Re: Audit failures from explorer.exe

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 03/06/05

• Next message: Steven L Umbach: "Re: hisecweb.inf"
• Previous message: Steven L Umbach: "Re: unable to perform "perfmon" on a remote Windows XP Pro"
• In reply to: Jan Bares: "Audit failures from explorer.exe"
• Next in thread: Jan Bares: "Re: Audit failures from explorer.exe"
• Reply: Jan Bares: "Re: Audit failures from explorer.exe"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sun, 6 Mar 2005 11:56:39 -0600

I have noticed the same thing and there is no way to selectively disable
auditing of explorer.exe. You might find that using Event Comb can help to
filter security log searches to find more specific information and events.
Event Comb allows you to search based on text strings and event ID's. ---
Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;308471 --- Event
Comb

"Jan Bares" <jan.bares@nospam.nospam> wrote in message
news:eENbLTjIFHA.608@TK2MSFTNGP10.phx.gbl...
> Hi,
>
> I audit failures on files from "Program Files" because I run as member of
> "Users" group and I want to identify programs trying to write there,
> because
> they are badly written. But my Event log is full of 560 Failure Events,
> that
> are generated by explorer.exe as I browse through the folders.
> Is there any way how can I remove explorer.exe from being audited? Otr any
> other solution (besides using File Manager as mentioned in Q172509)
>
> I know the reason why Explorer does this. When explorer checks for rights
> for a folder, this results in a call to NtCreateFile. This call fails and
> creates the audit log. There is a function that can return rights on
> folder,
> but that function is slow, so Explorer uses this dirty way.
>
> Thanks, Jan
>
>

• Next message: Steven L Umbach: "Re: hisecweb.inf"
• Previous message: Steven L Umbach: "Re: unable to perform "perfmon" on a remote Windows XP Pro"
• In reply to: Jan Bares: "Audit failures from explorer.exe"
• Next in thread: Jan Bares: "Re: Audit failures from explorer.exe"
• Reply: Jan Bares: "Re: Audit failures from explorer.exe"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: RUNAS when a user is just in the user group ... Login as a local administrator or user with admin rights that you will use then to run-as explorer. ... The open Explorer goto Tools - Folder Options - View and select 'Launch folder windows in a seperate process'. ... (microsoft.public.windowsxp.general) Preventing deletion of Forms folder in SharePoint Document Library ... Is there a way to prevent people with add, update, delete rights from ... Deleting the Forms folder in the explorer view of a document library? ... (microsoft.public.sharepoint.portalserver.development) NetShareAdd API function ... I use NetShareAdd API function to share a folder. ... No problem in a first time. ... When I open the explorer on my computer I see ... I have rights to open others shared folder ... (microsoft.public.vb.winapi) Re: How reduce number items listed start menu ... is Explorer the only way, ... If you create a folder in the All Users\Start Menu with the same name as one ... Create and Configure User Accounts in Windows XP ... application, Disk copier, etc.) You'll be glad to know that if you have ... (microsoft.public.windowsxp.basics) RE: IE Explorer error when viewing jpg ... "nass" wrote: ... Explorer begins to open the folder then shuts down with the message explorer ... Possible Virus Infection (I'm running McAfee and a scan of the drive did not ... (microsoft.public.windowsxp.help_and_support)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint