Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation.

Your auditing logs may contain incorrect auditing event details for event 565 and event 560



Symptoms

Auditing event details may be reported incorrectly in your auditing logs. This symptom may occur in one or both of the following ways:
  • The access bit is not decoded and insertion strings are displayed in event 565 for the SAM Server object:

    Event Type: Success Audit
    Event Source: Security
    Event Category: Directory Service Access
    Event ID: 565
    Description:
    Object Open:
    Object Server: Security Account Manager
    Object Type: SAM_SERVER
    Object Name: CN=Server,CN=System,DC=<domain_name>
    Handle ID: 357683232
    Operation ID: {0,19736110}
    Process ID: 780
    Process Name: C:\WINDOWS\system32\lsass.exe
    Primary User Name: user_name
    Primary Domain: domain_name
    Primary Logon ID: (0x0,0x3E7)
    Client User Name: user_name
    Client Domain: domain_name
    Client Logon ID: (0x0,0x12CEAE5)
    Accesses READ_CONTROL
    InitializeServer
    EnumerateDomains
    Undefined Access (no effect) Bit 7
    Privileges -
    Properties:
    ---
    %{bf967aad-0de6-11d0-a285-00aa003049e2}
    00x20094%20%21%22%23%24%25%26
    --------------

    Note: The problem is noted on the "Undefined Access (no effect) Bit 7" line of this event.
  • Event 565 reports that handles are opened in the Directory Service Access category. However, event 560 reports that these handles are closed in the Object Access category. The following list includes samples of the event 565 report and the event 560 report.
    • Event 565:

      Event Type: Success Audit
      Event Source: Security
      Event Category: Directory Service Access
      Event ID: 565
      Description:
      Object Open:
      Object Server: Security Account Manager
      Object Type: SAM_USER
      Object Name: <SID>
      Handle ID: 357684048
      Operation ID: {0,19736100}
      Process ID: 780
      Process Name: C:\WINDOWS\system32\lsass.exe
      Primary User Name: <user_name>
      Primary Domain: <domain_name>
      Primary Logon ID: (0x0,0x3E7)
      Client User Name: <user_name>
      Client Domain: <domain_name>
      Client Logon ID: (0x0,0x12CEAE5)
      Accesses:

    • Event 560 where the matching handle close event has a different category than Event 565:

      Event Type: Success Audit
      Event Source: Security
      Event Category: Object Access
      Event ID: 562
      Description: Handle Closed:
      Object Server: Security Account Manager
      Handle ID: 357684048
      Process ID: 780
      Image File Name: C:\WINDOWS\system32\lsass.exe
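
Because the open and close events are logged under different categories, a log parser that pairs them has to key on the handle rather than on the category. The following is an added example, not part of the KB article: it pairs events on Object Server, Process ID and Handle ID and reports pairs whose categories differ. The sample text is constructed from the dumps above, and all function names are hypothetical.

```python
import re

# Constructed sample, modelled on the event dumps above (fields shortened).
SAMPLE_LOG = """\
Event Category: Directory Service Access
Event ID: 565
Object Server: Security Account Manager
Handle ID: 357684048
Process ID: 780

Event Category: Object Access
Event ID: 562
Object Server: Security Account Manager
Handle ID: 357684048
Process ID: 780

Event Category: Directory Service Access
Event ID: 565
Object Server: Security Account Manager
Handle ID: 357683232
Process ID: 780
"""

OPEN_IDS = {"560", "565"}   # object-open events
CLOSE_ID = "562"            # handle-closed event

def parse_events(text):
    """Split blank-line-separated dumps into dicts of 'Field: value' pairs."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^[ \t]*([^:\n]+):[ \t]*(.*)$", block, re.M))
        if "Event ID" in fields:
            events.append(fields)
    return events

def correlate(events):
    """Pair opens with closes on (server, process, handle); category is ignored."""
    open_handles, pairs = {}, []
    for ev in events:
        key = (ev.get("Object Server"), ev.get("Process ID"), ev.get("Handle ID"))
        if ev["Event ID"] in OPEN_IDS:
            open_handles[key] = ev
        elif ev["Event ID"] == CLOSE_ID and key in open_handles:
            pairs.append((open_handles.pop(key), ev))
    return pairs, list(open_handles.values())

def category_mismatches(pairs):
    """Return the open/close pairs whose Event Category values differ."""
    return [(o, c) for o, c in pairs if o["Event Category"] != c["Event Category"]]
```

A parser that filters on Event Category before pairing would treat the first handle in the sample as never closed.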



Cause

This problem may occur if the following conditions are true:
  • You turn on auditing for the Object Access category and the Directory Service Access category.
  • The default System Access Control List (SACL) is configured on the affected objects.



Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.



Keywords: KB836419, kbbug, kbprb, kbnofix, kbaudit


Article Info
Article ID : 836419
Revision : 3
Created on : 10/30/2006
Published on : 10/30/2006
Exists online : False