Address review feedback

MahmoudGSaleh · MahmoudGSaleh · commit f5d57bf6f5fb · 2024-12-09T14:50:34.000-08:00
diff --git a/docs/windows/redist-version-auditing.md b/docs/windows/redist-version-auditing.md
@@ -1,5 +1,5 @@
 ---
-title: "How To Audit Visual C++ Runtime Version Usage"
+title: "cpp-redist-version-auditing"
 description: "This article provides a detailed guide for auditing usage of Visual C++ Runtime versions within your organization."
 ms.date: 12/2/2024
 helpviewer_keywords:
@@ -15,13 +15,13 @@ ms.author: msaleh
 
 The Microsoft Visual C++ Redistributable and the Visual C++ Studio Runtime (collectively, "VC Runtime") is a critical component to thousands of applications. Across your enterprise network, machines may still be running applications that install and use an out-of-support version of the VC Runtime. NTFS File Auditing can be used to identify such usage as a step towards helping you replace these applications with ones that take a dependency on a supported version of the VC Runtime. This guide will walk you through setting up NTFS File Auditing, provide troubleshooting tips, and highlight the benefits of regular audits.
 
-For details on the versions of VC Runtime no longer supported, see [Microsoft Visual C++ Redistributable latest supported downloads](https://learn.microsoft.com/en-us/cpp/windows/latest-supported-vc-redist).
+For details on the versions of VC Runtime no longer supported, see [Microsoft Visual C++ Redistributable latest supported downloads](/cpp/windows/latest-supported-vc-redist).
 
 ## Enabling NTFS File Auditing to determine usage of VC Runtime
 
 NTFS File Auditing can be used to determine which process is calling VC Runtime files. You can use this information on machines with legacy versions of the VC Runtime already installed to determine which applications are calling the unsupported versions of the VC Runtime.
 
-This guide will first provide steps to manually enable NTFS File Auditing and review logs. Because there are several component files that can be used by an application, this guide also provides and recommends that you use PowerShell's [Get-Acl](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-5.1) and [Set-Acl](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1) cmdlets to update Auditing permissions. For details on how to configure the audit policies on a file, see [Apply a basic audit policy on a file or folder.](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder)
+This guide will first provide steps to manually enable NTFS File Auditing and review logs. Because there are several component files that can be used by an application, this guide also provides and recommends that you use PowerShell's [Get-Acl](/powershell/module/microsoft.powershell.security/get-acl) and [Set-Acl](/powershell/module/microsoft.powershell.security/set-acl) cmdlets to update Auditing permissions. For details on how to configure the audit policies on a file, see [Apply a basic audit policy on a file or folder.](/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder)
 
 ### Manually enable object access auditing on the system
 
@@ -34,8 +34,8 @@ Object access must be enabled before you enable file level auditing.
 
 Alternatively, you may use auditpol.exe to enable object access.
 
-1. List the current settings with AuditPol.exe /get /category:"Object Access".
-2. Enable/Disable with AuditPol.exe /set /category:"Object Access" /subcategory:"File System" /success:enable.
+1. List the current settings with `AuditPol.exe /get /category:"Object Access"`.
+2. Enable/Disable with `AuditPol.exe /set /category:"Object Access" /subcategory:"File System" /success:enable`.
 
 ### Manually enable auditing on a file
 
@@ -63,78 +63,78 @@ The audit rule is enabled now.
 
 ### Manually review audit logs
 
-NTFS File Auditing will generate [_Event 4663: An attempt was made to access an object_](https://learn.microsoft.com/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4663) for each file that includes + audit permission and the+ process accessing process namethe file.
+NTFS File Auditing will generate ["Event 4663: An attempt was made to access an object"](/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4663) for each file that includes + audit permission and the+ process accessing process namethe file.
 
-1. Open Event Viewer: Press Windows + R, type eventvwr.msc, and press Enter.
+1. Open Event Viewer: Press Windows + R, type `eventvwr.msc`, and press Enter.
 
 2. Navigate to Security Logs: In the Event Viewer, expand Windows Logs and select Security. The results pane lists individual security events.
 
 3. Filter and Analyze the Logs: Use the Filter Current Log option to narrow down the events to Event ID 4663 (Audit Success for the File System Category).
 
-For an example of a File Access Auditing Event 4663, see [4663(S): An attempt was made to access an object.](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4663)
+For an example of a File Access Auditing Event 4663, see ["4663(S): An attempt was made to access an object."](/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4663)
 
 ![Event Viewer showing security logs](media/windows-events.png)
 
 ### Using PowerShell to enable auditing of VC Runtime usage
 
 The general workflow for updating the File Auditing Permissions with PowerShell is as follows:
 
-1. Define the [file system audit rule](https://learn.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.filesystemauditrule.-ctor) to be applied to the file(s).
+1. Define the [file system audit rule](/dotnet/api/system.security.accesscontrol.filesystemauditrule.-ctor) to be applied to the file(s).
 
