A lot of people are unhappy with object access auditing on Windows, because what they want to know is "who touched the object and what did that person do", but what Windows auditing actually tells you is "who touched the object and what did they ask for permission to do". The distinction is subtle, but if you interpret object access events as a record of the changes made to objects, you are probably misreading what the log says.
To that end, here's a brief overview of Windows Object Access auditing.
On every OS from Windows NT 3.1 up to and including Windows Server 2003:
Note that event 560 does not record what was done to the object, only which accesses were requested on it. This is an important distinction: the access mask in the event is what the caller asked for when the handle was opened, not what the caller later did with the handle.
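To make the "requested" versus "done" distinction concrete, here is an added example (not code from the original post). It decodes an object-access audit event's access mask into the standard Win32 access-right names from winnt.h, and then correlates a handful of constructed records, keyed by handle ID, to find handles that were opened with DELETE requested but never had a delete operation recorded against them. The record shape (`kind`, `handle`, `access_mask`) is a simplified model of the open/operation pairing the post describes, not the field layout of any real event; the file paths and user name are made up.

```python
"""Decode audit access masks and separate requested rights from exercised ones.

Added example, not part of the original post. The bit values are the standard
Win32 access rights from winnt.h; the audit records below are constructed for
illustration and do not reproduce the layout of any real event.
"""

# Standard and file-specific access rights, by bit value (winnt.h).
FILE_ACCESS_RIGHTS = {
    0x00000001: "ReadData (or ListDirectory)",
    0x00000002: "WriteData (or AddFile)",
    0x00000004: "AppendData (or AddSubdirectory)",
    0x00000008: "ReadEA",
    0x00000010: "WriteEA",
    0x00000020: "Execute/Traverse",
    0x00000040: "DeleteChild",
    0x00000080: "ReadAttributes",
    0x00000100: "WriteAttributes",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
    0x01000000: "ACCESS_SYS_SEC",
}

DELETE = 0x00010000


def decode_access_mask(mask):
    """Return the access-right names set in `mask`, lowest bit first.

    Any bits not in the table are appended as one hex value so nothing is lost.
    """
    names = [name for bit, name in sorted(FILE_ACCESS_RIGHTS.items()) if mask & bit]
    leftover = mask & ~sum(FILE_ACCESS_RIGHTS)
    if leftover:
        names.append(f"0x{leftover:08x}")
    return names


# Constructed sample (hypothetical paths, user and handle IDs):
#  - handle 0x3c is opened with ReadData|ReadAttributes|DELETE requested, but the
#    only operation recorded against it is a read;
#  - handle 0x40 is opened read-only and never touched again.
SAMPLE_RECORDS = [
    {"kind": "open", "handle": "0x3c", "object": r"C:\data\payroll.xlsx",
     "user": r"CORP\jdoe", "access_mask": 0x00010081},
    {"kind": "operation", "handle": "0x3c", "access_mask": 0x00000001},
    {"kind": "open", "handle": "0x40", "object": r"C:\data\notes.txt",
     "user": r"CORP\jdoe", "access_mask": 0x00100081},
]


def summarize_handles(records):
    """Per handle ID: the mask requested at open and the union of masks exercised.

    An 'open' record starts a handle; an 'operation' record OR-s its mask into
    what was actually exercised on that handle. Operations for unknown handles
    (opened before the log window) are ignored rather than misattributed.
    """
    handles = {}
    for rec in records:
        if rec["kind"] == "open":
            handles[rec["handle"]] = {
                "object": rec["object"],
                "user": rec["user"],
                "requested": rec["access_mask"],
                "exercised": 0,
            }
        elif rec["kind"] == "operation" and rec["handle"] in handles:
            handles[rec["handle"]]["exercised"] |= rec["access_mask"]
    return handles


def requested_but_not_exercised(records, right=DELETE):
    """Handle IDs where `right` was requested at open but no operation shows it used.

    This is the case the post warns about: a DELETE in the open event's access
    mask is a request, and on its own is not evidence that anything was deleted.
    """
    return [
        handle for handle, info in summarize_handles(records).items()
        if info["requested"] & right and not info["exercised"] & right
    ]


if __name__ == "__main__":
    for handle, info in summarize_handles(SAMPLE_RECORDS).items():
        print(handle, info["object"],
              "requested:", decode_access_mask(info["requested"]),
              "exercised:", decode_access_mask(info["exercised"]))
    print("DELETE requested but never exercised:",
          requested_but_not_exercised(SAMPLE_RECORDS))
```

Two caveats when applying this to real logs: correlation must key on the handle ID together with the process (handle IDs are reused once a handle closes), and a requested right that is never exercised is the normal case, since applications routinely open objects with more access than they end up using. Treating every DELETE in an open event as a deletion will therefore produce mostly false positives.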
On Windows XP and Windows Server 2003, a new feature, "Operation-Based Auditing", was added:
On Windows Vista:
That's all for now! As always, comments are welcome!