windows/latest-supported-vc-redist).
+For more information about the versions of VC Runtime that are no longer supported, see [Microsoft Visual C++ Redistributable latest supported downloads](/cpp/windows/latest-supported-vc-redist).
 
-## Enabling NTFS File Auditing to determine usage of VC Runtime
+## Enable NTFS file auditing to determine VC Runtime usage
 
-NTFS File Auditing can be used to determine which process is calling VC Runtime files. You can use this information on machines with legacy versions of the VC Runtime already installed to determine which applications are calling the unsupported versions of the VC Runtime.
+You can use NTFS file auditing to determine which applications are calling the unsupported versions of the VC Runtime.
 
-This guide will first provide steps to manually enable NTFS File Auditing and review logs. Because there are several component files that can be used by an application, this guide also shows how to use PowerShell's [Get-Acl](/powershell/module/microsoft.powershell.security/get-acl) and [Set-Acl](/powershell/module/microsoft.powershell.security/set-acl) cmdlets to update Auditing permissions. For details on how to configure the audit policies on a file, see [Apply a basic audit policy on a file or folder.](/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder)
+This guide provides the steps to manually enable NTFS file auditing and review audit events. Because there are several files that can be used by an application, this guide also shows how to use PowerShell's [`Get-Acl`](/powershell/module/microsoft.powershell.security/get-acl) and [`Set-Acl`](/powershell/module/microsoft.powershell.security/set-acl) cmdlets to update auditing permissions. For more information about how to configure audit policies for a file, see [Apply a basic audit policy on a file or folder.](/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder)
 
 ### Manually enable object access auditing on the system
 
-Object access must be enabled before you enable file level auditing.
+Object access must be enabled before you enable file level auditing:
 
-1. Open Group Policy: Press Windows + R to open the **Run** dialog , type `gpedit.msc`, and press Enter.
-2. Navigate to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Advanced Audit Policy Configuration** > **System Audit Policies** > **Object Access**.
-3. Double-click on **Audit File System**. In the **Audit File System Properties** dialog, select **Configure the following audit events**, select **Success** and then select **OK**.
-4. Close the Group Policy Editor app
+1. Open Group Policy by pressing Windows + R to open the **Run** dialog, then type `gpedit.msc`, and press Enter.
+1. Navigate to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Advanced Audit Policy Configuration** > **System Audit Policies** > **Object Access**.
+1. Double-click **Audit File System**. In the **Audit File System Properties** dialog, select **Configure the following audit events** > **Success** > **OK**.
+1. Close the Group Policy Editor.
 
-Alternatively, you may use auditpol.exe to enable object access.
+Alternatively, you may use `auditpol.exe` to enable object access:
 
 1. List the current settings with `AuditPol.exe /get /category:"Object Access"`.
-2. Enable/Disable with `AuditPol.exe /set /category:"Object Access" /subcategory:"File System" /success:enable`.
+1. Enable access with `AuditPol.exe /set /category:"Object Access" /subcategory:"File System" /success:enable`.
 
 ### Manually enable auditing on a file
 
-To monitor which process is accessing a VC Runtime file, enable auditing on the file.
+To monitor which process accesses a VC Runtime file, enable auditing on the file:
 
-1. Right-click on the file that you want to audit, select **Properties**, and then select **Security** tab.
+1. Right-click on the file that you want to audit, select **Properties**, and then select the **Security** tab. For more information about finding installed VC Runtime files, see [VC Runtime installed locations](#vcruntime_install_location).
+1. Select **Advanced**.
+1. In the **Advanced Security Settings** dialog box, select the **Auditing** tab and then select **Continue**.
+1. To add a new auditing rule, select **Add**. In the **Auditing Entry** dialog, select a principal, then type the name of the user or group you want to add such as **(Everyone)**, and then select **OK**.
+1. In **Type**, select ensure that **Success** is selected.
+1. Select **Show advance permissions** > **Clear all** > **Traverse folder / execute file** > **OK**.
+1. There should now be a new row in the **Auditing** entries matching what you have selected. Select **OK**.
+1. In the **Properties** Dialog, select **OK**.
 
-    * See the section below [VC Runtime installed locations](#vcruntime_install_location) to find the VC Runtime files installed on a machine.
-
-2. Select **Advanced**.
-
-3. In the **Advanced Security Settings** dialog box, select **Auditing** tab and then select **Continue**.
-
-4. To add a new auditing rule, select **Add**. In the **Auditing Entry** dialog, select a principal, then type the name of the user or group you want to add (Everyone) and then select OK.
-
-5. In the Type box, use the default of **Success**.
-
-6. Select **Show advance permissions**, select **Clear all** and then select **Traverse folder / execute file**, and select **OK**.
-
-7. At this point there should be a new row in the **Auditing** entries matching what you have selected. Select **OK**.
-
-8. In the **Properties** Dialog, select **OK**.
-
-The audit rule is enabled now.
+The audit rule is now enabled.
 
