The purpose of this test is to show the security log entries produced when you delete an audited file:
Test approach:
1. Delete an audited file.
2. Open eventvwr.msc and check the Security event log. There are 3 events about the delete audit (note the text highlighted in red).
first event entry:
**************************************************************************
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 2008-2-14
Time: 17:00:08
User: ASIA\dmnroyhu
Computer: DMNM3037
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: D:\Temp\rbgwssuser.txt
Handle ID: 2608
Operation ID: {0,25009233}
Process ID: 752
Image File Name: C:\WINDOWS\explorer.exe
Primary User Name: dmnroyhu
Primary Domain: ASIA
Primary Logon ID: (0x0,0x13E8845)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: DELETE
READ_CONTROL
ReadAttributes
Privileges: -
Restricted Sid Count: 0
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
*******************************************************************************************
second event entry:
*******************************************************************************************
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 567
Date: 2008-2-14
Time: 17:00:08
User: ASIA\dmnroyhu
Computer: DMNM3037
Description:
Object Access Attempt:
Object Server: Security
Handle ID: 2608
Object Type: File
Process ID: 752
Image File Name: C:\WINDOWS\explorer.exe
Access Mask: DELETE
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
*******************************************************************************************
third event entry:
*******************************************************************************************
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 564
Date: 2008-2-14
Time: 17:00:08
User: ASIA\dmnroyhu
Computer: DMNM3037
Description:
Object Deleted:
Object Server: Security
Handle ID: 2608
Process ID: 752
Image File Name: C:\WINDOWS\explorer.exe
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
*******************************************************************************************
fourth event entry:
*******************************************************************************************
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 562
Date: 2008-2-14
Time: 17:00:08
User: ASIA\dmnroyhu
Computer: DMNM3037
Description:
Handle Closed:
Object Server: Security
Handle ID: 2608
Process ID: 752
Image File Name: C:\WINDOWS\explorer.exe
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
*******************************************************************************************
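
Event 564 above records the deletion but carries no file name; the name appears only in event 560, which shares the same Handle ID and Process ID. The following is an added example (not part of the original test notes) that parses a text export in the layout shown above and joins the two events. The sample records are constructed from the fields above, the second file name is made up, and a single computer's log is assumed.

```python
import re

# Constructed sample in the layout shown above (fields trimmed). The second 560
# reuses handle 2608 for a made-up file opened with DELETE but never deleted.
SAMPLE = r"""
Event ID: 560
Object Name: D:\Temp\rbgwssuser.txt
Handle ID: 2608
Process ID: 752
Accesses: DELETE
****
Event ID: 564
User: ASIA\dmnroyhu
Handle ID: 2608
Process ID: 752
****
Event ID: 562
Handle ID: 2608
Process ID: 752
****
Event ID: 560
Object Name: D:\Temp\constructed-kept.txt
Handle ID: 2608
Process ID: 752
Accesses: DELETE
****
Event ID: 562
Handle ID: 2608
Process ID: 752
"""

def parse_events(text):
    """Split on the asterisk separator lines; return one field dict per event."""
    chunks = re.split(r"^\*{3,}\s*$", text, flags=re.M)
    pat = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*)$", re.M)
    events = [{k: v.strip() for k, v in pat.findall(c)} for c in chunks]
    return [e for e in events if "Event ID" in e]

def deleted_files(events):
    """Join each 564 (no file name) to the 560 that opened the same handle."""
    opened, deleted = {}, []
    for e in events:
        key = (e.get("Process ID"), e.get("Handle ID"))  # handles are per process
        if e["Event ID"] == "560":
            opened[key] = e["Object Name"]
        elif e["Event ID"] == "564" and key in opened:
            deleted.append((opened[key], e.get("User")))
        elif e["Event ID"] == "562":
            opened.pop(key, None)  # handle values are reused after close
    return deleted
```

A 560 entry listing DELETE under Accesses only shows that the right was requested when the handle was opened; the file counts as deleted only when a 564 follows on the same handle before the 562 close.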