Event ID 4656 - Repeatedly in Security Event log

    Question

  • Hi Everybody,

    I'm investigating an issue where this event ID is being repeatedly logged on my Server 2008 R2 box. The server is running Dynamics AX 2012, SQL Server, IIS and has the latest updates installed. The server is a VM running on ESX. The event looks like this:

    A handle to an object was requested.

    Subject:
     Security ID:  SYSTEM
     Account Name:  servername$
     Account Domain:  mydomain
     Logon ID:  0x3e7

    Object:
     Object Server:  PlugPlayManager
     Object Type:  Security
     Object Name:  PlugPlaySecurityObject
     Handle ID:  0x0

    Process Information:
     Process ID:  0x258
     Process Name:  C:\Windows\System32\svchost.exe

    Access Request Information:
     Transaction ID:  {00000000-0000-0000-0000-000000000000}
     Accesses:  Unknown specific access (bit 1)
     Access Reasons:  -
     Access Mask:  0x2
     Privileges Used for Access Check: -
     Restricted SID Count: 0

    What I'm wondering specifically is why the PlugPlayManager is generating this event repeatedly. I do have object access auditing enabled for success and failure, but there are no other events being generated in large numbers. I know we can turn off auditing or modify auditing and the event will be suppressed. I would rather find out why the event is popping up than suppress it.

    Thanks for any help!

    A handle to an object was requested.

    Subject:
     Security ID:  SYSTEM
     Account Name:  AXDEV01$
     Account Domain:  DomainName
     Logon ID:  0x3e7

    Object:
     Object Server:  PlugPlayManager
     Object Type:  Security
     Object Name:  PlugPlaySecurityObject
     Handle ID:  0x0

    Process Information:
     Process ID:  0x258
     Process Name:  C:\Windows\System32\svchost.exe

    Access Request Information:
     Transaction ID:  {00000000-0000-0000-0000-000000000000}
     Accesses:  Unknown specific access (bit 1)
     Access Reasons:  -
     Access Mask:  0x2
     Privileges Used for Access Check: -
     Restricted SID Count: 0


    • Edited by Gary Sandhu Thursday, February 14, 2013 4:32
    Wednesday, June 27, 2012 19:53

All replies

  • Hi,

    Event 4656 might occur if failure auditing was enabled for Handle Manipulation using auditpol.

    Subcategory: Handle Manipulation

    ID Message

    4656 A handle to an object was requested.

    4658 The handle to an object was closed.

    4690 An attempt was made to duplicate a handle to an object.

    If you would like to get rid of these audit failures (4656), then you need to run the following command:

    auditpol /set /subcategory:"Handle Manipulation" /failure:disable

    Regards,


    Arthur Li

    TechNet Community Support

    Thursday, June 28, 2012 6:28
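Disabling the subcategory hides the symptom; the question asked here is what is requesting the handle. The following PowerShell is an added example, not code from this thread or from Microsoft: it reads the 4656 records, flattens their EventData and groups them by requesting process, object and account. It assumes an elevated session on the affected host and uses only built-in tools (Get-WinEvent, auditpol, tasklist); the `$objectServer` value is taken from the event posted above.

```powershell
# Added example, not from the thread: triage repeated 4656 events by flattening the
# Security log records and grouping by the requesting process, object and account.
# Assumes an elevated PowerShell session on the affected host; nothing is changed.
$maxEvents    = 5000               # how far back to read; raise if the burst is older
$objectServer = 'PlugPlayManager'  # value from the OP's event; adjust for other cases

# 1. Handle Manipulation only produces 4656 together with the matching Object Access
#    subcategory, so show the whole category rather than one subcategory.
auditpol /get /category:"Object Access"

# 2. Read 4656 records and turn the XML EventData into flat objects.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656 } `
                       -MaxEvents $maxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $outcome = if ($_.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
        [pscustomobject]@{
            Time         = $_.TimeCreated
            Outcome      = $outcome
            Subject      = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            ObjectServer = $data.ObjectServer
            ObjectName   = $data.ObjectName
            AccessMask   = $data.AccessMask
            ProcessId    = [int]$data.ProcessId    # hex string such as "0x258" -> 600
            ProcessName  = $data.ProcessName
        }
    }

$noise = $events | Where-Object { $_.ObjectServer -eq $objectServer }

# 3. Which process / object / account / outcome combination generates the volume?
$noise | Group-Object ProcessName, ObjectName, Subject, Outcome |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 4. Events per minute, to line the burst up with a scan schedule, an RDP logon or
#    a power-policy change like the ones described in this thread.
$noise | Group-Object { $_.Time.ToString('yyyy-MM-dd HH:mm') } |
    Sort-Object Name | Select-Object Name, Count | Format-Table -AutoSize

# 5. svchost.exe hosts many services; map the PID from the newest record to its
#    service group. Only meaningful while that process instance is still running.
$procId = $noise | Select-Object -First 1 -ExpandProperty ProcessId
if ($procId) { tasklist /svc /fi "PID eq $procId" }
```

The per-minute table is the quickest way to tell a scan-driven burst (regular intervals) from one tied to a logon or a policy change (a single start time).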
  • Thanks Arthur, but I've already read the post where you got that from. I'm not trying to suppress the message, I'm trying to figure out what is triggering it.
    Thursday, June 28, 2012 14:28
  • I'm seeing the same events logged on my R2 server in an ESXi environment. Any ideas on what is triggering the events?
    Wednesday, August 22, 2012 19:53
  • I just found this same thing. It flooded our security logs and our security logging appliances. I found that 2008 servers have object level auditing turned on for the svchost.exe file where Server 2003 servers do not. I am not sure why this was changed in Server 2008 (and R2). I am trying to figure that out now as I type this. Does anyone have any thoughts?


    Chris Methe

    Wednesday, August 22, 2012 20:37
  • I had the exact same problem: 2008 box, but mine occurred on the process "scan64.exe" (McAfee). So every time I scan anything, scan64.exe throws this error. Any idea what the cause of security EID 4656 is? I can disable auditpol from reporting it, but I'd like to resolve the issue (rather than turn something off and ignore it).
    Wednesday, September 05, 2012 16:06
  • I have a similar problem, 2008 R2 on vSphere 5.x, where the Kaspersky A/V appears to be causing these errors as it scans files. I see how the event IDs can be turned off, but like Jeff, I would like to stop them from happening. Has anyone come up with a solution?


    Lance Redbourne Systems Analyst University of New Brunswick


    Thursday, September 27, 2012 14:14
  • Hi, did anyone find a resolution to this? We are experiencing similar errors and it is flooding our security appliances with intrusion detections.
    Thursday, October 11, 2012 13:39
  • Same issue here!!! 2008 R2 running SharePoint 2010... started precisely at 1:30 pm... very near a policy change on the server "OU"... I'll look into it.
    Tuesday, November 27, 2012 19:54
  • Any update on this? I have found the same thing; however, one of our 2008 servers is not doing it but the other is???

    Thursday, December 06, 2012 22:20
  • I have nearly the same 4656 failure events on 3 different networks, all 2008 R2 DCs. Except my events are tied directly to user accounts and only seem to appear after a remote desktop session is established with the DC.

    According to Technet, "Handle Manipulation events are only generated for object types where the corresponding File System or Registry Object Access subcategory is enabled..."

    So the event has to be tied to a SACL in either the File System or Registry. I don't remember applying a SACL to anything PlugPlay related; it might be a Windows built-in SACL (if they exist) and somehow tied to RDP? I'm reaching here... If only there was a way to list all the SACLs... c'mon Google! :)

    • Proposed as answer by gorrisc Friday, January 24, 2014 21:07
    • Voted as helpful by gorrisc Friday, January 24, 2014 21:07
    Sunday, December 09, 2012 21:09
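The SACL listing the reply above wishes for is possible with Get-Acl -Audit, which returns the audit rules that decide whether File System and Registry object access produces 4656 at all. This is an added example, not code from this thread; the two root paths are constructed placeholders, and reading a SACL requires an elevated session (SeSecurityPrivilege).

```powershell
# Added example, not from the thread: list the audit rules (SACLs) on a file tree
# and a registry tree. 4656 for file and registry objects only fires where such a
# rule exists, so this shows what object auditing is actually configured.
# Reading a SACL needs SeSecurityPrivilege, i.e. an elevated session.
# Paths are constructed placeholders; point them at the trees you want to inspect.
$roots = @('C:\Windows\System32', 'HKLM:\SYSTEM\CurrentControlSet\Services')

$sacls = foreach ($root in $roots) {
    # Include the root itself; Get-ChildItem only returns children.
    $items = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
             @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -Path $item.PSPath -Audit -ErrorAction SilentlyContinue
        if (-not $acl -or $acl.Audit.Count -eq 0) { continue }
        foreach ($rule in $acl.Audit) {
            # File rules expose FileSystemRights, registry rules RegistryRights.
            $rights = ($rule.PSObject.Properties | Where-Object { $_.Name -like '*Rights' } |
                       Select-Object -First 1).Value
            [pscustomobject]@{
                Path      = Convert-Path $item.PSPath
                Identity  = $rule.IdentityReference
                Rights    = $rights
                AuditFlag = $rule.AuditFlags        # Success, Failure or both
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Explicit (non-inherited) rules are the ones a person or a policy set deliberately,
# so list those first.
$sacls | Sort-Object Inherited, Path | Format-Table -AutoSize
```

Recursing a large tree such as System32 takes a while; narrow the roots to the paths named in the noisy events once you have them.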
  • I would think that this could be related to the UAC settings on the server. I have not confirmed this for sure, but I know that the plugandplaymanager for a VM is involved in mapping USB ports to a VM in VMware, and in order to allow the server to pick up the attached USB component you have to lower the UAC control to the lowest setting. Keep in mind that if you change this a server restart is required before it will accept the lowered setting. So, if any of you are willing to give it a try and respond, that would be great.
    Friday, January 24, 2014 21:11
  • I'm experiencing the same issue but it is on two Win 7 Ent. machines. As soon as Power Options turn the display off it triggers the same as you posted every 5-10 sec., filling the security log. I'm trying to figure out the source also. I'd rather not change the auditing. Anyone found the fix on this recently?
    Wednesday, May 07, 2014 18:36
  • I think this post hits the nail on the head!

    http://networkadminkb.com/KB/a157/configuration-manager-access-denied-win32-access-denied.aspx

    The post talks about the issue being raised when a non-admin user uses the Services control manager, services.msc.

    That is not exactly what is happening in my case, but I believe it is related. In my case, "watchdog" services on multiple application servers are monitoring application service health on other servers for failover purposes: the standby server monitors the primary's services with a view to kicking in should the services on the primary fail (this is all application-based failover, not Windows clustering).

    The services all run under the same domain account, which is not an administrator, for obvious reasons.

    From the post it appears that the error is harmless unless you really need the service dependency information.

    I'd be interested to hear if this rings true with anyone else experiencing the issue?

    Neil

    Wednesday, June 11, 2014 15:23