 ### Manually review audit logs
 
-NTFS File Auditing will generate ["Event 4663: An attempt was made to access an object"](/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4663) for each file that includes + audit permission and the+ process accessing process namethe file.
+NTFS file auditing generates ["Event 4663: An attempt was made to access an object"](/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4663) for each file that includes the audit permission and that is accessed by a process.
 
-1. Open Event Viewer: Press Windows + R to open the **Run** dialog , type `eventvwr.msc`, and press Enter.
-
-2. Navigate to Security Logs: In the Event Viewer, expand Windows Logs and select **Security**. The results pane lists individual security events.
-
-3. Filter and Analyze the Logs: Use the **Filter Current Log** option to narrow down the events to Event ID 4663 (Audit Success for the File System Category).
+1. Open the Event Viewer by pressing `Windows` + `R` to open the **Run** dialog. Then type `eventvwr.msc`, and press Enter.
+1. Navigate to the **Security** logs in the Event Viewer by expanding **Windows Logs** > **Security**. The results pane lists security events.
+1. Filter and Analyze the logs by choosing **Filter Current Log...** in the **Actions** pane. Narrow down the events to **Event ID 4663 (Audit Success for the File System Category)** by entering **4663 into the Includes/Excludes Event IDs** text box.
 
 For an example of a File Access Auditing Event 4663, see ["4663(S): An attempt was made to access an object."](/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4663)
 
 ![Event Viewer showing security logs](media/windows-events.png)
 
-### Using PowerShell to enable auditing of VC Runtime usage
-
-The general workflow for updating the File Auditing Permissions with PowerShell is as follows:
-
-1. Define the [file system audit rule](/dotnet/api/system.security.accesscontrol.filesystemauditrule.-ctor) to be applied to the file(s).
+### Use PowerShell to audit VC Runtime usage
 
-2. Obtain a file's security descriptor with [Get-Acl](/powershell/module/microsoft.powershell.security/get-acl).
+To update File Auditing Permissions with PowerShell:
 
-3. [Apply the audit rule](/dotnet/api/system.security.accesscontrol.filesystemsecurity.setaccessrule) to the security descriptor.
+1. Define the [file system audit rule](/dotnet/api/system.security.accesscontrol.filesystemauditrule.-ctor) to apply to the file(s).
+1. Obtain a file's security descriptor with [`Get-Acl`](/powershell/module/microsoft.powershell.security/get-acl).
+1. [Apply the audit rule](/dotnet/api/system.security.accesscontrol.filesystemsecurity.setaccessrule) to the security descriptor.
+1. Apply the updated security descriptor on the original file with [`Set-Acl`](/powershell/module/microsoft.powershell.security/set-acl).
+1. View File Access Auditing Event 4663 records with [`Get-WinEvent`](/powershell/module/microsoft.powershell.diagnostics/get-winevent).
 
-4. Apply the updated security descriptor on the original file with [Set-Acl](/powershell/module/microsoft.powershell.security/set-acl).
+### PowerShell: Audit out-of-support VC Runtime files
 
-5. View File Access Auditing Event 4663 records with [Get-WinEvent](/powershell/module/microsoft.powershell.diagnostics/get-winevent).
+The following PowerShell code enables you to audit installed VC Runtime files that are no longer supported.
 
-### PowerShell: Enable auditing on out-of-support VC Runtime files
-
-The following PowerShell section of code will enable usage auditing of the currently installed out-of-support VC Runtime files.
-
-```sh
+```powershell
 function Get-AuditRuleForFile {
     $auditRuleArguments =   'Everyone'              <# identity #>,
                             'ExecuteFile, Traverse' <# fileSystemRights #>,
@@ -138,13 +123,13 @@ ForEach-Object {
 }
 ```
 
-### PowerShell: Viewing file auditing events
+### PowerShell: View file audit events
 
 PowerShell provides `Get-WinEvent` to obtain event records for various event logs.
 
-The following PowerShell section of code will list all of the Auditing Event 4663 records over the past 24 hours.
+The following PowerShell code lists all of the Auditing Event 4663 records over the past 24 hours:
 
-```sh
+```powershell
 function Get-AuditEntries {
     param (
         [Parameter(Mandatory = $true)]
@@ -171,9 +156,9 @@ function Get-AuditEntries {
 Get-AuditEntries -oldestTime (Get-Date).AddHours(-24)
 ```
 
-Example output from the above block of code is as follows:
+Example output from the previous code:
 
-```
+```output
 TimeCreated : 11/20/2024 5:00:11 AM
 Accesses : Execute/Traverse
 SubjectUserSid : \*\*\*\*\*