I have several 4656, 4658 and 4663 events showing up in my SIEM tool from Windows 7 workstations that we are monitoring. These logs are flooding a 45MB WAN

I am under the impression that events 4656 and 4658 are created when the subcategory "Handle Manipulation" is enabled and that Microsoft recommends not enabling this because these are very noisy events with very little worth. I believe that Microsoft recommends the use of the 4663 event, which shows the actual access of the object and is only recorded once during the initial opening of an object.

This leads me to three questions:

1. My Active Directory administrator told me that our GPO for Windows 7 workstations does not have "Handle Manipulation" enabled. If this is the case, how are these events being generated?

2. How can I review the GPO to tell if it's actually enabled or not?

3. Assuming that it's enabled and I disable it, will I still get the 4663 event?

January 30th, 2015 6:58pm

Hi,

Would you tell us where these events were logged? On Windows 7 or on a Domain Controller?

If they were logged on a Domain Controller, then the corresponding audit policy is configured in the Domain Controller GPO.

There is a quick way to view the effective audit policy settings on a machine.

You can run: auditpol /get /category:*

More information for you:

Auditpol get

https://technet.microsoft.com/en-us/library/cc772576.aspx

Best Regards,

February 2nd, 2015 5:18am
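As an added example (not from the thread or from Microsoft), these are the two checks I would run on one of the affected Windows 7 workstations from an elevated PowerShell prompt: the auditpol query from the reply above, extended to every Object Access subcategory that can emit these IDs, and a count of what is actually in the local Security log. 4656/4658/4663 are Object Access events, and which subcategory produces them depends on the object type (File System, Registry, Kernel Object, ...) as well as Handle Manipulation, so looking only at Handle Manipulation can miss the real source. Subcategory names and the "Object Name:" message text are assumed to be English, since both are localized.

```powershell
# Added example, not code from the original thread. Run elevated on one of
# the Windows 7 workstations. Assumes an English-locale system.

# --- 1. Effective audit policy for the Object Access subcategories ----------
# auditpol reports what is actually in force on this box, whatever the GPO
# claims, so a mismatch here is the thing to chase.
$subcategories = 'Handle Manipulation', 'File System', 'Registry',
                 'Kernel Object', 'Other Object Access Events'

foreach ($sub in $subcategories) {
    # /r returns CSV (Machine Name, Policy Target, Subcategory, Subcategory
    # GUID, Inclusion Setting, Exclusion Setting), easier to parse than the
    # default table layout.
    $csv = auditpol /get /subcategory:"$sub" /r | Where-Object { $_ -ne '' }
    $row = $csv | ConvertFrom-Csv
    '{0,-28} {1}' -f $sub, $row.'Inclusion Setting'
}

# --- 2. Volume of the three event IDs in the last 24 hours ------------------
# Sizes the WAN impact; re-run after a policy change to confirm which IDs
# stop and which keep arriving.
$filter = @{
    LogName   = 'Security'
    Id        = 4656, 4658, 4663
    StartTime = (Get-Date).AddHours(-24)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    'No 4656/4658/4663 events in the Security log in the last 24 hours.'
} else {
    $events | Group-Object Id | Sort-Object Name |
        ForEach-Object { '{0,-12} {1,8}' -f ('Event ' + $_.Name), $_.Count }

    # Top object names behind the 4663 events, parsed from the English
    # message text: shows which SACLs generate the bulk of the traffic.
    $events | Where-Object { $_.Id -eq 4663 } |
        ForEach-Object {
            if ($_.Message -match 'Object Name:\s+(\S.*)') { $Matches[1].Trim() }
        } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object -First 5 -Property Count, Name
}
```

If auditpol shows a subcategory enabled that the GPO does not set, check whether the workstation is getting it from the legacy (category-level) Object Access audit setting rather than the Advanced Audit Policy Configuration; the two can be applied independently, and the effective policy is what auditpol prints.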
