Windows 10: Event Log showing wrongly created documents with auditing.

Hello all, I am having an issue with my event logs showing wrong information when documents are created for auditing whats been deleted and modified in my content. Example:



I will create a document in my shared drive which power-shell will eventually document when running a Powershell script and porting it into an html file like this... Very basic view below

An attempt was made to access an object. Subject: Security ID: S-1-5-21-1098493710-3710303698-3917163380-500 Account Name: administrator Account Domain: NTL Logon ID: 0x42F96 Object: Object Server: Security Object Type: File Object Name: E:\Shares\Users\New Text Document.txt Handle ID: 0x3174 Resource Attributes: S:AI Process Information: Process ID: 0x1034 Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: DELETE Access Mask: 0x10000 FILES-RDS.ntechlife.local 4663 12/25/2019 2:40:00 PM Information File System An attempt was made to access an object. Subject: Security ID: S-1-5-21-1098493710-3710303698-3917163380-500 Account Name: administrator Account Domain: NTL Logon ID: 0x42F96 Object: Object Server: Security Object Type: File Object Name: E:\Shares\Users\New Text Document.txt Handle ID: 0x38f0 Resource Attributes: S:AI Process Information: Process ID: 0x1034 Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: WriteData (or AddFile) Access Mask: 0x2

First off no document named New Text Document.txt was created. I will the new document something like "testing.txt".... I am curious as to why this "New Text Document" would show up and immediately delete itself.



Side note: When I append data to said document or delete the document it will show the true name of the document in my event logs.

submitted by /u/Limestone5000
[link] [comments]

:)

 

Q about audit logs

When setting up audit logging under Computer Configuration -> Windows Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Account Lockout, if I enable the Success option, how does this log get triggered? When
an account is locked out, a failure event is fired under the Account Locked category. But when an account is unlocked, an event is fired under the User Account Management category. How would a successful account lockout event get fired? What would that even
be?

 

Event ID 7036 not showing in Windows Event Log on Win10

It looks like 7036 event is missing from Windows desktop OS (starting from 8).
However you can monitor process termination:

1. Enable Audit Policy to audit process tracking:
   

1. Check for event 4689 in Security Event Log
   

Alternatively you may try this solution.

But in this case, you will get event 4546 not only when the service starts or stops, but whenever something is trying to access it (e.g. when Services applet is open).

 

Security Event Log flooded with 4656 Events

We are having issues with our Security event log within Event Viewer. It is my understanding when you perform Object Access auditing and enable it within Group Policy, you still need to enable auditing on the Objects (to be audited) themselves. We just enabled
Object Access auditing and are already seeing Handle Manipulation events (i.e. event id 4656) flooding our Security log even though we have not configured auditing at the file level for ANY of the files in question.
A lot of forums mention disabling Audit File System and Audit Handle Manipulation events to ensure the 4656 events do not flood the Security log; however, we want to be able to see these events for the files that we configure auditing for (at the
file level), but not for any other files which were not configured for auditing at the file level.
We do not have Global Object Access Auditing configured.