Missing Handle (-) Causing Failure Audit Expand / Collapse
Author
Message
Posted 8/5/2011 11:22:18 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 8/5/2011 11:00:46 AM
Posts: 2, Visits: 0
I need help with this please...  I am trying to understand if the event is being created by there not being a Handle ID.  This specific person has access to this shared folder and they were able to open the file just fine.  I don't know why it is appearing in the "Failure Audit" category, or is it just "noise". 

Sanitized Error:

Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date:  8/5/2011
Time:  11:14:20 AM
User:  ACMECO\JDOE
Computer: FILESERVERNAME
Description:
Object Open:
  Object Server: Security
  Object Type: File
  Object Name: F:\Generic\Daily\Monthly\2011\Aug 2011.xls
  Handle ID: -
  Operation ID: {1,1562195102}
  Process ID: 4
  Image File Name:
  Primary User Name: FILESERVERNAME$
  Primary Domain: XXXXXXCO
  Primary Logon ID: (0x0,0x3E7)
  Client User Name: JDOE
  Client Domain: XXXXXXCO
  Client Logon ID: (0x1,0x5C7E1B6D)
  Accesses: DELETE
   READ_CONTROL
   ACCESS_SYS_SEC
   ReadData (or ListDirectory)
   ReadEA
   ReadAttributes
  
  Privileges: -
  Restricted Sid Count: 0
  Access Mask: 0x1030089


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Post #779
Posted 8/10/2011 9:25:59 AM
Expert

ExpertExpertExpertExpertExpertExpertExpertExpert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
nothing to do with the missing handle id.  Handle ID is only filled in on succesful open events.  The problem is with ACCESS_SYS_SECURITY.  For some reason that permission is being requested which controls access to the audit settings for the file.  See http://msdn.microsoft.com/en-us/library/aa379321(VS.85).aspx 
Post #782
Posted 8/11/2011 11:21:25 PM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 8/5/2011 11:00:46 AM
Posts: 2, Visits: 0
Wow - thank you for the information.  It is GREATLY appreciated. 
Post #786
« Prev Topic | Next Topic »


Permissions Expand / Collapse

All times are GMT -5:00, Time now is 4:16am