Audit Restores - FullPrivilegeAuditing
If an unauthorized user can restore files to a new directory, they can
compromise those files. To catch such activity, requires full
privilege auditing . To enable, apply the following Windows NT registry
auditing will cause a very large number of event records to be generated
during backups and restores. Increase the size of the event log significantly if you need this information. Appropriate for
high security environment. In any case, if the logs are not being examined for
inappropriate access, forget it.
Frank Heyne has made available a Windows NT
Eventlog FAQ .