windows xp pro auditing object access

[m0rg4n]

hi from Spain,

I have a laptop with windows xp pro 2002 sp 3. I'm studying auditing
policies so i decided to enable auditing object access (successfull and
failed) over "My Documents" to list every "List Folder/ Read data" access.
What happens is that only a few seconds later and after i made a single
access to the folder the list of items under event viewer is really huge. I
remember from another occasion that that's not the way it should be, it
should only list a few access items.
What am I doing wrong?

Thanks.

 

[MowGreen]

m0rg4n wrote:
> hi from Spain,
>
> I have a laptop with windows xp pro 2002 sp 3. I'm studying auditing
> policies so i decided to enable auditing object access (successfull and
> failed) over "My Documents" to list every "List Folder/ Read data" access.
> What happens is that only a few seconds later and after i made a single
> access to the folder the list of items under event viewer is really huge. I
> remember from another occasion that that's not the way it should be, it
> should only list a few access items.
> What am I doing wrong?
>
> Thanks.
>
>


70-270 Windows XP TechNotes - Auditing
http://www.techexams.net/technotes/xp/auditing.shtml

It appears that by auditing My Documents you are also auditing all of
it's subfolders, too, hence the large size of the log.
Not sure if you can change the Auditing permissions to just monitor My
Docs.
What you could do is to set the auditing of My Docs to Failure instead
of Success or Both or audit the My Docs subfolders individually.




MowGreen
================
*-343-* FDNY
Never Forgotten
================

"Security updates should *never* have *non-security content* prechecked