Re: Event ID 560's
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 06/04/05
- Previous message: Roger Abell: "Re: How to block all traffic but SQL Server"
- In reply to: Mike St.Onge: "RE: Event ID 560's"
- Next in thread: Mike St.Onge: "Re: Event ID 560's"
- Reply: Mike St.Onge: "Re: Event ID 560's"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 3 Jun 2005 23:29:45 -0700
I am not sure of the last you have displayed.
The first two may be masked if you do not enable the policy
to audit global system objects. Although this does not sound
like a good thing to do, on the other hand it is not clear how
much use most people would make of the provided info.
I have noticed that the first two are fairly commonly seen
on W2k server when one enables audit global system objects.
I have also queried internally a couple times for info on the
second (crypt32LogoffEvent) and once a year and half ago
did an exhaustive search for info and came up empty.
-- Roger Abell Microsoft MVP (Windows Security) MCSE (W2k3,W2k,Nt4) MCDBA "Mike St.Onge" <MikeStOnge@discussions.microsoft.com> wrote in message news:8FE88993-7B80-4B6D-94A3-047EC19F1CEE@microsoft.com... > Oops. Wrong button. > > Anyways, the event looks like this > Object Server: Security > Object Type: Mutant > Object Name: \BaseNamedObjects\RasPbFile > > or > > Object Server: Security > Object Type: Event > Object Name: \BaseNamedObjects\crypt32LogoffEvent > > Or lots of these when running Task Manager > Object Server: Security > Object Type: Desktop > Object Name: \\Winlogon > > > Any ideas?
- Previous message: Roger Abell: "Re: How to block all traffic but SQL Server"
- In reply to: Mike St.Onge: "RE: Event ID 560's"
- Next in thread: Mike St.Onge: "Re: Event ID 560's"
- Reply: Mike St.Onge: "Re: Event ID 560's"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