-2. Obtain a file's security descriptor with [Get-Acl](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-5.1).
+2. Obtain a file's security descriptor with [Get-Acl](/powershell/module/microsoft.powershell.security/get-acl).
 
-3. [Apply the audit rule](https://learn.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.filesystemsecurity.setaccessrule) to the security descriptor.
+3. [Apply the audit rule](/dotnet/api/system.security.accesscontrol.filesystemsecurity.setaccessrule) to the security descriptor.
 
-4. Apply the updated security descriptor on the original file with [Set-Acl](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1).
+4. Apply the updated security descriptor on the original file with [Set-Acl](/powershell/module/microsoft.powershell.security/set-acl).
 
-5. View File Access Auditing Event 4663 records with [Get-WinEvent](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-5.1).
+5. View File Access Auditing Event 4663 records with [Get-WinEvent](/powershell/module/microsoft.powershell.diagnostics/get-winevent).
 
 ### PowerShell: Enable auditing on out-of-support VC Runtime files
 
 The following PowerShell section of code will enable usage auditing of the currently installed out-of-support VC Runtime files.
 
 ```sh
-function Get-AuditRuleForFile { 
-    $auditRuleArguments =   'Everyone'              <# identity #>, 
-                            'ExecuteFile, Traverse' <# fileSystemRights #>, 
-                            'Success'               <# flags #> 
-    $auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule($auditRuleArguments) 
-
-    return $auditRule 
-} 
-
-function Set-FileAuditRule { 
-    param ( 
-        [Parameter(Mandatory = $true)] 
-        [ValidateNotNullOrEmpty()] 
-        [string]$file, 
-        [Parameter(Mandatory = $true)] 
-        [ValidateNotNullOrEmpty()] 
-        [System.Security.AccessControl.FileSystemAuditRule]$auditRule 
-    ) 
-
-    $existingAcl = Get-Acl -Path $file 
-    $existingAcl.AddAuditRule($auditRule) | Out-Null 
-    Set-Acl -Path $file -AclObject $existingAcl 
-} 
-
-$newAuditRule = Get-AuditRuleForFile 
-
-# Visual Studio Redistributable for 2005 (VC++ 8.0) and 2008 (VC++ 9.0) 
-Get-ChildItem "$ENV:SystemRoot\WinSxS\Fusion" -filter '*.dll' -ErrorAction SilentlyContinue -Recurse | 
-Where-Object FullName -IMatch 'microsoft\.vc[89]0' | 
-ForEach-Object { 
-    Set-FileAuditRule $_.FullName $newAuditRule 
-} 
-
-# Visual Studio Redistributable for 2010 (VC++ 10.0), 2012 (VC++ 11.0) and 2013 (VC++ 12.0)  
-$languageCodes = 'chs|cht|deu|enu|esn|fra|ita|jpn|kor|rus' 
-$versions = '(1[012]0)' 
-$regex = "^((atl|msvc[pr]|vcamp|vccorlib|vcomp)$versions|mfc$versions(u|$languageCodes)?|mfcm$versions(u)?)\.dll$" 
-Get-ChildItem "$ENV:SystemRoot\SysWOW64","$ENV:SystemRoot\System32" -filter '*.dll' |  
-Where-Object Name -imatch $regex |  
-ForEach-Object {  
-    Set-FileAuditRule $_.FullName $newAuditRule  
+function Get-AuditRuleForFile {
+    $auditRuleArguments =   'Everyone'              <# identity #>,
+                            'ExecuteFile, Traverse' <# fileSystemRights #>,
+                            'Success'               <# flags #>
+    $auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule($auditRuleArguments)
+
+    return $auditRule
+}
+
+function Set-FileAuditRule {
+    param (
+        [Parameter(Mandatory = $true)]
+        [ValidateNotNullOrEmpty()]
+        [string]$file,
+        [Parameter(Mandatory = $true)]
+        [ValidateNotNullOrEmpty()]
+        [System.Security.AccessControl.FileSystemAuditRule]$auditRule
+    )
+
+    $existingAcl = Get-Acl -Path $file
+    $existingAcl.AddAuditRule($auditRule) | Out-Null
+    Set-Acl -Path $file -AclObject $existingAcl
+}
+
+$newAuditRule = Get-AuditRuleForFile
+
+# Visual Studio Redistributable for 2005 (VC++ 8.0) and 2008 (VC++ 9.0)
+Get-ChildItem "$ENV:SystemRoot\WinSxS\Fusion" -filter '*.dll' -ErrorAction SilentlyContinue -Recurse |
+Where-Object FullName -IMatch 'microsoft\.vc[89]0' |
+ForEach-Object {
+    Set-FileAuditRule $_.FullName $newAuditRule
+}
+
+# Visual Studio Redistributable for 2010 (VC++ 10.0), 2012 (VC++ 11.0) and 2013 (VC++ 12.0)
+$languageCodes = 'chs|cht|deu|enu|esn|fra|ita|jpn|kor|rus'
+$versions = '(1[012]0)'
+$regex = "^((atl|msvc[pr]|vcamp|vccorlib|vcomp)$versions|mfc$versions(u|$languageCodes)?|mfcm$versions(u)?)\.dll$"
+Get-ChildItem "$ENV:SystemRoot\SysWOW64","$ENV:SystemRoot\System32" -filter '*.dll' |
+Where-Object Name -imatch $regex |
+ForEach-Object {
+    Set-FileAuditRule $_.FullName $newAuditRule
 }
 ```
 
