Audit failures from explorer.exe

Archived from groups: microsoft.public.win2000.security

Hi,

I audit failures on files from "Program Files" because I run as a member of
the "Users" group and I want to identify programs trying to write there, because
they are badly written. But my Event log is full of 560 Failure events that
are generated by explorer.exe as I browse through the folders.
Is there any way I can remove explorer.exe from being audited? Or any
other solution (besides using File Manager as mentioned in Q172509)?

I know the reason why Explorer does this. When Explorer checks for rights
for a folder, this results in a call to NtCreateFile. This call fails and
creates the audit log. There is a function that can return rights on a folder,
but that function is slow, so Explorer uses this dirty way.

Thanks, Jan
  1. I have noticed the same thing and there is no way to selectively disable
    auditing of explorer.exe. You might find that using Event Comb can help to
    filter security log searches to find more specific information and events.
    Event Comb allows you to search based on text strings and event IDs. ---
    Steve

    http://support.microsoft.com/default.aspx?scid=kb;en-us;308471 --- Event
    Comb

  2. Thanks Steven,

    Does Event Comb support filtering out (not showing) events from a specific
    process ID? So I can filter out 560 events created by Explorer?
    The problem is that the events don't contain the name of the executable, only
    the process ID, so any filtering after Explorer was restarted will not help.

    Jan

  3. The best way to see if Event Comb suits your needs is to try it out as it is
    free. You can specify specific events to search for and then enter a text
    string to search for within those events. --- Steve
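
One way around the process-ID-only limitation raised in the thread, as an added example that is not part of the original posts: if "Audit process tracking" is also enabled, event 592 (process created) records the image file name with the new process ID and event 593 records the exit, so replaying the log in order ties each 560 failure to an executable even after Explorer restarts or an ID is reused. The record layout, field names and sample events below are constructed for the example and are not an Event Comb format.

```python
import ntpath

# Constructed sample standing in for an exported Security log, oldest first.
# Field names are assumptions; process IDs are treated as opaque strings.
SAMPLE = [
    {"id": 592, "pid": "1124", "image": r"C:\WINNT\explorer.exe"},
    {"id": 560, "pid": "1124", "type": "Failure", "object": r"C:\Program Files\Tool"},
    {"id": 592, "pid": "1300", "image": r"C:\Program Files\Tool\tool.exe"},
    {"id": 560, "pid": "1300", "type": "Failure", "object": r"C:\Program Files\Tool\tool.ini"},
    {"id": 593, "pid": "1124"},                                       # Explorer exits
    {"id": 592, "pid": "1452", "image": r"C:\WINNT\Explorer.EXE"},    # restarted, new ID
    {"id": 560, "pid": "1452", "type": "Failure", "object": r"C:\Program Files"},
    {"id": 592, "pid": "1124", "image": r"C:\Program Files\Other\other.exe"},  # ID reused
    {"id": 560, "pid": "1124", "type": "Failure", "object": r"C:\Program Files\Other\data.db"},
    {"id": 560, "pid": "2000", "type": "Failure", "object": r"C:\Program Files\X"},  # no 592 in log
]


def failures_not_from(events, ignored=("explorer.exe",)):
    """Return (image, object) for 560 failures not caused by an ignored image."""
    ignored = {name.lower() for name in ignored}
    live = {}  # process ID -> image path, valid only between its 592 and 593
    kept = []
    for ev in events:
        if ev["id"] == 592:
            live[ev["pid"]] = ev["image"]        # overwrites a stale, reused ID
        elif ev["id"] == 593:
            live.pop(ev["pid"], None)
        elif ev["id"] == 560 and ev.get("type") == "Failure":
            image = live.get(ev["pid"])          # None: started before the log begins
            if image and ntpath.basename(image).lower() in ignored:
                continue
            # Unknown processes are kept so nothing is silently hidden.
            kept.append((image or "<unknown>", ev["object"]))
    return kept


if __name__ == "__main__":
    for image, obj in failures_not_from(SAMPLE):
        print(f"{image} -> {obj}")
```
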