File reads are logged with event IDs 560 and 562 when you turn on file write auditing in Windows NT (120600)
The information in this article applies to:
- Microsoft Windows NT Workstation 3.5
- Microsoft Windows NT Workstation 3.51
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Server 3.5
- Microsoft Windows NT Server 3.51
- Microsoft Windows NT Server 4.0
This article was previously published under Q120600

SYMPTOMS
On a Microsoft Windows NT-based computer, when you turn on write auditing for a file or for a group of files, subsequent file reads of those same files produce audit entries in the security event log. Event IDs 560 and 562 are logged in the security event log every time that the files are read.
Note Event ID 560 corresponds to an "object open" audit event, and event ID 562 corresponds to a "handle closed" audit event.

CAUSE
This behavior occurs because in Windows NT, a Windows file object maps both the GENERIC_WRITE and the GENERIC_READ generic access right constants to the READ_CONTROL and the SYNCHRONIZE standard access right constants. The READ_CONTROL standard access right constant is defined as the right to read the information in the object's security descriptor that identifies the object's owner, the object's primary group, and the discretionary access control list (DACL) for the object.

WORKAROUND
To work around this behavior, you can programmatically set the access control entries of security access control lists (SACLs) to (FILE_GENERIC_WRITE & ~(READ_CONTROL | SYNCHRONIZE)). You must use the FILE_GENERIC_WRITE constant instead of the GENERIC_WRITE constant because you cannot combine standard access rights and generic access rights by using a bitwise AND (&) operator.
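
The mask arithmetic behind the cause and the workaround, as an added example that is not part of the original article. The constants carry their winnt.h values, reproduced so the file builds without the Windows SDK. The helpers map_file_generic and audit_ace_matches are hypothetical, and the rule that an audit entry fires when the ACE mask and the requested access share a bit is a simplified model assumed here.

```c
#include <stdint.h>
#include <stdio.h>
/* Access-mask values as defined in winnt.h, reproduced so this builds anywhere. */
#define READ_CONTROL          0x00020000u
#define SYNCHRONIZE           0x00100000u
#define GENERIC_READ          0x80000000u
#define GENERIC_WRITE         0x40000000u
#define FILE_READ_DATA        0x0001u
#define FILE_WRITE_DATA       0x0002u
#define FILE_APPEND_DATA      0x0004u
#define FILE_READ_EA          0x0008u
#define FILE_WRITE_EA         0x0010u
#define FILE_READ_ATTRIBUTES  0x0080u
#define FILE_WRITE_ATTRIBUTES 0x0100u
#define FILE_GENERIC_READ  (READ_CONTROL | SYNCHRONIZE | FILE_READ_DATA | \
                            FILE_READ_EA | FILE_READ_ATTRIBUTES)
#define FILE_GENERIC_WRITE (READ_CONTROL | SYNCHRONIZE | FILE_WRITE_DATA | \
                            FILE_APPEND_DATA | FILE_WRITE_EA | FILE_WRITE_ATTRIBUTES)

/* Hypothetical helper: expand generic bits the way a file object's generic mapping does. */
uint32_t map_file_generic(uint32_t mask)
{
    uint32_t out = mask & ~(GENERIC_READ | GENERIC_WRITE);
    if (mask & GENERIC_READ)  out |= FILE_GENERIC_READ;
    if (mask & GENERIC_WRITE) out |= FILE_GENERIC_WRITE;
    return out;
}

/* Hypothetical helper, simplified model (assumption): an audit ACE matches an open
   when the mapped requested access shares at least one bit with the mapped ACE mask. */
int audit_ace_matches(uint32_t ace_mask, uint32_t requested)
{
    return (map_file_generic(ace_mask) & map_file_generic(requested)) != 0;
}

/* The workaround mask from the article: write-specific bits only. */
uint32_t write_only_audit_mask(void)
{
    return FILE_GENERIC_WRITE & ~(READ_CONTROL | SYNCHRONIZE);
}

int main(void)
{
    uint32_t trimmed = write_only_audit_mask();
    printf("workaround mask          = 0x%08X\n", (unsigned)trimmed);
    printf("read vs GENERIC_WRITE ACE: %d\n", audit_ace_matches(GENERIC_WRITE, GENERIC_READ));
    printf("read vs trimmed ACE      : %d\n", audit_ace_matches(trimmed, GENERIC_READ));
    printf("write vs trimmed ACE     : %d\n", audit_ace_matches(trimmed, GENERIC_WRITE));
    return 0;
}
```

Applying the same `& ~(READ_CONTROL | SYNCHRONIZE)` to GENERIC_WRITE leaves it unchanged, because the generic bit and the standard-rights bits occupy different positions until the mapping is applied.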
Modification Type: Major
Last Reviewed: 3/26/2004
Keywords: kbprb kbother KB120600 kbAudITPRO