Microsoft KB Archive/835398

= Event ID 560 is logged every time that you refresh the security log in Windows Server 2003 =

Article ID: 835398

Article Last Modified on 2/27/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition

-





Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SUMMARY
''Event ID 560 may be logged every time that you refresh the security log in Event Viewer. This problem may occur when the "Audit object access" Group Policy setting is configured to audit successful attempts to gain write access to an object that has a system access control list (SACL). To resolve this problem, you can configure the SACL on the registry subkey that is noted in the event not to log successful attempts to gain write access by members of the Administrators group.''



SYMPTOMS
When you view the security log in Event Viewer, an event that is similar to the following may be logged every time that you refresh the log:

Event Type: Success Audit

Event Source: Security

Event Category: Object Access

Event ID: 560

User: NT AUTHORITY\SYSTEM

Description:

Object Open:

Object Server: Security

Object Type: Key

Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security

Handle ID: 3240

Operation ID: {0,112580708}

Process ID: 768

Image File Name: C:\WINDOWS\system32\services.exe

Primary User Name:

Primary Domain:

Primary Logon ID: (0x0,0x3E7)

Client User Name:

Client Domain:

Client Logon ID: (0x0,0x3E7)

Accesses: Set key value

Privileges: -

Restricted Sid Count: 0



CAUSE
This problem may occur when the "Audit object access" Group Policy setting is configured to audit successful attempts to gain write access to an object that has a system access control list (SACL).

When Event Viewer refreshes the log view, it closes and reopens a handle to the registry subkey where the settings for the security event log are located. This handle requests SetValue access. This request triggers the audit. By default, the SACL for this registry subkey audits all write handles to the subkey that are successfully opened.



RESOLUTION
To resolve this problem, configure the SACL for the registry key not to log successful attempts to gain write access when they are made by members of the Administrators group or by other users who have permission to view the security event log. To do this, follow these steps to replace the Everyone account with an account that does not contain members of the Administrators group.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

 * 1) Start Registry Editor.
 * 2) Locate and then right-click the following registry subkey:
 * 3) Click Permissions.
 * 4) Click Advanced.
 * 5) In the Auditing entries list, click the group that contains members of the Administrators group. (This group is most likely the Everyone group.) Click Edit.
 * 6) Write down which check boxes are selected in the Access box, and then click Cancel.
 * 7) In the Auditing entries list, click Everyone, and then click Remove.

Important Everyone may not be listed in the Auditing entries list. However, it is important to make sure that the ACL does not contain a group that includes administrators.

 * 8) Click Add.
 * 9) In the Select User, Computer or Group box, type the name of a group that contains all users but does not include the Administrators group. For example, type Domain Users, and then click OK.
 * 10) Click to select the same check boxes that were selected in the Access box of the Everyone group, and then click OK.

Note These are the check boxes that you wrote down in step 6.

 * 11) Click OK two times.
 * 12) Quit Registry Editor.
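The same SACL change as a script, added here as an example and not part of the KB article: it assumes an elevated PowerShell session on the affected server, that the subkey named in the event corresponds to HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security, and that Domain Users is the replacement group (both are parameters).

```powershell
# Added example (not from the KB article): replace the Everyone audit entry on the
# security event log's registry subkey with an identical entry for a group that does
# not include administrators, so refreshing Event Viewer no longer logs Event ID 560.
# Assumptions: elevated session (Get-Acl -Audit and Set-Acl need SeSecurityPrivilege),
# and the subkey from the event maps to the HKLM path below.
param(
    [string]$KeyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security',
    [string]$OldGroup = 'Everyone',                        # entry removed in step 7
    [string]$NewGroup = "$env:USERDOMAIN\Domain Users"     # replacement group, step 9
)

# Read the key's security descriptor including the SACL.
$acl = Get-Acl -Path $KeyPath -Audit

# Step 6: record the explicit audit rules currently set for the old group.
$oldRules = $acl.GetAuditRules($true, $false, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.IdentityReference.Value -eq $OldGroup }

if (-not $oldRules) {
    Write-Warning "No audit entry for '$OldGroup' on $KeyPath. Check the SACL for another group that includes administrators."
    return
}

foreach ($rule in $oldRules) {
    Write-Host ("Existing audit entry: {0} rights={1} flags={2}" -f
        $rule.IdentityReference, $rule.RegistryRights, $rule.AuditFlags)

    # Step 10: same rights, same Success/Failure flags, same inheritance, new group.
    $newRule = New-Object System.Security.AccessControl.RegistryAuditRule(
        $NewGroup, $rule.RegistryRights, $rule.InheritanceFlags,
        $rule.PropagationFlags, $rule.AuditFlags)

    # Steps 7 and 8: remove the old entry, add the replacement.
    [void]$acl.RemoveAuditRule($rule)
    $acl.AddAuditRule($newRule)
}

# Write the modified SACL back (the equivalent of clicking OK in the dialogs).
Set-Acl -Path $KeyPath -AclObject $acl

# Show the resulting auditing entries for verification.
(Get-Acl -Path $KeyPath -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, RegistryRights, AuditFlags, IsInherited -AutoSize
```

After running it, refresh the security log in Event Viewer and confirm that no new Event ID 560 for this subkey is written for an administrator's session.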


WORKAROUND
To work around this problem, follow these steps to configure the "Audit object access" Group Policy setting not to audit any successful attempts to gain write access.

Note This configuration disables all object access audits.
 * 1) Click Start, click Run, type gpedit.msc, and then click OK to start Group Policy Object Editor.
 * 2) Under Local Computer Policy, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Audit Policy.
 * 3) In the details pane, double-click Audit object access.
 * 4) In the Audit object access Properties dialog box, click to clear the Success check box and the Failure check box.
 * 5) Click OK.
 * 6) Quit Group Policy Object Editor.

Note This workaround may not work if the policy is applied on the domain.


STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Keywords: kbmgmtservices kbgrppolicyprob kbprb KB835398

-


© Microsoft Corporation. All rights reserved.