title: "How to audit Visual C++ Runtime version usage"

description: "A detailed guide for auditing Visual C++ Runtime file usage."

The Microsoft Visual C++ Redistributable and the Visual Studio C++ Runtime (collectively, "VC Runtime") are critical components of many applications. Across your network, machines may still be running applications that install and use an out-of-support version of the VC Runtime. You can use NTFS file auditing to identify such usage as a step towards replacing those applications with ones that use a supported version of the VC Runtime. This guide walks you through setting up NTFS file auditing, provides troubleshooting tips, and highlights the benefits of regular audits.

This guide provides the steps to manually enable NTFS file auditing and review audit events to determine which applications are calling the unsupported versions of the VC Runtime. Because there are several files that can be used by an application, this guide also shows how to use PowerShell's [`Get-Acl`](/powershell/module/microsoft.powershell.security/get-acl) and [`Set-Acl`](/powershell/module/microsoft.powershell.security/set-acl) cmdlets to update auditing permissions. For more information about how to configure audit policies for a file, see [Apply a basic audit policy on a file or folder](/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder).

Object access must be enabled before you enable file level auditing:

1. Open the **Local Group Policy Editor** by pressing `Windows` + `R` to open the **Run** dialog. Then type `gpedit.msc` and press **Enter**.

1. Navigate to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Advanced Audit Policy Configuration** > **System Audit Policies** > **Object Access**.

1. Close the **Local Group Policy Editor**.

Alternatively, you may use `auditpol.exe` to enable object access:

1. In the **Advanced Security Settings** dialog box, select the **Auditing** tab and then select **Continue**.

1. To add a new auditing rule, select **Add**. In the **Auditing Entry** dialog, select a principal, then type the name of the user or group you want to add such as **(Everyone)**, and then select **OK**.

1. In **Type**, select ensure that **Success** is selected.

1. There should now be a new row in the **Auditing** entries matching what you have selected. Select **OK**.

1. In the **Properties** Dialog, select **OK**.

NTFS file auditing generates ["Event 4663: An attempt was made to access an object"](/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4663) for each file that includes the audit permission and is accessed by a process.

1. Open the **Event Viewer** by pressing `Windows` + `R` to open the **Run** dialog. Then type `eventvwr.msc`, and press **Enter**.

1. Navigate to the **Security** logs in the **Event Viewer** by expanding **Windows Logs** > **Security**. The results pane lists security events.

1. Find the audit events by choosing **Filter Current Log...** in the **Actions** pane. Narrow down the events to **Event ID 4663 (Audit Success for the File System Category)** by entering **4663 into the Includes/Excludes Event IDs** text box.

For an example of a File Access Auditing Event 4663, see ["4663(S): An attempt was made to access an object."](/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4663)

As an overview, updating File Auditing Permissions with PowerShell follows these steps:

1. Define the [file system audit rule](/dotnet/api/system.security.accesscontrol.filesystemauditrule.-ctor) to apply to the file(s).

PowerShell provides `Get-WinEvent` to get event records for various event logs as shown in the following PowerShell code that lists all of the Auditing Event 4663 records over the past 24 hours:

After you have determined which processes are using the VC Runtime files, or which applications have installed the VC Redistributable, uninstall those applications or upgrade them to newer versions that don't depend on unsupported VC Runtimes.

Some Microsoft applications require legacy versions of the VC Runtime. For details, see [Visual C++ Redistributable and runtime libraries FAQ | Microsoft Learn](/lifecycle/faq/visual-c-faq).

Here is where each version of the VC Runtime is installed:

| **Visual Studio Version**| **Installed Location(s)**|

[Redistributing Visual C++ Files](redistributing-visual-cpp-files.md)\

[The latest supported Visual C++ downloads](latest-supported-vc-redist.md)\

[Lifecycle FAQ - Visual C++ Redistributable and runtime libraries](/lifecycle/faq/visual-c-faq)\

[C++ binary compatibility between Visual Studio versions](../porting/binary-compat-2015-2017.md)

Starting in Visual Studio 2012, Active Template Library (ATL) is a header-only library. ATL projects do not have a Dynamic Link to ATL option. No redistributable ATL library is required.

If you redistribute an ATL executable application, you must register the .exe file (and any controls inside it) by issuing the following command:

where `filename` is the name of the executable file.

In Visual Studio 2010, an ATL project can be built for a MinDependency or a MinSize configuration. A MinDependency configuration is what you get when you set the **Use of ATL** property to **Static Link to ATL** on the **General** property page and set the **Runtime Library** property to **Multi-threaded (/MT)** on the **Code Generation** property page (C/C++ folder).

A MinSize configuration is what you get when you set the **Use of ATL** property to **Dynamic Link to ATL** on the **General** property page, or set the **Runtime Library** property to **Multi-threaded DLL (/MD)** on the **Code Generation** property page (C/C++ folder).

MinSize makes the output file as small as possible but requires that ATL100.dll and Msvcr100.dll (if you selected the **Multi-threaded DLL (/MD)** option) are on the target computer. ATL100.dll should be registered on the target computer to ensure that all ATL functionality is present. ATL100.dll contains ANSI and Unicode exports.

If you build your ATL or OLE DB Templates project for a MinDependency target, you do not need to install and register ATL100.dll on the target computer, although you might get a larger program image.

If you redistribute an ATL executable application, you must register the .exe file (and any controls inside it) by issuing the following command:

where `filename` is the name of the executable file.

[Redistributing Visual C++ Files](redistributing-visual-cpp-files.md)