windows 7 creates false positive 4663 access... Expand / Collapse
Author
Message
Posted 8/18/2011 2:54:32 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 8/18/2011 3:39:20 AM
Posts: 1, Visits: 2
Hi, consider the following scenario. With auditing enabled on a 2008 x64 std server, when a audit enabled file share is accessed from a remote Windows 7 client and the files (including excel, word, powerpoint, msg) are NOT opened but are only clicked on (or keyboard arrow down) a 4663 event is created on the 2008 server with the real users Account Name by Process ID 0x4 (system). I have disabled the creation of thumbs.db on network shares. In addition the above holds true when using windows search on a audited file share (soon to be disabled). I am currently trying to determine what exactly is opening the file in the background? AV or other windows seven tasks ?
Post #791
Posted 8/23/2011 3:51:26 PM
Expert from Quest Software

Expert from Quest SoftwareExpert from Quest SoftwareExpert from Quest SoftwareExpert from Quest SoftwareExpert from Quest SoftwareExpert from Quest SoftwareExpert from Quest SoftwareExpert from Quest Software

Group: Forum Members
Last Login: 2/11/2012 12:15:37 AM
Posts: 18, Visits: 8
Hmmmm... this may be due to explorer reading the file headers for extended information.  What file accesses did you see?
Post #792
« Prev Topic | Next Topic »


Permissions Expand / Collapse

All times are GMT -5:00, Time now is 3:43pm