No announcement yet.

Security Event Log ID 560

  • Filter
  • Time
  • Show
Clear All
new posts

  • Security Event Log ID 560


    On our servers we are getting the following secuity events flooding in:

    Object Open:
    Object Server: SC Manager
    Object Type: SC_MANAGER OBJECT
    Object Name: ServicesActive
    Handle ID: -
    Operation ID: {0,340778646}
    Process ID: 612
    Image File Name: C:\WINDOWS\system32\services.exe
    Primary User Name: SERVER1$
    Primary Domain: DOMAIN1
    Primary Logon ID: (0x0,0x3E7)
    Client User Name: user1
    Client Domain: DOMAIN1
    Client Logon ID: (0x0,0x144FD0AE)
    Accesses: READ_CONTROL
    Connect to service controller
    Enumerate services
    Query service database lock state

    Privileges: -
    Restricted Sid Count: 0
    Access Mask: 0x20015

    These events only happen on Windows 2003 servers (all with SP1) and only happen for two users.

    These users are using SQL Enterprise Manager and SQL Query Analyser from remote PC's at manage SQL Server 2000 SP3a they both have System Administrator rights on the databaseses.

    However when they connect using either SQL Enterprise Manager or SQL Query Amalyser these events start flooding in.

    Auditing is enabled via Group Policies and Object Access Success and Failure are enabled.

    These two users do not have local administrator rights.