security log _ Audit object access_delete

purpose of the test is for obviousing the security log entry when you delete a audited file:

test approach:

1. delete an auditing file.

2. open eventvwr.msc, check security event. have 3 event about the delete audit(notice those font be highlight in red)

first event entry:

**************************************************************************

Event Type:    Success Audit
Event Source:    Security
Event Category:    Object Access
Event ID:    560
Date:        2008-2-14
Time:        17:00:08
User:        ASIA\dmnroyhu
Computer:    DMNM3037
Description:
Object Open:
     Object Server:    Security
     Object Type:    File
     Object Name:    D:\Temp\rbgwssuser.txt
     Handle ID:    2608
     Operation ID:    {0,25009233}
     Process ID:    752
     Image File Name:    C:\WINDOWS\explorer.exe
     Primary User Name:    dmnroyhu
     Primary Domain:    ASIA
     Primary Logon ID:    (0x0,0x13E8845)
     Client User Name:    -
     Client Domain:    -
     Client Logon ID:    -
     Accesses:        DELETE
            READ_CONTROL
            ReadAttributes
     Privileges:        -
     Restricted Sid Count: 0

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

*******************************************************************************************

second event entry:

*******************************************************************************************

Event Type:    Success Audit
Event Source:    Security
Event Category:    Object Access
Event ID:    567
Date:        2008-2-14
Time:        17:00:08
User:        ASIA\dmnroyhu
Computer:    DMNM3037
Description:
Object Access Attempt:
     Object Server:    Security
     Handle ID:    2608
     Object Type:    File
     Process ID:    752
     Image File Name:    C:\WINDOWS\explorer.exe
     Access Mask:    DELETE

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

*******************************************************************************************

third event entry:

*******************************************************************************************

Event Type:    Success Audit
Event Source:    Security
Event Category:    Object Access
Event ID:    564
Date:        2008-2-14
Time:        17:00:08
User:        ASIA\dmnroyhu
Computer:    DMNM3037
Description:
Object Deleted:
     Object Server:    Security
     Handle ID:    2608
     Process ID:    752
     Image File Name:    C:\WINDOWS\explorer.exe

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

*******************************************************************************************

forth event entry:

*******************************************************************************************

Event Type:    Success Audit
Event Source:    Security
Event Category:    Object Access
Event ID:    562
Date:        2008-2-14


Time:        17:00:08
User:        ASIA\dmnroyhu
Computer:    DMNM3037
Description:
Handle Closed:
     Object Server:    Security
     Handle ID:    2608
     Process ID:    752
     Image File Name:    C:\WINDOWS\explorer.exe

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

*******************************************************************************************

posted on 2008-02-14 17:25 GuoMing 阅读(334) 评论(0)  编辑 收藏 引用 所属分类: Windows Applicatios

只有注册用户登录后才能发表评论。

导航

<2008年2月>
272829303112
3456789
10111213141516
17181920212223
2425262728291
2345678

统计

常用链接

留言簿(1)

随笔分类

随笔档案

Friends' Blog

搜索

最新评论

阅读排行榜

评论排行榜