Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 560 Source: Security

Source
Description
Object Open:
Object Server: Security
Object Type: <keye>
Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security
Handle ID: <ID>
Operation ID: {0,112580708}
Process ID: <PID>
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: <username>
Primary Domain: <domain name>
Primary Logon ID: (0x0,0x3E7)
Client User Name: <username>
Client Domain: <domain name>
Client Logon ID: (0x0,0x3E7)
Accesses: Set key value
Privileges: -
Restricted Sid Count: 0
Comments
 
This problem occurs because an 8.3 file name string is incorrectly passed as a parameter when the command prompt program (Cmd.exe) deletes a file. See ME940526 for hotfixes applicable to Microsoft Windows Server 2003, Microsoft Windows XP and Windows Vista.

This event will occur when you try to audit the success or failure access of the Enumerate Subkeys on the "HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName" registry key. See ME810088 for a hotfix applicable to Microsoft Windows 2000.

See ME827818, ME837454 and WITP71581 for additional information about this event.
As per Microsoft: "Event ID 560 may be logged every time that you update the security log in Event Viewer. This problem may occur when the "Audit object access" Group Policy setting is configured to audit successful attempts to gain write access to an object that has a system access control list (SACL). To resolve this problem, you can configure the SACL on the registry subkey that is noted in the event not to log successful attempts to gain write access by members of the Administrators group". See ME835398 and ME841001 for more details.

Auditing event details may be reported incorrectly in your auditing logs. See ME836419 for details on this problem.

As per Microsoft: "An object was successfully granted a handle and the listed accesses were granted. This message corresponds to a Security 567 message, which indicates that an object was accessed, and to a Security 562 message, which indicates that the handle of the object was successfully closed. Associated messages have the same Handle ID number". See MSW2KDB for more details.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...