Dear Jeff,
I cannot send the MSCONFIG utility (as a zip file) to you. The e-mail was
returned.
If you do not have this utility, please send me a note
(
[email protected]) with your frequently used e-mail and I will resend it.
Thank you!
Regards,
Joe Wu
Product Support Services
Microsoft Corporation
Get Secure! -
www.microsoft.com/security
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
|X-Tomcat-ID: 378950584
|References: <
[email protected]>
<
[email protected]>
<
[email protected]>
<
[email protected]>
<
[email protected]>
|MIME-Version: 1.0
|Content-Type: text/plain
|Content-Transfer-Encoding: 7bit
|From: (e-mail address removed) (Joe Wu [MSFT])
|Organization: Microsoft
|Date: Tue, 28 Oct 2003 11:55:36 GMT
|Subject: Re: Event 560 Audit Errors
|X-Tomcat-NG: microsoft.public.win2000.general
|Message-ID: <
[email protected]>
|Newsgroups: microsoft.public.win2000.general
|Lines: 214
|Path: cpmsftngxa06.phx.gbl
|Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.general:90573
|NNTP-Posting-Host: TOMCATIMPORT2 10.201.218.182
|
|Dear Jeff,
|
|Thank you for your prompt response.
|
|Please restart the system in Safe Mode, record the startup time (or get it
|from the System event log), and then check if the problem occurs in Safe
|Mode.
|
|If the problem does not occur in Safe Mode, I suggest we perform a clean
|boot to narrow down the root cause.
|
|To do so, we need the MSCONFIG utility, which I have sent to your e-mail
|box. Here are the detailed steps:
|
|1) Unzip and run the tool, msconfig.exe, in your computer.
|2) In the Services tab, click "Hide All Microsoft Services" and click
|"Disable All".
|3) In the Startup tab, click "Disable All". Click OK. (This will
|temporarily prevent third-party programs from running automatically during
|start-up.)
|4) Restart the computer and check the event logs. Does the problem still
|exist?
|5) If it doesn't occur, please run msconfig.exe again.
|6) In the startup and Services tabs, check the items one by one and
restart
|your computer to identify which item is the cause of this issue.
|
|(NOTE: To turn these services/programs back on, just run "msconfig.exe"
|again and click "Enable All" in the Services tab and the Startup tab.)
|
|I hope the above information helps. Thank you for your continued
|cooperation!
|
|Regards,
|Joe Wu
|Product Support Services
|Microsoft Corporation
|
|Get Secure! -
www.microsoft.com/security
|
|====================================================
|When responding to posts, please "Reply to Group" via your newsreader so
|that others may learn and benefit from your issue.
|====================================================
|This posting is provided "AS IS" with no warranties, and confers no rights.
|
|--------------------
||From: "Jeff Smyrski" <
[email protected]>
||References: <
[email protected]>
|<
[email protected]>
|<
[email protected]>
|<
[email protected]>
||Subject: Re: Event 560 Audit Errors
||Date: Mon, 27 Oct 2003 16:51:52 -0500
||Lines: 181
||X-Priority: 3
||X-MSMail-Priority: Normal
||X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
||X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
||Message-ID: <
[email protected]>
||Newsgroups: microsoft.public.win2000.general
||NNTP-Posting-Host: bankofutica-gate-line-r.bankofutica.com 216.230.225.242
||Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
||Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.general:90421
||X-Tomcat-NG: microsoft.public.win2000.general
||
||I looked at the key you have mentioned below, the value is set to 0 zero.
||This machine is a Windows 2000 Pro workstation that serves no special
role.
||The log file is being overwritten as it needs to so the latest data that
is
||in the log is back to September 25, but I know that it has been going on
|for
||much longer.
||
||To give you an idea of how much this error is occurring, there are 15,857
||events logged in security log.
||
||Any help would be appreciated.
||
||Jeff
||
||||> Dear Jeff,
||>
||> Thank you for your post.
||>
||> First of all, I apologize for the delay.
||>
||> I have reviewed the history of this issue and based on Knowledge Base
||> article (245630), I suggest that you check the following registry key
||first:
||>
||> [HKEY_LOCAL_MACHINE\system\CurrentControlSet\Control\Lsa]
||>
||> AuditBaseObjects
||>
||> If its value is "1", please restore it to "0" (default value). Then
||restart
||> the system to see if the problem is resolved.
||>
||> If the problem persists, please let me know the following:
||>
||> 1. When did the problem begin to occur?
||> 2. Please let me know more about the problem system. Is it a server or a
||> client? Also, what is its role?
||>
||> Thanks!
||>
||> Regards,
||> Joe Wu
||> Product Support Services
||> Microsoft Corporation
||>
||> Get Secure! -
www.microsoft.com/security
||>
||> ====================================================
||> When responding to posts, please "Reply to Group" via your newsreader so
||> that others may learn and benefit from your issue.
||> ====================================================
||> This posting is provided "AS IS" with no warranties, and confers no
||rights.
||>
||> --------------------
||> |From: "Jeff Smyrski" <
[email protected]>
||> |References: <
[email protected]>
||> <
[email protected]>
||> |Subject: Re: Event 560 Audit Errors
||> |Date: Wed, 15 Oct 2003 09:49:25 -0400
||> |Lines: 96
||> |X-Priority: 3
||> |X-MSMail-Priority: Normal
||> |X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
||> |X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
||> |Message-ID: <
[email protected]>
||> |Newsgroups: microsoft.public.win2000.general
||> |NNTP-Posting-Host: bankofutica-gate-line-r.bankofutica.com
||216.230.225.242
||> |Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.phx.gbl
||> |Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.general:86758
||> |X-Tomcat-NG: microsoft.public.win2000.general
||> |
||> |So..what you are saying is that if I have auditing for failure turned
on
||> for
||> |the HKLM\system\CurrentControlSet\Control\Lsa this will generate errors
||> evey
||> |so many seconds?
||> |
||> |Or is this related to the second Cause as outlined in the KB, that
there
||is
||> |a registry setting that is set to 1, which I am not sure what the key
is
||> the
||> |value is, or if it is supposed to be set this way...please advise.
||> |
||> |Thanks
||> |Jeff Smyrski
||> |
||> |||> |> Hi Jeff,
||> |>
||> |> This behavior can occur when the task manager is polling, or is going
||out
||> |> through the computer and reading objects. For more information, you
|can
||> |> refer to this article:
||> |>
||> |> Event 560 Failures Appears When File and Object Auditing Is Enabled
||> |WGID:191
||> |> ID: 245630.KB.EN-US
||> |>
http://support.microsoft.com/default.aspx?scid=KB;EN-US;245630
||> |>
||> |> Ivan Sheng
||> |> Microsoft Online Partner Support
||> |> MCSD,MCSE4,2000,MCDBA,CCNA,ASE
||> |> Get Secure! ¨C
www.microsoft.com/security
||> |>
||> |> This posting is provided ¡°as is¡± with no warranties and confers no
||> |rights.
||> |>
||> |>
||> |>
||> |>
||> |>
||> |> --------------------
||> |> | From: "Jeff Smyrski" <
[email protected]>
||> |> | Subject: Event 560 Audit Errors
||> |> | Date: Tue, 14 Oct 2003 16:30:40 -0400
||> |> | Lines: 35
||> |> | X-Priority: 3
||> |> | X-MSMail-Priority: Normal
||> |> | X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
||> |> | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
||> |> | Message-ID: <
[email protected]>
||> |> | Newsgroups: microsoft.public.win2000.general
||> |> | NNTP-Posting-Host: bankofutica-gate-line-r.bankofutica.com
||> |216.230.225.242
||> |> | Path:
cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
||> |> | Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.general:86567
||> |> | X-Tomcat-NG: microsoft.public.win2000.general
||> |> |
||> |> | I am receiving thousands of these type errors about 6 every
||> |second...they
||> |> | begin at various times...but here is the event detail...I think my
||> |> question
||> |> | will focus on the line that reads MAX_ALLOWED
||> |> | Thanks.
||> |> | Jeff Smyrski
||> |> |
||> |> | Event Type: Failure Audit
||> |> | Event Source: Security
||> |> | Event Category: Object Access
||> |> | Event ID: 560
||> |> | Date: 10/14/2003
||> |> | Time: 4:20:06 PM
||> |> | User: DOMAINNAME\USER NAME
||> |> | Computer: STATION_225
||> |> | Description:
||> |> | Object Open:
||> |> | Object Server: Security
||> |> | Object Type: Key
||> |> | Object Name:
||> |> |
||> |>
||>
|||\REGISTRY\MACHINE\SOFTWARE\CLASSES\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C
0
|5
||> B
||> |> | AE0B}
||> |> | New Handle ID: -
||> |> | Operation ID: {0,2567026}
||> |> | Process ID: 624
||> |> | Primary User Name: USERNAME
||> |> | Primary Domain: DOMAINNAME
||> |> | Primary Logon ID: (0x0,0x2546A7)
||> |> | Client User Name: -
||> |> | Client Domain: -
||> |> | Client Logon ID: -
||> |> | Accesses MAX_ALLOWED
||> |> |
||> |> | Privileges -
||> |> |
||> |> |
||> |> |
||> |>
||> |
||> |
||> |
||>
||
||
||
|
|