@@ -145,30 +145,30 @@ PowerShell provides Get-WinEvent to obtain event records for various event logs.
 The following PowerShell section of code will list all of the Auditing Event 4663 records over the past 24 hours.
 
 ```sh
-function Get-AuditEntries {  
-    param (  
-        [Parameter(Mandatory = $true)]  
-        [ValidateNotNullOrEmpty()]  
-        [System.DateTime]$oldestTime  
-    )  
-    Get-WinEvent -FilterHashtable @{LogName='Security';Id=4663;StartTime=(Get-Date $oldestTime)} |  
-    ForEach-Object {  
-        $record = [ordered]@{}  
-        $record['TimeCreated'] = $_.TimeCreated  
-        $accessName = ($_.Message |  
-            Select-String -Pattern "Accesses:[\t\s]+(?<Accesses>.+)").Matches.Groups[1]  
-        ([xml]$_.ToXML()).Event.EventData.ChildNodes |  
-        ForEach-Object -Begin {  
-            $record[$accessName.Name]=$accessName.Value.Trim()  
-        } -Process {  
-            $record[$_.Name] = $_.'#text'  
-        }  
-        [PSCustomObject]$record  
-    } | 
-    Where-Object { $_.ObjectName -imatch '\.dll$'}  
+function Get-AuditEntries {
+    param (
+        [Parameter(Mandatory = $true)]
+        [ValidateNotNullOrEmpty()]
+        [System.DateTime]$oldestTime
+    )
+    Get-WinEvent -FilterHashtable @{LogName='Security';Id=4663;StartTime=(Get-Date $oldestTime)} |
+    ForEach-Object {
+        $record = [ordered]@{}
+        $record['TimeCreated'] = $_.TimeCreated
+        $accessName = ($_.Message |
+            Select-String -Pattern "Accesses:[\t\s]+(?<Accesses>.+)").Matches.Groups[1]
+        ([xml]$_.ToXML()).Event.EventData.ChildNodes |
+        ForEach-Object -Begin {
+            $record[$accessName.Name]=$accessName.Value.Trim()
+        } -Process {
+            $record[$_.Name] = $_.'#text'
+        }
+        [PSCustomObject]$record
+    } |
+    Where-Object { $_.ObjectName -imatch '\.dll$'}
 }
 
-Get-AuditEntries -oldestTime (Get-Date).AddHours(-24) 
+Get-AuditEntries -oldestTime (Get-Date).AddHours(-24)
 ```
 
 Example output from the above block of code is as follows:
@@ -195,7 +195,7 @@ ResourceAttributes : S:AI
 
 After you have determined which processes are using the VC Runtime files or installing the VC Redistributable, uninstall those applications or upgrade them to newer versions that do not depend on unsupported VC Runtimes.
 
-Note that some Microsoft applications do require legacy versions of the VC Runtime. For details, see [Visual C++ Redistributable and runtime libraries FAQ | Microsoft Learn](https://learn.microsoft.com/lifecycle/faq/visual-c-faq).
+Note that some Microsoft applications do require legacy versions of the VC Runtime. For details, see [Visual C++ Redistributable and runtime libraries FAQ | Microsoft Learn](/lifecycle/faq/visual-c-faq).
 
 <a id="vcruntime_install_location"></a>
 
@@ -215,4 +215,4 @@ The following section lists where each version of the VC Runtime component files
 
 * [Redistributing Visual C++ Files](redistributing-visual-cpp-files.md)
 * [The latest supported Visual C++ downloads](latest-supported-vc-redist.md)
-* [Lifecycle FAQ - Visual C++ Redistributable and runtime libraries](https://learn.microsoft.com/en-us/lifecycle/faq/visual-c-faq)
+* [Lifecycle FAQ - Visual C++ Redistributable and runtime libraries](/lifecycle/faq/visual-c-faq)
