File reads are logged with event IDs 560 and 562 when you turn on file write auditing in Windows NT
Article ID: 120600
Article Last Modified on 10/30/2006
APPLIES TO
- Microsoft Windows NT Workstation 3.5
- Microsoft Windows NT Workstation 3.51
- Microsoft Windows NT Workstation 4.0 Developer Edition
- Microsoft Windows NT Server 3.5
- Microsoft Windows NT Server 3.51
- Microsoft Windows NT Server 4.0 Standard Edition
This article was previously published under Q120600
SYMPTOMS
On a Microsoft Windows NT-based computer, when you turn on write auditing for a file or for a group of files, subsequent file reads of those same files produce audit entries in the security event log. Event IDs 560 and 562 are logged in the security event log every time that the files are read.
Note Event ID 560 corresponds to an "object open" audit event, and event ID 562 corresponds to a "handle closed" audit event.
CAUSE
This behavior occurs because in Windows NT, a Windows file object maps both the GENERIC_WRITE and the GENERIC_READ generic access right constants to the READ_CONTROL and the SYNCHRONIZE standard access right constants. The READ_CONTROL standard access right constant is defined as the right to read the information in the object's security descriptor that identifies the object's owner, the object's primary group, and the discretionary access control list (DACL) for the object.
WORKAROUND
To work around this behavior, you can programmatically set the access control entries of system access control lists (SACLs) to (FILE_GENERIC_WRITE & ~(READ_CONTROL | SYNCHRONIZE)). You must use the FILE_GENERIC_WRITE constant instead of the GENERIC_WRITE constant because you cannot combine standard access rights and generic access rights by using a bitwise AND (&) operator.
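The following added example (not code from this article) models why the write-audit ACE fires on reads and why the recommended mask stops it. It reproduces the file object's generic mapping and the audit-ACE overlap test in portable C, using the access-mask values from winnt.h, rather than calling the Win32 security APIs; the function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
/* Access-mask constants with the values winnt.h gives them (copied so this builds without the SDK). */
#define READ_CONTROL          0x00020000u
#define SYNCHRONIZE           0x00100000u
#define FILE_READ_DATA        0x00000001u
#define FILE_WRITE_DATA       0x00000002u
#define FILE_APPEND_DATA      0x00000004u
#define FILE_READ_EA          0x00000008u
#define FILE_WRITE_EA         0x00000010u
#define FILE_READ_ATTRIBUTES  0x00000080u
#define FILE_WRITE_ATTRIBUTES 0x00000100u
#define GENERIC_READ          0x80000000u
#define GENERIC_WRITE         0x40000000u

/* File-object generic mapping: both GENERIC_READ and GENERIC_WRITE pull in READ_CONTROL | SYNCHRONIZE. */
#define FILE_GENERIC_READ  (READ_CONTROL | FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA | SYNCHRONIZE)
#define FILE_GENERIC_WRITE (READ_CONTROL | FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA | \
                            FILE_APPEND_DATA | SYNCHRONIZE)

/* Expand the generic bits of a requested mask into file-specific rights, as the kernel does
   before comparing the request against ACE masks (read and write only, the cases the article covers). */
uint32_t map_file_generic(uint32_t requested)
{
    uint32_t specific = requested & 0x0FFFFFFFu;   /* keep any explicit specific/standard bits */
    if (requested & GENERIC_READ)  specific |= FILE_GENERIC_READ;
    if (requested & GENERIC_WRITE) specific |= FILE_GENERIC_WRITE;
    return specific;
}

/* A system-audit ACE fires when any bit of the mapped request overlaps the ACE mask. */
int audit_fires(uint32_t requested, uint32_t sacl_mask)
{
    return (map_file_generic(requested) & sacl_mask) != 0;
}

/* The SACL mask the article recommends: write rights without the two shared standard rights. */
uint32_t write_only_audit_mask(void)
{
    return FILE_GENERIC_WRITE & ~(READ_CONTROL | SYNCHRONIZE);
}

int main(void)
{
    uint32_t fixed = write_only_audit_mask();
    printf("naive: read=%d write=%d\n", audit_fires(GENERIC_READ, FILE_GENERIC_WRITE), audit_fires(GENERIC_WRITE, FILE_GENERIC_WRITE));
    printf("fixed: read=%d write=%d\n", audit_fires(GENERIC_READ, fixed), audit_fires(GENERIC_WRITE, fixed));
    return 0;
}
```

With the naive mask a GENERIC_READ open overlaps on READ_CONTROL | SYNCHRONIZE and is audited; with the corrected mask only write requests overlap.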
MORE INFORMATION
Event IDs 560 and 562 permit you to determine the length of time that a user had the file object open.
Additional query words: prodnt security audit event log
Keywords: kbprb kbother KB120600