Forum

Ultimate Windows Security Forum » Security Log » 560 - Object Open » How to manage Handle ID for event 560, 567...

How to manage Handle ID for event 560, 567... Expand / Collapse
Rate Topic
Display Mode
Topic Options
Author
Message
AlessandroRimoldi
Posted 1/25/2010 12:22:01 PM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 3/18/2010 12:31:13 PM
Posts: 3, Visits: 2
Good evening,

i'm trying to correlate more events with ID 560, 567 and 562 using the "Handle ID" but i found that the value assigned to "Handle ID" is not unique because is unique until reboot of the server/machine.

So, after a reboot of the server/machine i can see in event viewer an operation with the same "Handle ID" used before the reboot so i can't define into a database that an operation with a particular "Handle ID" is referred to a particular Username (because the same "Handle ID" can be used for operations of another user after the reboot).

In witch way the operating system determine the "Handle ID"? I noticed that is a numeric code: after witch value it restart to count from 0?

Thanks for help!

Alessandro Rimoldi (Milan, Italy)

Post #302
RandyFranklinSmith
Posted 3/10/2010 5:31:14 PM
Expert

ExpertExpertExpertExpertExpertExpertExpertExpert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 142, Visits: 0
You are correct, it's only unique between reboots. 
Post #326
AlessandroRimoldi
Posted 3/17/2010 6:41:53 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 3/18/2010 12:31:13 PM
Posts: 3, Visits: 2
Thanx for your help!

Alessandro Rimoldi (KBE Srl - Milano, Italia)

Post #341
« Prev Topic | Next Topic »


Permissions Expand / Collapse

All times are GMT -5:00, Time now is 2:07am