Maybe the audit scope is too broad. C:\Program Files\Exchsrv\bin\store.exe seems to be related to Exchange Service (Not sure, post on Exchange forum for more information). You might consider not to audit application files as they are accessed very
- Audit the access of global system objects is disabled under Local Policy
- i checked the auditing setting on store.exe - try to set auditing to SYSTEM with TAKE OWNERSHIP option, maybee than stop other auditing.. -
Found this: http://technet.microsoft.com/en-us/library/cc957089.aspx ; but i dont know how to disalbe this logging.
I try to find a way how to list all SACL which is set up already.
"You might consider not to audit application files as they are accessed very often." - how to do this? I only set auditing to one of my folder (and subfolders). I don't want to auditing any other application/dir/etc...
The microsoft address what you suggest tell this:
"These events appear if you have not configured the security access control list (SACL) on the object that you are auditing. The events also appear if you have configured the SACL, but not for all the listed accesses. For example, these events are logged
when a user or a program reads a registry subkey, and you have not selected the
Read Control or the Query Value check box in the auditing entry for that registry subkey. "
I don't really understand what should this mean...
Microsoft is conducting an online survey to understand your opinion of the Technet Web site. If you choose to participate, the online survey will be presented to you when you leave the Technet Web site.