Audit failures from explorer.exe

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

Hi,

I audit failures on files from "Program Files" because I run as member of
"Users" group and I want to identify programs trying to write there, because
they are badly written. But my Event log is full of 560 Failure Events, that
are generated by explorer.exe as I browse through the folders.
Is there any way how can I remove explorer.exe from being audited? Otr any
other solution (besides using File Manager as mentioned in Q172509)

I know the reason why Explorer does this. When explorer checks for rights
for a folder, this results in a call to NtCreateFile. This call fails and
creates the audit log. There is a function that can return rights on folder,
but that function is slow, so Explorer uses this dirty way.

Thanks, Jan

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

I have noticed the same thing and there is no way to selectively disable
auditing of explorer.exe. You might find that using Event Comb can help to
filter security log searches to find more specific information and events.
Event Comb allows you to search based on text strings and event ID's. ---
Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;308471 --- Event
Comb

"Jan Bares" <jan.bares@nospam.nospam> wrote in message
news:eENbLTjIFHA.608@TK2MSFTNGP10.phx.gbl...
> Hi,
>
> I audit failures on files from "Program Files" because I run as member of
> "Users" group and I want to identify programs trying to write there,
> because
> they are badly written. But my Event log is full of 560 Failure Events,
> that
> are generated by explorer.exe as I browse through the folders.
> Is there any way how can I remove explorer.exe from being audited? Otr any
> other solution (besides using File Manager as mentioned in Q172509)
>
> I know the reason why Explorer does this. When explorer checks for rights
> for a folder, this results in a call to NtCreateFile. This call fails and
> creates the audit log. There is a function that can return rights on
> folder,
> but that function is slow, so Explorer uses this dirty way.
>
> Thanks, Jan
>
>

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

Thank Steven,

does Event Comb support to filter out (don't show them) events from specific
process ID? So I can filter out 560 events created by explorer?
The problem is, that events doesn't contain name of executable, only process
ID, so any filtering after explorer was restarted will not help.

Jan

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:ONjG5WnIFHA.236@TK2MSFTNGP14.phx.gbl...
> I have noticed the same thing and there is no way to selectively disable
> auditing of explorer.exe. You might find that using Event Comb can help to
> filter security log searches to find more specific information and events.
> Event Comb allows you to search based on text strings and event ID's.

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

The best way to see if Event Comb suits your needs is to try it out as it is
free. You can specify specific events to search for and then enter a text
string to search for within those events. --- Steve


"Jan Bares" <jan.bares@nospam.nospam> wrote in message
news:OFPS2IvIFHA.4060@TK2MSFTNGP14.phx.gbl...
> Thank Steven,
>
> does Event Comb support to filter out (don't show them) events from
> specific
> process ID? So I can filter out 560 events created by explorer?
> The problem is, that events doesn't contain name of executable, only
> process
> ID, so any filtering after explorer was restarted will not help.
>
> Jan
>
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:ONjG5WnIFHA.236@TK2MSFTNGP14.phx.gbl...
>> I have noticed the same thing and there is no way to selectively disable
>> auditing of explorer.exe. You might find that using Event Comb can help
>> to
>> filter security log searches to find more specific information and
>> events.
>> Event Comb allows you to search based on text strings and event ID's.
>
>