Audit failures from explorer.exe
From: Jan Bares (jan.bares_at_nospam.nospam)
Date: 03/06/05
- Next message: Mary S: "Re: hisecweb.inf"
- Previous message: Mary S: "hisecweb.inf"
- Next in thread: Steven L Umbach: "Re: Audit failures from explorer.exe"
- Reply: Steven L Umbach: "Re: Audit failures from explorer.exe"
Date: Sun, 6 Mar 2005 11:10:56 +0100
Hi,
I audit failures on files from "Program Files" because I run as a member of
the "Users" group and I want to identify programs trying to write there,
because they are badly written. But my Event log is full of 560 Failure
Events, which are generated by explorer.exe as I browse through the folders.

Is there any way I can remove explorer.exe from being audited? Or any
other solution (besides using File Manager as mentioned in Q172509)?

I know the reason why Explorer does this. When Explorer checks for rights
for a folder, this results in a call to NtCreateFile. This call fails and
creates the audit log. There is a function that can return rights on a folder,
but that function is slow, so Explorer uses this dirty way.
Thanks, Jan
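
An added example, not part of the original post: one way to cut the noise at review time is to filter exported 560 failure records by the process image that opened the object. The records below are constructed and simplified, the field names are modelled on the event 560 description text, and `NOISY_IMAGES`, `WRITE_ACCESSES` and `triage` are hypothetical names chosen for illustration.

```python
import ntpath
from collections import Counter

# Constructed sample records (not real log data); keys mirror the fields
# shown in the description of Security event 560 (Object Open).
SAMPLE_EVENTS = [
    {"EventID": 560, "Type": "Failure Audit",
     "Object Name": r"C:\Program Files\Acme",
     "Image File Name": r"C:\WINDOWS\explorer.exe",
     "Accesses": ["READ_CONTROL", "WriteData (or AddFile)"]},
    {"EventID": 560, "Type": "Failure Audit",
     "Object Name": r"C:\Program Files\Acme\settings.ini",
     "Image File Name": r"C:\Program Files\Acme\acmeupd.exe",
     "Accesses": ["WriteData (or AddFile)", "SYNCHRONIZE"]},
    {"EventID": 560, "Type": "Failure Audit",
     "Object Name": r"C:\Program Files\Acme\settings.ini",
     "Image File Name": r"C:\Program Files\Acme\AcmeUpd.exe",
     "Accesses": ["AppendData (or AddSubdirectory or CreatePipeInstance)"]},
    {"EventID": 560, "Type": "Failure Audit",
     "Object Name": r"c:\program files\Other\data.db",
     "Image File Name": r"C:\Tools\reader.exe",
     "Accesses": ["ReadData (or ListDirectory)"]},
    {"EventID": 560, "Type": "Failure Audit",
     "Object Name": r"C:\Program Files2\x.log",
     "Image File Name": r"C:\Program Files\Acme\acmeupd.exe",
     "Accesses": ["WriteData (or AddFile)"]},
]

NOISY_IMAGES = {"explorer.exe"}  # assumption: images whose failures are ignored
WRITE_ACCESSES = ("WriteData", "AppendData", "DELETE", "WRITE_DAC", "WRITE_OWNER")

def under(path, root):
    """Case-insensitive check that path is root itself or lies below it."""
    p, r = ntpath.normcase(path), ntpath.normcase(root).rstrip("\\")
    return p == r or p.startswith(r + "\\")

def triage(events, root=r"C:\Program Files"):
    """Count failed write-type opens under root per (image, object),
    skipping images listed in NOISY_IMAGES."""
    hits = Counter()
    for ev in events:
        if ev["EventID"] != 560 or ev["Type"] != "Failure Audit":
            continue
        image = ntpath.basename(ev["Image File Name"]).lower()
        if image in NOISY_IMAGES or not under(ev["Object Name"], root):
            continue
        if any(a.startswith(WRITE_ACCESSES) for a in ev["Accesses"]):
            hits[(image, ev["Object Name"])] += 1
    return hits
```

Filtering this way leaves the audit policy unchanged, so the explorer.exe events are still written to the log and only hidden from the review.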