Problems with kernel device driver service

Barry

I'm trying to determine the cause of my event log filling up with the following:

Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: ***
Time: ***
User: ***
Computer: ***
Description:
Object Open:
Object Server: SC Manager
Object Type: SERVICE OBJECT
Object Name: NPF
Handle ID: -
Operation ID: {0,36095787}
Process ID: 144
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: ***
Primary Domain: ***
Primary Logon ID: (0x0,0x3E7)
Client User Name: ***
Client Domain: ***
Client Logon ID: (0x0,0x1BB1A23)
Accesses: Query status of service
Start the service

Privileges: -
Restricted Sid Count: 0

NPF is the WinPcap packet sniffer, a kernel device driver. It does not appear in
the Services mmc snap-in, but I can find it in the registry. It is set for
automatic start up.

Several dozen of these events appear when I start ethereal, a program which uses
the driver. It only seems to happen on the first run after a boot. Although I
get this slew of failure events, the program works as normal.

I am running ethereal as a limited user. As NPF is not listed in the Services
snap-in, I do not know how to determine which account it is running under. (Is
this even an option for Type 1 services?)

Thanks in advance for any assistance.
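To make the event above easier to read, here is an added example (not code from this thread, from WinPcap, or from Ethereal) that decodes the text of a Security event 560 for a SERVICE OBJECT and compares the accesses it lists with a service DACL. On a Failure Audit 560 the "Accesses" lines are the rights the caller asked for when it opened the handle, so the useful question is which of those rights the service's DACL withholds from the caller. The sample event is constructed to match the layout of the original post; the DACL string is the stock Windows XP/2003 service descriptor and is an assumption (read the real one on the affected machine with `sc sdshow npf`); the SID aliases assumed for a limited interactive user and an administrator are also assumptions, and only the two "Accesses" strings shown on this page are mapped to bits.

```python
"""Decode a Security event 560 for a service object and compare the requested
accesses with a service DACL.  Added example; not code from the thread."""
import re

# Service-specific rights (winsvc.h), keyed by the two-letter SDDL token that
# names each one in "sc sdshow <service>" output.
SDDL_RIGHTS = {
    "CC": ("SERVICE_QUERY_CONFIG", 0x0001),
    "DC": ("SERVICE_CHANGE_CONFIG", 0x0002),
    "LC": ("SERVICE_QUERY_STATUS", 0x0004),
    "SW": ("SERVICE_ENUMERATE_DEPENDENTS", 0x0008),
    "RP": ("SERVICE_START", 0x0010),
    "WP": ("SERVICE_STOP", 0x0020),
    "DT": ("SERVICE_PAUSE_CONTINUE", 0x0040),
    "LO": ("SERVICE_INTERROGATE", 0x0080),
    "CR": ("SERVICE_USER_DEFINED_CONTROL", 0x0100),
    "SD": ("DELETE", 0x10000),
    "RC": ("READ_CONTROL", 0x20000),
    "WD": ("WRITE_DAC", 0x40000),
    "WO": ("WRITE_OWNER", 0x80000),
}
NAME_TO_BIT = {name: bit for name, bit in SDDL_RIGHTS.values()}

# Event Viewer strings under "Accesses:" for the two rights seen on this page.
# Any other string is reported back unmapped rather than guessed.
ACCESS_TEXT = {"Query status of service": 0x0004, "Start the service": 0x0010}

# Constructed sample, laid out like the event in the original post.
SAMPLE_EVENT = """\
Event Type: Failure Audit
Event ID: 560
Object Server: SC Manager
Object Type: SERVICE OBJECT
Object Name: NPF
Client Logon ID: (0x0,0x1BB1A23)
Accesses: Query status of service
    Start the service

Privileges: -
"""

# ASSUMPTION: stock XP/2003 service descriptor; get the real one from
# "sc sdshow npf".  The S: part is the SACL that makes failures get audited.
ASSUMED_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;WD)")
# ASSUMPTION: SID aliases in the token of a limited interactive user / an admin.
LIMITED_USER = {"BU", "IU", "AU", "WD"}
ADMIN_USER = LIMITED_USER | {"BA"}

def parse_event(text):
    """Return (fields, accesses) from the text of an event 560 description."""
    fields, accesses, key = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            key = None
            continue
        m = re.match(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$", line)
        if m:
            key, value = m.groups()
            if key == "Accesses":
                accesses.append(value)
            else:
                fields[key] = value
        elif key == "Accesses":
            accesses.append(line)  # continuation line of the Accesses list
    return fields, accesses

def accesses_to_mask(accesses):
    """Map the audited access strings to a SERVICE_* bit mask."""
    mask, unmapped = 0, []
    for name in accesses:
        if name in ACCESS_TEXT:
            mask |= ACCESS_TEXT[name]
        else:
            unmapped.append(name)
    return mask, unmapped

ACE_RE = re.compile(r"\((A|D);[^;]*;([^;]*);[^;]*;[^;]*;([^)]*)\)")

def parse_dacl(sddl):
    """Return [(ace_type, mask, sid)] for the D: part of an SDDL string."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    aces = []
    for ace_type, rights, sid in ACE_RE.findall(dacl):
        if rights.startswith("0x"):
            mask = int(rights, 16)
        else:
            mask = 0
            for i in range(0, len(rights), 2):
                mask |= SDDL_RIGHTS[rights[i:i + 2]][1]
        aces.append((ace_type, mask, sid))
    return aces

def effective_access(aces, principal_sids):
    """Walk the DACL in order; an earlier deny beats a later allow."""
    granted = denied = 0
    for ace_type, mask, sid in aces:
        if sid not in principal_sids:
            continue
        if ace_type == "D":
            denied |= mask
        else:
            granted |= mask & ~denied
    return granted

def missing_rights(requested, granted):
    lacking = requested & ~granted
    return sorted(n for n, bit in NAME_TO_BIT.items() if lacking & bit)

def analyze(event_text, sddl, principal_sids):
    fields, accesses = parse_event(event_text)
    requested, unmapped = accesses_to_mask(accesses)
    granted = effective_access(parse_dacl(sddl), principal_sids)
    return {"object": fields.get("Object Name"),
            "client_logon_id": fields.get("Client Logon ID"),
            "requested": requested, "granted": granted,
            "missing": missing_rights(requested, granted),
            "unmapped_accesses": unmapped}

if __name__ == "__main__":
    for label, sids in (("limited user", LIMITED_USER), ("administrator", ADMIN_USER)):
        print(label, analyze(SAMPLE_EVENT, ASSUMED_SDDL, sids))
```

With the assumed default DACL, the interactive-user ACE grants query, enumerate, interrogate, user-control and READ_CONTROL but not SERVICE_START, so a limited user asking for "Query status of service" plus "Start the service" comes up short on SERVICE_START while an administrator does not. Substitute the output of `sc sdshow npf` for ASSUMED_SDDL to check the real machine. A Type 1 entry under HKLM\SYSTEM\CurrentControlSet\Services is SERVICE_KERNEL_DRIVER and Start 2 is SERVICE_AUTO_START; a kernel driver is loaded by the kernel rather than run as a process under an account, so the identity that matters in these events is the client (the "Client Logon ID") asking the SC Manager for a handle, not an account the driver runs as.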
 

Wesley Vogel

Look in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

NPF may also appear in the Device Manager.

Open the Device Manager...
Start | Run | Type: devmgmt.msc | Click OK |
Click on View | Click on Show hidden devices |
Click on the [+] Non-Plug and Play Drivers

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Barry

Wesley said:
Look in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Yes, that is where I found it.
NPF may also appear in the Device Manager.

Thank you, it does. What should I do with it? I can't find any functionality in
the devmgmt to help with my troubleshooting.

Thank you for your help so far.
 

Wesley Vogel

What should I do with it?

I have no earthly idea. I never heard of it before.

Maybe you need to change the Audit Policy.

If XP Pro, Group Policy. I have no idea with XP Home.

Start | Run | Type: gpedit.msc | Click OK |
Local Computer Policy\Computer Configuration\Windows Settings\
Security Settings\Local Policy\Audit Policy\
Audit object access
Set to No auditing (If not set that way already)

Double click Audit object access, then...
To set this value to no auditing, in the Properties dialog box for this
policy setting, select the Define these policy settings check box and clear
the Success and Failure check boxes.

Or...
Navigate to...
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF
Right click NPF, select Permissions, Advanced button, on the Auditing tab,
clear the "Inherit from parent the auditing entries that apply to child
objects. Include these with entries explicitly defined here." check box.

Event ID: 560
Source: Security
http://www.eventid.net/display.asp?eventid=560&eventno=57&source=Security&phase=1

Event ID: 560
Source: Security
http://www.microsoft.com/technet/su...odVer=5.2&EvtID=560&EvtSrc=Security&LCID=1033

Scroll down, a bunch of links at the bottom.

From Help:
[[Audit object access
Computer Configuration\Windows Settings\Security Settings\Local
Policies\Audit Policy

Description
Determines whether to audit the event of a user accessing an object—for
example, a file, folder, registry key, printer, and so forth—that has its
own system access control list (SACL) specified.

If you define this policy setting, you can specify whether to audit
successes, audit failures, or not audit the event type at all. Success
audits generate an audit entry when a user successfully accesses an object
that has a SACL specified. Failure audits generate an audit entry when a
user unsuccessfully attempts to access an object that has a SACL specified.
To set this value to no auditing, in the Properties dialog box for this
policy setting, select the Define these policy settings check box and clear
the Success and Failure check boxes.

Note that you can set a SACL on a file system object using the Security tab
in that object's Properties dialog box.

Default: No auditing. ]]

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Barry

Wesley said:
Maybe you need to change the Audit Policy.

The problem isn't the audit policy - this is correctly (I presume) recording
failed access attempts. I need to find out what is causing these accesses.
 

Wesley Vogel

Ask whoever you got NPF from.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Barry

Wesley said:
Ask whoever you got NPF from.

This is where my ignorance becomes a problem. Reading the event in my OP, is NPF
the subject of the failed access or its cause? What was trying to do what?

I would greatly appreciate if you could interpret the event - I couldn't find an
explanation (which I could understand) on the net.
 

Wesley Vogel

Basically, you're seeing a whole bunch of audit entries that you should care
less about.

Event ID: 560
Source: Security

Explanation
An object was successfully granted a handle and the listed accesses were
granted. This message corresponds to a Security 567 message, which indicates
that an object was accessed, and to a Security 562 message, which indicates
that the handle of the object was successfully closed. Associated messages
have the same Handle ID number.

User Action
No user action is required.

These events are of interest only to a system developer. You or I could
care less.
Barry said:
Although I get this slew of failure events, the program works as normal.

If the program works, I would ignore all of the failures.

Event IDs 560 and 562 appear many times in the security event log
http://support.microsoft.com/kb/841001

I may be all wet here, but I do not believe that these failures are any big
deal.

Read more about Audit object access and Audit: Audit the access of global
system objects...

Audit object access
Default: No auditing.
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/519.mspx?mfr=true

Audit: Audit the access of global system objects
Default: Disabled.
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/561.mspx?mfr=true

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Barry

Wesley said:
Basically, you're seeing a whole bunch of audit entries that you should care
less about.
etc.

This is all true for success events; it is the failures which concern me,
because everything should have the necessary permissions. The system is
"working" as is, but the security log is getting clogged up with these events
(switching off global failure auditing isn't an option), and I suspect that
these are related to slow performance; something is wasting a lot of time trying
to do something it can't. If I could fill in the somethings, it would be easier
to home in on the problem.
 

Wesley Vogel

I have both Audit object access and Audit: Audit the access of global system
objects set for No auditing. So I'm not gonna worry. You can do that if
you like.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Barry

Wesley said:
I have both Audit object access and Audit: Audit the access of global system
objects set for No auditing. So I'm not gonna worry.

I wasn't really expecting you to worry. It's me that's worried :)
 
