Object Names in the Security Audit Log

By JKrowiak
I'm doing some auditing on our servers, and having a little trouble reading the logs. See the Object Name on line 4? I need to know what the English name is for this object. Is this a security object ID or something? Is there a way to figure out what it is? Any help would be appreciated....


Object Open:
Object Server: Security
Object Type: File
Object Name: \Users\t3vvsa8b.3
New Handle I -
Operation I {0,17765462}
Process I 2161921536
Primary User Name:SYSTEM
Primary Domain: NT AUTHORITY


Object Names in the Security Audit Log

by Ziggy In reply to Object Names in the Secur ...

The object name is the object, in this case a file, that was opened. This excerpt tells me that the file, \Users\t3vvsa8b.3, was accessed by the Primary User, SYSTEM. As you may know, quite a few services by default run under the SYSTEM account. It is also possible that the SYSTEM account was accessing this file for a user, in which case there would be additional information which you probably left off under the Primary Domain field. Most likely, there is a Client User Name field that will tell you what user was ultimately accessing the file. There would also be more information pertaining to the type of access. One thing to remember with Object Access auditing: one action, like opening a text file in Explorer, can trigger upwards of 20+ events to be written to the Security Log. With that said, following is a link to a Microsoft TechNet article that further explains the NT Security Log.

http://www.microsoft.com/TechNet/winnt/usesecur.asp

-Hope this helps


Object Names in the Security Audit Log

by JKrowiak In reply to Object Names in the Secur ...

Unfortunately, the object \Users\t3vvsa8b.3 does not exist. There is a \Users folder, but the t3vvsa8b.3 must be a secure name or system alias of some kind for a user folder. I need to know what folder it is, so I can tell what folder this user is trying to access. (By the way, I do have a userid, domain, etc. in the error code, but decided against posting it.)
