locked
Event ID 4656 'A handle to an object was requested.' with SharePoint 2010 RRS feed

  • Question

  • Hi,

     

    I'm running Windows Server 2008 R2 SP1 and SharePoint 2010. I've noticed this error message in my Security event log.

    I already had a quick look on the Net but wasn't able to find something relevant.

    Would you guys have an idea what this means and how I can solve this problem?

     

    Thanks

     

    ***

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          10/26/2011 4:17:32 PM
    Event ID:      4656
    Task Category: Other Object Access Events
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      SERVER.domain.com
    Description:
    A handle to an object was requested.

    Subject:
        Security ID:        DOMAIN\MyServiceAccount
        Account Name:        MyServiceAccount
        Account Domain:        DOMAIN
        Logon ID:        0x6536e97

    Object:
        Object Server:        SC Manager
        Object Type:        SERVICE OBJECT
        Object Name:        WinHttpAutoProxySvc
        Handle ID:        0x0

    Process Information:
        Process ID:        0x260
        Process Name:        C:\Windows\System32\services.exe

    Access Request Information:
        Transaction ID:        {00000000-0000-0000-0000-000000000000}
        Accesses:        Query status of service
                    Start the service
                    Query information from service
                   
        Access Reasons:        -
        Access Mask:        0x94
        Privileges Used for Access Check:    -
        Restricted SID Count:    0
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4656</EventID>
        <Version>1</Version>
        <Level>0</Level>
        <Task>12804</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2011-10-26T14:17:32.437381000Z" />
        <EventRecordID>15422034</EventRecordID>
        <Correlation />
        <Execution ProcessID="616" ThreadID="632" />
        <Channel>Security</Channel>
        <Computer>SERVER.domain.com</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-5-21-1757981266-1645522239-839522115-66481</Data>
        <Data Name="SubjectUserName">SrvSP2010L_SupportKB</Data>
        <Data Name="SubjectDomainName">DOMAIN</Data>
        <Data Name="SubjectLogonId">0x6536e97</Data>
        <Data Name="ObjectServer">SC Manager</Data>
        <Data Name="ObjectType">SERVICE OBJECT</Data>
        <Data Name="ObjectName">WinHttpAutoProxySvc</Data>
        <Data Name="HandleId">0x0</Data>
        <Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
        <Data Name="AccessList">%%7186
                    %%7188
                    %%7191
                    </Data>
        <Data Name="AccessReason">-</Data>
        <Data Name="AccessMask">0x94</Data>
        <Data Name="PrivilegeList">-</Data>
        <Data Name="RestrictedSidCount">0</Data>
        <Data Name="ProcessId">0x260</Data>
        <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
      </EventData>
    </Event>

     

    Wednesday, October 26, 2011 2:33 PM

Answers

All replies

  • Hi,

     

    This thread might be helpful for you:

     

    Event ID 4656

    http://social.technet.microsoft.com/Forums/en/winserverGP/thread/fa15d891-a3bc-4977-a610-e8dfebd08147

    Regards,

    Bruce

    • Marked as answer by Bruce-Liu Monday, November 7, 2011 5:16 AM
    Wednesday, November 2, 2011 9:14 AM
  • When you enable auditing on an object (e.g. file or folder), this is the first event recorded when an application attempts to access the object in such a way that matches the audit policy defined for that object in terms of who is requesting the access and what type of access is being requested. (At least two subcategories must be enabled, Handle Manipulation and one other such as File System or Registry depending on what type of object you are auditing.)

    This event will be Audit Success or Audit Failure depending on whether the user account under which the account is running has the requested permissions or not. 

    This event's sub category will vary depending on type of object. In the example above notepad.exe running as Administrator successfully opened "New Text Document.txt" for Read access.

    This event does not always mean any access successfully requested was actually exercised - just that it was successfully obtained (if the event is Audit Success of course).  


    Vinod H
    Wednesday, November 2, 2011 12:53 PM