Hi,
I am trying to find information on the various stages involved in accessing a share and writing information to it. On my test server (2008R2) I have audit events enabled and it's creating about 8 events per disk access, and I would like to understand this a bit better.
I want to better understand the following sort of output:

Access Request Information:
    Access Mask:    0x80
    Accesses:       %%4423
Access Check Results:
    %%4423:    %%1801 D:(A;;FA;;;WD)

Access Request Information:
    Access Mask:    0x1
    Accesses:       %%4416
Access Check Results:
    %%4416:    %%1801 D:(A;;FA;;;WD)

Access Request Information:
    Access Mask:    0x120089
    Accesses:       %%1538
                    %%1541
                    %%4416
                    %%4419
                    %%4423
Access Check Results:
    %%1538:    %%1801 D:(A;;FA;;;WD)
    %%1541:    %%1801 D:(A;;FA;;;WD)
    %%4416:    %%1801 D:(A;;FA;;;WD)
    %%4419:    %%1801 D:(A;;FA;;;WD)
    %%4423:    %%1801 D:(A;;FA;;;WD)

Ultimately I'm trying to detect when a file is being written to a share (event ID 5145), which will trigger a further action. However, I lack understanding of the various stages when you touch a share and the various steps in checking access, reading rights etc. with the access mask.
Any pointers or direction most welcome.
Cheers
Newbie
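
Added example, not part of the original post: a small decoder for the Access Mask field of event 5145 that maps each bit to its file access right and its %%NNNN placeholder, and flags masks that request write access. The function names and the 0x120116 sample are constructed for illustration; the other three masks are the ones quoted in the post.

```python
# Added example. Bit values are the standard Windows file access rights; the
# %%NNNN ids are the unexpanded message placeholders seen in the event text.
FILE_RIGHTS = [
    (0x000001, "%%4416", "ReadData / ListDirectory"),
    (0x000002, "%%4417", "WriteData / AddFile"),
    (0x000004, "%%4418", "AppendData / AddSubdirectory"),
    (0x000008, "%%4419", "ReadEA"),
    (0x000010, "%%4420", "WriteEA"),
    (0x000020, "%%4421", "Execute / Traverse"),
    (0x000040, "%%4422", "DeleteChild"),
    (0x000080, "%%4423", "ReadAttributes"),
    (0x000100, "%%4424", "WriteAttributes"),
    (0x010000, "%%1537", "DELETE"),
    (0x020000, "%%1538", "READ_CONTROL"),
    (0x040000, "%%1539", "WRITE_DAC"),
    (0x080000, "%%1540", "WRITE_OWNER"),
    (0x100000, "%%1541", "SYNCHRONIZE"),
]
WRITE_BITS = 0x000002 | 0x000004  # WriteData, AppendData: rights that change content


def decode_mask(mask):
    """Return ([(message_id, right_name), ...], leftover_bits) for an access mask."""
    hits = [(bit, mid, name) for bit, mid, name in FILE_RIGHTS if mask & bit]
    known = sum(bit for bit, _, _ in hits)
    return [(mid, name) for _, mid, name in hits], mask & ~known


def classify(mask_text):
    """Summarise one 'Access Mask' value (hex string) from a 5145 event.

    5145 logs the access check for what the client requested, so 'write' here
    means write access was asked for, not that data was written.
    """
    mask = int(mask_text, 16)
    rights, leftover = decode_mask(mask)
    return {
        "mask": hex(mask),
        "ids": [mid for mid, _ in rights],
        "rights": [name for _, name in rights],
        "unmapped_bits": hex(leftover),
        "write": bool(mask & WRITE_BITS),
    }


if __name__ == "__main__":
    # First three masks are from the post; 0x120116 is a constructed write-style mask.
    for sample in ("0x80", "0x1", "0x120089", "0x120116"):
        info = classify(sample)
        print(sample, "WRITE" if info["write"] else "read/metadata", info["rights"])
```

In the Access Check Results lines, %%1801 is the "Granted by" placeholder and `D:(A;;FA;;;WD)` is the SDDL form of the ACE that granted the right: an allow entry giving full file access to Everyone.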