Netwrix Auditor 9.5

Hello,

The Netwrix Auditor file server we have installed has been working without major problems and has been a very useful and efficient auditing tool. However, at the end of September, we detected an inconsistency that we couldn’t understand.
Point 1: Files are occasionally being changed, for example, by the “System” user, but we know that in the folders where these files are located, it wasn’t the “System” entity that changed them, but rather a user on our network.
Point 2: Furthermore, the health log displays the message “Audit policies could not be verified for the ‘appsrv01’ server: The registry value for audit policy data has unknown format.” Error ID: 6106
Can you give us any help on these two points?
Netwrix Auditor Version: 9.5
Server: Windows 2016
Thanks.

PedroP

Hello Pedro,

Welcome to the Netwrix Community, and thank you for sharing the details of what you’re seeing. I’ll do my best to explain what’s happening with both points you mentioned.

1. About the “System” User Entries

When you see a change attributed to the “System” user, it usually means one of two things:

  • The change was truly performed by the operating system (for example, when deleting a folder that contains subfolders—Windows itself deletes the nested items).
  • Or, Netwrix Auditor was unable to retrieve the user name from the Event Log.

Here’s how that happens: Netwrix Auditor collects data from your file server by taking an internal snapshot of its state. It then compares that snapshot to the current state and looks in the Event Log to determine who, when, and where changes occurred. If the related event is missing—perhaps because it was overwritten before collection—Auditor still reports the change but substitutes “System” as the user name.

In your case, since you know the activity came from a specific user, it’s likely that the event was either not captured or overwritten before Netwrix Auditor collected it. This is more common when working with large file servers or when collections take longer than expected.

2. About the “Audit policies could not be verified” Error (ID 6106)

This particular message indicates that Windows changed how audit policy data is stored in the registry. As a result, older Auditor versions (like 9.5) can no longer interpret the registry format correctly. The good news is that this does not usually affect auditing itself—unless you’ve recently modified audit policies—but it does cause that warning to appear in the health log.

This issue was resolved in Netwrix Auditor 10.7 and later (we’re currently on 10.8).

Recommended Next Steps

Because you’re running version 9.5, which is now end-of-support, the best next step would be to upgrade to the latest release. The upgrade provides:

  • Full compatibility with current Windows registry formats.
  • Improved snapshot performance (so collections don’t pause other activities and reduce the risk of missing events).
  • General stability and accuracy improvements.

If you have an active support and maintenance agreement, our Support team can help guide you through the upgrade process.

Would you like me to arrange for a support engineer to reach out and assist you with that?

2 Likes
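Added example (not part of the original posts and not Netwrix code): a PowerShell check for the condition described in the reply above, where Security log events are overwritten before they are collected. The function name, the 95% fill heuristic and the 24-hour default collection interval are assumptions; set the interval to match your own collection schedule.

```powershell
# Run in an elevated session on the audited file server.
function Test-SecurityLogRetention {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        # Assumption: hours between two data collections in your deployment.
        [double]$CollectionIntervalHours = 24
    )

    # Log configuration: mode, maximum size, current file size.
    $log = Get-WinEvent -ListLog Security -ComputerName $ComputerName

    # Oldest and newest events still present in the log.
    $oldest = Get-WinEvent -LogName Security -ComputerName $ComputerName -Oldest -MaxEvents 1
    $newest = Get-WinEvent -LogName Security -ComputerName $ComputerName -MaxEvents 1

    $windowHours = ($newest.TimeCreated - $oldest.TimeCreated).TotalHours
    $fillPercent = [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes, 1)

    # Heuristic: a circular log that is (almost) at its maximum size is
    # already overwriting its oldest records.
    $wrapping = ($log.LogMode -eq 'Circular') -and ($fillPercent -ge 95)

    $verdict = if ($log.LogMode -ne 'Circular' -and $log.IsLogFull) {
        'Log is full and not overwriting: new events are being dropped'
    } elseif ($wrapping -and $windowHours -lt $CollectionIntervalHours) {
        'Events are overwritten before the next collection: increase the log size'
    } elseif ($wrapping) {
        'Log is wrapping, but retention exceeds the collection interval'
    } else {
        'No overwriting detected: the window shown is a lower bound on retention'
    }

    [pscustomobject]@{
        Computer        = $ComputerName
        LogMode         = $log.LogMode
        MaxSizeMB       = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        FillPercent     = $fillPercent
        OldestEvent     = $oldest.TimeCreated
        RetentionHours  = [math]::Round($windowHours, 1)
        CollectionHours = $CollectionIntervalHours
        Verdict         = $verdict
    }
}

Test-SecurityLogRetention
```

If the verdict reports overwriting, the maximum Security log size can be raised through Group Policy or with `wevtutil sl Security /ms:<bytes>`.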

Hello Michael,

Thank you in advance for your explanation.
I’d like to take this opportunity to ask a question regarding the upgrade to version 10.7…
Is it possible to do so directly on top of 9.5, or does it involve cumulative upgrades of previous versions until I reach 10.7?
Or do I have to uninstall version 9.5 and then install 10.7…in this case, the 9.5 licensing works on 10.7, and will I lose the information regarding the version 9.5 database?
Best regards

Hello Pedro,

You have two main options for moving to a newer version of Netwrix Auditor:

Option 1 – Fresh Installation (Recommended if starting clean)

You can set up a new server and install the latest version (currently 10.8).

  • This approach gives you a clean environment and avoids any upgrade dependencies.
  • You would need an updated license key from us, since licenses from 9.5 are not compatible with 10.x.
  • If your current deployment uses a full SQL Server, you would also need a dedicated SQL instance for the new installation.

Option 2 – In-Place Upgrade (Recommended if you want to keep data and configuration)

If you prefer to retain your existing configuration and database, you can perform a series of incremental upgrades.

Because there were major architecture changes between versions, it’s not possible to upgrade directly from 9.5 to 10.8 — it must be done in stages. You can safely perform one upgrade per day.

Here’s the recommended upgrade path:

  1. 9.5 → 9.7
  2. 9.7 → 9.9
  3. 9.9 → 9.96
  4. 9.96 → 10.5
  5. 10.5 → 10.7
  6. 10.7 → 10.8

Your existing license will continue to work through the upgrade chain. In some cases, you may need to run the License Cleanup Tool afterward to remove any expired or duplicate licenses, but no new license key is required.

If you’d like, our Support team can assist you throughout this process — either by joining you for each step or being on standby in case you encounter issues.

Would you like me to have a support engineer contact you to schedule the upgrade assistance?

1 Like

Hello Michael,

Thanks again for the quick response…

Regarding the update, our IT department would proceed with the respective cumulative upgrade, but versions 9.7/9.9/9.96 and 10.5 are not available for download from the link that you sent me…

Regards,

Pedro Pereira

Pedro,

Below are the links to the versions that you need that are not on the Customer Portal.

  1. 9.7: https://www.netwrix.com/download/products/na_9.7.3959/Netwrix_Auditor.exe
  2. 9.9: https://www.netwrix.com/download/products/na_9.9.6758/Netwrix_Auditor.exe
  3. 9.96: https://www.netwrix.com/download/products/na_9.96.8431/Netwrix_Auditor.exe
  4. 10.5: https://dl.netwrix.com/products/na_10.5.11059/Netwrix_Auditor.exe

You should be able to download 10.7 and 10.8 from the Customer Portal at www.netwrix.com/support

Michael Purdin
Manager, Technical Support Engineering
Netwrix: Data security that starts with identity

2 Likes

Hello Michael,

Thank you!

1 Like