Is there a way to do a manual audit on a device so that it can happen immediately? I know there's a registry key tied to a file called "userin32.exe" that's in the registry under the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run folder which is tied to the auditing. That's where it's at for the 64bit version of Windows (slightly different locations with 32bit OS's) ... it's physical location on the HDD is under a hidden folder C:\Discovery\User Input\ ... I've gone to that folder and tried launching that file to see if it would allow an immediate audit to occur on individual machines that didn't pickup the GPO that we have for school dude but that doesn't seem to work.
... we'd like to have a bit more control over the auditing of what's on the domain since it doesn't seem to be capturing everything that goes on in a way that's useful.