Just thought I'd try once more to see if anyone has any information about this.
Thanks!
-Aakash Shah

From: Aakash Shah
Sent: Thursday, September 10, 2015 9:27 PM
To: '[email protected]' <[email protected]>
Subject: File Server Auditing Question - Help Eliminating Events Produced From Windows Folders With Default Auditing Enabled

I am setting up file server auditing on a Server 2012r2 system for the first time and I had a question about reducing/eliminating the events produced from Windows folders that automatically have auditing defined on them.

Current Setup

I enabled file server auditing by setting Audit File System to Success under Computer Configuration | Policies | Windows Settings | Security Settings | Advanced Audit Configuration | Object Access.

Behavior

After enabling file system auditing, I noticed that the Security log started to log several events periodically. I've pasted some of the relevant details below. If the entire event entry is needed, please let me know.

Event ID: 4656
Security ID: SYSTEM
Description: A handle to an object was requested
Process Name: C:\Windows\CCM\CcmExec.exe
Object Name: C:\Windows\servicing
Frequency: 3 events every 10 minutes

Event ID: 4656
Security ID: SYSTEM
Description: A handle to an object was requested
Process Name: C:\Windows\System32\rundll32.exe
Object Name: C:\Windows\WinSxS\FileMaps\<several subfolders>

Event ID: 4663
Security ID: SYSTEM
Description: An attempt was made to access an object
Process Name: C:\Windows\System32\rundll32.exe
Object Name: C:\Windows\WinSxS\FileMaps\<several subfolders>
Frequency: The above 2 events produce about 650 events within about 1 second. So far I have noticed it occurring in the early morning on 2 of the days since I've enabled this.

Upon checking the C:\Windows\servicing and C:\Windows\WinSxS\FileMaps folders, I see that they have Auditing enabled by default.

Goal

I'd like to minimize the event logs produced since these events are not something that I am interested in auditing.

Questions

1. Has anyone attempted to remove auditing from the Windows folders C:\Windows\servicing or C:\Windows\WinSxS\FileMaps?
2. Is there a cleaner way to not log these default audit defined folders (the auditing I will be doing will be on a separate data volume on the server and not on the C drive)? Or is the general approach to allow the events to be logged and then use the filter option (or a log management tool) to ignore these entries?

Thanks!
-Aakash Shah
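The following is an added PowerShell example, not code from the original post or its author. It shows the two checks the second question turns on: confirming that the two folders carry default audit entries (SACLs), and applying the "filter on the log side" option by splitting 4656/4663 events under those folders from the rest. It assumes an elevated session on the file server and a 24-hour lookback window (the window is an assumption).

```powershell
# Added example (not from the original post). Run elevated on the file server.
# The two folders are the ones named in the post as having default auditing.
$NoisyFolders = @('C:\Windows\servicing', 'C:\Windows\WinSxS\FileMaps')

# 1. Show the audit entries (SACL) on each folder. These entries are why
#    "Audit File System = Success" alone produces 4656/4663 for them.
function Get-FolderAuditRules {
    param([string[]]$Path)
    foreach ($p in $Path) {
        (Get-Acl -Path $p -Audit).Audit |
            Select-Object @{ n = 'Path'; e = { $p } }, IdentityReference,
                          FileSystemRights, AuditFlags, IsInherited
    }
}

# 2. Read 4656/4663 from the Security log, parse EventData into a hashtable,
#    and separate events whose ObjectName sits under a noisy folder from the
#    events that are actually worth reviewing.
function Split-ObjectAccessEvents {
    param([int]$Hours = 24)   # lookback window (assumed value)
    $filter = @{ LogName = 'Security'; Id = 4656, 4663;
                 StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $noisy = @(); $keep = @()
    foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        $rec = [pscustomobject]@{
            Time = $e.TimeCreated; Id = $e.Id;
            Process = $d['ProcessName']; Object = $d['ObjectName'] }
        $isNoisy = $false
        foreach ($f in $NoisyFolders) {
            if ($rec.Object -like "$f*") { $isNoisy = $true; break }
        }
        if ($isNoisy) { $noisy += $rec } else { $keep += $rec }
    }
    [pscustomobject]@{ Noisy = $noisy; Remaining = $keep }
}

Get-FolderAuditRules -Path $NoisyFolders | Format-Table -AutoSize
$split = Split-ObjectAccessEvents -Hours 24
$summary = "Suppressed {0} events under {1}; {2} remain for review"
$summary -f $split.Noisy.Count, ($NoisyFolders -join ', '), $split.Remaining.Count
# Remaining events grouped by process, so the real file-server activity stands out
$split.Remaining | Group-Object Process | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

The same path-prefix test can be reproduced in a log management tool's exclusion rule; the SACL listing from step 1 is what you would compare against before and after any change to the folders' auditing entries.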
