Object Access Events


Object access events must be enabled on a per-object basis by configuring the system access control list (SACL) for that object. For information about how to configure SACLs, see "Authorization and Access Control" in this book.

560 Access was granted to an already existing object.

Parameters: Object server, object type, object name, handle ID, operation ID, process ID, image file name, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, access privileges, restricted SID count.

Configurable Information: Success

Formal name: SE_AUDITID_OPEN_HANDLE

Objects are accessed with handles. This event means that a handle was opened. It does not mean that the object was actually accessed.

562 A handle to an object was closed.

Parameters: Object server, handle ID, process ID, image file name.

Configurable Information: Failure

Formal name: SE_AUDITID_CLOSE_HANDLE

563 An attempt was made to open an object with the intent to delete it.

Parameters: Object server, object type, object name, handle ID, operation ID, process ID, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, accesses, privileges.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_OPEN_OBJECT_FOR_DELETE

This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified.

564 A protected object was deleted.

Parameters: Object server, handle ID, process ID.

Configurable Information: Success

Formal name: SE_AUDITID_DELETE_OBJECT

565 Access was granted to an already existing object type.

Parameters: Object server, object type, object name, handle ID, operation ID, process ID, process name, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, accesses, privileges, properties.

Configurable Information: Success

Formal name: SE_AUDITID_OPEN_HANDLE_OBJECT_TYPE

566 A generic object operation took place.

Parameters: Operation type, object type, object name, handle ID, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, accesses, properties.

Configurable Information: Success

Formal name: SE_AUDITID_OBJECT_OPERATION

This event message is also used to audit directory service access events.

567 A permission associated with a handle was used.

Parameters: Name of the object being accessed, object server, handle ID, object type, process ID, access mask.

Configurable Information: Success

Formal name: SE_AUDITID_OBJECT_ACCESS

A handle is created with certain granted permissions (read, write, and so on). When the handle is used, one audit is generated for each of the permissions that was used.

568 An attempt was made to create a hard link to a file that is being audited.

Parameters: Primary user name, primary domain, primary logon ID, object name, link name.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_HARDLINK_CREATION
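
As the notes for events 560 and 567 say, an opened handle shows only what access was granted, not what was used. The following added example (not from the Resource Kit) correlates events 560, 567, 564 and 562 by process ID and handle ID to separate granted access from used access. The record layout, field names, access names and sample values are constructed assumptions.

```python
# Added example: correlate handle-lifecycle events by (process ID, handle ID).
# The dict layout and all sample values are constructed; a real Security log
# export needs its own parser to produce records of this shape.

SAMPLE_EVENTS = [  # constructed, in log order
    {"id": 560, "pid": 1204, "handle": 0x5A4, "object": r"C:\Payroll\q3.xls",
     "accesses": ["ReadData", "WriteData", "DELETE"]},
    {"id": 567, "pid": 1204, "handle": 0x5A4, "accesses": ["ReadData"]},
    {"id": 562, "pid": 1204, "handle": 0x5A4},
    {"id": 560, "pid": 1204, "handle": 0x5A4, "object": r"C:\Payroll\old.xls",
     "accesses": ["DELETE"]},            # handle ID reused after the close
    {"id": 564, "pid": 1204, "handle": 0x5A4},
    {"id": 562, "pid": 1204, "handle": 0x5A4},
    {"id": 560, "pid": 880, "handle": 0x1C0, "object": r"C:\Payroll\q3.xls",
     "accesses": ["ReadData"]},          # opened, never used, still open
]


def correlate_handles(events):
    """Return one record per opened handle: access granted vs. access used."""
    open_handles = {}   # (pid, handle) -> record for the handle currently open
    finished = []
    for ev in events:
        key = (ev["pid"], ev["handle"])  # handle IDs are only unique per process
        if ev["id"] == 560:              # handle opened, access granted
            if key in open_handles:      # close event missing: keep old record
                finished.append(open_handles.pop(key))
            open_handles[key] = {"pid": ev["pid"], "object": ev["object"],
                                 "granted": set(ev["accesses"]), "used": set(),
                                 "deleted": False, "closed": False}
        elif key not in open_handles:
            continue                     # open not audited or predates the log
        elif ev["id"] == 567:            # a granted permission was exercised
            open_handles[key]["used"].update(ev["accesses"])
        elif ev["id"] == 564:            # object deleted through this handle
            open_handles[key]["deleted"] = True
        elif ev["id"] == 562:            # handle closed: lifecycle complete
            rec = open_handles.pop(key)
            rec["closed"] = True
            finished.append(rec)
    return finished + list(open_handles.values())


if __name__ == "__main__":
    for rec in correlate_handles(SAMPLE_EVENTS):
        print(rec["pid"], rec["object"], "used:", sorted(rec["used"]),
              "unused:", sorted(rec["granted"] - rec["used"]),
              "deleted:", rec["deleted"], "closed:", rec["closed"])
```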




Microsoft Windows XP Professional Resource Kit 2003
Year: 2005
Pages: 338
