Re: Audit Failures/READ_CONTROL SYNCHRONIZE

From: Binesh Bannerjee (binesh-dated-1017745245.ab1b1d@hex21.com)
Date: 03/26/02


From: Binesh Bannerjee <binesh-dated-1017745245.ab1b1d@hex21.com>
Date: 26 Mar 2002 11:00:48 GMT

OK, in further trying to isolate the problem, here's what I've come up with.

In User Manager, I set "Audit These Events" to ONLY File and Object Access
failure.

ALL permissions on ALL files are defaults (meaning Everyone still exists on
everything; everything is as it is after a normal install of WinNT 4.0 Server).

I've added Auditing on ONE file: C:\WINNT\Explorer.exe to audit ONLY
Write failures.

This generates the following set of failures in the event log. (I've appended
it to this post)

Why? Why should anything want to write to Explorer, first off,
and then, what is this attempt to connect to a service controller
that's failing?

Thanks,
Binesh Bannerjee

(The event log follows)

        3/26/02 5:49:48 AM Security Failure Audit Object Access 560 user VMWARE Object Open:
                Object Server: Security
                Object Type: File
                Object Name: C:\WINNT\EXPLORER.EXE
                New Handle ID: -
                Operation ID: {0,342032}
                Process ID: 2154198752
                Primary User Name: user
                Primary Domain: VMWARE
                Primary Logon ID: (0x0,0x5324B)
                Client User Name: -
                Client Domain: -
                Client Logon ID: -
                Accesses READ_CONTROL
                        SYNCHRONIZE
                        ReadData (or ListDirectory)
                        ReadEA
                        ReadAttributes
                        WriteAttributes
                        
                Privileges -
         
        3/26/02 5:49:49 AM Security Failure Audit Object Access 560 user VMWARE Object Open:
                Object Server: Security
                Object Type: File
                Object Name: C:\WINNT\EXPLORER.EXE
                New Handle ID: -
                Operation ID: {0,344370}
                Process ID: 2154198752
                Primary User Name: user
                Primary Domain: VMWARE
                Primary Logon ID: (0x0,0x5324B)
                Client User Name: -
                Client Domain: -
                Client Logon ID: -
                Accesses READ_CONTROL
                        SYNCHRONIZE
                        ReadData (or ListDirectory)
                        ReadEA
                        ReadAttributes
                        WriteAttributes
                        
                Privileges -
         
        3/26/02 5:49:51 AM Security Failure Audit Object Access 560 user VMWARE Object Open:
                Object Server: SC Manager
                Object Type: SC_MANAGER OBJECT
                Object Name: ServicesActive
                New Handle ID: -
                Operation ID: {0,354711}
                Process ID: 2154290528
                Primary User Name: SYSTEM
                Primary Domain: NT AUTHORITY
                Primary Logon ID: (0x0,0x3E7)
                Client User Name: user
                Client Domain: VMWARE
                Client Logon ID: (0x0,0x5324B)
                Accesses Connect to service controller
                        Create a new service
                        
                Privileges -