How to determine WHICH process made the...
Posted 3/12/2016 3:30:14 PM
Forum Newbie
Group: Forum Members
Last Login: 3/12/2016 3:22:24 PM
Posts: 1, Visits: 0
I am trying to determine which process modified a file on a Windows 2012 share.
I have turned on SECURITY AUDITING and I have captured the following event, but I am unsure how to track down the process ID. Help!


A handle to an object was requested.

Subject:
Security ID: PURCELLINTL\fpurcell
Account Name: fpurcell
Account Domain: PURCELLINTL
Logon ID: 0xA9D7868

Object:
Object Server: Security
Object Type: File
Object Name: C:\SharedData\Resumes\cpurcell\M\Marc A. Feeser.doc
Handle ID: 0x1454
Resource Attributes: -

Process Information:
Process ID: 0x4
Process Name:

Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
ReadEA
WriteEA
ReadAttributes
WriteAttributes

Access Reasons: READ_CONTROL: Granted by DA;ID;0x1200a9;;;DU)
SYNCHRONIZE: Granted by DA;ID;0x1200a9;;;DU)
ReadData (or ListDirectory): Granted by DA;ID;0x1200a9;;;DU)
WriteData (or AddFile): Granted by DA;ID;0x1301bf;;;S-1-5-21-845596306-1813120476-2465087145-1138)
AppendData (or AddSubdirectory or CreatePipeInstance): Granted by DA;ID;0x1301bf;;;S-1-5-21-845596306-1813120476-2465087145-1138)
ReadEA: Granted by DA;ID;0x1200a9;;;DU)
WriteEA: Granted by DA;ID;0x1301bf;;;S-1-5-21-845596306-1813120476-2465087145-1138)
ReadAttributes: Granted by DA;ID;0x1200a9;;;DU)
WriteAttributes: Granted by DA;ID;0x1301bf;;;S-1-5-21-845596306-1813120476-2465087145-1138)

Access Mask: 0x12019F
Privileges Used for Access Check: -
Restricted SID Count: 0
Post #5173
Posted 3/28/2016 9:24:41 AM
Supreme Being
Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 183, Visits: 0
Correlate the process ID in this event with the process ID in the event "A new process has been created". This event should have the same process ID.
Post #5176
Posted 3/31/2016 2:16:12 AM
Forum Newbie
Group: Forum Members
Last Login: 4/12/2016 2:43:05 AM
Posts: 4, Visits: 4
I open a file via a network file share, but the 4688 event log cannot be generated.
Post #5180
Posted 4/7/2016 7:53:35 AM
Supreme Being
Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 183, Visits: 0
4688 corresponds to process creation. Is that what you are looking for?
Post #5187
Posted 6/21/2016 8:22:59 PM
Forum Newbie
Group: Forum Members
Last Login: 6/21/2016 8:11:16 PM
Posts: 1, Visits: 1
It was system.exe. Process ID 4 is always System.
Post #5224
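As an added example (not code from any post in this thread), a PowerShell function that performs the correlation the moderator describes in post #5176 and handles the case the last reply points out: process ID 4 is the System process, for which no 4688 event will ever be found. Get-AccessingProcess is a name chosen here; it assumes the caller can read the Security log.

```powershell
# Added example, not code from the thread: correlate a 4656/4663 file-access event with the
# 4688 "A new process has been created" event by process ID. PIDs are reused, so the match
# is the NEWEST 4688 logged BEFORE the access. Assumes Object Access and Process Creation
# auditing are both enabled and the Security log still holds the 4688 record.
function Get-AccessingProcess {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$AccessEvent
    )
    process {
        # Pull the named EventData fields (ProcessId, ObjectName, ...) out of the event XML.
        $fields = @{}
        foreach ($d in ([xml]$AccessEvent.ToXml()).Event.EventData.Data) {
            $fields[$d.Name] = $d.'#text'
        }
        $accessPid = [int64]$fields['ProcessId']      # '0x4' -> 4, '0x1454' -> 5204
        $result = [ordered]@{
            AccessTime = $AccessEvent.TimeCreated; ObjectName = $fields['ObjectName']
            ProcessId  = $accessPid;               Process    = $null; CreatedAt = $null
        }
        # PID 4 is the System process (kernel). Writes arriving over an SMB share are made by
        # srv.sys on the remote client's behalf, so no 4688 will ever exist for them.
        if ($accessPid -eq 4) {
            $result.Process = 'System (kernel; e.g. SMB server acting for a remote client)'
            return [pscustomobject]$result
        }
        # Get-WinEvent returns newest first, so the first matching 4688 before the access
        # is the most recent owner of that PID.
        $created = Get-WinEvent -FilterHashtable @{
                       LogName = 'Security'; Id = 4688; EndTime = $AccessEvent.TimeCreated
                   } -ErrorAction SilentlyContinue |
            Where-Object {
                $np = (([xml]$_.ToXml()).Event.EventData.Data |
                       Where-Object Name -eq 'NewProcessId').'#text'
                $np -and ([int64]$np -eq $accessPid)
            } | Select-Object -First 1
        if ($created) {
            $cd = ([xml]$created.ToXml()).Event.EventData.Data
            $result.Process   = ($cd | Where-Object Name -eq 'NewProcessName').'#text'
            $result.CreatedAt = $created.TimeCreated
        } else {
            $result.Process = 'no 4688 found (auditing off or log rolled over)'
        }
        [pscustomobject]$result
    }
}
# Usage: attribute the most recent 4663 (object accessed) event in the Security log.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 1 |
    Get-AccessingProcess
```

For a share access that resolves to PID 4, the remote user is identified by the Subject fields and Logon ID of the event (and the matching 4624 network logon), not by a process on the server.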