Comments for event ID 560 currently in the processing queue.

Note: We have not reviewed this information yet so it is unfiltered, exactly how it was submitted by our contributors.

Event ID: 560
Event Source: Security
Event Type: Failure Audit
Event Description: Object Open:
Object Server: SC Manager
Object Type: SC_MANAGER OBJECT
Object Name: ServicesActive
Handle ID: -
Operation ID: {01568217308}
Process ID: 1128
Image File Name: D:\WINDOWS\system32\services.exe
Primary User Name: APPSERVER01$
Primary Domain: DOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: PerformanceMonitorUser
Client Domain: DOMAIN
Client Logon ID: (0x0,0x3F05FEB3)
Accesses: READ_CONTROL
Connect to service controller
Enumerate services
Query service database lock state

Privileges: -
Restricted Sid Count: 0
Access Mask: 0x20015
Comment: This error is due to a remote system using Performance Monitor with the credentials of PerformanceMonitorUser (domain account) to gather a few statistics from APPSERVER01. However, the Performance Monitor is successfully obtaining all information requested. I am unsure what is specifically failing.

Event ID: 560
Event Source: Security
Event Type: Success Audit
Event Description: Description:
Object Open:
Object Server: Security
Object Type: Key
Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security
Handle ID: 836
Operation ID: {03064200704}
Process ID: 4764
Image File Name: C:\WINDOWS\system32\mmc.exe
Primary User Name: <username>
Primary Domain: <domain name>
Primary Logon ID: (0x0,0xB6852F75)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: Set key value

Privileges: -
Restricted Sid Count: 0
Access Mask: 0x2


Comment:

Event ID: 560
Event Source: Security
Event Type: Failure Audit
Event Description: Object Open:
Object Server: SC Manager
Object Type: SERVICE OBJECT
Object Name: WinHttpAutoProxySvc
Handle ID: -
Operation ID: {0311041218}
Process ID: 536
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: SERVER10$
Primary Domain: DOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: LOCAL SERVICE
Client Domain: NT AUTHORITY
Client Logon ID: (0x0,0x3E5)
Accesses: Query status of service
Start the service
Query information from service

Privileges: -
Restricted Sid Count: 0
Access Mask: 0x94


Comment:

Event ID: 560
Event Source: Security
Event Type: Success Audit
Event Description: Object Open:
Object Server: Security Account Manager
Object Type: SAM_SERVER
Object Name: SAM
New Handle ID: 745592
Operation ID: {0239165195}
Process ID: 276
Primary User Name: LGPXLW$
Primary Domain: GRUPOWEB
Primary Logon ID: (0x0,0x3E7)
Client User Name: LGPXLW$
Client Domain: GRUPOWEB
Client Logon ID: (0x0,0x3E7)
Accesses DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ConnectToServer
ShutdownServer
InitializeServer
CreateDomain
EnumerateDomains
LookupDomain

Privileges -

Comment: This appears after a 577 ID and before other 560, 562, 562, 627 and 562.

Event ID: 560
Event Source: Security
Event Type: Failure Audit
Event Description:
Event Type: Failure Audit

Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 6/24/2010
Time: 9:09:17 PM
User: NT AUTHORITY\LOCAL SERVICE
Computer: My File Server
Description:
Object Open:
Object Server: SC Manager
Object Type: SERVICE OBJECT
Object Name: WinHttpAutoProxySvc
Handle ID: -
Operation ID: {0363841}
Process ID: 432
Image File Name: G:\WINDOWS\system32\services.exe
Primary User Name: ZFERRINIDC2$
Primary Domain: ZFERRINIS
Primary Logon ID: (0x0,0x3E7)
Client User Name: LOCAL SERVICE
Client Domain: NT AUTHORITY
Client Logon ID: (0x0,0x3E5)
Accesses: Query status of service
Start the service
Query information from service

Privileges: -
Restricted Sid Count: 0
Access Mask: 0x94


For more information see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Comment:

Event ID: 560
Event Source: object access
Event Type: Error
Event Description: a multitude of failed 560 object access messages for the regedit.exe when folks login
Comment: can you please respond to [email protected]
Event ID: 560
Event Source: security
Event Type: Failure Audit
Event Description: object open
Comment:
