Home | Site Map | Cisco How ToNet How To | Wireless |Search | Forums | Services | Donations | Careers | About Us | Contact Us|

Event ID 560

Active Directory, Domain, DNS, WINS, DHCP, SBS, New Releases.

Event ID 560

Postby chicagotech » Tue May 15, 2007 11:43 pm

Have you checked these MS articles?

Event IDs 560 and 562 appear many times in the security event log
Discusses why you receive multiple instances of Event ID 560 and Event ID 562 when you use an application that opens audited objects too frequently or that ...
support.microsoft.com/kb/841001 - Similar pages

Event ID 560 Message Is Recorded in the Security Log
When you create a new user and make this user a part of the Users group, when the new user logs on to the computer, an event ID message similar to the ...

Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
"Paul Armstrong" <PaulArmstrong> wrote in message news:A137CE10-5712-4C37-A62A-63238AE4AF99@microsoft.com...

I have a pretty strange problem that is causing me some headaches, and
causing a security scare at our place!! Wont go into details for obvious
reasons, but the end result is that I think that either there is some
automated process at work, or Windows 2003 is behaving in a very peculiar

Here's the deal.....

We have 600 users, all who have their personal shares mapped to
\\server\users\username which is E:\Users on the server itself.

It was suggested that someone had been accessing other users personal
shares, all users have sole permissions to their shares. As a result file
audits were put on the said personal shares which were suspected of being
accessed, down to object level success and failure.

I have only just started looking at this myself, and from the event logs I
have captured, its throwing out event ID 560 in the logs, with info which at
first glance appears users are logging on directly to the server, and opening
or attempting to open a file in the audited directory (always desktop.ini)
using explorer.exe from the server itself. The file path is

It is currently happening to what seems a random set of users, I myself was
looking at the logs and lo and behold my admin account was accessing these
files, yet I know for certain that although I was logged onto the server I
did not even have any windows open (another time I wasnt even logged in and
at a meeting, another user isnt even based in our building!!!). The others
users who have been captured in the logs accessing these files are not amin
users and if anything restricted, and more importantly were no where near the
physical location of the server, and were by no means accessing the files
themselves anyway.

So this is leaving me completely baffled!! I have scanned for spyware and
virus, using multiple scanners, nothing was flagged.

The server is Windows 2003 Enterprise R2, I would have to look to see what
patches it has exactly.

As I said I can only assume windows has decided to do this on its own, for
some unknown behavioural reasons, or there is somethign automated which is
randomly masquerading as random users.

One thing to point out that in some instances the logs in terms of audit
failures being logged on the said files, were coming in in batches of 3 per
second, then nothing for a minute or so then another 3.

Its all very strange!!!

If anyone has seen this behaviour at all, or can explain, then please help
me out as this would go a very very long way in helping me out here, as its a
very serious situation we're in here.


Paul Armstrong

ps Know Im not too clear so please feel free to ask any questions!!
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
Site Admin
Posts: 7096
Joined: Mon Nov 27, 2006 1:24 pm
Location: Chicago USA

Return to Windows

Your Ad Here

Who is online

Users browsing this forum: Yahoo [Bot] and 5 guests