Microsoft explains that this was done to make it more difficult to enable these noisy events. Note events 46 will not appear unless the subcategory "Handle Manipulation" is enabled along with the target sub-category. If the program repeatedly exercises a permission while the object is open, Windows only logs 4663 the first time. This event, 4663, is logged the first time one or more of the requested permissions are actually exercised. While event 4656 tells you when the object is initially opened and what type of access was requested at that time 4656 doesn't give you positive confirmation any of the access permissions were actually exercised. This event is logged between the open ( 4656) and close ( 4658) events for the object being opened and can be correlated to those events via Handle ID.
This event documents actual operations performed against files and other objects. This event is logged by multiple subcategories as indicated above.
0 kommentar(er)
