Object access events must be enabled on a per object basis by configuring the system access control list (SACL) for that object. For information about how to configure SACLs, see Authorization and Access Control in this book.
Parameters: Object server, object type, object name, handle ID, operation ID, process ID, image file name, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, access privileges, restricted SID count.
Configurable Information: Success
Formal name: SE_AUDITID_OPEN_HANDLE
Objects are accessed with handles. This event means that a handle was opened. It does not mean that the object was actually accessed.
Parameters: Object server, handle ID, process ID, image file name.
Configurable Information: Failure
Formal name: SE_AUDITID_CLOSE_HANDLE
Parameters: Object server, object type, object name, handle ID, operation ID, process ID, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, accesses, privileges.
Configurable Information: Success or Failure
Formal name: SE_AUDITID_OPEN_OBJECT_FOR_DELETE
This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified.
Parameters: Object server, handle ID, process ID.
Configurable Information: Success
Formal name: SE_AUDITID_DELETE_OBJECT,
Parameters: Object server, object type, object name, handle ID, operation ID, process ID, process name, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, accesses, privileges, properties.
Configurable Information: Success
Formal name: SE_AUDITID_OPEN_HANDLE_OBJECT_TYPE
Parameters: Operation type, object type, object name, handle ID, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, accesses, properties.
Configurable Information: Success
Formal name: SE_AUDITID_OBJECT_OPERATION
This event message is also used to audit directory service access events.
Parameters: Name of the object being accessed, object server, handle ID, object type, process ID, access mask.
Configurable Information: Success
Formal name: SE_AUDITID_OBJECT_ACCESS
A handle is created with certain granted permissions (read, write, and so on). When the handle is used, one audit is generated for each of the permissions that was used.
Parameters: Primary user name, primary domain, primary logon ID, object name, link name.
Configurable Information: Success or Failure
Formal name: SE_AUDITID_HARDLINK_CREATION