Event ID 560 is logged every time that you refresh the security log in Windows Server 2003 (835398)



The information in this article applies to:

  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Server 2003, 64-Bit Enterprise Edition

Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SUMMARY

Event ID 560 may be logged every time that you refresh the security log in Event Viewer. This problem may occur when the "Audit object access" Group Policy setting is configured to audit successful attempts to gain write access to an object that has a system access control list (SACL). To resolve this problem, you can configure the SACL on the registry subkey that is noted in the event not to log successful attempts to gain write access by members of the Administrators group.

SYMPTOMS

When you view the security log in Event Viewer, an event that is similar to the following may be logged every time that you refresh the log:

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
User: NT AUTHORITY\SYSTEM
Description:
Object Open:
Object Server: Security
Object Type: Key
Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security
Handle ID: 3240
Operation ID: {0,112580708}
Process ID: 768
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: UserName
Primary Domain: DomainName
Primary Logon ID: (0x0,0x3E7)
Client User Name: UserName
Client Domain: DomainName
Client Logon ID: (0x0,0x3E7)
Accesses: Set key value
Privileges: -
Restricted Sid Count: 0

CAUSE

This problem may occur when the "Audit object access" Group Policy setting is configured to audit successful attempts to gain write access to an object that has a system access control list (SACL).

When Event Viewer refreshes the log view, it closes and reopens a handle to the registry subkey where the settings for the security event log are located. This handle requests SetValue access. This request triggers the audit. By default, the SACL for this registry subkey audits all write handles to the subkey that are successfully opened.

RESOLUTION

To resolve this problem, configure the SACL for the registry key not to log successful attempts to gain write access when they are made by members of the Administrators group or by other users who have permission to view the security event log. To do this, follow these steps to replace the Everyone account with an account that does not contain members of the Administrators group.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
  1. Start Registry Editor.
  2. Locate and then right-click the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security

  3. Click Permissions.
  4. Click Advanced.
  5. In the Auditing entries list, click the group that contains members of the Administrators group. (This group is most likely the Everyone group.) Click Edit.
  6. Write down which check boxes are selected in the Access box, and then click Cancel.
  7. In the Auditing entries list, click Everyone, and then click Remove.

    Important Everyone may not be listed in the Auditing entries list. However, it is important to make sure that the auditing entries (the SACL) do not contain a group that includes administrators.
  8. Click Add.
  9. In the Select User, Computer or Group box, type the name of a group that contains all users but does not include the Administrators group.

    For example, type Domain Users, and then click OK.
  10. Click to select the same check boxes that were selected in the Access box of the Everyone group, and then click OK.

    Note These are the check boxes that you wrote down in step 6.
  11. Click OK two times.
  12. Quit Registry Editor.
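The same SACL change as steps 1 through 12, scripted with the .NET registry security classes from an elevated PowerShell prompt. This is an added example and not part of the Knowledge Base article; it assumes the host is domain-joined, that Domain Users (the article's example group) is the replacement, and that the existing audit entry belongs to Everyone.

```powershell
# Added example (not from the KB): replace the Everyone audit entry on the
# Security event log subkey with the same entry for Domain Users.
# Assumptions: elevated prompt, domain-joined host, Everyone is the group to replace.
$subKey      = 'SYSTEM\CurrentControlSet\Services\Eventlog\Security'
$oldIdentity = 'Everyone'
$newIdentity = New-Object System.Security.Principal.NTAccount("$env:USERDOMAIN\Domain Users")

# Reading or writing a SACL needs AccessSystemSecurity on the handle
# (plus SeSecurityPrivilege, which administrators hold by default).
$rights = [System.Security.AccessControl.RegistryRights]::ReadPermissions -bor
          [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
          [System.Security.AccessControl.RegistryRights]::AccessSystemSecurity
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey,
          [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $rights)

# Fetch only the audit (SACL) section of the security descriptor.
$sec = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Audit)

# Explicit entries only. An entry inherited from a parent key cannot be removed
# directly; call $sec.SetAuditRuleProtection($true, $true) first to make it explicit.
$rules = $sec.GetAuditRules($true, $false, [System.Security.Principal.NTAccount])

foreach ($rule in $rules) {
    if ($rule.IdentityReference.Value -ne $oldIdentity) { continue }
    # Step 6: record what the entry audits before changing anything.
    Write-Host ("Replacing audit entry: {0} / {1} / {2}" -f
        $rule.IdentityReference, $rule.RegistryRights, $rule.AuditFlags)
    # Step 7: remove the Everyone entry.
    $null = $sec.RemoveAuditRule($rule)
    # Steps 8 to 10: same rights, inheritance and Success/Failure flags for the new group.
    $sec.AddAuditRule((New-Object System.Security.AccessControl.RegistryAuditRule(
        $newIdentity, $rule.RegistryRights, $rule.InheritanceFlags,
        $rule.PropagationFlags, $rule.AuditFlags)))
}

# Step 11: write the modified SACL back to the key.
$key.SetAccessControl($sec)
$key.Close()
```

Run it once and then refresh the security log in Event Viewer: a second Event ID 560 for this subkey should no longer be written for an administrator, while non-administrator write attempts are still audited.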

WORKAROUND

To work around this problem, follow these steps to configure the "Audit object access" Group Policy setting not to audit any successful attempts to gain write access.

Note This configuration disables all object access audits.
  1. Click Start, click Run, type gpedit.msc, and then click OK to start Group Policy Object Editor.
  2. Under Local Computer Policy, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Audit Policy.
  3. In the details pane, double-click Audit object access.
  4. In the Audit object access Properties dialog box, click to clear the Success check box and the Failure check box.
  5. Click OK.
  6. Quit Group Policy Object Editor.

Note This workaround may not work if the policy is applied from the domain.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Modification Type: Minor
Last Reviewed: 8/6/2004
Keywords: kbMgmtServices kbGRPPOLICYprob kbprb KB835398