
windows xp pro auditing object access

Discussion in 'Windows XP' started by m0rg4n, Aug 19, 2010.

  1. m0rg4n

    m0rg4n Flightless Bird

    hi from Spain,

    I have a laptop with Windows XP Pro 2002 SP 3. I'm studying auditing
    policies so I decided to enable auditing object access (successful and
    failed) over "My Documents" to list every "List Folder/ Read data" access.
    What happens is that only a few seconds later and after I made a single
    access to the folder the list of items under event viewer is really huge. I
    remember from another occasion that that's not the way it should be, it
    should only list a few access items.
    What am I doing wrong?

    Thanks.
     
  2. MowGreen

    MowGreen Flightless Bird

    m0rg4n wrote:
    > hi from Spain,
    >
    > I have a laptop with Windows XP Pro 2002 SP 3. I'm studying auditing
    > policies so I decided to enable auditing object access (successful and
    > failed) over "My Documents" to list every "List Folder/ Read data" access.
    > What happens is that only a few seconds later and after I made a single
    > access to the folder the list of items under event viewer is really huge. I
    > remember from another occasion that that's not the way it should be, it
    > should only list a few access items.
    > What am I doing wrong?
    >
    > Thanks.
    >
    >



    70-270 Windows XP TechNotes - Auditing
    http://www.techexams.net/technotes/xp/auditing.shtml

    It appears that by auditing My Documents you are also auditing all of
    its subfolders, too, hence the large size of the log.
    Not sure if you can change the Auditing permissions to just monitor My
    Docs.
    What you could do is to set the auditing of My Docs to Failure instead
    of Success or Both or audit the My Docs subfolders individually.




    MowGreen
    ================
    *-343-* FDNY
    Never Forgotten
    ================

    "Security updates should *never* have *non-security content* prechecked
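
The "just monitor My Docs" scoping discussed in the reply above corresponds to an audit entry with no inheritance flags ("This folder only" in the Advanced Security Settings dialog). The script below is an added example, not part of the thread: it assumes PowerShell 2.0 is installed on the XP SP3 machine, an administrator session, and that "Audit object access" is already enabled in Local Security Policy. The `$Folder` parameter and the choice of the Everyone SID are illustrative.

```powershell
# Added example: audit "List folder / read data" on one folder only,
# so subfolders and files do not inherit the entry and flood the Security log.
param(
    # Assumption: the folder to audit; defaults to the current user's My Documents.
    [string]$Folder = [Environment]::GetFolderPath('MyDocuments')
)

# Well-known SID for Everyone; using the SID avoids localized group names.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

# Read the security descriptor including the SACL.
# This needs the "Manage auditing and security log" user right.
$acl = Get-Acl -Path $Folder -Audit

# Drop any explicit audit entries for Everyone, including older ones
# that were set to apply to subfolders and files.
$acl.PurgeAuditRules($everyone)

# ReadData and ListDirectory are the same access bit.
$rights  = [System.Security.AccessControl.FileSystemRights]::ReadData
# InheritanceFlags None + PropagationFlags None = "This folder only".
$inherit = [System.Security.AccessControl.InheritanceFlags]::None
$prop    = [System.Security.AccessControl.PropagationFlags]::None
# Use 'Failure' alone to log only denied attempts.
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone, $rights, $inherit, $prop, $flags)
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Check the result: the new entry should show InheritanceFlags = None
# and IsInherited = False.
(Get-Acl -Path $Folder -Audit).GetAuditRules(
    $true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, FileSystemRights, AuditFlags,
                 InheritanceFlags, IsInherited -AutoSize
```

Entries that still show `IsInherited = True` in the final table come from a parent folder and have to be changed there.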
     
