nourben
asked on
Take ownership attempts based on object access events
I am getting tons of these:
A handle to an object was requested.
Subject:
Security ID: S-1-5-18
Account Name: DC01$ (domain controller name)
Account Domain: XXXXX (domain name)
Logon ID:
Object:
Object Server: Security
Object Type: Key
Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SamSs
Handle ID: 1260
Process Information:
Process ID: 2696
Process Name: C:\Windows\System32\CpqMgmt\cqmghost\cqmghost.exe
Access Request Information:
Transaction ID: 00000000-0000-0000-0000-000000000000
Accesses: DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
Query key value
Set key value
Create sub-key
Enumerate sub-keys
Notify about changes to keys
Create Link
Access Mask:
Privileges Used for Access Check: -
Restricted SID Count: 0