
Auditing file attribute changes


  • Auditing file attribute changes

    Hi Guys,

    I'm a little confused about an aspect of auditing. Here's the scenario.

    Someone is changing a folder to be hidden regularly and I want to find out who is doing it, so I enabled auditing. On the local group policy I enabled successful attempts for 'Audit object access'. Then I went to the folder in question, viewed Properties -> Security -> Advanced -> Auditing and added in the group for which the user has to be a member.

    Security on the folder has the following groups/accounts:
    -Administrators - Full control
    -CREATOR OWNER - special permissions
    -Domain Users - List folder contents
    -The group I created - Modify permissions
    -SYSTEM - full control

    In the auditing tab is the following:
    The group I created - write attributes - success

    When I then look in the event log at the events, it's being flooded by event 560 and 562 with the user Administrator. The text reads as follows:

    event ID: 560
    type: Success A
    Source: security
    category: Object access

    Object Open:
    Object Server: Security
    Object Type: Key
    Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security
    Handle ID: 748
    Operation ID: {1,1346482611}
    Process ID: 2216
    Image File Name: C:\WINDOWS\system32\mmc.exe
    Primary User Name: Administrator
    Primary Domain: WATGBQ23
    Primary Logon ID: (0x1,0x4F10A1E9)
    Client User Name: -
    Client Domain: -
    Client Logon ID: -
    Accesses: Set key value

    Privileges: -
    Restricted Sid Count: 0
    Access Mask: 0x2

    Event ID 562
    Handle Closed:
    Object Server: Security
    Handle ID: 748
    Process ID: 2216
    Image File Name: C:\WINDOWS\system32\mmc.exe

    Can anyone tell me why this is happening? Any help really appreciated.
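
Added example, not part of the original post: a small Python parser for event text in the layout quoted above, which skips the registry-key (Object Type: Key) records and keeps only 560 events on File objects under the audited folder that request an attribute write. The file record in the sample, its path and user names, and the `WriteAttributes` access string are assumptions for illustration.

```python
import re
# Constructed sample: records 1 and 3 follow the events quoted in the post;
# record 2 is a hypothetical file event (path and user names are made up).
SAMPLE = r"""
event ID: 560
Object Type: Key
Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security
Primary User Name: Administrator
Client User Name: -
Accesses: Set key value

event ID: 560
Object Type: File
Object Name: D:\Shares\Example
Primary User Name: FILESRV$
Client User Name: jdoe
Accesses: SYNCHRONIZE
    WriteAttributes

Event ID 562
"""

def parse_events(text):
    """Parse 'Field: value' dumps into one dict per event (keys lower-cased)."""
    events, last = [], None
    for line in text.splitlines():
        m = re.match(r"\s*event id:?\s*(\d+)", line, re.I)
        if m:
            events.append({"event id": m.group(1)})
            last = None
        elif events and line.strip():
            key, sep, value = line.partition(":")
            if sep:
                last = key.strip().lower()
                events[-1][last] = value.strip()
            elif last:  # continuation line: one access right per line
                events[-1][last] += " " + line.strip()
    return events

def attribute_writes(events, folder):
    """Return (user, object) for 560 File events under folder that request WriteAttributes."""
    hits = []
    for e in events:
        name = e.get("object name", "")
        if (e.get("event id") == "560" and e.get("object type") == "File"
                and name.lower().startswith(folder.lower())
                and "writeattributes" in e.get("accesses", "").lower()):
            client = e.get("client user name", "-")
            hits.append((client if client != "-" else e.get("primary user name"), name))
    return hits
```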