Event 560 Failures Appears When File and Object Auditing Is Enabled (245630)


The information in this article applies to:

  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Server 4.0 SP1
  • Microsoft Windows NT Server 4.0 SP2
  • Microsoft Windows NT Server 4.0 SP3
  • Microsoft Windows NT Server 4.0 SP4
  • Microsoft Windows NT Server 4.0 SP5
  • Microsoft Windows NT Server 4.0 SP6
This article was previously published under Q245630

SYMPTOMS

When File and Object auditing is enabled in Windows NT 4.0, you may receive Event 560 failures in the event log.

CAUSE

This behavior can occur when the task manager is polling, or is going out through the computer and reading objects.

This error also occurs on computers running Windows 2000. The registry key is set to 1 by enabling the group policy item. Audit access to global system objects and auditing on object access. Disabling this setting the group policy requires a reboot of the machine after the group policy item is updated.

STATUS

Microsoft has confirmed that this is a problem in Windows NT 4.0.

MORE INFORMATION

The audit failure occurs when the AuditBaseObjects value is enabled in the following registry key:

HKEY_LOCAL_MACHINE\system\CurrentControlSet\Control\Lsa

The event log that appears during each polling interval of Task Manager appears like this:
User = cso_admin
Event ID = 560
Source = Security
Type = Failure Audit
Category = Object Access
Description:
Object Open:
Object Server: Security
Object Type: Desktop
Object Name: \Winlogon
New Handle ID: -
Operation ID: {0,57614}
Process ID: 2157796800
Primary User Name: cso_admin
Primary Domain: BNTEMP
Primary Logon ID: (0x0,0x5ED9)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses MAX_ALLOWED
Read Objects
Write objects
Modification Type:MajorLast Reviewed:2/12/2002
Keywords:kberrmsg kbprb KB245630
©2002 Microsoft Corporation. All rights reserved.