Event ID: 560 Source: Security

Source
Description
Object Open:
    Object Server: Security
    Object Type: File
    Object Name: C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\786999f5617b331428135848d30802a1_95722ae1-5c2c-44ed-b461-2ffde378ef2f
    New Handle ID: -
    Operation ID: {0,1378043}
    Process ID: 848
    Primary User Name: SERVER$
    Primary Domain: @HOMENETWORK
    Primary Logon ID: (0x0,0x3E7)
    Client User Name: Administrator
    Client Domain: SERVER
    Client Logon ID: (0x0,0xE816)
    Accesses READ_CONTROL
        SYNCHRONIZE
        WriteData (or AddFile)
        AppendData (or AddSubdirectory or CreatePipeInstance)
        WriteEA
        ReadAttributes
        WriteAttributes

Privileges
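
Added example (not part of the original page or of any Microsoft tool): a small Python parser for the description layout shown above. It extracts the fields and the multi-line Accesses list, then counts repeated events per object and client user, the pattern several comments below describe. The function names, sample events and threshold are assumptions constructed for illustration.

```python
import re
from collections import Counter

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$")
ACCESSES = re.compile(r"^\s*Accesses:?\s+(.*)$")
# Access names that request modification of the object.
WRITE_ACCESSES = {"DELETE", "WRITE_DAC", "WRITE_OWNER", "WriteEA", "WriteAttributes",
    "WriteData (or AddFile)", "AppendData (or AddSubdirectory or CreatePipeInstance)"}

def parse_560(description):
    """Return (fields, accesses) parsed from one Event 560 description."""
    fields, accesses, in_accesses = {}, [], False
    for line in description.splitlines():
        if m := ACCESSES.match(line):
            accesses, in_accesses = [m.group(1).strip()], True
        elif not line.strip() or line.strip().startswith("Privileges"):
            in_accesses = False  # blank line or Privileges ends the list
        elif m := FIELD.match(line):
            fields[m.group(1)] = m.group(2).strip()
            in_accesses = False
        elif in_accesses:
            accesses.append(line.strip())  # continuation line of Accesses
    return fields, accesses

def requests_write(accesses):
    return any(a in WRITE_ACCESSES for a in accesses)

def noisy_sources(descriptions, threshold):
    """Count events per (object type, object name, client user); keep repeats."""
    counts = Counter()
    for description in descriptions:
        f, _ = parse_560(description)
        counts[(f.get("Object Type"), f.get("Object Name"), f.get("Client User Name"))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed sample events in the layout of the description above.
FILE_EVENT = r"""Object Open:
    Object Type: File
    Object Name: C:\Data\report.doc
    Client User Name: Administrator
    Accesses READ_CONTROL
        SYNCHRONIZE
        WriteData (or AddFile)
"""
KEY_EVENT = r"""Object Open:
    Object Type: Key
    Object Name: \REGISTRY\USER\.DEFAULT
    Client User Name: SERVER$
    Accesses MAX_ALLOWED
"""
```

Grouping by object and client user shows which audited object is responsible for a flood before any auditing setting is changed. MAX_ALLOWED is left out of the write set because it names no specific access right.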
Comments
 
When you create a new user and make this user a part of the Users group, when the new user logs on to the computer, an event ID message similar to the following message is logged in the security log. There are many Microsoft articles with information related to this event, which should help you to fix the problem: ME120600, ME149401, ME170834, ME173939, ME174074, ME245630, ME256641, ME299475, ME301037, ME305822, ME810088, ME822786, ME833001, ME841001, ME955185, and MSW2KDB.

From a newsgroup post: "I remember when I started looking into what I could audit under NT4, I turned on "file and object access" success and failure auditing and figured I wouldn't see any messages in my Security Log until I actually specified a file or directory to audit (in the object's security dialog). It turned out that my Security Log started filling up very quickly when I enabled this because certain "base system objects" would be audited whether I wanted them to be or not. I called Microsoft up and opened a support incident to find out what part of the Registry I could tweak to turn this off so I could audit only the files and objects that I specified for auditing. The answer I was given by Microsoft was that it is impossible to disable auditing of "base system objects" when "file and object access" auditing is enabled. If I opened User Manager for Domains or Server Manager, I would get tons of events 560 and 562 entries in my Security Log".

For a list of Windows 2000 Security Event Descriptions check ME299475.
This problem can occur because of an issue in the Wbemcore.dll file. See ME914463 for a hotfix applicable to Microsoft Windows Server 2003.

See ME908473 for hotfixes applicable to Microsoft Windows XP and Microsoft Windows Server 2003.

See "Cisco Support Document ID: 64609" for additional information about this event.
We were getting 4 to 8 events every 10 seconds, pointing to Object Access with "MAX_ALLOWED", referencing object name "\REGISTRY\USER\.DEFAULT". To stop these errors from occurring, ensure auditing on the registry key "HKEY_USER" is not enabled, and auditing is not inherited from parent.

The errors also occurred after upgrading to Windows 2003 Service Pack 1. The error would be generated every second continuously on the SQL server whenever a user was connected to the server via SQL Enterprise Manager, SQL Analysis Services, or when users tried to connect remotely via the Computer Management console. After following the KB article ME907460, the problem was solved.

In another case, the error was generated every 15 minutes on the server. In the event’s description, “Query status of service” was present for Accesses. Object Access, success and failure, was enabled via Group Policy and the service stated in the description, namely "Routing and Remote Access" was disabled.
In the GPO, ensure the permissions on the service "Routing and Remote Access" have at least the following accesses listed: "Administrators" - Full Control, "System" - Full Control, and "Network Service" - Read. The service can remain disabled but the permissions have to include the Network Service.
In my case, the printer drivers for HP LaserJet 1230n didn't work with the domain guest account. When I added the Domain Guest account to the local group Users on the client computer and the print server, I was able to use the printer.
I received this error every 4 seconds on machines where domain users were in the Power users group. The service was CiSvc, the indexing service, which we have disabled. The search window tries to query the status of the indexing service, but the Power users group does not have permission, so it generates a failure audit if audit object access is turned on. You can just turn off auditing of object access or you can turn off auditing on that specific service. In Group policy, go to Computer Configuration -> Windows Settings -> Security Settings -> System Services. Double click the indexing service, set it to disabled, and then click Edit Security. At this point there are two options: you can give the users to whom this is happening permission to the service, or you can go into auditing and remove auditing for everyone for failed events (which is on by default on all services).


When I try to connect to an Oracle database, I'm getting this event and I am not able to connect to the Database. When the domain user is made the member of Local Administrator group, I'm able to connect.
According to a Microsoft Support Professional from a newsgroup post:
"Error 560 usually refers to object access. What is happening is that whenever a user makes a connection to something out on the network, i.e. a file server, a printer, an mp3 on someone's share, a connection is made. When they log off, even three hours later, the machine will go out and attempt to close that connection. It has to contact the resource in order to close the connection and it would do this using the account that set up the initial connection. That is the object access that you are probably recording, and it shouldn't be anything to worry about."

For Windows NT the local user having only Read and Execute (RX) permissions may cause this event when the files are being audited for Write failures. To work around this problem:
- Use File Manager instead of Explorer and these errors will not be generated.
- Do not audit write failures on files that only have Read and Execute access.
See ME172509.
Event generated by auditing "Object Open" activities.
In my case, these events were being logged on the server when a Telnet connection was attempted.  Odd, because the Telnet service was not running on the server, but easily recreatable.
