Code:
eventvwr
In the (TFM) Trusted Facility Manual as stated:

Event Viewer is used to view and manage event logs, including the security log. It allows for viewing, sorting, filtering, and searching the event logs. The user must have access to the event log file in order to successfully view it. To view the contents of the security log, the user must be logged on as a member of the Administrators group. No special privilege isrequired to use Event Viewer itself. Security is enforced by the ACL on the log and certain registry settings.

Using Windows NT, an administrator can audit all security events and user actions. User Manager enables you to specify which events (such as logon or file access) will be monitored. All audited information is stored in the Event Log, which can be viewed in Event Viewer.
In addition to listing events by event ID, the security log in Event Viewer lists them by category. The following categories of events are displayed in the Security Log. (Those in parentheses are found in the Audit Policy dialog box of User Manager.)
Event Viewer provides two sorting options: newest events first or the oldest events first. To filter events, there is a predefined set of options available. Some of the filter options are: from date, through date, warnings, errors, success or failure audit, source of logging events, user, and event category (e.g., policy changes). Event Viewer also provides for the saving of audit data in a number of formats, including comma-delimited ASCII.
For user documentation about Event Viewer, see "Using Event Viewer" in Chapter 9, "Monitoring Events," of Microsoft« Windows NT« Server Version 4.0 Concepts and Planning.
Enable auditing for successful object writes in the entire system directory and all subdirectories. After installing a new application, use Event Viewer to examine the security log for object access events. For each object access event, read the event detail. If the path portion of the object name indicates that the object is a system file and the type of access audited is WriteData, then a system file has been overwritten.