Windows Security Logging and Other Esoterica

thoughts from the Windows auditing team

Another culprit causes too many object access events.

I encountered this in the course of investigating another report of "too many object access events".  Evidently Exchange 2000 Server can cause a large number of handle close events with no corresponding handle open events.  The KB article explains how to solve the problem.

2005-10-05 UPDATE: Another Exchange audit volume problem, reported by Jeremy D.  To disable event 562 (close handle) for Exchange Server 2003 with SP1 installed, add a DWORD value named "Disable Close Object Audit" (no quotes) to the following registry key and set it to "1".  The key is:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParameterSystem

2008-06-05 UPDATE: Reader Craig reports that the actual key name includes "ParameterSystem" in the registry path.  Updated accordingly.  Thanks Craig!
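
One way to measure the symptom described above, handle close events (562) with no corresponding open event, in an exported Security log. This is an added example, not code from the original post; the CSV column names and the sample rows are constructed, and event 560 is the object-open event that pairs with 562 on these Windows versions.

```python
import csv
import io
from collections import Counter

OPEN_EVENT = 560   # object open (a handle was opened)
CLOSE_EVENT = 562  # handle closed, the event named in the post

# Constructed sample export, not real log data. The column names are an
# assumption about how the Security log was exported to CSV.
SAMPLE = """record,event_id,process_id,handle_id,image
1,560,1200,0x1a4,explorer.exe
2,562,1200,0x1a4,explorer.exe
3,562,2316,0x2f0,store.exe
4,562,2316,0x2f4,store.exe
5,560,1200,0x1a4,explorer.exe
6,562,2316,0x2f0,store.exe
7,562,1200,0x1a4,explorer.exe
8,562,1200,0x1a4,explorer.exe
"""


def orphan_closes(csv_text):
    """Return {image: (orphan_closes, total_closes)} for 562 events.

    Handle IDs are only unique within a process and are reused after a
    close, so events are matched in log order on (process_id, handle_id).
    """
    open_handles = set()
    orphans = Counter()
    totals = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        event_id = int(row["event_id"])
        key = (row["process_id"], row["handle_id"].lower())
        if event_id == OPEN_EVENT:
            open_handles.add(key)
        elif event_id == CLOSE_EVENT:
            totals[row["image"]] += 1
            if key in open_handles:
                open_handles.remove(key)   # matched open/close pair
            else:
                orphans[row["image"]] += 1  # close with no prior open
    return {image: (orphans[image], totals[image]) for image in totals}


if __name__ == "__main__":
    for image, (orphan, total) in sorted(orphan_closes(SAMPLE).items()):
        print(f"{image}: {orphan} of {total} close events have no matching open")
```

A process whose close events are almost all unmatched is the one generating the audit noise; a log that starts mid-session will also show a few unmatched closes for handles opened before the export window.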
