Event ID 4656 - Repeatedly in Security Event log
-
Wednesday, June 27, 2012 19:53
Hi Everybody,
I'm investigating an issue where this event ID is being repeatedly logged on my Server 2008 R2 box. The server is running Dynamics AX 2012, SQL Server, IIS and has the latest updates installed. The server is a VM running on ESX. The event looks like this:
A handle to an object was requested.
Subject:
Security ID: SYSTEM
Account Name: servername$
Account Domain: mydomain
Logon ID: 0x3e7
Object:
Object Server: PlugPlayManager
Object Type: Security
Object Name: PlugPlaySecurityObject
Handle ID: 0x0
Process Information:
Process ID: 0x258
Process Name: C:\Windows\System32\svchost.exe
Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: Unknown specific access (bit 1)
Access Reasons: -
Access Mask: 0x2
Privileges Used for Access Check: -
Restricted SID Count: 0
What I'm wondering specifically is why the PlugPlayManager is generating this event repeatedly. I do have object access auditing enabled for success and failure, but there are no other events being generated in large numbers. I know we can turn off auditing or modify auditing and the event will be suppressed. I would rather find out why the event is popping up rather than suppressing it.
Thanks for any help!
A handle to an object was requested.
Subject:
Security ID: SYSTEM
Account Name: AXDEV01$
Account Domain: DomainName
Logon ID: 0x3e7
Object:
Object Server: PlugPlayManager
Object Type: Security
Object Name: PlugPlaySecurityObject
Handle ID: 0x0
Process Information:
Process ID: 0x258
Process Name: C:\Windows\System32\svchost.exe
Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: Unknown specific access (bit 1)
Access Reasons: -
Access Mask: 0x2
Privileges Used for Access Check: -
Restricted SID Count: 0
- Edited by Gary Sandhu Thursday, February 14, 2013 4:32
All replies
-
Thursday, June 28, 2012 6:28 Moderator
Hi,
Event 4656 might occur if the failure audit was enabled for Handle Manipulation using auditpol.
Subcategory: Handle Manipulation
ID   Message
4656 A handle to an object was requested.
4658 The handle to an object was closed.
4690 An attempt was made to duplicate a handle to an object.
If you would like to get rid of these audit failures (4656), then you need to run the following command:
auditpol /set /subcategory:"Handle Manipulation" /failure:disable
Regards,
Arthur Li
TechNet Community Support
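Added example, not part of the thread or of Arthur's reply: before disabling failure auditing for the subcategory, a defender would normally want to know which object server, object and process account for the volume, and whether the records are success or failure audits. The PowerShell below (assumes an elevated session on the affected server; $MaxEvents is a constructed cap) reads the current Handle Manipulation setting and groups recent 4656 records by those fields.

```powershell
# Added triage script (not from the thread). Run elevated on the server that is flooding.
$MaxEvents = 5000   # constructed cap; raise it if the flood is larger

# 1. Confirm what is actually enabled for the subcategory (auditpol /get is read-only).
auditpol /get /subcategory:"Handle Manipulation"

# 2. Pull recent 4656 records and lift the EventData fields the thread is discussing.
$rows = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656 } -MaxEvents $MaxEvents -ErrorAction Stop |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time         = $_.TimeCreated
            Outcome      = ($_.KeywordsDisplayNames -join ',')   # 'Audit Success' or 'Audit Failure'
            ObjectServer = $data['ObjectServer']                  # e.g. PlugPlayManager
            ObjectType   = $data['ObjectType']
            ObjectName   = $data['ObjectName']                    # e.g. PlugPlaySecurityObject
            ProcessName  = $data['ProcessName']                   # e.g. svchost.exe, an AV scanner
            AccessMask   = $data['AccessMask']
            Subject      = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        }
    }

# 3. Which (object server, object, process, outcome) tuples dominate the log?
$rows |
    Group-Object ObjectServer, ObjectName, ProcessName, Outcome |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 4. Hourly rate for the top object, to line the flood up with a scan job, RDP logon or policy change.
$top = $rows | Group-Object ObjectName | Sort-Object Count -Descending | Select-Object -First 1
$rows | Where-Object ObjectName -eq $top.Name |
    Group-Object { $_.Time.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name |
    Format-Table Name, Count -AutoSize
```

If step 3 shows a single object and process pair, the hourly view in step 4 is usually enough to correlate the bursts with a scheduled task, AV scan or logon pattern before any audit setting is changed.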
-
Thursday, June 28, 2012 14:28
Thanks Arthur, but I've already read the post where you got that from. I'm not trying to suppress the message, I'm trying to figure out what is triggering it.
-
Wednesday, August 22, 2012 19:53
I'm seeing the same events logged on my R2 server in an ESXi environment. Any ideas on what is triggering the events?
-
Wednesday, August 22, 2012 20:37
I just found this same thing. It flooded our security logs and our security logging appliances. I found that 2008 servers have object level auditing turned on for the svchost.exe file where server 2003 servers do not. I am not sure why this was changed in Server 2008 (and R2). I am trying to figure that out now as I type this. Does anyone have any thoughts?
Chris Methe
-
Wednesday, September 5, 2012 16:06
I had the exact same problem: 2008 box, but mine occurred on the process "scan64.exe" (McAfee). So every time I scan anything, scan64.exe throws this error. Any idea what the cause of security EID 4656 is? I can disable the auditpol from reporting it, but I'd like to resolve the issue (rather than turn something off and ignore it).
-
Thursday, September 27, 2012 14:14
I have a similar problem, 2008 r2 on vSphere 5.x, where the Kaspersky a/v appears to be causing these errors as it scans files. I see how the event ids can be turned off, but like Jeff, I would like to stop them from happening. Has anyone come up with a solution?
Lance Redbourne Systems Analyst University of New Brunswick
- Edited by Lance Redbourne Thursday, September 27, 2012 14:15
-
Thursday, October 11, 2012 13:39
Hi, did anyone find a resolution to this? We are experiencing similar errors and it is flooding our security appliances with intrusion detections.
-
Tuesday, November 27, 2012 19:54
Same issue here!!! 2008 R2 running SharePoint 2010... started precisely at 1:30 pm... very near a policy change on the server "OU"... I'll look into it
-
Thursday, December 6, 2012 22:20
Any update on this? I have found the same thing; however, one of our 2008 servers is not doing it but the other is???
-
Sunday, December 9, 2012 21:09
I have nearly the same 4656 failure events on 3 different networks, all 2008R2 DCs. Except my events are tied directly to user accounts and only seem to appear after a remote desktop session is established with the DC.
According to Technet, "Handle Manipulation events are only generated for object types where the corresponding File System or Registry Object Access subcategory is enabled..."
So the event has to be tied to a SACL in either the File System or Registry. I don't remember applying a SACL to anything PlugPlay related; it might be a Windows built-in SACL (if they exist) and somehow tied to RDP? I'm reaching here... If only there was a way to list all the SACLs... c'mon Google! :)
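Added example, not from the thread: Get-Acl -Audit returns the audit entries (the SACL) on file-system and registry objects, the two object types the quoted TechNet statement ties Handle Manipulation events to. It assumes PowerShell 3.0 or later in an elevated session (reading a SACL requires SeSecurityPrivilege); the $Roots paths are constructed starting points and the Get-SaclReport function name is my own. An object served by PlugPlayManager is neither a file nor a registry key, so it will not show up in this walk.

```powershell
# Added example (not from the thread): list audit entries (SACLs) under file-system and registry roots.
# Constructed starting points; widen or narrow them to match the objects named in your 4656 records.
$Roots = @('C:\Windows\System32', 'HKLM:\SYSTEM\CurrentControlSet\Services')

function Get-SaclReport {
    param([string[]]$Paths)
    foreach ($root in $Paths) {
        Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $item = $_
                # -Audit asks for the SACL, which needs SeSecurityPrivilege; skip objects we cannot read.
                try { $acl = Get-Acl -LiteralPath $item.PSPath -Audit -ErrorAction Stop }
                catch { return }
                foreach ($ace in $acl.Audit) {
                    # FileSystemAuditRule exposes FileSystemRights, RegistryAuditRule exposes RegistryRights.
                    $rights = if ($ace.PSObject.Properties['FileSystemRights']) { $ace.FileSystemRights } else { $ace.RegistryRights }
                    [pscustomobject]@{
                        Path      = $item.PSPath -replace '^Microsoft\.PowerShell\.Core\\[A-Za-z]+::', ''
                        Principal = $ace.IdentityReference.Value   # often 'Everyone' on built-in SACLs
                        Rights    = $rights
                        Flags     = $ace.AuditFlags                # Success, Failure, or Success, Failure
                        Inherited = $ace.IsInherited
                    }
                }
            }
    }
}

# Explicit (non-inherited) entries are the ones somebody, or a policy, actually set on that object.
Get-SaclReport -Paths $Roots | Where-Object { -not $_.Inherited } | Format-Table -AutoSize
```

Recursing over large trees is slow; start from the directory or key that appears in the ObjectName field of the events rather than from a whole volume.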

