Audit failures from explorer.exe


Archived from groups: microsoft.public.win2000.security

 

Hi,

I audit failures on files from "Program Files" because I run as member of
"Users" group and I want to identify programs trying to write there, because
they are badly written. But my Event log is full of 560 Failure Events, that
are generated by explorer.exe as I browse through the folders.
Is there any way how can I remove explorer.exe from being audited? Or any
other solution (besides using File Manager as mentioned in Q172509)

I know the reason why Explorer does this. When explorer checks for rights
for a folder, this results in a call to NtCreateFile. This call fails and
creates the audit log. There is a function that can return rights on folder,
but that function is slow, so Explorer uses this dirty way.

Thanks, Jan


I have noticed the same thing and there is no way to selectively disable
auditing of explorer.exe. You might find that using Event Comb can help to
filter security log searches to find more specific information and events.
Event Comb allows you to search based on text strings and event IDs. ---
Steve

http://support.microsoft.com/defau [...] -us;308471 --- Event
Comb

"Jan Bares" <jan.bares@nospam.nospam> wrote in message
news:eENbLTjIFHA.608@TK2MSFTNGP10.phx.gbl...
> Hi,
>
> I audit failures on files from "Program Files" because I run as member of
> "Users" group and I want to identify programs trying to write there,
> because
> they are badly written. But my Event log is full of 560 Failure Events,
> that
> are generated by explorer.exe as I browse through the folders.
> Is there any way how can I remove explorer.exe from being audited? Or any
> other solution (besides using File Manager as mentioned in Q172509)
>
> I know the reason why Explorer does this. When explorer checks for rights
> for a folder, this results in a call to NtCreateFile. This call fails and
> creates the audit log. There is a function that can return rights on
> folder,
> but that function is slow, so Explorer uses this dirty way.
>
> Thanks, Jan
>
>


Thanks Steven,

does Event Comb support to filter out (don't show them) events from specific
process ID? So I can filter out 560 events created by explorer?
The problem is, that events don't contain name of executable, only process
ID, so any filtering after explorer was restarted will not help.

Jan

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:ONjG5WnIFHA.236@TK2MSFTNGP14.phx.gbl...
> I have noticed the same thing and there is no way to selectively disable
> auditing of explorer.exe. You might find that using Event Comb can help to
> filter security log searches to find more specific information and events.
> Event Comb allows you to search based on text strings and event IDs.


The best way to see if Event Comb suits your needs is to try it out as it is
free. You can specify specific events to search for and then enter a text
string to search for within those events. --- Steve


"Jan Bares" <jan.bares@nospam.nospam> wrote in message
news:OFPS2IvIFHA.4060@TK2MSFTNGP14.phx.gbl...
> Thanks Steven,
>
> does Event Comb support to filter out (don't show them) events from
> specific
> process ID? So I can filter out 560 events created by explorer?
> The problem is, that events don't contain name of executable, only
> process
> ID, so any filtering after explorer was restarted will not help.
>
> Jan
>
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:ONjG5WnIFHA.236@TK2MSFTNGP14.phx.gbl...
>> I have noticed the same thing and there is no way to selectively disable
>> auditing of explorer.exe. You might find that using Event Comb can help
>> to
>> filter security log searches to find more specific information and
>> events.
>> Event Comb allows you to search based on text strings and event IDs.
>
>
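
Added example, not part of any post in this thread: one way to work around 560 events carrying only a process ID is to replay the log in time order and map each PID to an image name from process-tracking events, so explorer.exe is still recognised after it restarts. It assumes "Audit process tracking" is enabled so that events 592 (process created) and 593 (process exited) are logged and that their process IDs match those in event 560; the pipe-delimited export layout and every record are constructed for illustration.

```python
# Assumption: 592/593 process-tracking events are present and share PIDs with 560.
# The export layout and all records below are constructed sample data.
SAMPLE_LOG = """\
2005-03-07 09:00:01|592|Success|pid=1204|image=C:\\WINNT\\explorer.exe
2005-03-07 09:00:05|560|Failure|pid=1204|object=C:\\Program Files\\App
2005-03-07 09:01:10|592|Success|pid=1660|image=C:\\Program Files\\App\\app.exe
2005-03-07 09:01:12|560|Failure|pid=1660|object=C:\\Program Files\\App\\settings.ini
2005-03-07 09:02:00|593|Success|pid=1204
2005-03-07 09:02:03|592|Success|pid=1892|image=C:\\WINNT\\explorer.exe
2005-03-07 09:02:09|560|Failure|pid=1892|object=C:\\Program Files\\Common Files
2005-03-07 09:03:00|593|Success|pid=1660
2005-03-07 09:03:30|592|Success|pid=1660|image=C:\\WINNT\\system32\\notepad.exe
2005-03-07 09:03:41|560|Failure|pid=1660|object=C:\\Program Files\\readme.txt
2005-03-07 09:04:00|560|Failure|pid=2044|object=C:\\Program Files\\x.dll
"""

def parse(line):
    """Split one exported record into (time, event id, outcome, fields)."""
    when, event_id, outcome, *rest = line.split("|")
    fields = dict(item.split("=", 1) for item in rest)
    return when, int(event_id), outcome, fields

def failures_by_image(log_text, ignore=("explorer.exe",)):
    """Return (time, image, object) for 560 failures not caused by ignored images."""
    live = {}   # pid -> image name, valid only while that process is running
    kept = []
    for line in log_text.splitlines():      # export is assumed to be in time order
        when, event_id, outcome, f = parse(line)
        pid = f.get("pid")
        if event_id == 592:
            live[pid] = f["image"].rsplit("\\", 1)[-1].lower()
        elif event_id == 593:
            live.pop(pid, None)             # the PID may be reused by another program
        elif event_id == 560 and outcome == "Failure":
            image = live.get(pid, "unknown")  # process started before the log window
            if image not in ignore:
                kept.append((when, image, f["object"]))
    return kept

if __name__ == "__main__":
    for row in failures_by_image(SAMPLE_LOG):
        print(*row, sep="  ")
```

Failures from processes that started before the exported window have no 592 record and are reported as "unknown" rather than dropped.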
