UltimateWindowsSecurity.com Forum / Ultimate Windows Security Forum / Security Log / 560 - Object Open

Missing Handle (-) Causing Failure Audit

mjv1975 — Fri, 05 Aug 2011 11:22:18 GMT

I need help with this please... I am trying to understand if the event is being created by there not being a Handle ID. This specific person has access to this shared folder and they were able to open the file just fine. I don't know why it is appearing in the "Failure Audit" category, or is it just "noise".

Sanitized Error:

Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 8/5/2011
Time: 11:14:20 AM
User: ACMECO\JDOE
Computer: FILESERVERNAME
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: F:\Generic\Daily\Monthly\2011\Aug 2011.xls
Handle ID: -
Operation ID: {1,1562195102}
Process ID: 4
Image File Name:
Primary User Name: FILESERVERNAME$
Primary Domain: XXXXXXCO
Primary Logon ID: (0x0,0x3E7)
Client User Name: JDOE
Client Domain: XXXXXXCO
Client Logon ID: (0x1,0x5C7E1B6D)
Accesses: DELETE
READ_CONTROL
ACCESS_SYS_SEC
ReadData (or ListDirectory)
ReadEA
ReadAttributes

Privileges: -
Restricted Sid Count: 0
Access Mask: 0x1030089

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

What is Object Server?

pwstoecker — Mon, 23 May 2011 13:43:27 GMT

Exactly what is the Object Server in the 560 message?

Thanks,

paul

How to track user modifications and accesses to folders and files

Jer06 — Tue, 05 Oct 2010 00:44:59 GMT

Hi,
I have a task to help determine who has moved a particular folder and its subfolder/files to another location.

For example: User A has moved 'C:\folder2' to 'C:\folder1\folder2'

I've tried searching for related events on 560,567 and 562,which I understand will be generated for such cases, but however,I only see event code 560.

Unable to determine much, I searched for the last event time for C:\folder2, which is 13:00hr, and the next event at 14:00 with file location shown in the log is C:\folder1\folder2. Both of these events are code 560, and I am unable to search for a corresponding code 567,562 and handle ID.
Thus, am suspecting the movement of the folder happens between 13:00 to 14:00...

Please advise?

Wmiprvse.exe 560 Errors

kblancha82 — Mon, 15 Nov 2010 07:38:42 GMT

Hello,

I need help identifying if the following errors are harmless or not. I am getting the same error on a few different systems.

Executable: C:\WINDOWS\wbem\wmiprvse.exe

Attempts to access one of the following files:
C:\WINDOWS\repair\setup.log
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
C:\WINDOWS\system32\profmap.dll
C:\WINDOWS\system32\config\system
These errors occur as both administrator and regular user.

Any help would be greatly appreciated.

Thank you in advance,
Kyle

Root cause of 560 failed object access attempts

racjen — Thu, 26 Aug 2010 11:02:52 GMT

I have a question in regard to auditing on XP workstations. We have
object auditing enabled and get lots of 560 events for users accessing
service.exe through the SC_Manager. The problem is user's don't know what
they are doing to generate these events, many happen just logging on. The
information in the actual 560 event is somewhat useless. How can you tell
what program or service is calling SC_Manager to generate the event. I
have been trying off and on for several months and have no clue where to
look or how to find out?

From the event i know:

Object Server: SC Manager

Object Type: SC_MANAGER OBJECT

Object Name: ServicesActive

Operation ID, Process ID xxx

Image File name: path to services.exe

login ID, Domain name, User client name etc...what properties are accessed (attempted fail, only monitoring failed access)

What I don't know is what program or process is calling services.exe to cause these events. How can I investigate this to pin point the cause? Any help would be GREATLY appreciated...

Thanks,

How to manage Handle ID for event 560, 567 and 562

AlessandroRimoldi — Mon, 25 Jan 2010 12:22:01 GMT

Good evening,

i'm trying to correlate more events with ID 560, 567 and 562 using the "Handle ID" but i found that the value assigned to "Handle ID" is not unique because is unique until reboot of the server/machine.

So, after a reboot of the server/machine i can see in event viewer an operation with the same "Handle ID" used before the reboot so i can't define into a database that an operation with a particular "Handle ID" is referred to a particular Username (because the same "Handle ID" can be used for operations of another user after the reboot).

In witch way the operating system determine the "Handle ID"? I noticed that is a numeric code: after witch value it restart to count from 0?

Thanks for help!

Alessandro Rimoldi (Milan, Italy)

How to prevent activities generated by SYSTEM user in the security log?

mdong@cds.ca — Wed, 04 Aug 2010 14:37:45 GMT

My security log is full of activities generated by the user "SYSTEM". How to set this user's activites not be in the security log?

Clarification of 560

richlich — Fri, 09 Apr 2010 10:38:42 GMT

In the case we have at hand on object access failures, the Object Type is SERVICE OBJECT and the Object Name is WinHttpAutoProxySvc. Does this indicate, then, that there is a permissions access problem with the user account trying to access that service? I'm just trying to figure out what has to be changed where to resolve this. (This is the first time I've had the situation where the 560 event is logged consistently. In this case it comes in clusters of 4 events about every 50 minutes.)

How can you tell when a file was created???

mvftw — Tue, 19 May 2009 08:43:05 GMT

It seems that event 560 is given for created or modified. Is there may to tell when a file was created???